
·
Registered
Joined
·
4 Posts
Discussion Starter #1
IE has been hijacked! Please see if you can help me fix it.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:11:09 PM, on 8/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Kazaa\kazaa.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
c:\documents and settings\sarah\local settings\temp\fsg_4203.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\Sarah\Local Settings\Temp\Temporary Directory 1 for KRC HijackThis Analyzer.zip\KRC HijackThis Analyzer.exe
C:\Documents and Settings\Sarah\My Documents\Virus Protectors\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\System32\azesearch4.ocx
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\System32\azesearch4.ocx
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{962BB70E-BEF7-4773-9729-6EF0DE0AC0DA}: NameServer = 202.150.96.1 202.150.96.2
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
Registered
Joined
·
6,574 Posts
Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Download KazaaBegone http://www.greyknight17.com/spy/KazaaBegone.zip. This uninstaller will remove all elements from all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix http://www.greyknight17.com/spy/WinsockFix.zip just in case you need it (if it breaks your internet connection, run it).

Unplug your computer from the Internet when you have finished downloading


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO SAFE MODE
  1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
  2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  3. Continue to do so until the 'Windows Advanced Options' menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools > Folder Options > View tab.
  2. Enable the option for 'Show hidden files and folders'
  3. Disable the option for 'Hide file extensions for known types'
  4. Disable the option for 'Hide protected operating system files'
  5. Click Yes to confirm & then click OK
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs:
  • iMesh
  • MyWay
  • AZE Search
  • P2P Networking
  • Kazaa
  • Media Access
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & select (tick) the following & click [Fix checked]:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\System32\azesearch4.ocx
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\System32\azesearch4.ocx
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Locate and delete the following folder(s), if present:
  • C:\Program Files\iMesh\
  • C:\Program Files\MyWay\
  • C:\WINDOWS\System32\P2P Networking\
  • C:\Program Files\Kazaa\
  • C:\Program Files\Media Access\
Locate and delete the following file(s), if present:
  • C:\WINDOWS\System32\azesearch4.ocx
  • C:\WINDOWS\system32\iasada.dll

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE. This step is compulsory!

Do an online scan at one of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.
 

·
Registered
Joined
·
4 Posts
Discussion Starter #3
Thanks heaps for your help :) All that has gotten rid of most of the main problems, although our homepage is still being changed.

New hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:50 PM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Sarah\My Documents\Virus Protectors\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.top20results.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



and activescan log


Adware:Adware/WinAD No disinfected C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr476A\MediaAccess.exe
Adware:Adware/WinAD No disinfected C:\Documents and Settings\Sarah\My Documents\My Received Files\crack.exe
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-262.dll
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-551.dll
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-817.inf
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\azentretien.dll
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32a.sys
Adware:adware/azesearch No disinfected C:\WINDOWS\system32\azebar.xml
thanks heaps
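
An added example, not part of the original thread: a small parser that diffs two HijackThis logs so a helper can confirm which entries a fix removed and which settings changed between scans. The function names (`parse_line`, `diff_logs`, `missing_targets`) are hypothetical, and the sample lines are excerpts from the two logs posted above.

```python
import re
from typing import NamedTuple, Optional

# Entry lines look like "O4 - HKLM\..\Run: [name] command"; headers and the
# process list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
MISSING = "(file missing)"


class Entry(NamedTuple):
    code: str      # section code, e.g. "R0", "O2", "O4"
    key: str       # stable identity: registry value, CLSID or Run name
    value: str     # what the setting points at (URL, DLL path, command)
    missing: bool  # HijackThis flagged the target as "(file missing)"


def parse_line(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    code, body = m["code"], m["body"]
    missing = body.endswith(MISSING)
    body = body.replace(MISSING, "").strip()
    if code[0] == "R":
        # "HKCU\...\Main,Start Page = http://..." (the value may be empty)
        key, _, value = body.partition(" =")
        return Entry(code, key, value.strip(), missing)
    clsid = CLSID_RE.search(body)
    if clsid and code in ("O2", "O3", "O16"):
        # Key on the CLSID: display names are easy to change, CLSIDs are not.
        return Entry(code, clsid.group().lower(),
                     body[clsid.end():].lstrip(" -"), missing)
    run = RUN_RE.match(body) if code == "O4" else None
    if run:
        return Entry(code, f"{run['hive']}[{run['name']}]", run["cmd"], missing)
    return Entry(code, body, "", missing)  # other sections: whole line is the key


def parse_log(text: str) -> dict:
    entries = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            entries[(entry.code, entry.key)] = entry
    return entries


def diff_logs(before_text: str, after_text: str) -> dict:
    before, after = parse_log(before_text), parse_log(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted((k, before[k].value, after[k].value)
                          for k in before
                          if k in after and before[k].value != after[k].value),
    }


def missing_targets(text: str) -> list:
    """Entries whose file is gone but whose registry reference remains."""
    return sorted(k for k, e in parse_log(text).items() if e.missing)


# Excerpts from the 8/28/2005 and 8/30/2005 logs in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.top20results.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
"""

if __name__ == "__main__":
    for kind, items in diff_logs(BEFORE, AFTER).items():
        for item in items:
            print(kind, item)
```

On these excerpts the diff reports the three fixed entries as removed, the AltnetPointsManager Run entry as unchanged, and the R0 Start Page value as changed between the two scans.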
 

·
Registered
Joined
·
6,574 Posts
Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.


Unplug your computer from the Internet when you have finished downloading


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose [Yes] at the Warning prompt.
  • Expand the [Tools] menu.
  • Click [Resident].
  • Uncheck the Resident "TeaTimer" (Protection of overall system settings) active box.
  • In the File menu click [Exit] to exit Spybot Search & Destroy.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE
  1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
  2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  3. Continue to do so until the 'Windows Advanced Options' menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools > Folder Options > View tab.
  2. Enable the option for 'Show hidden files and folders'
  3. Disable the option for 'Hide file extensions for known types'
  4. Disable the option for 'Hide protected operating system files'
  5. Click Yes to confirm & then click OK
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs:
  • AltnetPointsManager
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & select (tick) the following & click [Fix checked]:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.top20results.com
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Locate and delete the following folder(s), if present:
  • C:\Program Files\Altnet\
  • C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr476A\
Locate and delete the following file(s), if present:
  • C:\Documents and Settings\Sarah\My Documents\My Received Files\crack.exe
  • C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-262.dll
  • C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-551.dll
  • C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-817.inf
  • C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
  • C:\WINDOWS\azentretien.dll
  • C:\WINDOWS\smdat32a.sys
  • C:\WINDOWS\system32\azebar.xml
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE

Do an online scan at one of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 

·
Registered
Joined
·
4 Posts
Discussion Starter #5
Hi there. Done all that (apart from another online scan); here are the logs you asked for. I'll do another online scan overnight and post the log tomorrow.

Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4D.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4D.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4D.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4E.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4E.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4E.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4F.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4F.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd4F.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd50.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd50.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd50.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd51.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd51.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd51.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd52.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd52.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd52.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd56.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd56.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd56.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd57.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd57.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd57.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd58.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd58.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd58.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd59.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd59.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd59.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5B.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5B.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5B.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5D.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5D.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5D.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5E.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5E.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5E.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5F.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5F.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd5F.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd6.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd6.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd6.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd60.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd60.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd60.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd61.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd61.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd61.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd64.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd64.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd64.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd65.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd65.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd65.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd7.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd7.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd7.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd8.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd8.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd8.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd9.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd9.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmd9.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdA.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdA.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdA.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdB.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdB.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdB.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdC.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdC.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdC.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdD.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdD.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdD.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdE.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdE.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdE.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdF.tmp' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdF.tmp' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\kmdF.tmp'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr0A42' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr0A42' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr0A42'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr476A\MediaAccess.exe' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr476A\MediaAccess.exe' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr476A\MediaAccess.exe'
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr8AAE' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr8AAE' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\Local Settings\Temp\temp.fr8AAE'
Checking for 'C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-640.dll' in shortcut areas.
Checking for 'C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-640.dll' in startup areas.
Cleaning 'C:\Documents and Settings\Sarah\My Documents\Virus Protectors\backups\backup-20050829-212832-640.dll'
Finished Cleaning


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:12:52 PM, on 9/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Documents and Settings\Sarah\My Documents\Virus Protectors\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Logfile of HijackThis v1.99.1
Scan saved at 8:12:52 PM, on 9/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sarah\My Documents\Virus Protectors\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

·
Registered
Joined
·
6,574 Posts
Everything is looking good.

I'll need the online scan as soon as you can. If you could also run TMAS once more I'd appreciate it.

Are you having any more problems?
 

·
Registered
Joined
·
4 Posts
Discussion Starter #7
Hi there, no problems at all :) that seems to have fixed the viruses, and ZoneAlarm seems to be keeping new ones out :) thanks heaps for your help :)
 

·
Registered
Joined
·
6,574 Posts
Your log is clean. Well done.

Do you have any more problems with your computer? If not, you should be set to go.

However, there still remain a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear Java Cache
  1. Click Start > Settings > Control Panel
  2. Click the Java Plugin Icon
  3. Click the Cache tab
  4. Click the Clear button and click OK to confirm
Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun Java's cache.


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start > Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent hiccup, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.

Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
 