WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Windows Explorer using 100% processor

Started by DublinFrank , Mar 11 2006 11:50 AM

This topic is locked

8 replies to this topic

#1 DublinFrank

New Member

New Member
4 posts

Posted 11 March 2006 - 11:50 AM

my machine is running slowly as windows explorer is using up to 100% processor time
can you have a look at the log below and seeif it contains a clue to the problem!!
I have run AVG, AdAware and Spybot but this has not eliminated the problem.
All microsoft updates are in place.
Thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 15:23:01, on 11/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\Service\Updater.exe
C:\Program Files\iRiver\Service\MLService.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\DOCUME~1\Francis\LOCALS~1\Temp\4C4.tmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.eircom.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gqgju.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqgju.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gqgju.dll/sp.html#12047%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gqgju.dll/sp.html#12047%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6F175688-1C1E-4B87-8B50-041A00AD578C} - C:\WINDOWS\system32\dlbb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [4C4.tmp.exe] C:\DOCUME~1\Francis\LOCALS~1\Temp\4C4.tmp.exe
O4 - HKLM\..\Run: [4C4.tmp] C:\DOCUME~1\Francis\LOCALS~1\Temp\4C4.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130078535054
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

Advertisements

Register to Remove

#2 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 March 2006 - 02:53 PM

Hello DublinFrank, welcome to the forum

Download CW-Shredder at the link below: (don't run it yet)
http://www.trendmicr.../cwshredder.exe

Download 'SpSeHjfix'. into a folder. (don't run it yet)

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Make sure you know how to boot into - SafeMode

Reboot into safe mode.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

Now run the Shredder - Hit The FIX button!

Reboot and repeat the process above starting with Reboot in Safe Mode.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#3 DublinFrank

New Member

New Member
4 posts

Posted 11 March 2006 - 03:59 PM

Thanks for your time LDTate
followed your instructions, the logfiles are below
CWShredder reported CWS not present
problem persists!

Logfile of HijackThis v1.99.1
Scan saved at 21:50:12, on 11/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\Service\Updater.exe
C:\Program Files\iRiver\Service\MLService.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\DOCUME~1\Francis\LOCALS~1\Temp\4C4.tmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.eircom.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6F175688-1C1E-4B87-8B50-041A00AD578C} - C:\WINDOWS\system32\dlbb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [4C4.tmp.exe] C:\DOCUME~1\Francis\LOCALS~1\Temp\4C4.tmp.exe
O4 - HKLM\..\Run: [4C4.tmp] C:\DOCUME~1\Francis\LOCALS~1\Temp\4C4.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130078535054
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

(3/11/06 21:38:10) SPSeHjFix started v1.1.2
(3/11/06 21:38:10) OS: WinXP Service Pack 2 (5.1.2600)
(3/11/06 21:38:10) Language: english
(3/11/06 21:38:10) Win-Path: C:\WINDOWS
(3/11/06 21:38:10) System-Path: C:\WINDOWS\system32
(3/11/06 21:38:10) Temp-Path: C:\DOCUME~1\Francis\LOCALS~1\Temp\
(3/11/06 21:38:26) Disinfection started
(3/11/06 21:38:27) UBF: 5 - UBB: 6 - UBR: 21
(3/11/06 21:38:27) UBF: 5 - UBB: 6 - UBR: 21
(3/11/06 21:38:27) Stealth-String not found
(3/11/06 21:38:27) Not infected->END

(3/11/06 21:39:41) SPSeHjFix started v1.1.2
(3/11/06 21:39:41) OS: WinXP Service Pack 2 (5.1.2600)
(3/11/06 21:39:41) Language: english
(3/11/06 21:39:41) Win-Path: C:\WINDOWS
(3/11/06 21:39:41) System-Path: C:\WINDOWS\system32
(3/11/06 21:39:41) Temp-Path: C:\DOCUME~1\Francis\LOCALS~1\Temp\
(3/11/06 21:39:47) Disinfection started
(3/11/06 21:39:47) UBF: 5 - UBB: 6 - UBR: 21
(3/11/06 21:39:47) UBF: 5 - UBB: 6 - UBR: 21
(3/11/06 21:39:47) Stealth-String not found
(3/11/06 21:39:47) Not infected->END

