Can't connect to the Internet and Hijackthis gets disabled


  • This topic is locked
17 replies to this topic

#1 Gomez

    New Member

Posted 13 April 2006 - 12:28 PM

Hi

Trying to clean up my son's computer. He can no longer connect to the internet and there's clearly a problem. Spybot and Adaware have both run with no effect. I've loaded HiJackthis, and almost as soon as you kick it off it disappears, as do any log files that appear on the screen. The same happens when I try to run msconfig to check what's loading at startup. However I managed to be quick enough to save this log file.

Very grateful for any help!

Logfile of HijackThis v1.99.1
Scan saved at 19:08:24, on 13/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SmFtZXMgSG9sbWVz\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\mousepad9.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\xkrvmm\svshost.exe
C:\WINDOWS\System32\p2pnetworking.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btyahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll
O3 - Toolbar: Supreme Toolbar - {4E7BD74F-2B8D-469E-D7F3-FA7EA480A97D} - C:\WINDOWS\DOWNLO~1\supreme.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: wmplayer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote.../wemade/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.neff...Crypt/npkcx.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFtZXMgSG9sbWVz\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


#2 Siggyx

    SuperHelper

Posted 13 April 2006 - 08:09 PM

Click Start > Run

In the box, type in services.msc then hit <enter> (or click OK)

In the Name column, look for Command Service

<Double-click> it.

Now, click Stop to stop that rogue process.

In the Startup type box, change it to Disabled, then click Apply then OK.

Next scan with hijackthis and put a check beside these lines and choose FIX


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFtZXMgSG9sbWVz\command.exe

Next

Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/

Install it, and update the definitions to the newest files.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#3 Gomez

    New Member

Posted 15 April 2006 - 06:37 AM

Hi Siggyx

Very limited success I'm afraid - when I tried to run services.msc, the results are closed down in a matter of seconds. I've managed however to be quick enough to disable the Command Service process. However when I try to open Hijack and scan, this gets closed down after a couple of seconds. Consequently, haven't been able to check and fix any of the entries. Is there a plan B?

Thanks for your help.

Regards

Graham

#4 Siggyx

    SuperHelper

Posted 15 April 2006 - 08:22 AM

Download TheKillbox from here: http://www.downloads...org/KillBox.zip

Save to your Desktop and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINDOWS\System32\xkrvmm\svshost.exe
C:\windows\newname9.exe
C:\Program Files\winupdates\winupdates.exe /auto
C:\windows\keyboard9.exe
C:\windows\mousepad9.exe

Next

Please download hoster from the link below.

http://www.funkytoad...load/hoster.zip

Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.

Then reboot and post a new log if you can, please.

#5 Gomez

    New Member

Posted 16 April 2006 - 01:53 PM

Hi SiggyX

Thanks for your help. Deleted all the files except for the winupdates.exe which it said it couldn't find. Also restored original hosts, but the host file after this looked a bit strange so I've taken a copy and it's below. Managed to get into Hijackthis OK this time and the log is below as requested.

Logfile of HijackThis v1.99.1
Scan saved at 20:31:32, on 16/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\p2pnetworking.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btyahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll
O3 - Toolbar: Supreme Toolbar - {4E7BD74F-2B8D-469E-D7F3-FA7EA480A97D} - C:\WINDOWS\DOWNLO~1\supreme.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: wmplayer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote.../wemade/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.neff...Crypt/npkcx.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Also the host file

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Cheers

Graham

#6 Siggyx

    SuperHelper

Posted 18 April 2006 - 09:08 AM

Sorry was gone for Easter, can you please post a new hijackthis log.

#7 Gomez

    New Member

Posted 23 April 2006 - 03:57 AM

Hi Siggyx,

I too have been away, hope your break was as good as mine. New log attached - also see note re hosting in my previous post

Logfile of HijackThis v1.99.1
Scan saved at 10:35:16, on 23/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\p2pnetworking.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btyahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll
O3 - Toolbar: Supreme Toolbar - {4E7BD74F-2B8D-469E-D7F3-FA7EA480A97D} - C:\WINDOWS\DOWNLO~1\supreme.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: wmplayer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote.../wemade/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.neff...Crypt/npkcx.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Cheers

Graham

#8 Siggyx

    SuperHelper

Posted 23 April 2006 - 07:43 PM

Download TheKillbox from here: http://www.downloads...org/KillBox.zip

Save to your Desktop and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINDOWS\System32\xkrvmm\svshost.exe
C:\Program Files\winupdates\winupdates.exe
C:\windows\keyboard9.exe
C:\windows\mousepad9.exe
C:\windows\newname9.exe


NEXT scan with hijackthis and put a check beside these lines if present


O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe

NEXT

Please download hoster from the link below.

http://www.funkytoad...load/hoster.zip

NEXT

Please download Asquared from the link below.

http://www.emsisoft....tware/download/

Save it to your desktop.

Open ASquared and check for updates.

Reboot to safe mode

Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.

NEXT

Open ASquared

Then scan your system (this will take some time). After the scan is complete, allow it to fix what it has found. If there is something that it can not clean please let me know what it was.

Then reboot and post a new hijackthis log.

#9 Gomez

    New Member

Posted 24 April 2006 - 02:21 PM

Hi Siggyx

Ran Hijackthis and fixed as instructed. Also ran Hoster in safe mode, but got the same result when I attempted to restore the original files. Couldn't however run a2 - need an internet connection to set up, but couldn't make one.

Up to date Hijackthis log below:-


Logfile of HijackThis v1.99.1
Scan saved at 20:42:24, on 24/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btyahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll
O3 - Toolbar: Supreme Toolbar - {4E7BD74F-2B8D-469E-D7F3-FA7EA480A97D} - C:\WINDOWS\DOWNLO~1\supreme.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: wmplayer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote.../wemade/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.neff...Crypt/npkcx.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
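
Added example, not part of the thread and not any poster's code: a small Python checker for the loop the thread goes through, comparing the lines the helper asked to fix against a later HijackThis log and against that log's running-process list. The two sample logs are short excerpts constructed from the 16 April and 24 April logs posted above, and all function names are hypothetical.

```python
import re
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O4" (autostart) or "O23" (service)
    body: str  # everything after "<code> - "


ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Shortest leading run that ends in an executable extension, quoted or not.
IMAGE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|com|scr|bat))', re.IGNORECASE)


def norm(s: str) -> str:
    """Windows paths are case-insensitive; also collapse runs of spaces."""
    return " ".join(s.split()).lower()


def parse_log(text: str):
    """Return (running process paths, entries) from a HijackThis log or fix list."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if line.lower() == "running processes:":
            in_procs = True
        elif m:
            in_procs = False  # the first entry line ends the process list
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def image_of(entry: Entry) -> Optional[str]:
    """Executable named by an O4 Run-style or O23 entry, without arguments."""
    if entry.code == "O4" and "] " in entry.body:
        command = entry.body.split("] ", 1)[1]
    elif entry.code == "O23":
        command = entry.body.rsplit(" - ", 1)[-1]
    else:
        return None
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else None


def still_present(fix_list: str, log: str):
    """Flagged entries that the later log still contains."""
    seen = {(e.code, norm(e.body)) for e in parse_log(log)[1]}
    return [e for e in parse_log(fix_list)[1] if (e.code, norm(e.body)) in seen]


def still_running(fix_list: str, log: str):
    """Running processes whose image is named by a flagged entry."""
    processes, hits = parse_log(log)[0], []
    for entry in parse_log(fix_list)[1]:
        image = image_of(entry)
        if image is None:
            continue
        want = norm(image)
        for proc in processes:
            have = norm(proc)
            # An entry with no directory (e.g. "p2pnetworking.exe") can only
            # be matched on the file name.
            same = have == want if "\\" in want else have.rsplit("\\", 1)[-1] == want
            if same and proc not in hits:
                hits.append(proc)
    return hits


# Constructed excerpts: a few lines taken from the fix list and logs in this thread.
FIX_LIST = r"""
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFtZXMgSG9sbWVz\command.exe
"""
LOG_16_APRIL = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\winupdates\winupdates.exe
C:\WINDOWS\System32\p2pnetworking.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\xkrvmm\svshost.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
"""
LOG_24_APRIL = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\services.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

if __name__ == "__main__":
    for label, log in (("16 April", LOG_16_APRIL), ("24 April", LOG_24_APRIL)):
        print(label, "entries left:", [e.body for e in still_present(FIX_LIST, log)])
        print(label, "still running:", still_running(FIX_LIST, log))
```

File-name matching for entries without a directory can also hit a legitimate program of the same name, so treat those hits as items to check by full path rather than as confirmed leftovers.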

#10 Siggyx

    SuperHelper

Posted 24 April 2006 - 05:32 PM

Please download and run this winsock repair tool. Once run, reboot and try the internet.

http://www.snapfiles...nsockxpfix.html

If you can not download it I can upload it here for you.


#11 Gomez

    New Member

Posted 25 April 2006 - 02:28 PM

That's better - managed to get through to the internet!

Latest log

Logfile of HijackThis v1.99.1
Scan saved at 20:47:36, on 25/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btyahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D7F3-FA7EA480A97D} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote.../wemade/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.neff...Crypt/npkcx.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Cheers

Graham

#12 Siggyx

    SuperHelper

Posted 25 April 2006 - 08:33 PM

OK scan with hijackthis and put a check beside these lines and choose FIX

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D7F3-FA7EA480A97D} - (no file)

NEXT

Please download WebRoot SpySweeper from HERE >>> http://www.webroot.c...ode=af1&rc=3597 (It's a 2 week trial):
Click the Free Trial link under "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply as well as a new hijackthis log please.

#13 Gomez

    New Member

Posted 27 April 2006 - 02:07 PM

Latest hi jack log and Spy Sweeper log

Logfile of HijackThis v1.99.1
Scan saved at 20:34:41, on 27/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btyahoo.com/
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MessengerPlus3] "\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote.../wemade/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.neff...Crypt/npkcx.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



********
18:25: | Start of Session, 27 April 2006 |
18:25: Spy Sweeper started
18:25: Sweep initiated using definitions version 665
18:25: Starting Memory Sweep
18:27: Memory Sweep Complete, Elapsed Time: 00:01:29
18:27: Starting Registry Sweep
18:27: Found Trojan Horse: fastvideoplayer
18:27: HKCR\interface\{9ff86c1b-7e6f-4a7f-932a-244fe7296dae}\ (8 subtraces) (ID = 126419)
18:27: HKCR\interface\{ee7e970d-3d17-4645-8660-d7f40b917092}\ (8 subtraces) (ID = 126420)
18:27: HKLM\software\classes\interface\{9ff86c1b-7e6f-4a7f-932a-244fe7296dae}\ (8 subtraces) (ID = 126426)
18:27: HKLM\software\classes\interface\{ee7e970d-3d17-4645-8660-d7f40b917092}\ (8 subtraces) (ID = 126427)
18:27: HKLM\software\classes\typelib\{022850cb-74fd-486d-8b1c-573ecfd599ad}\ (9 subtraces) (ID = 126428)
18:27: HKCR\typelib\{022850cb-74fd-486d-8b1c-573ecfd599ad}\ (9 subtraces) (ID = 126429)
18:27: Found Adware: systemprocess
18:27: HKCR\clsid\{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb}\ (4 subtraces) (ID = 860384)
18:27: HKCR\clsid\{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb}\inprocserver32\ (2 subtraces) (ID = 860386)
18:27: HKCR\clsid\{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb}\inprocserver32\ || threadingmodel (ID = 860388)
18:27: HKLM\software\system process\ (10 subtraces) (ID = 860391)
18:27: HKLM\software\system process\ || modid (ID = 860392)
18:27: HKLM\software\system process\ || started (ID = 860395)
18:27: HKLM\software\system process\ || installed (ID = 860396)
18:27: HKLM\software\system process\ || dllver (ID = 860397)
18:27: HKLM\software\system process\ || lastupdatetime (ID = 860398)
18:27: HKLM\software\system process\files\ (4 subtraces) (ID = 860399)
18:27: HKLM\software\system process\files\ || system.dat (ID = 860400)
18:27: HKLM\software\system process\files\ || navshext.dll (ID = 860401)
18:27: HKLM\software\system process\files\ || ustart.exe (ID = 860402)
18:27: HKLM\software\system process\files\ || p.dat (ID = 860403)
18:27: HKLM\software\classes\clsid\{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb}\ (4 subtraces) (ID = 860404)
18:27: HKLM\software\classes\clsid\{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb}\inprocserver32\ (2 subtraces) (ID = 860406)
18:27: HKLM\software\classes\clsid\{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb}\inprocserver32\ || threadingmodel (ID = 860408)
18:27: HKLM\software\microsoft\windows\currentversion\uninstall\startup\ (2 subtraces) (ID = 860412)
18:27: Found Adware: command
18:27: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
18:27: Found Adware: dollarrevenue
18:27: HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
18:27: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
18:27: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
18:27: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
18:27: HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
18:27: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
18:27: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
18:27: HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
18:27: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
18:27: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
18:27: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
18:27: Found Adware: supreme toolbar
18:27: HKCR\supreme.supreme\ (3 subtraces) (ID = 1138128)
18:27: HKCR\supreme.suprememenu button\ (3 subtraces) (ID = 1138132)
18:27: HKCR\supreme.supremetoggle button\ (3 subtraces) (ID = 1138136)
18:27: HKCR\clsid\{4e7bd74f-2b8d-469e-d7f3-fa7ea480a97e}\ (6 subtraces) (ID = 1138140)
18:27: HKCR\clsid\{4e7bd74f-2b8d-469e-d7f3-fa7ea480a97f}\ (6 subtraces) (ID = 1138147)
18:27: HKLM\software\classes\supreme.supreme\ (3 subtraces) (ID = 1138200)
18:27: HKLM\software\classes\supreme.suprememenu button\ (3 subtraces) (ID = 1138204)
18:27: HKLM\software\classes\supreme.supremetoggle button\ (3 subtraces) (ID = 1138208)
18:27: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-d7f3-fa7ea480a97e}\ (6 subtraces) (ID = 1138212)
18:27: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-d7f3-fa7ea480a97f}\ (6 subtraces) (ID = 1138219)
18:27: Found Adware: maxifiles
18:27: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
18:27: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
18:27: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
18:27: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
18:27: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
18:27: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
18:27: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
18:27: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
18:27: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
18:27: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
18:27: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
18:27: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
18:27: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
18:27: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (ID = 1156519)
18:27: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
18:27: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
18:27: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1004\software\system process\ (1 subtraces) (ID = 860389)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1004\software\system process\ || lastptime (ID = 860390)
18:27: Found Adware: qsearch
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1004\software\program data\ (1 subtraces) (ID = 1025463)
18:27: Found Adware: desktop toolbar common components
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\dsktb\ (5 subtraces) (ID = 128171)
18:27: Found Adware: redzip toolbar
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\microsoft\windows\currentversion\explorer\ || insid (ID = 139328)
18:27: Found Adware: surfsidekick
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
18:27: Found Adware: directrevenue-thebestoffersnetwork
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\tbon\ (52 subtraces) (ID = 826461)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\microsoft\windows\currentversion\run\ || tbon (ID = 826497)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\system process\ (1 subtraces) (ID = 860389)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\system process\ || lastptime (ID = 860390)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\director\ || baseurl (ID = 980277)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\program data\ (1 subtraces) (ID = 1025463)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\program info\ (1 subtraces) (ID = 1028138)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\supreme toolbar\ (11 subtraces) (ID = 1138155)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-d7f3-fa7ea480a97d} (ID = 1138171)
18:27: Found Adware: zquest
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
18:27: HKU\S-1-5-21-776561741-1965331169-839522115-1003\software\xbtb04715\ (71 subtraces) (ID = 1156401)
18:27: Registry Sweep Complete, Elapsed Time:00:00:07
18:27: Starting Cookie Sweep
18:27: Found Spy Cookie: 2o7.net cookie
18:27: graham holmes@2o7[2].txt (ID = 1957)
18:27: Found Spy Cookie: touchclarity cookie
18:27: graham holmes@btow.touchclarity[1].txt (ID = 3566)
18:27: Found Spy Cookie: kount cookie
18:27: graham holmes@kount[2].txt (ID = 2911)
18:27: Found Spy Cookie: myaffiliateprogram.com cookie
18:27: graham holmes@www.myaffiliateprogram[1].txt (ID = 3032)
18:27: Found Spy Cookie: belnk cookie
18:27: graham holmes@belnk[1].txt (ID = 2292)
18:27: graham holmes@belnk[3].txt (ID = 2292)
18:27: Found Spy Cookie: 888 cookie
18:27: graham holmes@888[1].txt (ID = 2019)
18:27: Found Spy Cookie: cassava cookie
18:27: graham holmes@cassava[1].txt (ID = 2362)
18:27: Found Spy Cookie: a cookie
18:27: james holmes@a[1].txt (ID = 2027)
18:27: james holmes@888[1].txt (ID = 2019)
18:27: Found Spy Cookie: qsrch cookie
18:27: james holmes@search.qsrch[2].txt (ID = 3216)
18:27: Found Spy Cookie: atlas dmt cookie
18:27: james holmes@atdmt[2].txt (ID = 2253)
18:27: Found Spy Cookie: web-stat cookie
18:27: james holmes@server3.web-stat[1].txt (ID = 3649)
18:27: Found Spy Cookie: rn11 cookie
18:27: james holmes@rn11[1].txt (ID = 3261)
18:27: Found Spy Cookie: desktop kazaa cookie
18:27: james holmes@desktop.kazaa[2].txt (ID = 2515)
18:27: james holmes@belnk[1].txt (ID = 2292)
18:27: james holmes@dist.belnk[2].txt (ID = 2293)
18:27: Found Spy Cookie: teensforcash cookie
18:27: james holmes@teensforcash[2].txt (ID = 3509)
18:27: james holmes@www.teensforcash[2].txt (ID = 3510)
18:27: Found Spy Cookie: bestmovies cookie
18:27: james holmes@bestmovies[2].txt (ID = 2298)
18:27: Found Spy Cookie: hbmediapro cookie
18:27: james holmes@adopt.hbmediapro[2].txt (ID = 2768)
18:27: Found Spy Cookie: webpower cookie
18:27: james holmes@webpower[1].txt (ID = 3660)
18:27: Found Spy Cookie: advertising cookie
18:27: james holmes@advertising[1].txt (ID = 2175)
18:27: Found Spy Cookie: nextag cookie
18:27: james holmes@nextag[1].txt (ID = 5014)
18:27: Found Spy Cookie: mediaplex cookie
18:27: james holmes@mediaplex[1].txt (ID = 6442)
18:27: Found Spy Cookie: falkag cookie
18:27: james holmes@as-us.falkag[2].txt (ID = 2650)
18:27: james holmes@sel.as-us.falkag[2].txt (ID = 2650)
18:27: Found Spy Cookie: yieldmanager cookie
18:27: james holmes@ad.yieldmanager[4].txt (ID = 3751)
18:27: Found Spy Cookie: adecn cookie
18:27: james holmes@adecn[1].txt (ID = 2063)
18:27: james holmes@888[2].txt (ID = 2019)
18:27: james holmes@adopt.hbmediapro[3].txt (ID = 2768)
18:27: Found Spy Cookie: websponsors cookie
18:27: james holmes@a.websponsors[2].txt (ID = 3665)
18:27: Found Spy Cookie: questionmarket cookie
18:27: james holmes@questionmarket[2].txt (ID = 3217)
18:27: james holmes@888[3].txt (ID = 2019)
18:27: james holmes@cassava[1].txt (ID = 2362)
18:27: Found Spy Cookie: about cookie
18:27: james holmes@about[1].txt (ID = 2037)
18:27: Found Spy Cookie: netvenda cookie
18:27: james holmes@netvenda[1].txt (ID = 3073)
18:27: Found Spy Cookie: eadexchange cookie
18:27: james holmes@www.eadexchange[2].txt (ID = 2556)
18:27: james holmes@compsimgames.about[1].txt (ID = 2038)
18:27: Found Spy Cookie: adultfriendfinder cookie
18:27: james holmes@adultfriendfinder[1].txt (ID = 2165)
18:27: james holmes@partypoker.touchclarity[1].txt (ID = 3567)
18:27: Found Spy Cookie: partypoker cookie
18:27: james holmes@partypoker[2].txt (ID = 3111)
18:27: Found Spy Cookie: azjmp cookie
18:27: james holmes@azjmp[1].txt (ID = 2270)
18:27: james holmes@www.netvenda[2].txt (ID = 3074)
18:27: james holmes@desktop.kazaa[3].txt (ID = 2515)
18:27: Found Spy Cookie: ic-live cookie
18:27: james holmes@ic-live[1].txt (ID = 2821)
18:27: Found Spy Cookie: kmpads cookie
18:27: james holmes@kmpads[2].txt (ID = 2909)
18:27: Found Spy Cookie: btgrab cookie
18:27: james holmes@btg.btgrab[2].txt (ID = 2333)
18:27: Found Spy Cookie: adorigin cookie
18:27: james holmes@adorigin[2].txt (ID = 2082)
18:27: james holmes@dist.belnk[3].txt (ID = 2293)
18:27: james holmes@belnk[3].txt (ID = 2292)
18:27: Found Spy Cookie: adknowledge cookie
18:27: james holmes@adknowledge[1].txt (ID = 2072)
18:27: james holmes@azjmp[2].txt (ID = 2270)
18:27: Found Spy Cookie: gamespy cookie
18:27: james holmes@pc.gamespy[1].txt (ID = 2719)
18:27: james holmes@gamespy[2].txt (ID = 2719)
18:27: james holmes@msn.touchclarity[1].txt (ID = 3566)
18:27: Found Spy Cookie: screensavers.com cookie
18:27: james holmes@i.screensavers[2].txt (ID = 3298)
18:27: james holmes@search.qsrch[1].txt (ID = 3216)
18:27: james holmes@ad.yieldmanager[2].txt (ID = 3751)
18:27: Found Spy Cookie: burstnet cookie
18:27: james holmes@burstnet[2].txt (ID = 2336)
18:27: james holmes@msnportal.112.2o7[1].txt (ID = 1958)
18:27: Found Spy Cookie: cliks cookie
18:27: james holmes@cliks[2].txt (ID = 2414)
18:27: james holmes@ad.yieldmanager[1].txt (ID = 3751)
18:27: james holmes@122.2o7[1].txt (ID = 1958)
18:27: james holmes@sonycorporate.122.2o7[1].txt (ID = 1958)
18:27: james holmes@burstnet[1].txt (ID = 2336)
18:27: Found Spy Cookie: tacoda cookie
18:27: james holmes@tacoda[2].txt (ID = 6444)
18:27: james holmes@azjmp[3].txt (ID = 2270)
18:27: Found Spy Cookie: precisead cookie
18:27: james holmes@adopt.precisead[2].txt (ID = 3182)
18:27: james holmes@about[3].txt (ID = 2037)
18:27: james holmes@www.screensavers[1].txt (ID = 3298)
18:27: Found Spy Cookie: starware.com cookie
18:27: james holmes@starware[2].txt (ID = 3441)
18:27: Found Spy Cookie: reliablestats cookie
18:27: james holmes@stats1.reliablestats[2].txt (ID = 3254)
18:27: james holmes@dogs.about[2].txt (ID = 2038)
18:27: Found Spy Cookie: bizrate cookie
18:27: james holmes@bizrate[2].txt (ID = 2308)
18:27: james holmes@ford.112.2o7[1].txt (ID = 1958)
18:27: Found Spy Cookie: atwola cookie
18:27: james holmes@atwola[2].txt (ID = 2255)
18:27: Found Spy Cookie: ccbill cookie
18:27: james holmes@ccbill[2].txt (ID = 2369)
18:27: james holmes@dist.belnk[4].txt (ID = 2293)
18:27: james holmes@ford.touchclarity[1].txt (ID = 3566)
18:27: james holmes@www.screensavers[2].txt (ID = 3298)
18:27: Found Spy Cookie: paypopup cookie
18:27: james holmes@paypopup[2].txt (ID = 3119)
18:27: james holmes@rn11[3].txt (ID = 3261)
18:27: james holmes@www.888[1].txt (ID = 2020)
18:27: Found Spy Cookie: top-banners cookie
18:27: james holmes@media.top-banners[1].txt (ID = 3548)
18:27: Found Spy Cookie: hpm001 cookie
18:27: james holmes@hpm001[1].txt (ID = 2807)
18:27: Found Spy Cookie: searchingbooth cookie
18:27: james holmes@banners.searchingbooth[1].txt (ID = 3322)
18:27: james holmes@web-stat[2].txt (ID = 3648)
18:27: Found Spy Cookie: offeroptimizer cookie
18:27: james holmes@offeroptimizer[1].txt (ID = 3087)
18:27: Found Spy Cookie: winantiviruspro cookie
18:27: james holmes@www.winantiviruspro[1].txt (ID = 3690)
18:27: Found Spy Cookie: servlet cookie
18:27: james holmes@servlet[1].txt (ID = 3345)
18:27: james holmes@nextag[3].txt (ID = 5014)
18:27: james holmes@stats1.reliablestats[3].txt (ID = 3254)
18:27: james holmes@h.starware[1].txt (ID = 3442)
18:27: system@ad.yieldmanager[2].txt (ID = 3751)
18:27: Cookie Sweep Complete, Elapsed Time: 00:00:01
18:27: Starting File Sweep
18:27: Warning: Failed to open file "c:\pagefile.sys". Access is denied
18:27: tboninst.cfg (ID = 211835)
18:27: sk02.exe (ID = 273586)
18:27: mte3ndi6odoxng.exe (ID = 185985)
18:27: Found Adware: webhancer
18:27: whcc2.exe (ID = 267157)
18:27: drsmartload46a.exe (ID = 277449)
18:27: drsmartload45a.exe (ID = 278325)
18:27: keyboard8.exe (ID = 276255)
18:27: mousepad8.exe (ID = 276257)
18:27: newname8.exe (ID = 276258)
18:27: uninstall_nmon.vbs (ID = 231442)
18:27: ssupreme.exe (ID = 253363)
18:29: ustart.exe (ID = 242836)
18:29: atmtd.dll (ID = 166754)
18:29: Found Adware: look2me
18:29: sddll.dll (ID = 159)
18:29: nwlsapi.dll (ID = 159)
18:29: atmtd.dll._ (ID = 166754)
18:29: pvrfos.dll (ID = 159)
18:29: guard.tmp (ID = 159)
18:29: kgdycc.dll (ID = 159)
18:29: Found Adware: exact navisearch
18:29: nvms.dll_tobedeleted (ID = 279569)
18:29: e202lcdo1f0c.dll (ID = 159)
18:29: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
18:31: maiqtrg0m36pvqpw.vbs (ID = 185675)
18:32: Found Adware: winantispyware 2005
18:32: winfixer2006freesetup.exe (ID = 266623)
18:32: setup.exe (ID = 266687)
18:32: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
18:32: supreme.dll (ID = 238673)
18:32: Found Adware: targetsaver
18:32: class-barrel (ID = 78229)
18:32: zzirc.dll (ID = 195129)
18:32: vocabulary (ID = 78283)
18:32: autoit3.exe (ID = 185254)
18:35: c:\program files\network monitor (ID = -2147459771)
18:35: Found Adware: exact cashback/bargain buddy
18:35: c:\program files\be network (10 subtraces) (ID = -2147452448)
18:35: c:\program files\supreme toolbar (12 subtraces) (ID = -2147458776)
18:35: uninstall.exe (ID = 280655)
18:35: slidev.exe (ID = 279574)
18:35: slidex.exe (ID = 200337)
18:35: Warning: Failed to open file "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat". The process cannot access the file because it is being used by another process
18:35: Warning: Failed to open file "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat". The process cannot access the file because it is being used by another process
18:35: Warning: Failed to open file "c:\documents and settings\james holmes\ntuser.dat.log". The process cannot access the file because it is being used by another process
18:35: Warning: Failed to open file "c:\documents and settings\james holmes\ntuser.dat". The process cannot access the file because it is being used by another process
18:35: Found Adware: gain - common components
18:35: bundle.inf (ID = 61287)
18:36: cmdinst.exe (ID = 231664)
18:36: tsinstall_4_0_4_0_b4.exe (ID = 193496)
18:36: i6c.tmp (ID = 253411)
18:36: Found Adware: exact bullseye
18:36: c:\documents and settings\james holmes\start menu\programs\bullseye network (1 subtraces) (ID = -2147471505)
18:36: c:\documents and settings\james holmes\start menu\programs\navisearch (1 subtraces) (ID = -2147470942)
18:36: sskknwrd.dll (ID = 77733)
18:36: sskcwrd.dll (ID = 77712)
18:36: Warning: Failed to open file "c:\documents and settings\james holmes\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
18:36: Warning: Failed to open file "c:\documents and settings\james holmes\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
18:37: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
18:37: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
18:37: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
18:37: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
18:37: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
18:37: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs093f0adc-4216-4deb-a85a-dd0e9e04c1d5.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs736b08b1-c854-4a9f-aa69-5f06ad8dedc1.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb9b93276-d16a-4468-8e64-4860f5a86333.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs166f39f7-3d19-4452-af18-4068655b98bd.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs85de03f9-dcb2-4bdc-a31e-f0855e44c493.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1d865a19-565b-4ffd-af57-7b25330ba24a.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs29e18c16-5879-4baf-90c8-baa0efb09a16.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs605aa3e4-b79f-47d1-8a28-480d3230a9fa.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa804272e-5939-449d-bec5-40ce004752a1.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs62013666-69b1-493a-8611-d1e0574d4bc1.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs194a85da-cb55-4681-9bc8-cdb097987ea1.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsac9532ac-50c6-4f5f-8da8-7fb9ecf17cc5.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd75e9c6b-4877-483c-964a-8f9e9a6baf5f.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs70b76d8b-1266-437c-952f-4670960d1e18.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1651c775-afd7-4fd8-8b23-73e8d0ada661.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5c2110e2-dfed-43b3-8104-aa23bbb59c78.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6fb77b24-9345-4257-b351-ac378ab43203.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6bb34479-4bfe-450f-a557-1ade84d3e4f6.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs510dcc4c-ee9e-4139-bd8c-274be9645b2f.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0deee59e-2c20-4121-9555-63400e5f372e.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs42a25bb2-2ca3-4014-8e6e-d6b55a82d0b8.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs64b6d3a1-6ab0-43bc-b395-b583359b9c05.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0b440b14-990e-4a48-b160-1881bcd15c6e.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5f9e1782-03fb-4b3c-bc2d-fa974a2676d3.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6b01060b-8cce-4a91-85f7-6d2700e6d4d8.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6492db98-8894-4adc-8093-77dd93c379ad.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsaf0f0953-9684-404c-abb8-5cf4eab6fc7c.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6a5b111b-3447-4965-8be7-9f81ad863dfd.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs00b5fa4e-3c46-4a29-b9a4-f32785741232.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse7471ad6-a4fd-4d38-bf74-3db37b0b9034.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs49735aba-3c39-4b1f-b045-8092d6712f52.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscf8e4e62-4ae4-498c-ae2a-4d3ef5f86d29.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4728723c-0d1a-4aa6-942d-32ff28da9726.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs627b203c-bf27-4d4c-a6a0-6b6c0a82eceb.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc63f593d-a2fc-4657-832b-1afe00dc4c59.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa3927065-b6c9-4b79-92ec-30851c89356e.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsac344907-ce39-4d6a-98bc-8a2434d30dd0.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs06fce77a-7ee3-42f0-9745-d659f4dae96c.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsedf66efa-9f95-410f-9037-3baee005f05d.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs21516100-b248-4bf2-9b97-740d714e6db9.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs17d96259-6d84-4a1f-a690-7c5726e12bed.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs902e4541-a05d-4a39-8b36-3e2159da4bdc.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs799bdaf4-029b-49fb-a661-71b189d25a88.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs79f4aa23-1e53-406a-a31f-5abe5e52c0b6.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs90c8924f-b7c7-47d1-8e52-290b8c16c0f4.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs23db5889-29a8-4abc-830c-2ef4fc1450a1.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc9007157-0d4f-4607-afcd-3f93724d461f.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2dc80ca8-ea47-4c8e-a6c8-2fbea6b490d1.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfd5e6ac4-1f4b-4545-ac50-32d46d6a2939.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0a733dc0-ea3b-48e3-9fa2-f07f7c90a7d0.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs56f3d68d-0170-4ebc-813b-08cdaa47b7d2.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf19faf78-a914-416a-87e0-2285f68ef4b4.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsaf7e6293-a0fa-41fc-bfeb-618759d3fbfe.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs71ad13e0-1099-457d-8557-a5684ec45ab1.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7422f208-d90e-461e-a966-adcacd14379e.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0d750d7d-8816-4005-8b9f-7235d14bfaa0.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd1b8e6fb-708b-4255-afe1-1758a11f8405.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3de5f835-6ddb-4402-8889-ca30ddceab99.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5f670081-d995-43b2-9464-7075b6b40742.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs96ec7fdc-ca0f-4bab-9e95-ea56b54e30e0.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8fd63177-63c0-462e-a6e1-2364a8d5d763.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs31b08312-9e25-4686-88da-6bfe0123c36c.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs67585444-3346-41e0-83ac-3dad2954b70e.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1046a6ff-2c0f-4818-b273-c12cd8807ac9.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs43d85b04-c378-4c01-a5ff-d91ed0747782.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf3c4f677-17cb-4eb0-99bb-1cb963220325.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8d48b8f2-3dad-4695-83e5-90c01010634f.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs40a5a584-586f-48f9-a379-104a40a1b001.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5c17ec50-fffd-414a-a7ca-ca0fe23aaf48.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs97538435-837d-437d-94db-dcb7619a9cd6.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs05ebaae1-c48d-4888-86a5-822a8653a233.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf515fcd3-7c25-4ade-8087-bf92963b82ca.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse495a664-2d7c-4931-be60-9b43b830ff6e.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4b8ab2e0-4abe-474b-a845-4c44566e36de.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8744cc35-3b82-49fe-a54f-3aa4a16fef38.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsce76126e-5d81-474d-b57b-a729f827094d.tmp". The process cannot access the file because it is being used by another process
18:38: Warning: Failed to open file "c:\documents and set

#14 Siggyx


Posted 27 April 2006 - 08:04 PM

Start > Run

In the box, type in services.msc then hit <enter> (or click OK)

In the Name column, look for Network Monitor

<Double-click> it.

Now, click Stop to stop that rogue process.

In the Startup type box, change it to Disabled, then click Apply then OK.

Next

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive...ib/MSWINSCK.OCX

#15 Gomez


Posted 01 May 2006 - 01:34 PM

Actions completed. Logs below

Logfile of HijackThis v1.99.1
Scan saved at 20:12:46, on 01/05/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btyahoo.com/
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MessengerPlus3] "\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprote.../wemade/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.neff...Crypt/npkcx.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 01/05/2006 20:07:14


Attempting to delete infected files...

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}"
HKCR\Clsid\{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{53C74826-AB99-4d33-ACA4-3117F51D3788}"
HKCR\Clsid\{53C74826-AB99-4d33-ACA4-3117F51D3788}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DE377C33-10E0-4C6C-AE3E-DB1D069BCE70}"
HKCR\Clsid\{DE377C33-10E0-4C6C-AE3E-DB1D069BCE70}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{22D18C45-D10A-4570-A7AD-83ACCE47920C}"
HKCR\Clsid\{22D18C45-D10A-4570-A7AD-83ACCE47920C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9D599C02-2C0E-43B4-92FE-FB5C2A16E0C2}"
HKCR\Clsid\{9D599C02-2C0E-43B4-92FE-FB5C2A16E0C2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2420CB6F-CBD0-41CD-ADCA-FDAA94A910AE}"
HKCR\Clsid\{2420CB6F-CBD0-41CD-ADCA-FDAA94A910AE}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Cheers

Graham
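Cleanup threads like this one turn on comparing the HijackThis log posted before a fix with the one posted after it. The Python below is an added example, not part of the original posts: it parses the "Running processes:" list and the section-coded entry lines (R0, O4, O23, ...) and reports what disappeared and what is new. The function names are hypothetical, the two sample logs are constructed excerpts abridged from the logs in this thread, and the O23 "Network Monitor" line in the first sample is constructed for illustration.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE":
# a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then free text.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into running processes and coded entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif in_processes:
            if line:
                processes.append(line)
            elif processes:
                in_processes = False  # blank line closes the process list
        # anything else (headers, other tools' output) is ignored
    return {"processes": processes, "entries": entries}


def _changes(old, new):
    # Windows paths and registry names are case-insensitive, so compare
    # lower-cased keys but report the text as it appeared in the log.
    old_keys = {item.lower() for item in old}
    new_keys = {item.lower() for item in new}
    gone = [item for item in old if item.lower() not in new_keys]
    added = [item for item in new if item.lower() not in old_keys]
    return gone, added


def diff_logs(before_text, after_text):
    """Report processes and entries that vanished or appeared between scans."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    proc_gone, proc_new = _changes(before["processes"], after["processes"])
    ent_gone, ent_new = _changes(
        [f"{code} - {detail}" for code, detail in before["entries"]],
        [f"{code} - {detail}" for code, detail in after["entries"]],
    )
    return {
        "processes_gone": proc_gone,
        "processes_new": proc_new,
        "entries_gone": ent_gone,
        "entries_new": ent_new,
    }


# Constructed sample: process paths abridged from the first log in the thread;
# the O23 "Network Monitor" entry is constructed, not copied from the thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SmFtZXMgSG9sbWVz\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\winupdates\winupdates.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""

# Constructed sample: abridged from the log posted after the cleanup.
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Look2Me-Destroyer V1.0.12
"""

if __name__ == "__main__":
    for section, items in diff_logs(BEFORE, AFTER).items():
        print(section)
        for item in items:
            print("   ", item)
```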
