Tech Support Forum, Resolved HJT Threads: resolved spyware and popup issues.
01-14-2006, 09:06 PM, post #21, stretched (Registered User; Join Date: Aug 2005; Posts: 115; OS: Windows XP)
OK, back from that adventure. One thing I forgot, but I did it now... sorry... and here are the results:

This was present and fixed in HJT:

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess


Smashed these in the uninstall manager; there was no info on the size, just the name and the bit about "looks like it's gone, want to take it from the list?", so this time I said yes:

Zango Toolbar
zbvugea
zseyqgxmad


This one: The Best Offers. Had to remove it via the HijackThis Open Uninstall Manager task.


Ran this: regsvr32 /u occache.dll

I missed deleting these until right now (!??)

C:\WINDOWS\Downloaded Program Files\installer_MARKETING48x.exe
C:\WINDOWS\SYSTEM32\msclock32.dll


I did it now.

I did run this: regsvr32 occache.dll
I did Boot to normal mode and CLEAR & RESET SYSTEM RESTORE'S CACHE

And I did Panda ActiveScan

RE: LOGS AND REPORTS

As for that Webroot thing, I did not see your post until it was actually done, so I managed to copy this from the lowermost box by selecting it (holding Shift and the down arrow), then Ctrl+C etc. Here it is:

(WEBROOT SPYSWEEPER FINDINGS)
Adware found: multidial
Adware found: screensavers
Adware found: websearch toolbar
Adware found: winad
Trojan Horse found: sysnet
Adware found: drsnsrch hijacker
Adware found: rich editor
Adware found: dealbar toolbar
Adware found: safesurf
Adware found: directrevenue-abetterinternet
Adware found: 180search assistant/zango
Adware found: cas
Adware found: ezula ilookup
Adware found: fullcontext
Adware found: ieplugin
Adware found: drsnsrch.com hijack
Adware found: starware toolbar
Adware found: instant access
Adware found: one2one viewer
Adware found: privacyscan
Adware found: hotconnect dialer
Spy Cookie found: 2o7.net cookie
Spy Cookie found: 888 cookie
Spy Cookie found: websponsors cookie
Spy Cookie found: aa cookie
Spy Cookie found: go.com cookie
Spy Cookie found: abetterinternet cookie
Spy Cookie found: about cookie
Spy Cookie found: yieldmanager cookie
Spy Cookie found: adknowledge cookie
Spy Cookie found: adrevservice cookie
Spy Cookie found: cc214142 cookie
Spy Cookie found: pointroll cookie
Spy Cookie found: adultrevenueservice cookie
Spy Cookie found: falkag cookie
Spy Cookie found: ask cookie
Spy Cookie found: atlas dmt cookie
Spy Cookie found: belnk cookie
Spy Cookie found: atwola cookie
Spy Cookie found: azjmp cookie
Spy Cookie found: a cookie
Spy Cookie found: bizrate cookie
Spy Cookie found: btgrab cookie
Spy Cookie found: burstnet cookie
Spy Cookie found: goclick cookie
Spy Cookie found: gostats cookie
Spy Cookie found: ccbill cookie
Spy Cookie found: cliks cookie
Spy Cookie found: dealtime cookie
Spy Cookie found: webservicehosts cookie
Spy Cookie found: gamespy cookie
Spy Cookie found: metareward.com cookie
Spy Cookie found: military cookie
Spy Cookie found: mywebsearch cookie
Spy Cookie found: nextag cookie
Spy Cookie found: offeroptimizer cookie
Spy Cookie found: outster cookie
Spy Cookie found: partypoker cookie
Spy Cookie found: paypopup cookie
Spy Cookie found: pricegrabber cookie
Spy Cookie found: rightmedia cookie
Spy Cookie found: spywarestormer cookie
Spy Cookie found: toplist cookie
Spy Cookie found: tracking cookie
Spy Cookie found: tribalfusion cookie
Spy Cookie found: burstbeacon cookie
Spy Cookie found: hardcoresexshack cookie
Spy Cookie found: xiti cookie
Spy Cookie found: yadro cookie
Spy Cookie found: 412 cookie
Spy Cookie found: 447 cookie
Spy Cookie found: 64.62.232 cookie
Spy Cookie found: adecn cookie
Spy Cookie found: adlegend cookie
Spy Cookie found: hbmediapro cookie
Spy Cookie found: hotbar cookie
Spy Cookie found: precisead cookie
Spy Cookie found: specificclick.com cookie
Spy Cookie found: adorigin cookie
Spy Cookie found: adprofile cookie
Spy Cookie found: starpulse cookie
Spy Cookie found: adultfriendfinder cookie
Spy Cookie found: advertising cookie
Spy Cookie found: angelfire cookie
Spy Cookie found: bannerspace cookie
Spy Cookie found: banners cookie
Spy Cookie found: banner cookie
Spy Cookie found: bravenet cookie
Spy Cookie found: callwave cookie
Spy Cookie found: casalemedia cookie
Spy Cookie found: commission junction cookie
Spy Cookie found: classmates cookie
Spy Cookie found: tickle cookie
Spy Cookie found: did-it cookie
Spy Cookie found: empnads cookie
Spy Cookie found: exitexchange cookie
Spy Cookie found: expage cookie
Spy Cookie found: fastclick cookie
Spy Cookie found: go2net.com cookie
Spy Cookie found: starware.com cookie
Spy Cookie found: clickandtrack cookie
Spy Cookie found: screensavers.com cookie
Spy Cookie found: kount cookie
Spy Cookie found: maxserving cookie
Spy Cookie found: touchclarity cookie
Spy Cookie found: reunion cookie
Spy Cookie found: search123 cookie
Spy Cookie found: servedby advertising cookie
Spy Cookie found: servlet cookie
Spy Cookie found: sirsearch cookie
Spy Cookie found: reliablestats cookie
Spy Cookie found: trb.com cookie
Spy Cookie found: clickzs cookie
Spy Cookie found: webpower cookie
Spy Cookie found: redzip cookie
Spy Cookie found: upspiral cookie
Spy Cookie found: adrevolver cookie
Spy Cookie found: askmen cookie
Spy Cookie found: enhance cookie
Spy Cookie found: cassava cookie
Spy Cookie found: cgi-win cookie
Spy Cookie found: cursorzone cookie
Spy Cookie found: overture cookie
Spy Cookie found: fe.lea.lycos.com cookie
Spy Cookie found: herfirstanalsex cookie
Spy Cookie found: herfirstlesbiansex cookie
Spy Cookie found: questionmarket cookie
Spy Cookie found: realmedia cookie
Spy Cookie found: adjuggler cookie
Spy Cookie found: serving-sys cookie
Spy Cookie found: directtrack cookie
Spy Cookie found: targetnet cookie
Spy Cookie found: teensforcash cookie
Spy Cookie found: trafficmp cookie
Spy Cookie found: joetec.net cookie
Spy Cookie found: freepassbucks cookie
Spy Cookie found: centrport net cookie
Spy Cookie found: ru4 cookie
Adware found: apropos
Adware found: begin2search
Adware found: shopathomeselect
Adware found: visfx
Adware found: exact cashback/bargain buddy
Adware found: winantispyware 2005
Adware found: newads transponder
Adware found: java byteverify
Full Sweep has completed. Elapsed time 00:47:33
Traces Found: 2650

END OF THAT LIST

ACTIVESCAN

Incident Status Location

Adware:adware/navipromo Not disinfected C:\WINDOWS\SYSTEM32\msclock32.dll
Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat
Dialer:dialer generic Not disinfected C:\PROGRAM FILES\dialers
Adware:adware/comet Not disinfected C:\Documents and Settings\Mommy\Application Data\Starware
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\SOFTWARE\TOOLBAR
Adware:adware/activshopper Not disinfected Windows Registry
Potentially unwanted tool:application/zango Not disinfected HKEY_CLASSES_ROOT\ZANGOTOOLBAR.ZCTOOLBAND
Adware:adware/webext Not disinfected Windows Registry
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Mommy\cookies\mommy@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mommy\cookies\mommy@ads.pointroll[1].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Mommy\cookies\mommy@ask[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Mommy\cookies\mommy@centrport[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mommy\cookies\mommy@com[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mommy\cookies\mommy@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mommy\cookies\mommy@tribalfusion[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Mommy\Cookies\mommy@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mommy\Cookies\mommy@ads.pointroll[1].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Mommy\Cookies\mommy@ask[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Mommy\Cookies\mommy@centrport[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mommy\Cookies\mommy@com[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mommy\Cookies\mommy@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mommy\Cookies\mommy@tribalfusion[1].txt
Adware:Adware/WinTools Not disinfected C:\WINDOWS\SYSTEM32\grwinsthlp.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\SYSTEM32\msclock32.dll
END OF THAT LIST

Logfile of HijackThis v1.99.1

Scan saved at 9:59:44 PM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

OK, and sorry about screwing up the order of that one fix, and maybe the Webroot thing is of some use here. No need for you to apologize, I am indebted to you as it is already.....
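Added example, not code from HijackThis or from the post above: a small triage script over HijackThis 1.99.1 log lines that encodes the checks a helper makes by eye when reading a log like the one just posted. It flags a Run entry that loads a DLL by bare name through rundll32 (the shape of the "Instant Access" line the poster fixed), entries whose target file is missing, unnamed BHOs, a NameServer override, Winlogon Notify DLLs, and services with no vendor name. The rule names and the fix/review severities are the example's own heuristics; the sample log is constructed from lines that appear in this post.

```python
"""Triage a HijackThis 1.99.1 log: flag entries worth a second look.

Added example, not code from HijackThis or the forum post. The sample log
is constructed from lines posted in the thread (including the O4 entry the
poster had already fixed); the rule names and severities are this
example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
"""


@dataclass
class Finding:
    section: str   # HJT section id, e.g. "O4"
    rule: str      # which heuristic fired
    severity: str  # "fix": dead or clearly abnormal entry; "review": confirm the vendor/ISP first
    line: str      # the original log line


# Every HJT entry starts with a section id followed by " - ".
SECTION_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# rundll32 <dll>,<export>: capture the DLL token so we can see whether it carries a path.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^,\"\s]+)", re.IGNORECASE)


def check_line(line: str) -> List[Finding]:
    """Apply each heuristic to one log line; process-list lines produce nothing."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    low = body.lower()
    found: List[Finding] = []

    # Entries whose target no longer exists are leftovers to remove.
    if "(no file)" in low or "(file missing)" in low:
        found.append(Finding(section, "missing-target", "fix", line))

    # A Run entry that loads a DLL by bare name lets rundll32 resolve it through the
    # search path: the shape of the "Instant Access" adware entry in this thread.
    if section == "O4":
        r = RUNDLL_RE.search(body)
        if r and "\\" not in r.group(1):
            found.append(Finding(section, "rundll32-bare-dll", "fix", line))

    # A BHO with no registered name needs its CLSID and DLL checked by hand
    # (Spybot's SDHelper.dll is a legitimate example of this shape).
    if section == "O2" and "(no name)" in low:
        found.append(Finding(section, "unnamed-bho", "review", line))

    # A NameServer override is only bad if it is not the ISP's resolver.
    if section == "O17" and "nameserver" in low:
        found.append(Finding(section, "dns-override", "review", line))

    # Winlogon Notify DLLs load into winlogon.exe at every logon: confirm the vendor.
    if section == "O20":
        found.append(Finding(section, "winlogon-notify", "review", line))

    # A service binary with no company name in its version info.
    if section == "O23" and "unknown owner" in low:
        found.append(Finding(section, "unknown-service-owner", "review", line))
    return found


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and return findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.rule:22} {f.line}")
```

Everything marked "review" is a prompt to check, not a verdict: the O17 resolver and the O20 Winlogon DLL in this log belong to the poster's ISP client and to Spy Sweeper. Note also that the two avast service lines in the posted log carry a stray quote followed by "(file missing)"; the script would flag those as missing-target, so confirm the file on disk before treating such an entry as dead.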

01-14-2006, 10:42 PM, post #22, tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,480; OS: 2000 Pro; XP Pro; XP Home)

Well, I was afraid of that...the SpySweeper scan is worthless if it won't let you clean anything. It doesn't even give file names or registry locations any more. *sigh* That one's out of my arsenal...it's a great tool if you don't mind paying, though.

Make sure hidden files are still visible.

Delete these files/folders:

C:\WINDOWS\SYSTEM32\msclock32.dll
C:\WINDOWS\pcconfig.dat
C:\PROGRAM FILES\dialers
C:\Documents and Settings\Mommy\Application Data\Starware
C:\Documents and Settings\Mommy\cookies\mommy@2o7[1].txt
C:\Documents and Settings\Mommy\cookies\mommy@ads.pointroll[1].txt
C:\Documents and Settings\Mommy\cookies\mommy@ask[1].txt
C:\Documents and Settings\Mommy\cookies\mommy@centrport[1].txt
C:\Documents and Settings\Mommy\cookies\mommy@com[2].txt
C:\Documents and Settings\Mommy\cookies\mommy@questionmarket[1].txt
C:\Documents and Settings\Mommy\cookies\mommy@tribalfusion[1].txt
C:\Documents and Settings\Mommy\Cookies\mommy@2o7[1].txt
C:\Documents and Settings\Mommy\Cookies\mommy@ads.pointroll[1].txt
C:\Documents and Settings\Mommy\Cookies\mommy@ask[1].txt
C:\Documents and Settings\Mommy\Cookies\mommy@centrport[1].txt
C:\Documents and Settings\Mommy\Cookies\mommy@com[2].txt
C:\Documents and Settings\Mommy\Cookies\mommy@questionmarket[1].txt
C:\Documents and Settings\Mommy\Cookies\mommy@tribalfusion[1].txt
C:\WINDOWS\SYSTEM32\grwinsthlp.exe


If they resist deletion, boot to safe mode and delete from there.

Download and install CCleaner: http://www.ccleaner.com/ccdownload.asp

1. Open the program and the "Cleaner" button should be active.
2. Click on "Run Cleaner".
3. Once that's done it will clean out the TEMP folder.
4. Now click on "Issues" and then "Scan for Issues".
5. Once it's done, checkmark ALL it finds and click "Fix Selected Issues".
6. It will ask you if you want to back up the registry entries it's removing, so please do so. If it removes anything important, just locate the .reg file you saved and double-click on it to add the entries back.

From normal mode, run this online scan, and have it scan your full system:

http://housecall65.trendmicro.com/

There should be an autoclean function on this one. This should not be the same one I had you use earlier.

We're essentially chasing remnants. Your HJT log is clean. How many other user accounts are there on this system?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
01-15-2006, 04:12 PM, post #23, stretched (Registered User; Join Date: Aug 2005; Posts: 115; OS: Windows XP)

OK, sorry for being gone; I am getting behind on other things and could not catch up on these until late today...

All of those files/folders you told me to delete I did. This one:

C:\WINDOWS\SYSTEM32\msclock32.dll
could not find it, so I ran the search and it was in the recycle bin(!) so I emptied the bin.

I did as you said with CCLEANER.

I went to Housecall (that is actually the one I used last time, because it was the link I discovered somewhere on the forum).
I got a message:

MS00-034
An error occurred ... same as it said last time.
And:
(MS01-028) RTF Document linked to template can run macros without warning...

It gave the link below for details about that one:

http://www.trendmicro.com/vinfo/seca...ithout+Warning

I think that is everything with the exception of the number of users on this machine:

Looks like there are eight on here; I can remove one for certain. You see, it is my wife and my six kids, that is seven; the extra is "guest".

I have been using my wife's since close to the beginning here, "mommy".

Alright, thanks again and sorry for causing you any grief.
01-15-2006, 06:55 PM, post #24, tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,480; OS: 2000 Pro; XP Pro; XP Home)


I really don't understand that error message from Housecall....when you get to the page, is there something telling you to load a plug-in? There may be, and you should.

I gotta tell you, I'm not looking forward to looking at 7 logs from this system. But I will, one at a time.

Make sure you keep track of which one's been cleaned, and which one hasn't. Run all these same tools on the user account first, before posting a HJT log.

Adware, Spybot, Ewido, CWShredder. I also have another idea to help us get some control. Uninstall that version of SpySweeper you have, as it scans only and won't help us.

I was able to find a link to a free trial version which does clean. I've just tested it on one of my test boxes. Try it out, and let me know how it goes....if possible, clean whatever it finds, save the session log, and post that and any Ewido log for each user account as we go through them.

Please download WebRoot SpySweeper from HERE (It's a 90 day trial):
  • Click the Download now link on the right to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

After doing all that, post a HJT log, and name the account.
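The reply above asks for the machine to be swept with "Sweep All User Accounts" on, for the session log to be posted for each account, and for a record of which account has been cleaned. Added example, not code from Spy Sweeper or from the thread: a parser for Spy Sweeper session logs that turns the registry traces into exactly that per-account checklist. Spy Sweeper writes per-user registry traces under HKU\WRSS_Profile_<SID>\, so the SID in each trace identifies the account; the last SID component (the RID) separates the built-in Guest account from ordinary users. The sample log is constructed in the format of the session log posted later in the thread, and the RID labels assume the standard well-known Windows RIDs (500 = Administrator, 501 = Guest).

```python
"""Group Webroot Spy Sweeper session-log traces by user account.

Added example, not code from Spy Sweeper or the thread. The sample log is
constructed in the format of the session log posted in the thread; the RID
labels assume the well-known Windows RIDs (500 = Administrator, 501 = Guest).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_SESSION_LOG = r"""
10:57 AM: Sweep initiated using definitions version 601
11:01 AM: Starting Registry Sweep
11:01 AM: Found Adware: screensavers
11:01 AM: HKLM\software\screensavers.com\ (18 subtraces) (ID = 140569)
11:01 AM: Found Adware: starware toolbar
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\starware\ (12 subtraces) (ID = 142866)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\starware\ (12 subtraces) (ID = 142866)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1011\software\starware\ (12 subtraces) (ID = 142866)
11:01 AM: Found Adware: instant access
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\egdhtml\ (16 subtraces) (ID = 128787)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\windows\currentversion\run\ || instant access (ID = 128817)
"""

# "Found <Category>: <family>" opens a group; the trace lines that follow belong to it.
FOUND_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: Found ([A-Za-z ]+?): (.+)$")
# "<time>: <path> [(n subtraces)] (ID = n)"
TRACE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.+?)(?: \((\d+) subtraces\))? \(ID = (\d+)\)$")
# Per-user hive as mounted by Spy Sweeper: HKU\WRSS_Profile_<SID>\...
HKU_RE = re.compile(r"^HKU\\WRSS_Profile_(S-1-5-21-[\d-]+)\\", re.IGNORECASE)
# A value under the per-user Run key is a logon persistence point.
RUN_KEY_MARK = "\\currentversion\\run\\ ||"


@dataclass
class Trace:
    category: str   # "Adware", "Trojan Horse", ...
    family: str     # e.g. "starware toolbar"
    scope: str      # "machine" for HKLM/HKCR, otherwise the user SID
    path: str
    subtraces: int
    trace_id: int
    is_run_key: bool


def parse_session_log(text: str) -> List[Trace]:
    """Attach each registry trace to the 'Found' group above it and to its hive scope."""
    traces: List[Trace] = []
    category = family = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            category, family = m.group(1), m.group(2)
            continue
        m = TRACE_RE.match(line)
        if not m or family is None:
            continue  # status lines, or a trace before any "Found" header
        path = m.group(1)
        h = HKU_RE.match(path)
        traces.append(Trace(
            category=category, family=family,
            scope=h.group(1) if h else "machine",
            path=path,
            subtraces=int(m.group(2) or 0),
            trace_id=int(m.group(3)),
            is_run_key=RUN_KEY_MARK in path.lower(),
        ))
    return traces


def per_account_summary(traces: List[Trace]) -> Dict[str, Dict[str, int]]:
    """scope -> {family -> number of traces}: what each account still carries."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for t in traces:
        summary[t.scope][t.family] += 1
    return {scope: dict(fams) for scope, fams in summary.items()}


def account_label(scope: str) -> str:
    """Label from the RID (last SID component); assumes the standard well-known RIDs."""
    if scope == "machine":
        return "machine-wide (HKLM/HKCR)"
    rid = int(scope.rsplit("-", 1)[1])
    if rid == 500:
        return "built-in Administrator (RID 500)"
    if rid == 501:
        return "built-in Guest (RID 501)"
    return f"local user account (RID {rid})"


def persistence_traces(traces: List[Trace]) -> List[Trace]:
    """Run-key values: these relaunch the adware at logon for that account only."""
    return [t for t in traces if t.is_run_key]


if __name__ == "__main__":
    found = parse_session_log(SAMPLE_SESSION_LOG)
    for scope, fams in per_account_summary(found).items():
        print(account_label(scope), fams)
    for t in persistence_traces(found):
        print("persistence:", account_label(t.scope), t.path)
```

Run it against each account's session log as the accounts are cleaned and diff the summaries: a family that disappears from every SID scope but survives under "machine" is an HKLM/HKCR remnant, while a Run-key trace under a single SID means that account still relaunches the adware at logon and has not actually been cleaned yet.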
01-16-2006, 12:22 PM, post #25, stretched (Registered User; Join Date: Aug 2005; Posts: 115; OS: Windows XP)

"Alrighty then"

This is user account:

"mommy"

Ran the new Spy Sweeper, Adware, Spybot, Ewido, CWShredder; I also ran CCleaner after all of them (I hope that was not stupid).

Here is the Spysweeper log:

********
10:57 AM: | Start of Session, Monday, January 16, 2006 |
10:57 AM: Spy Sweeper started
10:57 AM: Sweep initiated using definitions version 601
10:57 AM: Starting Memory Sweep
11:01 AM: Memory Sweep Complete, Elapsed Time: 00:03:26
11:01 AM: Starting Registry Sweep
11:01 AM: Found Adware: screensavers
11:01 AM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (2 subtraces) (ID = 140550)
11:01 AM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (2 subtraces) (ID = 140555)
11:01 AM: HKLM\software\microsoft\windows\currentversion\uninstall\screensaversinstaller\ (2 subtraces) (ID = 140568)
11:01 AM: HKLM\software\screensavers.com\ (18 subtraces) (ID = 140569)
11:01 AM: Found Adware: websearch toolbar
11:01 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/qdow_as2.dll\ (2 subtraces) (ID = 146482)
11:01 AM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
11:01 AM: Found Adware: winad
11:01 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
11:01 AM: HKLM\software\media gateway\ (10 subtraces) (ID = 359545)
11:01 AM: Found Adware: drsnsrch hijacker
11:01 AM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
11:01 AM: Found Adware: rich editor
11:01 AM: HKLM\system\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\lanbrup.exe\ (1 subtraces) (ID = 552678)
11:01 AM: HKLM\software\lanbridge\ (51 subtraces) (ID = 609177)
11:01 AM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
11:01 AM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
11:01 AM: Found Adware: dealbar toolbar
11:01 AM: HKCR\compbar.getpricebar\ (5 subtraces) (ID = 726184)
11:01 AM: HKCR\compbar.getpricebar.1\ (3 subtraces) (ID = 726190)
11:01 AM: HKCR\mynewsbarlauncher.ie5barlauncher\ (5 subtraces) (ID = 726194)
11:01 AM: HKCR\mynewsbarlauncher.ie5barlauncher.1\ (3 subtraces) (ID = 726200)
11:01 AM: HKCR\clsid\{3d782bb3-f2a5-11d3-bf4c-000000000000}\ (1 subtraces) (ID = 726226)
11:01 AM: HKLM\software\classes\compbar.getpricebar\ (5 subtraces) (ID = 726303)
11:01 AM: HKLM\software\classes\compbar.getpricebar.1\ (3 subtraces) (ID = 726309)
11:01 AM: HKLM\software\classes\mynewsbarlauncher.ie5barlauncher\ (5 subtraces) (ID = 726313)
11:01 AM: HKLM\software\classes\mynewsbarlauncher.ie5barlauncher.1\ (3 subtraces) (ID = 726337)
11:01 AM: HKLM\software\classes\clsid\{3d782bb3-f2a5-11d3-bf4c-000000000000}\ (1 subtraces) (ID = 726363)
11:01 AM: Found Adware: safesurf
11:01 AM: HKCR\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730924)
11:01 AM: HKLM\software\classes\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730979)
11:01 AM: HKLM\software\picshow\ (26 subtraces) (ID = 730989)
11:01 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
11:01 AM: Found Adware: 180search assistant/zango
11:01 AM: HKCR\clsid\{d676f999-4608-4dc5-a135-4f51f4212739}\ (1 subtraces) (ID = 792270)
11:01 AM: HKLM\software\classes\clsid\{d676f999-4608-4dc5-a135-4f51f4212739}\ (1 subtraces) (ID = 792320)
11:01 AM: Found Adware: cas
11:01 AM: HKCR\typelib\{1b8b502e-465b-4022-be4f-fb6d9f808a18}\ (9 subtraces) (ID = 820387)
11:01 AM: HKCR\typelib\{65d99893-a650-4292-83d0-3aff6f39e0b5}\ (9 subtraces) (ID = 820397)
11:01 AM: HKLM\software\italmanager\ (29 subtraces) (ID = 820452)
11:01 AM: HKLM\software\classes\typelib\{1b8b502e-465b-4022-be4f-fb6d9f808a18}\ (9 subtraces) (ID = 820540)
11:01 AM: HKLM\software\classes\typelib\{65d99893-a650-4292-83d0-3aff6f39e0b5}\ (9 subtraces) (ID = 820550)
11:01 AM: HKLM\software\microsoft\windows\currentversion\uninstall\italmgr\ (2 subtraces) (ID = 820572)
11:01 AM: HKLM\system\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ichckupd.exe\ (1 subtraces) (ID = 820614)
11:01 AM: Found Adware: ezula ilookup
11:01 AM: HKLM\software\microsoft\webext\ (1 subtraces) (ID = 828947)
11:01 AM: HKLM\software\microsoft\windows\currentversion\app paths\ichckupd\ (2 subtraces) (ID = 831816)
11:01 AM: Found Adware: multidial
11:01 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/mfc42.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956093)
11:01 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/msvcrt.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956095)
11:01 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/olepro32.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956097)
11:01 AM: Found Adware: fullcontext
11:01 AM: HKCR\typelib\{1b8b502e-465b-4022-be77-fb6d9f808a18}\ (9 subtraces) (ID = 1075392)
11:01 AM: HKLM\software\classes\typelib\{1b8b502e-465b-4022-be77-fb6d9f808a18}\ (9 subtraces) (ID = 1075534)
11:01 AM: Found Adware: ieplugin
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\intexp\ (2 subtraces) (ID = 128173)
11:01 AM: Found Adware: drsnsrch.com hijack
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\microsoft\internet explorer\main\ || search page (ID = 128207)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\salm\ (3 subtraces) (ID = 135792)
11:01 AM: Found Adware: starware toolbar
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\starware\ (12 subtraces) (ID = 142866)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\toolbar\ (34 subtraces) (ID = 146513)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\wintools\ (17 subtraces) (ID = 146514)
11:01 AM: Found Adware: directrevenue-abetterinternet
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\aurorahandler\ (16 subtraces) (ID = 360172)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\aurora\ (37 subtraces) (ID = 360174)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\aurorahandler\ (16 subtraces) (ID = 480802)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\dsrch\ (2 subtraces) (ID = 509156)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\aurorahandler\ || aut9i1m4eofsfinalad (ID = 512963)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\toolbar\ (34 subtraces) (ID = 646239)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-501\software\wintools\ (17 subtraces) (ID = 646241)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\microsoft\internet explorer\main\ || search page (ID = 128207)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\microsoft\internet explorer\explorer bars\{7bed0340-176b-44bc-915e-c21c1dd6f617}\ (1 subtraces) (ID = 142856)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\microsoft\internet explorer\toolbar\webbrowser\ || {7bed0340-176b-44bc-915e-c21c1dd6f617} (ID = 142861)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\starware\ (12 subtraces) (ID = 142866)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\dsrch\ (5 subtraces) (ID = 509156)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\fchelp\ (2 subtraces) (ID = 1075408)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1015\software\microsoft\windows\currentversion\run\ || fchelp (ID = 1075456)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1011\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1011\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1011\software\microsoft\internet explorer\main\ || search page (ID = 128207)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1011\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1011\software\starware\ (12 subtraces) (ID = 142866)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1011\software\aurora\ (37 subtraces) (ID = 360174)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1011\software\dsrch\ (7 subtraces) (ID = 509156)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\internet explorer\main\ || search page (ID = 128207)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\internet explorer\searchurl\ (ID = 128212)
11:01 AM: Found Adware: instant access
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\egdhtml\ (16 subtraces) (ID = 128787)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\windows\currentversion\run\ || instant access (ID = 128817)
11:01 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\windows\currentversion\wintrust\trust providers\software publishing\trust database\0\ || goicfboogidikkejccmclpieicihhlpo bgdjdn (ID = 128845)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\salm\ (3 subtraces) (ID = 135792)
11:02 AM: Found Adware: one2one viewer
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\livesvc\ (ID = 136368)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\starware\ (12 subtraces) (ID = 142866)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\toolbar\ (36 subtraces) (ID = 146513)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\wintools\ (16 subtraces) (ID = 146514)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\aurorahandler\ (22 subtraces) (ID = 360172)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\aurora\ (37 subtraces) (ID = 360174)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\aurorahandler\ (22 subtraces) (ID = 480802)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\dsrch\ (9 subtraces) (ID = 509156)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\aurorahandler\ || aut9i1m4eofsfinalad (ID = 512963)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\toolbar\ (36 subtraces) (ID = 646239)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1010\software\wintools\ (16 subtraces) (ID = 646241)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\intexp\ (2 subtraces) (ID = 128173)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\internet explorer\main\ || search page (ID = 128207)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\egdhtml\ (16 subtraces) (ID = 128787)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\windows\currentversion\run\ || instant access (ID = 128817)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\windows\currentversion\wintrust\trust providers\software publishing\trust database\0\ || goicfboogidikkejccmclpieicihhlpo bgdjdn (ID = 128845)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\salm\ (4 subtraces) (ID = 135792)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\livesvc\ (ID = 136368)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\starware\ (12 subtraces) (ID = 142866)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\toolbar\ (42 subtraces) (ID = 146513)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\wintools\ (19 subtraces) (ID = 146514)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\aurorahandler\ (22 subtraces) (ID = 360172)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\aurora\ (37 subtraces) (ID = 360174)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\aurorahandler\ (22 subtraces) (ID = 480802)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\dsrch\ (9 subtraces) (ID = 509156)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\aurorahandler\ || aut9i1m4eofsfinalad (ID = 512963)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\toolbar\ (42 subtraces) (ID = 646239)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\wintools\ (19 subtraces) (ID = 646241)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1009\software\microsoft\windows\currentversion\run\ || pshower (ID = 730935)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\intexp\ (2 subtraces) (ID = 128173)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\internet explorer\main\ || search page (ID = 128207)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\egdhtml\ (12 subtraces) (ID = 128787)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\windows\currentversion\run\ || instant access (ID = 128817)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\windows\currentversion\wintrust\trust providers\software publishing\trust database\0\ || goicfboogidikkejccmclpieicihhlpo bgdjdn (ID = 128845)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\salm\ (3 subtraces) (ID = 135792)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\livesvc\ (ID = 136368)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\starware\ (12 subtraces) (ID = 142866)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\toolbar\ (38 subtraces) (ID = 146513)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\wintools\ (16 subtraces) (ID = 146514)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\aurorahandler\ (22 subtraces) (ID = 360172)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\aurora\ (37 subtraces) (ID = 360174)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\aurorahandler\ (22 subtraces) (ID = 480802)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\dsrch\ (11 subtraces) (ID = 509156)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\aurorahandler\ || aut9i1m4eofsfinalad (ID = 512963)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\toolbar\ (38 subtraces) (ID = 646239)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1008\software\wintools\ (16 subtraces) (ID = 646241)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\intexp\ (11 subtraces) (ID = 128173)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\internet explorer\main\ || search page (ID = 128207)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\egdhtml\ (13 subtraces) (ID = 128787)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\windows\currentversion\run\ || instant access (ID = 128817)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\windows\currentversion\wintrust\trust providers\software publishing\trust database\0\ || goicfboogidikkejccmclpieicihhlpo bgdjdn (ID = 128845)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\salm\ (11 subtraces) (ID = 135792)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\livesvc\ (ID = 136368)
11:02 AM: Found Adware: privacyscan
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\privacy champion\ (1 subtraces) (ID = 136898)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\windows\currentversion\run\ || privacyscanner (ID = 136899)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {2d51d869-c36b-42bd-ae68-0a81bc771fa5} (ID = 142860)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\starware\ (12 subtraces) (ID = 142866)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\toolbar\ (36 subtraces) (ID = 146513)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\wintools\ (18 subtraces) (ID = 146514)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\zango\ (15 subtraces) (ID = 147919)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\aurorahandler\ (22 subtraces) (ID = 360172)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\aurora\ (38 subtraces) (ID = 360174)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\cmapp\ (12 subtraces) (ID = 381792)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\windows\currentversion\run\ || cmapp (ID = 381808)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\aurorahandler\ (22 subtraces) (ID = 480802)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\dsrch\ (9 subtraces) (ID = 509156)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\aurorahandler\ || aut9i1m4eofsfinalad (ID = 512963)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\toolbar\ (36 subtraces) (ID = 646239)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\wintools\ (18 subtraces) (ID = 646241)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\cmapp\client\ || registered (ID = 724012)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\cmsystem\ (9 subtraces) (ID = 820421)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\windows\currentversion\run\ || ichckupd (ID = 820435)
11:02 AM: Found Adware: hotconnect dialer
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\montorgueil\ (18 subtraces) (ID = 879699)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\cmman\ (9 subtraces) (ID = 980823)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\windows\currentversion\run\ || cmman (ID = 1018857)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\fchelp\ (3 subtraces) (ID = 1075408)
11:02 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1007\software\microsoft\windows\currentversion\run\ || fchelp (ID = 1075456)
11:02 AM: HKU\S-1-5-21-2034715575-3859179852-3284876818-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
11:02 AM: HKU\S-1-5-21-2034715575-3859179852-3284876818-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
11:02 AM: HKU\S-1-5-21-2034715575-3859179852-3284876818-1006\software\starware\ (12 subtraces) (ID = 142866)
11:02 AM: HKU\S-1-5-21-2034715575-3859179852-3284876818-1006\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:02 AM: HKU\S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
11:02 AM: HKU\S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
11:02 AM: Registry Sweep Complete, Elapsed Time:00:01:01
11:02 AM: Starting Cookie Sweep
11:02 AM: Found Spy Cookie: 2o7.net cookie
11:02 AM: zakariya@2o7[1].txt (ID = 1957)
11:02 AM: Found Spy Cookie: 888 cookie
11:02 AM: zakariya@888[1].txt (ID = 2019)
11:02 AM: Found Spy Cookie: websponsors cookie
11:02 AM: zakariya@a.websponsors[2].txt (ID = 3665)
11:02 AM: Found Spy Cookie: aa cookie
11:02 AM: zakariya@aa[1].txt (ID = 2029)
11:02 AM: Found Spy Cookie: go.com cookie
11:02 AM: zakariya@abcfamily.go[1].txt (ID = 2729)
11:02 AM: Found Spy Cookie: abetterinternet cookie
11:02 AM: zakariya@abetterinternet[1].txt (ID = 2035)
11:02 AM: Found Spy Cookie: about cookie
11:02 AM: zakariya@about[1].txt (ID = 2037)
11:02 AM: Found Spy Cookie: yieldmanager cookie
11:02 AM: zakariya@ad.yieldmanager[1].txt (ID = 3751)
11:02 AM: Found Spy Cookie: adknowledge cookie
11:02 AM: zakariya@adknowledge[1].txt (ID = 2072)
11:02 AM: Found Spy Cookie: adrevservice cookie
11:02 AM: zakariya@adrevservice[1].txt (ID = 2091)
11:02 AM: Found Spy Cookie: cc214142 cookie
11:02 AM: zakariya@ads.cc214142[2].txt (ID = 2367)
11:02 AM: Found Spy Cookie: pointroll cookie
11:02 AM: zakariya@ads.pointroll[1].txt (ID = 3148)
11:02 AM: Found Spy Cookie: adultrevenueservice cookie
11:02 AM: zakariya@adultrevenueservice[1].txt (ID = 2167)
11:02 AM: zakariya@anime.about[1].txt (ID = 2038)
11:02 AM: Found Spy Cookie: falkag cookie
11:02 AM: zakariya@as-us.falkag[1].txt (ID = 2650)
11:02 AM: Found Spy Cookie: ask cookie
11:02 AM: zakariya@ask[1].txt (ID = 2245)
11:02 AM: Found Spy Cookie: atlas dmt cookie
11:02 AM: zakariya@atdmt[2].txt (ID = 2253)
11:02 AM: Found Spy Cookie: belnk cookie
11:02 AM: zakariya@ath.belnk[1].txt (ID = 2293)
11:02 AM: Found Spy Cookie: atwola cookie
11:02 AM: zakariya@atwola[1].txt (ID = 2255)
11:02 AM: Found Spy Cookie: azjmp cookie
11:02 AM: zakariya@azjmp[2].txt (ID = 2270)
11:02 AM: Found Spy Cookie: a cookie
11:02 AM: zakariya@a[2].txt (ID = 2027)
11:02 AM: zakariya@belnk[2].txt (ID = 2292)
11:02 AM: Found Spy Cookie: bizrate cookie
11:02 AM: zakariya@bizrate[2].txt (ID = 2308)
11:02 AM: Found Spy Cookie: btgrab cookie
11:02 AM: zakariya@btg.btgrab[1].txt (ID = 2333)
11:02 AM: zakariya@btg.btgrab[2].txt (ID = 2333)
11:02 AM: Found Spy Cookie: burstnet cookie
11:02 AM: zakariya@burstnet[2].txt (ID = 2336)
11:02 AM: Found Spy Cookie: goclick cookie
11:02 AM: zakariya@c.goclick[1].txt (ID = 2733)
11:02 AM: Found Spy Cookie: gostats cookie
11:02 AM: zakariya@c3.gostats[1].txt (ID = 2748)
11:02 AM: Found Spy Cookie: ccbill cookie
11:02 AM: zakariya@ccbill[2].txt (ID = 2369)
11:02 AM: Found Spy Cookie: cliks cookie
11:02 AM: zakariya@cliks[2].txt (ID = 2414)
11:02 AM: Found Spy Cookie: dealtime cookie
11:02 AM: zakariya@dealtime[1].txt (ID = 2505)
11:02 AM: zakariya@dist.belnk[1].txt (ID = 2293)
11:02 AM: Found Spy Cookie: webservicehosts cookie
11:02 AM: zakariya@dr.webservicehosts[2].txt (ID = 3663)
11:02 AM: Found Spy Cookie: gamespy cookie
11:02 AM: zakariya@gamespy[1].txt (ID = 2719)
11:02 AM: zakariya@gostats[1].txt (ID = 2747)
11:02 AM: Found Spy Cookie: metareward.com cookie
11:02 AM: zakariya@metareward[2].txt (ID = 2990)
11:02 AM: Found Spy Cookie: military cookie
11:02 AM: zakariya@military[1].txt (ID = 2996)
11:02 AM: Found Spy Cookie: mywebsearch cookie
11:02 AM: zakariya@mywebsearch[2].txt (ID = 3051)
11:02 AM: Found Spy Cookie: nextag cookie
11:02 AM: zakariya@nextag[2].txt (ID = 5014)
11:02 AM: Found Spy Cookie: offeroptimizer cookie
11:02 AM: zakariya@offeroptimizer[1].txt (ID = 3087)
11:02 AM: Found Spy Cookie: outster cookie
11:02 AM: zakariya@outster[2].txt (ID = 3103)
11:02 AM: Found Spy Cookie: partypoker cookie
11:02 AM: zakariya@partypoker[2].txt (ID = 3111)
11:02 AM: Found Spy Cookie: paypopup cookie
11:02 AM: zakariya@paypopup[1].txt (ID = 3119)
11:02 AM: Found Spy Cookie: pricegrabber cookie
11:02 AM: zakariya@pricegrabber[1].txt (ID = 3185)
11:02 AM: Found Spy Cookie: rightmedia cookie
11:02 AM: zakariya@rightmedia[1].txt (ID = 3259)
11:02 AM: Found Spy Cookie: spywarestormer cookie
11:02 AM: zakariya@spywarestormer[2].txt (ID = 3417)
11:02 AM: zakariya@stat.dealtime[1].txt (ID = 2506)
11:02 AM: Found Spy Cookie: toplist cookie
11:02 AM: zakariya@toplist[1].txt (ID = 3557)
11:02 AM: zakariya@toplist[2].txt (ID = 3557)
11:02 AM: Found Spy Cookie: tracking cookie
11:02 AM: zakariya@tracking[2].txt (ID = 3571)
11:02 AM: Found Spy Cookie: tribalfusion cookie
11:02 AM: zakariya@tribalfusion[1].txt (ID = 3589)
11:02 AM: Found Spy Cookie: burstbeacon cookie
11:02 AM: zakariya@www.burstbeacon[1].txt (ID = 2335)
11:02 AM: zakariya@www.burstnet[1].txt (ID = 2337)
11:02 AM: Found Spy Cookie: hardcoresexshack cookie
11:02 AM: zakariya@www.hardcoresexshack[1].txt (ID = 2764)
11:02 AM: Found Spy Cookie: xiti cookie
11:02 AM: zakariya@xiti[1].txt (ID = 3717)
11:02 AM: Found Spy Cookie: yadro cookie
11:02 AM: zakariya@yadro[2].txt (ID = 3743)
11:02 AM: safiyah@2o7[1].txt (ID = 1957)
11:02 AM: Found Spy Cookie: 412 cookie
11:02 AM: safiyah@412[2].txt (ID = 1969)
11:02 AM: Found Spy Cookie: 447 cookie
11:02 AM: safiyah@447[2].txt (ID = 1973)
11:02 AM: Found Spy Cookie: 64.62.232 cookie
11:02 AM: safiyah@64.62.232[2].txt (ID = 1987)
11:02 AM: safiyah@64.62.232[3].txt (ID = 1987)
11:02 AM: safiyah@64.62.232[4].txt (ID = 1987)
11:02 AM: safiyah@64.62.232[5].txt (ID = 1987)
11:02 AM: safiyah@64.62.232[6].txt (ID = 1987)
11:02 AM: safiyah@888[2].txt (ID = 2019)
11:02 AM: safiyah@a.websponsors[2].txt (ID = 3665)
11:02 AM: safiyah@abc.go[2].txt (ID = 2729)
11:02 AM: safiyah@abcfamily.go[2].txt (ID = 2729)
11:02 AM: safiyah@abetterinternet[1].txt (ID = 2035)
11:02 AM: safiyah@about[2].txt (ID = 2037)
11:02 AM: safiyah@ad.yieldmanager[2].txt (ID = 3751)
11:02 AM: Found Spy Cookie: adecn cookie
11:02 AM: safiyah@adecn[2].txt (ID = 2063)
11:02 AM: safiyah@adknowledge[1].txt (ID = 2072)
11:02 AM: Found Spy Cookie: adlegend cookie
11:02 AM: safiyah@adlegend[1].txt (ID = 2074)
11:02 AM: Found Spy Cookie: hbmediapro cookie
11:02 AM: safiyah@adopt.hbmediapro[2].txt (ID = 2768)
11:02 AM: Found Spy Cookie: hotbar cookie
11:02 AM: safiyah@adopt.hotbar[2].txt (ID = 4207)
11:02 AM: Found Spy Cookie: precisead cookie
11:02 AM: safiyah@adopt.precisead[1].txt (ID = 3182)
11:02 AM: Found Spy Cookie: specificclick.com cookie
11:02 AM: safiyah@adopt.specificclick[1].txt (ID = 3400)
11:02 AM: Found Spy Cookie: adorigin cookie
11:02 AM: safiyah@adorigin[1].txt (ID = 2082)
11:02 AM: Found Spy Cookie: adprofile cookie
11:02 AM: safiyah@adprofile[1].txt (ID = 2084)
11:02 AM: safiyah@ads.cc214142[1].txt (ID = 2367)
11:02 AM: Found Spy Cookie: starpulse cookie
11:02 AM: safiyah@ads.starpulse[1].txt (ID = 3440)
11:02 AM: Found Spy Cookie: adultfriendfinder cookie
11:02 AM: safiyah@adultfriendfinder[2].txt (ID = 2165)
11:02 AM: Found Spy Cookie: advertising cookie
11:02 AM: safiyah@advertising[1].txt (ID = 2175)
11:02 AM: Found Spy Cookie: angelfire cookie
11:02 AM: safiyah@angelfire[1].txt (ID = 2221)
11:02 AM: safiyah@ask[1].txt (ID = 2245)
11:02 AM: safiyah@atdmt[2].txt (ID = 2253)
11:02 AM: safiyah@ath.belnk[2].txt (ID = 2293)
11:02 AM: safiyah@atwola[2].txt (ID = 2255)
11:02 AM: safiyah@azjmp[2].txt (ID = 2270)
11:02 AM: safiyah@a[1].txt (ID = 2027)
11:02 AM: safiyah@a[3].txt (ID = 2027)
11:02 AM: safiyah@a[4].txt (ID = 2027)
11:02 AM: Found Spy Cookie: bannerspace cookie
11:02 AM: safiyah@bannerspace[1].txt (ID = 2284)
11:02 AM: Found Spy Cookie: banners cookie
11:02 AM: safiyah@banners[1].txt (ID = 2282)
11:02 AM: Found Spy Cookie: banner cookie
11:02 AM: safiyah@banner[1].txt (ID = 2276)
11:02 AM: safiyah@belnk[1].txt (ID = 2292)
11:02 AM: safiyah@bizrate[1].txt (ID = 2308)
11:02 AM: Found Spy Cookie: bravenet cookie
11:02 AM: safiyah@bravenet[2].txt (ID = 2322)
11:02 AM: safiyah@btg.btgrab[2].txt (ID = 2333)
11:02 AM: safiyah@btg.btgrab[3].txt (ID = 2333)
11:02 AM: safiyah@burstnet[2].txt (ID = 2336)
11:02 AM: safiyah@c.goclick[1].txt (ID = 2733)
11:02 AM: safiyah@c3.gostats[2].txt (ID = 2748)
11:02 AM: Found Spy Cookie: callwave cookie
11:02 AM: safiyah@callwave[1].txt (ID = 2342)
11:02 AM: Found Spy Cookie: casalemedia cookie
11:02 AM: safiyah@casalemedia[2].txt (ID = 2354)
11:02 AM: Found Spy Cookie: commission junction cookie
11:02 AM: safiyah@cj[1].txt (ID = 2453)
11:02 AM: Found Spy Cookie: classmates cookie
11:02 AM: safiyah@classmates[2].txt (ID = 2384)
11:02 AM: safiyah@cliks[1].txt (ID = 2414)
11:02 AM: Found Spy Cookie: tickle cookie
11:02 AM: safiyah@cookie.tickle[1].txt (ID = 3530)
11:02 AM: safiyah@countrymusic.about[2].txt (ID = 2038)
11:02 AM: safiyah@dealtime[2].txt (ID = 2505)
11:02 AM: Found Spy Cookie: did-it cookie
11:02 AM: safiyah@did-it[2].txt (ID = 2523)
11:02 AM: safiyah@dist.belnk[1].txt (ID = 2293)
11:02 AM: safiyah@dr.webservicehosts[1].txt (ID = 3663)
11:02 AM: Found Spy Cookie: empnads cookie
11:02 AM: safiyah@empnads[2].txt (ID = 5012)
11:02 AM: Found Spy Cookie: exitexchange cookie
11:02 AM: safiyah@exitexchange[2].txt (ID = 2633)
11:02 AM: Found Spy Cookie: expage cookie
11:02 AM: safiyah@expage[2].txt (ID = 2637)
11:02 AM: Found Spy Cookie: fastclick cookie
11:02 AM: safiyah@fastclick[2].txt (ID = 2651)
11:02 AM: safiyah@forums.go[1].txt (ID = 2729)
11:02 AM: Found Spy Cookie: go2net.com cookie
11:02 AM: safiyah@go2net[1].txt (ID = 2730)
11:02 AM: safiyah@go[1].txt (ID = 2728)
11:02 AM: Found Spy Cookie: starware.com cookie
11:02 AM: safiyah@h.starware[1].txt (ID = 3442)
11:02 AM: Found Spy Cookie: clickandtrack cookie
11:02 AM: safiyah@hits.clickandtrack[1].txt (ID = 2397)
11:02 AM: safiyah@hollywoodrecords.go[2].txt (ID = 2729)
11:02 AM: Found Spy Cookie: screensavers.com cookie
11:02 AM: safiyah@i.screensavers[1].txt (ID = 3298)
11:02 AM: Found Spy Cookie: kount cookie
11:02 AM: safiyah@kount[1].txt (ID = 2911)
11:02 AM: Found Spy Cookie: maxserving cookie
11:02 AM: safiyah@maxserving[2].txt (ID = 2966)
11:02 AM: safiyah@media.fastclick[1].txt (ID = 2652)
11:02 AM: safiyah@metareward[2].txt (ID = 2990)
11:02 AM: safiyah@military[2].txt (ID = 2996)
11:02 AM: safiyah@movies.about[1].txt (ID = 2038)
11:02 AM: safiyah@mywebsearch[2].txt (ID = 3051)
11:02 AM: safiyah@nextag[2].txt (ID = 5014)
11:02 AM: safiyah@offeroptimizer[1].txt (ID = 3087)
11:02 AM: Found Spy Cookie: touchclarity cookie
11:02 AM: safiyah@partypoker.touchclarity[1].txt (ID = 3567)
11:02 AM: safiyah@partypoker[1].txt (ID = 3111)
11:02 AM: safiyah@paypopup[2].txt (ID = 3119)
11:02 AM: safiyah@pricegrabber[1].txt (ID = 3185)
11:02 AM: safiyah@primetimetv.about[1].txt (ID = 2038)
11:02 AM: safiyah@quiz.disney.go[1].txt (ID = 2729)
11:02 AM: Found Spy Cookie: reunion cookie
11:02 AM: safiyah@reunion[2].txt (ID = 3255)
11:02 AM: safiyah@rightmedia[2].txt (ID = 3259)
11:02 AM: safiyah@rsi.abc.go[1].txt (ID = 2729)
11:02 AM: safiyah@search.starware[1].txt (ID = 3442)
11:02 AM: Found Spy Cookie: search123 cookie
11:02 AM: safiyah@search123[2].txt (ID = 3305)
11:02 AM: Found Spy Cookie: servedby advertising cookie
11:02 AM: safiyah@servedby.advertising[2].txt (ID = 3335)
11:02 AM: Found Spy Cookie: servlet cookie
11:02 AM: safiyah@servlet[1].txt (ID = 3345)
11:02 AM: Found Spy Cookie: sirsearch cookie
11:02 AM: safiyah@sirsearch[1].txt (ID = 3379)
11:02 AM: safiyah@starware[2].txt (ID = 3441)
11:02 AM: safiyah@stat.dealtime[1].txt (ID = 2506)
11:02 AM: Found Spy Cookie: reliablestats cookie
11:02 AM: safiyah@stats1.reliablestats[2].txt (ID = 3254)
11:02 AM: safiyah@teentvmovies.about[1].txt (ID = 2038)
11:02 AM: safiyah@top40.about[1].txt (ID = 2038)
11:02 AM: safiyah@toplist[1].txt (ID = 3557)
11:02 AM: safiyah@tracking[1].txt (ID = 3571)
11:02 AM: safiyah@travelwithkids.about[1].txt (ID = 2038)
11:02 AM: Found Spy Cookie: trb.com cookie
11:02 AM: safiyah@trb[2].txt (ID = 3587)
11:02 AM: Found Spy Cookie: clickzs cookie
11:02 AM: safiyah@vip.clickzs[2].txt (ID = 2413)
11:02 AM: Found Spy Cookie: webpower cookie
11:02 AM: safiyah@webpower[2].txt (ID = 3660)
11:02 AM: safiyah@wgntv.trb[1].txt (ID = 3588)
11:02 AM: safiyah@www.burstbeacon[2].txt (ID = 2335)
11:02 AM: safiyah@www.burstnet[2].txt (ID = 2337)
11:02 AM: safiyah@www.metareward[1].txt (ID = 2991)
11:02 AM: Found Spy Cookie: redzip cookie
11:02 AM: safiyah@www.redzip[1].txt (ID = 3250)
11:02 AM: safiyah@www.screensavers[2].txt (ID = 3298)
11:02 AM: safiyah@www.starpulse[1].txt (ID = 3440)
11:02 AM: Found Spy Cookie: upspiral cookie
11:02 AM: safiyah@www.upspiral[1].txt (ID = 3615)
11:02 AM: safiyah@xiti[1].txt (ID = 3717)
11:02 AM: safiyah@yadro[1].txt (ID = 3743)
11:02 AM: safiyah@yieldmanager[2].txt (ID = 3749)
11:02 AM: khaliyl@2o7[1].txt (ID = 1957)
11:02 AM: khaliyl@a.websponsors[1].txt (ID = 3665)
11:02 AM: khaliyl@abetterinternet[1].txt (ID = 2035)
11:02 AM: khaliyl@about[2].txt (ID = 2037)
11:02 AM: khaliyl@ad.yieldmanager[2].txt (ID = 3751)
11:02 AM: khaliyl@adknowledge[2].txt (ID = 2072)
11:02 AM: khaliyl@adlegend[1].txt (ID = 2074)
11:02 AM: khaliyl@adopt.hbmediapro[2].txt (ID = 2768)

HERE IS HJT WHICH WAS JUST RUN:

Logfile of HijackThis v1.99.1
Scan saved at 1:09:51 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Starting on the next account; sorry about the delay, I work at home (translator) and am getting behind a bit....
Old 01-16-2006, 02:48 PM   #26 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,480
OS: 2000 Pro; XP Pro; XP Home


Now....that's progress. Glad we were able to get the proper trial version...the one that helps us clean. As you can see, it's very effective. Once we're through, you may want to consider purchasing this one. I usually tout freeware, but this one seems to be worth it, especially with 6 kids on the internet.

Ok, so Mommy is the account we were working on all this time...right? It looks good to me.

Now, one by one, work the other user accounts, and post a HJT log after the sweeps.

I'll be here.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 01-16-2006, 03:03 PM   #27 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


This is the user

GUEST


Spysweeper Log



HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 3:54:15 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [pezlta] c:\windows\system32\pezlta.exe -start
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Looks like some junk in here.

I will not be back for a couple of hours.....
Old 01-16-2006, 07:41 PM   #28 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


This is the user account for Zak; I am not typing that crazy name he gave it.

This time I ran CCleaner first to relieve us of all those cookies.

Here is Spysweeper log:

5:23 PM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
5:23 PM: | End of Session, Monday, January 16, 2006 |


Here is the HJT log which I just made:

Logfile of HijackThis v1.99.1
Scan saved at 8:36:00 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [lyzfmgqu] c:\windows\system32\lyzfmgqu.exe lyzfmgqu
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Sorry about all those cookies last time.

I'm going to catch some rest and return tomorrow..... I really am very grateful for your help.
Old 01-16-2006, 07:47 PM   #29 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,480
OS: 2000 Pro; XP Pro; XP Home


Hi stretched -

Before you post any more logs...what I meant was we'd clean one user at a time.
I'm seeing infections on both of those....so don't post any more HJT user logs until I ask, ok?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 01-16-2006, 08:32 PM   #30 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,480
OS: 2000 Pro; XP Pro; XP Home


For GUEST account:

Fix this entry with HJT:

O4 - HKCU\..\Run: [pezlta] c:\windows\system32\pezlta.exe -start

Search for this file and delete it if present:

c:\windows\system32\pezlta.exe

IF it resists, delete from safe mode.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Post a new HJT log, along with Kaspersky results.
Old 01-17-2006, 09:41 AM   #31 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


I deleted that file, and here are the GUEST logs

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 17, 2006 10:35:23
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/01/2006
Kaspersky Anti-Virus database records: 171560
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 38204
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 1
Duration of the scan process: 2458 sec

Infected Object Name - Virus Name
C:\Program Files\Common Files\Nullsoft\ActiveX\plugins\in_wave.dll Suspicious: Type_Win32

Scan process completed.

*************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:37:32 AM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Old 01-17-2006, 02:35 PM   #32 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,480
OS: 2000 Pro; XP Pro; XP Home


A question -

How many users are Administrator accounts? You can check this in Control Panel -> User Accounts

OK, GUEST is clean. We can safely ignore that file Kaspersky found.

Now, Zak account -

Fix these entries with HJT:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [lyzfmgqu] c:\windows\system32\lyzfmgqu.exe lyzfmgqu

Uninstall if present:

Mailskinner

Delete these files/folders if present:

c:\program files\mailskinner
c:\windows\system32\lyzfmgqu.exe

If they resist deletion, boot to safe mode, and delete from there.

Normal mode now.

Run a Kaspersky scan.

Post those results, and a new HJT log for Zak.
Last edited by tetonbob; 01-17-2006 at 02:36 PM.
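The entries the helper singled out in posts #30 and #32 share a pattern: a Run value whose name is a random-looking lowercase string, loading a same-named executable dropped into system32. The following triage script is an added example, not part of this thread or of HijackThis; it parses O4 lines in the HJT 1.99.1 format and scores them with constructed heuristics (the vowel-ratio and consonant-run thresholds, the Windows-directory check, and the sample lines are all assumptions) so a reviewer can see which autoruns deserve the fix-then-delete treatment first.

```python
"""Triage the O4 (Run key) entries of a HijackThis 1.99.1 log.

Added example, not part of this thread or of HijackThis. It parses O4 lines
and flags autoruns whose executable name looks machine-generated, like the
lyzfmgqu.exe and pezlta.exe entries the helper asked to be fixed. The
thresholds are constructed heuristics meant to prioritise a reviewer's eye,
not a signature database: a named adware loader such as MailSkinner is not
caught by randomness alone and still needs a lookup by name.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in the format HijackThis prints: the two entries the
# helper told the poster to fix, alongside entries that were left alone.
SAMPLE_HJT_LINES = [
    r'O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart',
    r'O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe',
    r'O4 - HKCU\..\Run: [lyzfmgqu] c:\windows\system32\lyzfmgqu.exe lyzfmgqu',
    r'O4 - HKCU\..\Run: [pezlta] c:\windows\system32\pezlta.exe -start',
    r'O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE',
]

# O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# HJT prints unquoted paths containing spaces verbatim, so the image/argument
# split happens at the executable extension, not at the first whitespace.
CMD_RE = re.compile(
    r'^"?(?P<image>.+?\.(?:exe|com|scr|bat|dll))"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# A loose executable dropped straight into the Windows or System32 directory.
WINDIR_RE = re.compile(r'^[a-z]:\\windows(?:\\system32)?\\[^\\]+$', re.IGNORECASE)
VOWELS = set('aeiou')


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str   # registry value name shown in [brackets]
    image: str  # executable path with surrounding quotes stripped
    args: str


@dataclass
class Finding:
    name: str
    image: str
    reasons: List[str]


def parse_o4_run(line: str) -> Optional[RunEntry]:
    """Return the Run-key entry on an O4 line, or None for other O4 forms."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None  # Global Startup shortcuts and the like are not Run values
    c = CMD_RE.match(m.group('cmd').strip())
    if not c:
        return None  # no recognisable executable: leave it for manual review
    return RunEntry(m.group('hive'), m.group('key'), m.group('name'),
                    c.group('image'), c.group('args') or '')


def file_stem(image: str) -> str:
    """'c:\\windows\\system32\\pezlta.exe' -> 'pezlta'"""
    return image.rsplit('\\', 1)[-1].rsplit('.', 1)[0]


def looks_generated(stem: str) -> bool:
    """Lowercase-only stem of six or more letters with few vowels or a long
    consonant run; real product names rarely look like this."""
    if not re.fullmatch(r'[a-z]{6,}', stem):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    longest_consonant_run = max(len(run) for run in re.split(r'[aeiou]+', stem))
    return vowel_ratio < 0.35 or longest_consonant_run >= 4


def triage(lines: Iterable[str]) -> List[Finding]:
    """Flag Run entries that combine a generated-looking file name with at
    least one more sign of a dropped loader."""
    findings = []
    for line in lines:
        entry = parse_o4_run(line)
        if entry is None:
            continue
        stem = file_stem(entry.image)
        if not looks_generated(stem):
            continue
        reasons = ['file name looks machine-generated']
        if WINDIR_RE.match(entry.image):
            reasons.append('executable dropped directly into the Windows directory')
        if entry.name == stem:
            reasons.append('registry value name copied verbatim from the file name')
        if len(reasons) >= 2:
            findings.append(Finding(entry.name, entry.image, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_HJT_LINES):
        print(f'[{f.name}] {f.image}')
        for reason in f.reasons:
            print('   -', reason)
        print('   action: fix the O4 entry in HijackThis, then delete the file'
              ' (from safe mode if it resists)')
```

On the sample lines only lyzfmgqu and pezlta are flagged; MSMSGS has a vowel-free name too but lives under Program Files with a differently cased value name, which is why the second signal is required.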
Old 01-17-2006, 08:55 PM   #33 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Sorry about the delay; for some reason the Kaspersky scan took nearly three hours (see the log).

I removed all that stuff per your instructions, and I did not find Mailskinner nor the other one via visual search after fixing it with HJT; I ran a Start/Search for Mailskinner too. I was sure that hidden files were visible as well. Here is the Kaspersky scan; it found one item:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 17, 2006 21:44:45
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/01/2006
Kaspersky Anti-Virus database records: 171637
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 77008
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 10445 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP396\A0422762.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m

Scan process completed.
*************************************
Logfile of HijackThis v1.99.1
Scan saved at 9:52:14 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

*****************************************************

You asked how many users are admins, the answer is six, I can change that if I should.

Also, I do not mind if you want to stop helping; others probably need your help more than me now. I may be able to get most of the rest of this done myself. Maybe you want to give me a few general pointers on top of all the time you have sacrificed already; it is greatly appreciated.
Old 01-17-2006, 09:07 PM   #34 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,480
OS: 2000 Pro; XP Pro; XP Home


For now, it's to our advantage that all accounts are admin. When we're done, to retake control from the kids, you may want to consider making their accounts Limited. This will prevent the installation of some software. Might mean more work or hassles for you, but the effect should be a cleaner system.

No worries, stretched....we have other helpers as well, and I am helping other members. Let's keep plugging.

Zak account:

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK.

Now clean.

Next user account, SpySweeper, Ewido, HJT logs, please.
Old 01-18-2006, 11:27 AM   #35 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


This is user account "rocky"

Webroot Spysweeper Log (did this yesterday)
********
10:53 AM: | Start of Session, Tuesday, January 17, 2006 |
10:53 AM: Spy Sweeper started
10:53 AM: Sweep initiated using definitions version 602
10:53 AM: Starting Memory Sweep
10:57 AM: Memory Sweep Complete, Elapsed Time: 00:03:11
10:57 AM: Starting Registry Sweep
10:57 AM: Found Adware: websearch toolbar
10:57 AM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
10:58 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
10:58 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
10:58 AM: Registry Sweep Complete, Elapsed Time:00:01:09
10:58 AM: Starting Cookie Sweep
10:58 AM: Found Spy Cookie: ask cookie
10:58 AM: guest@ask[1].txt (ID = 2245)
10:58 AM: Cookie Sweep Complete, Elapsed Time: 00:00:07
10:58 AM: Starting File Sweep
11:08 AM: Found Adware: exact cashback/bargain buddy
11:08 AM: a0422763.exe (ID = 116175)
11:36 AM: File Sweep Complete, Elapsed Time: 00:38:05
11:36 AM: Full Sweep has completed. Elapsed time 00:42:50
11:36 AM: Traces Found: 15
11:37 AM: Removal process initiated
11:37 AM: Quarantining All Traces: websearch toolbar
11:37 AM: websearch toolbar is in use. It will be removed on reboot.
11:37 AM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
11:37 AM: Quarantining All Traces: exact cashback/bargain buddy
11:37 AM: Quarantining All Traces: ask cookie
11:37 AM: Removal process completed. Elapsed time 00:00:22
********
9:16 AM: | Start of Session, Tuesday, January 17, 2006 |
9:16 AM: Spy Sweeper started
9:16 AM: Sweep initiated using definitions version 602
9:16 AM: Starting Memory Sweep
9:20 AM: Memory Sweep Complete, Elapsed Time: 00:03:04
9:20 AM: Starting Registry Sweep
9:20 AM: Found Adware: websearch toolbar
9:20 AM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
9:21 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
9:21 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
9:21 AM: Registry Sweep Complete, Elapsed Time:00:01:06
9:21 AM: Starting Cookie Sweep
9:21 AM: Found Spy Cookie: pointroll cookie
9:21 AM: zakariya@ads.pointroll[1].txt (ID = 3148)
9:21 AM: Found Spy Cookie: advertising cookie
9:21 AM: zakariya@advertising[1].txt (ID = 2175)
9:21 AM: Found Spy Cookie: tribalfusion cookie
9:21 AM: zakariya@tribalfusion[1].txt (ID = 3589)
9:21 AM: Cookie Sweep Complete, Elapsed Time: 00:00:08
9:21 AM: Starting File Sweep
9:29 AM: Warning: Failed to open file "c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\rp396\a0422763.exe". Access is denied
9:32 AM: Sweep Canceled
9:32 AM: File Sweep Complete, Elapsed Time: 00:11:18
9:32 AM: Traces Found: 16
9:32 AM: Removal process initiated
9:32 AM: Quarantining All Traces: websearch toolbar
9:32 AM: websearch toolbar is in use. It will be removed on reboot.
9:32 AM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
9:32 AM: Quarantining All Traces: advertising cookie
9:32 AM: Quarantining All Traces: pointroll cookie
9:32 AM: Quarantining All Traces: tribalfusion cookie
9:33 AM: Removal process completed. Elapsed time 00:00:22
10:53 AM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
10:53 AM: | End of Session, Tuesday, January 17, 2006 |
********
9:16 AM: | Start of Session, Tuesday, January 17, 2006 |
9:16 AM: Spy Sweeper started
9:16 AM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
9:16 AM: | End of Session, Tuesday, January 17, 2006 |


HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:18:06 PM, on 1/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ok....
stretched is offline  
Old 01-18-2006, 12:02 PM   #36 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


sorry, I scanned the account "rocky" but I did not save an ewido log, so I am re-scanning it so I can post that log, and another HJT log after it.
stretched is offline  
Old 01-18-2006, 12:39 PM   #37 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Here is the ewido scan log for user account "rocky"

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:33:47 PM, 1/18/2006
+ Report-Checksum: A99E16CC

+ Scan result:

HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Downloads -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\hehehe\Cookies\hehehe@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\hehehe\Cookies\hehehe@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\hehehe\Cookies\hehehe@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\hehehe\Cookies\hehehe@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\hehehe\Cookies\hehehe@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End

And a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:34 PM, on 1/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
stretched is offline  
Old 01-18-2006, 01:55 PM   #38 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,480
OS: 2000 Pro; XP Pro; XP Home


Looks like we're making great progress.

Rocky account:

Fix these with HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing

Run a Kaspersky online scan. Post its log, and a new HJT log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-18-2006, 08:20 PM   #39 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Kaspersky scan was clean for rocky user account, so it gave no report. Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:59 PM, on 1/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I'll bring the info for the next account in the morning, been crazy busy around here today...thanks for the help, looks like it is getting clean....
stretched is offline  
Old 01-18-2006, 09:03 PM   #40 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,480
OS: 2000 Pro; XP Pro; XP Home


That's from Rocky still, right?

It's clean.

Next!
tetonbob is offline  
All times are GMT -7. The time now is 10:04 PM.



Copyright 2001 - 2009, Tech Support Forum