(3/11/06 21:44:03) SPSeHjFix started v1.1.2
(3/11/06 21:44:03) OS: WinXP Service Pack 2 (5.1.2600)
(3/11/06 21:44:03) Language: english
(3/11/06 21:44:03) Win-Path: C:\WINDOWS
(3/11/06 21:44:03) System-Path: C:\WINDOWS\system32
(3/11/06 21:44:03) Temp-Path: C:\DOCUME~1\Francis\LOCALS~1\Temp\
(3/11/06 21:44:13) Disinfection started
(3/11/06 21:44:13) Bad-Dll(IEP): (not found)
(3/11/06 21:44:13) Bad-Dll(IEP) in BHO: (not found)
(3/11/06 21:44:13) UBF: 5 - UBB: 6 - UBR: 21
(3/11/06 21:44:13) UBF: 5 - UBB: 6 - UBR: 21
(3/11/06 21:44:13) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:

#4 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 March 2006 - 04:04 PM

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Resullts from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#5 DublinFrank

New Member

New Member
4 posts

Posted 12 March 2006 - 12:24 PM

OK LDTate......
followed your last instructions but Spy Sweeper keeps hanging when its investigating the cookies in
C:\documents and settings\localservice\cookies\index.dat
by omitting the cookies search from spy sweeper i have got it to run and it has found some stuff and removed it.
I have only one log from Spy Sweeper but i have run it twice with cookies omitted

Behaviour of computer is slow response to all instructions, and if it goes to screensaver(which i have now turned off) it will take 5mins to respond.
Sysinternals process explorer is showing 99% use by explorer exe.

Below are requested logs.
Once again - many thanks for your time.

Logfile of HijackThis v1.99.1
Scan saved at 18:05:58, on 12/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\Service\Updater.exe
C:\Program Files\iRiver\Service\MLService.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.eircom.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6F175688-1C1E-4B87-8B50-041A00AD578C} - C:\WINDOWS\system32\dlbb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130078535054
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

********
13:49: | Start of Session, 12 March 2006 |
13:49: Spy Sweeper started
13:49: Sweep initiated using definitions version 630
13:49: Starting Cookie Sweep
13:49: Found Spy Cookie: yieldmanager cookie
13:49: francis@ad.yieldmanager[2].txt (ID = 3751)
13:49: Found Spy Cookie: bluestreak cookie
13:49: francis@bluestreak[1].txt (ID = 2314)
13:49: Found Spy Cookie: 2o7.net cookie
13:49: francis@microsofteup.112.2o7[1].txt (ID = 1958)
13:50: Cookie Sweep Complete, Elapsed Time: 00:00:01
13:50: Starting File Sweep
13:50: Warning: Failed to open file "c:\pagefile.sys". The process cannot access the file because it is being used by another process
13:50: Found Adware: hotbar
13:50: persist.dbs (ID = 208919)
13:51: Warning: Failed to open file "c:\documents and settings\francis\ntuser.dat". The process cannot access the file because it is being used by another process
13:51: Warning: Failed to open file "c:\documents and settings\francis\ntuser.dat.log". The process cannot access the file because it is being used by another process
13:52: Warning: Failed to open file "c:\documents and settings\francis\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
13:52: Warning: Failed to open file "c:\documents and settings\francis\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
13:52: Warning: Failed to open file "c:\documents and settings\francis\local settings\temp\jetd5a0.tmp". The process cannot access the file because it is being used by another process
13:52: Warning: Failed to open file "c:\documents and settings\francis\local settings\temp\hsperfdata_francis\1360". Access is denied
13:57: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs009c74a9-c4c7-4592-b2d2-d39646a814a9.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs015838da-78aa-4880-98df-73ca18bc2088.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs04276bc5-42df-4a19-8556-7277b76fc54d.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs09e65baa-c1f0-43b4-b5bd-c6e2eadbfd41.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0bfea0c8-9562-436a-8c3f-cdc2265f7095.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0fbe91b9-b144-44c0-b68b-220f4f796b86.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs13ac5c0d-0f27-47e2-a3e7-f0874a700a30.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs18ff611b-78c9-4092-850f-9d98f3ca93fc.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1d05b689-72ef-4cd7-96b9-1e20a388569c.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs208b0e91-acc4-4a46-bec5-2e427cf04150.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2177154f-592d-499d-9992-c38b55b4a7db.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs23ecbec8-32bd-440d-b095-ea2d33349526.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs23f365d5-f4b6-4ddc-844a-5e737d037d75.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2f04d33c-891b-441a-accd-c4468a7763f2.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3026bec9-6067-47db-9809-341f928399d8.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs31b3559e-a52b-4d22-9316-4ab1eb101d06.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs31ce959a-c7e7-44c1-b414-fb4c2afe3c9e.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs330641d4-b756-4f2b-b70e-93269e74a07e.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3993921f-6840-4691-8f51-8d701726be1b.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3d613315-d2a0-4b38-8326-f17939d84502.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3e9f9188-8840-4bd9-a375-e7de80e8207d.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs41628939-8366-4b5c-a4ff-94678e99d5a4.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs45d1597b-4508-4156-be62-aa56d698e175.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs46fd66e1-d176-476a-9665-b645fca00170.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4725bf87-a251-4e4f-ad42-5357cde3d1c7.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs474805c2-47b9-4c4d-8987-a6e1db0a3436.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4987ada4-e688-4f07-9bea-efb82d415b9c.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4c4597c8-6239-4b06-b9b6-7c6a3e0e6c1d.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4f8957d3-22ce-4923-9baf-650164122398.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4fe57ba1-290d-4c84-b8ed-af3fe76385e3.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs54bbde7d-6f8f-40b4-aab6-f94b353d4931.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs57bc35f7-5275-4e5d-928e-213d0b5b1f16.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs57e0997c-8750-4f90-b97b-8d560a96289c.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs590c2962-ef8c-4152-977a-7144d4b53c30.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5f811f1e-0af5-44ab-ad24-a7b0430aee6c.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5f8e86a6-0777-466a-b815-c26435735f71.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs616f8f09-afa4-4754-af69-2004aaac2858.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs64554da9-47b2-4790-82d2-9f917652d6b8.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs68c15032-b3aa-450d-a02b-59c6b29c9e48.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs69ae3d7f-c550-4d58-92f1-c70dbc1ea5fc.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6cbab68d-bd2f-429a-85f1-361639ee008f.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs71212c4d-e0a2-4255-8988-e0062f0d91b3.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs71e78b50-802f-4867-9024-15e019eb7427.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs73d82a9d-eaf6-406b-9d92-20ea0a3bbaf1.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7550cfeb-2e8f-4c6a-867a-b56e5d390669.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs765c5a77-e974-4fb0-a98f-8d151e107556.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs77ce48d1-fb2b-459f-b036-40351c109b5b.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a72fd3f-f42d-4bf6-998a-f6c32c6a65c4.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a8ad0c8-29d7-4e8c-a3e2-96366708d4a9.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7d4fc1d2-c76a-4ab1-ac77-8a0834aaa767.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7d60d5a4-ba80-4673-be07-b068f2cc23c5.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs83ac70b2-029c-4338-b982-342c9d031aac.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs84ba9fc3-fc2a-4ff7-a927-6e8dd9632dab.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs877fdc1b-35c5-4eeb-967c-eea43a0b6335.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs87facaf1-60ac-4117-a545-9358f7cb53de.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs89936640-e1b7-40dc-ad2e-d62bcf3b14d3.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8f0a2cad-61e9-4e79-9239-eafe00b6ed58.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8f6a58f6-6582-4a4c-8d01-77e397fe6b5f.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8fad6c37-968f-40cb-8098-489dfbee4f8c.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs92550155-44f7-45fa-91da-92c6e7b62a68.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9375c641-a714-46c9-a5af-cf8c371de586.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9478410a-761b-446f-b833-efd71ab6e0fb.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs949c9156-fb1f-42f8-9d7b-156dbbbebe8d.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs973f5b4a-9424-40c4-a73e-0c5ca26fb499.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9b30747f-4fc4-4831-a427-55deb48a7119.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9d623368-9650-4f4c-bdb9-82e39c8f299a.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa03c022c-db46-4fcb-a539-d7c17cc064ed.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa2ffeb14-3d52-4aa1-a148-64a8b3275335.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa502eee3-1bd9-465f-8b2e-68272582aa17.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa6adc5a9-dfb4-48fb-8279-805bc3e7cff0.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb2a867d6-6389-43f5-8720-615e023c039e.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb3b64b0f-1f3c-4abd-8f94-736f8df293ca.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb49db5ae-c5ab-4aa2-ab94-d57f1f63807e.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb590a8dd-f3ef-4f7e-bce0-caefe30b0c7c.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb807bbea-5015-4386-8bc1-fd29448c2cb5.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb85c73d3-0a69-4275-aae8-60dbcca0f634.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb90e1aff-4f95-4520-aa46-8a1c3104d37b.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbda5c43e-8a68-48cf-8e23-7dca7b62a407.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbf022eed-70d2-4e12-a878-c5bad279f38a.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc0bfb5be-4c65-4843-ba49-eeb8346ec4eb.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc74f7d84-82f2-4de2-be62-af6c40121343.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd53cf00e-894c-460c-b922-322473be1904.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd55ec69c-69db-4390-ab42-4d5a2bdc1cf6.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd91e705e-a68f-49a5-a854-5479f8e77d24.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd985850e-5688-4c61-8bf9-4e99ff544e6f.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdc62a402-951e-480e-adb2-3b2582ba85c9.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdec8ca05-3146-4f4c-8d1b-923b77b712e8.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdfd13090-79b8-4361-af74-1556723a4442.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse20f9b21-db3b-474a-9d66-00add1030c1f.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse2f36e83-cbce-4989-836d-b9839ddca853.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse3008c73-15db-44f5-81d2-35920d645d67.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse30106ad-4c0a-46d4-8221-da204d42f413.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse72e025e-03eb-4ab0-879c-37909d1756a8.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse73c9465-53e4-4f69-a507-339de5a669b9.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse85b495e-70dc-4135-937f-887e2daba9d9.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscseb96631c-8311-4d67-974e-2121560b5bb0.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsecc3d53b-2ca8-4818-8b94-34dbdfdaf41c.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf1f7bbab-0b8d-4833-9c05-f0881bbec764.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf5b40c52-006b-4c8e-b703-b94b52b601dc.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf62e973f-2b30-4814-ae12-4d1c5d112182.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf85a8465-5f64-4230-b43b-c138599c6b51.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf8960d6c-26e7-4a36-a0ad-2efc2c90fa29.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf8df148f-26c1-430d-8826-2d56244f79b6.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc399617-dc78-49dd-be9b-ba4b66a15a5a.tmp". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
13:57: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
13:59: Found Adware: starware toolbar
13:59: c:\documents and settings\ruth\application data\starware (18 subtraces) (ID = -2147480225)
13:59: Found Adware: gain - common components
13:59: c:\documents and settings\ruth\local settings\temp\fsg_tmp (ID = -2147480935)
14:17: Warning: Failed to open file "c:\system volume information\_restore{2b195e0b-b425-4eed-9576-8d497fe32e29}\rp358\a0243332.exe". Access is denied
14:17: Warning: Failed to open file "c:\system volume information\_restore{2b195e0b-b425-4eed-9576-8d497fe32e29}\rp358\a0243334.dll". Access is denied
14:17: Warning: Failed to open file "c:\system volume information\_restore{2b195e0b-b425-4eed-9576-8d497fe32e29}\rp358\a0243395.exe". Access is denied
14:17: Warning: Failed to open file "c:\system volume information\_restore{2b195e0b-b425-4eed-9576-8d497fe32e29}\rp362\a0243629.dll". Access is denied
14:18: Found Adware: screensavers
14:18: a0236631.exe (ID = 74759)
14:27: a0249285.manifest (ID = 61435)
14:27: a0249299.exe (ID = 74759)
14:27: a0249302.cfg (ID = 61553)
14:32: Found Adware: elitemediagroup-mediamotor
14:32: unstall.exe (ID = 74177)
14:50: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
14:50: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
14:57: Found Adware: tibs dialer
14:57: dktibs.exe (ID = 79262)
15:22: File Sweep Complete, Elapsed Time: 01:32:05
15:22: Full Sweep has completed. Elapsed time 01:32:09
15:22: Traces Found: 30
15:22: Removal process initiated
15:22: Quarantining All Traces: elitemediagroup-mediamotor
15:22: Quarantining All Traces: hotbar
15:22: Quarantining All Traces: starware toolbar
15:22: Quarantining All Traces: tibs dialer
15:22: Quarantining All Traces: screensavers
15:22: Quarantining All Traces: 2o7.net cookie
15:22: Quarantining All Traces: bluestreak cookie
15:22: Quarantining All Traces: gain - common components
15:22: Quarantining All Traces: yieldmanager cookie
15:23: Removal process completed. Elapsed time 00:00:25
********
01:59: | Start of Session, 12 March 2006 |
01:59: Spy Sweeper started
01:59: Sweep initiated using definitions version 630
01:59: Starting Memory Sweep
02:11: Memory Sweep Complete, Elapsed Time: 00:11:39
02:11: Starting Registry Sweep
02:46: Registry Sweep Complete, Elapsed Time:00:35:22
02:46: Starting Cookie Sweep
02:46: Found Spy Cookie: 888 cookie
02:46: ruth@888[1].txt (ID = 2019)
02:46: Found Spy Cookie: yieldmanager cookie
02:46: ruth@ad.yieldmanager[2].txt (ID = 3751)
02:46: Found Spy Cookie: adlegend cookie
02:46: ruth@adlegend[1].txt (ID = 2074)
02:46: Found Spy Cookie: hbmediapro cookie
02:46: ruth@adopt.hbmediapro[1].txt (ID = 2768)
02:46: Found Spy Cookie: revenue.net cookie
02:46: ruth@ads1.revenue[1].txt (ID = 3258)
02:46: Found Spy Cookie: belnk cookie
02:46: ruth@belnk[1].txt (ID = 2292)
02:46: Found Spy Cookie: cassava cookie
02:46: ruth@cassava[1].txt (ID = 2362)
02:46: Found Spy Cookie: overture cookie
02:46: ruth@data2.perf.overture[1].txt (ID = 3106)
02:46: ruth@dist.belnk[2].txt (ID = 2293)
02:46: Found Spy Cookie: hotbar cookie
02:46: ruth@hotbar[2].txt (ID = 2797)
02:46: Found Spy Cookie: screensavers.com cookie
02:46: ruth@i.screensavers[1].txt (ID = 3298)
02:46: Found Spy Cookie: 2o7.net cookie
02:46: ruth@maxis.112.2o7[1].txt (ID = 1958)
02:46: ruth@msnportal.112.2o7[1].txt (ID = 1958)
02:46: Found Spy Cookie: starware.com cookie
02:46: ruth@starware[2].txt (ID = 3441)
02:46: ruth@www.screensavers[1].txt (ID = 3298)
02:46: francis@ad.yieldmanager[2].txt (ID = 3751)
02:46: Found Spy Cookie: bluestreak cookie
02:46: francis@bluestreak[1].txt (ID = 2314)
02:46: francis@microsofteup.112.2o7[1].txt (ID = 1958)
02:46: Cookie Sweep Complete, Elapsed Time: 00:00:05
********
00:58: | Start of Session, 12 March 2006 |
00:58: Spy Sweeper started
00:58: Sweep initiated using definitions version 630
00:58: Starting Memory Sweep
01:08: Found Adware: pc adprotector fakealert
01:08: Detected running threat: C:\Documents and Settings\Francis\Local Settings\Temp\4C4.tmp.exe (ID = 241)
01:08: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || 4C4.tmp.exe (ID = 0)
01:08: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || 4C4.tmp (ID = 0)
01:10: Memory Sweep Complete, Elapsed Time: 00:12:18
01:10: Starting Registry Sweep
01:15: Found Adware: cws_analyzeie
01:15: HKLM\software\microsoft\internet explorer\main\msmsgsvc\ (ID = 116919)
01:23: Found Adware: screensavers
01:23: HKLM\software\screensavers.com\ (16 subtraces) (ID = 140569)
01:25: Found Adware: winad
01:25: HKCR\mediapassx.installer\ (3 subtraces) (ID = 147160)
01:25: HKLM\software\classes\mediapassx.installer\ (3 subtraces) (ID = 147174)
01:25: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediapassx.dll\ (2 subtraces) (ID = 147192)
01:25: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediapassx.dll (ID = 147222)
01:28: Found Adware: hotbar
01:28: HKLM\software\microsoft\windows\currentversion\uninstall\ shopperreports\ (5 subtraces) (ID = 1008466)
01:32: Found Adware: cws_ns3 hijack
01:32: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\main\ || search bar (ID = 123390)
01:32: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\main\ || search page (ID = 123391)
01:32: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\shopperreports\ (4 subtraces) (ID = 127631)
01:33: Found Adware: starware toolbar
01:33: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\starware\ (10 subtraces) (ID = 142866)
01:34: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe15} (ID = 1058296)
01:34: HKU\S-1-5-21-1177238915-436374069-854245398-1004\software\microsoft\windows\currentversion\run\ || msmsgsvc (ID = 116935)
01:36: HKU\S-1-5-21-1177238915-436374069-854245398-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe15} (ID = 1058296)
01:45: Registry Sweep Complete, Elapsed Time:00:34:25
01:45: Starting File Sweep
01:51: Sweep Canceled
01:51: File Sweep Complete, Elapsed Time: 00:06:31
01:51: Traces Found: 60
01:52: Removal process initiated
01:52: Quarantining All Traces: cws_analyzeie
01:52: Quarantining All Traces: pc adprotector fakealert
01:52: Quarantining All Traces: hotbar
01:52: Quarantining All Traces: starware toolbar
01:52: Quarantining All Traces: winad
01:52: Quarantining All Traces: cws_ns3 hijack
01:52: Quarantining All Traces: screensavers
01:54: Preparing to restart your computer. Please wait...
01:54: Removal process completed. Elapsed time 00:01:49
********
00:02: | Start of Session, 12 March 2006 |
00:02: Spy Sweeper started
00:02: Sweep initiated using definitions version 630
00:02: Starting Memory Sweep
00:12: Found Adware: pc adprotector fakealert
00:12: Detected running threat: C:\Documents and Settings\Francis\Local Settings\Temp\4C4.tmp.exe (ID = 241)
00:12: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || 4C4.tmp.exe (ID = 0)
00:12: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || 4C4.tmp (ID = 0)
00:14: Memory Sweep Complete, Elapsed Time: 00:11:33
00:14: Starting Registry Sweep
00:19: Found Adware: cws_analyzeie
00:19: HKLM\software\microsoft\internet explorer\main\msmsgsvc\ (ID = 116919)
00:28: Found Adware: screensavers
00:28: HKLM\software\screensavers.com\ (16 subtraces) (ID = 140569)
00:30: Found Adware: winad
00:30: HKCR\mediapassx.installer\ (3 subtraces) (ID = 147160)
00:30: HKLM\software\classes\mediapassx.installer\ (3 subtraces) (ID = 147174)
00:30: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediapassx.dll\ (2 subtraces) (ID = 147192)
00:30: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediapassx.dll (ID = 147222)
00:33: Found Adware: hotbar
00:33: HKLM\software\microsoft\windows\currentversion\uninstall\ shopperreports\ (5 subtraces) (ID = 1008466)
00:37: Found Adware: cws_ns3 hijack
00:37: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\main\ || search bar (ID = 123390)
00:37: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\main\ || search page (ID = 123391)
00:38: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\shopperreports\ (4 subtraces) (ID = 127631)
00:39: Found Adware: starware toolbar
00:39: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\starware\ (10 subtraces) (ID = 142866)
00:39: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe15} (ID = 1058296)
00:40: HKU\S-1-5-21-1177238915-436374069-854245398-1004\software\microsoft\windows\currentversion\run\ || msmsgsvc (ID = 116935)
00:42: HKU\S-1-5-21-1177238915-436374069-854245398-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe15} (ID = 1058296)
00:50: Registry Sweep Complete, Elapsed Time:00:36:21
00:50: Starting Cookie Sweep
00:50: Found Spy Cookie: 888 cookie
00:50: ruth@888[1].txt (ID = 2019)
00:50: Found Spy Cookie: yieldmanager cookie
00:50: ruth@ad.yieldmanager[2].txt (ID = 3751)
00:50: Found Spy Cookie: adlegend cookie
00:50: ruth@adlegend[1].txt (ID = 2074)
00:50: Found Spy Cookie: hbmediapro cookie
00:50: ruth@adopt.hbmediapro[1].txt (ID = 2768)
00:50: Found Spy Cookie: revenue.net cookie
00:50: ruth@ads1.revenue[1].txt (ID = 3258)
00:50: Found Spy Cookie: belnk cookie
00:50: ruth@belnk[1].txt (ID = 2292)
00:50: Found Spy Cookie: cassava cookie
00:50: ruth@cassava[1].txt (ID = 2362)
00:50: Found Spy Cookie: overture cookie
00:50: ruth@data2.perf.overture[1].txt (ID = 3106)
00:50: ruth@dist.belnk[2].txt (ID = 2293)
00:50: Found Spy Cookie: hotbar cookie
00:50: ruth@hotbar[2].txt (ID = 2797)
00:50: Found Spy Cookie: screensavers.com cookie
00:50: ruth@i.screensavers[1].txt (ID = 3298)
00:50: Found Spy Cookie: 2o7.net cookie
00:50: ruth@maxis.112.2o7[1].txt (ID = 1958)
00:50: ruth@msnportal.112.2o7[1].txt (ID = 1958)
00:50: Found Spy Cookie: starware.com cookie
00:50: ruth@starware[2].txt (ID = 3441)
00:50: ruth@www.screensavers[1].txt (ID = 3298)
00:50: francis@ad.yieldmanager[2].txt (ID = 3751)
00:50: Found Spy Cookie: bluestreak cookie
00:50: francis@bluestreak[1].txt (ID = 2314)
00:50: francis@microsofteup.112.2o7[1].txt (ID = 1958)
00:50: Cookie Sweep Complete, Elapsed Time: 00:00:05
********
23:00: | Start of Session, 11 March 2006 |
23:00: Spy Sweeper started
23:00: Sweep initiated using definitions version 630
23:00: Starting Memory Sweep
23:11: Found Adware: pc adprotector fakealert
23:11: Detected running threat: C:\Documents and Settings\Francis\Local Settings\Temp\4C4.tmp.exe (ID = 241)
23:11: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || 4C4.tmp.exe (ID = 0)
23:11: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || 4C4.tmp (ID = 0)
23:12: Memory Sweep Complete, Elapsed Time: 00:12:31
23:12: Starting Registry Sweep
23:19: Found Adware: cws_analyzeie
23:19: HKLM\software\microsoft\internet explorer\main\msmsgsvc\ (ID = 116919)
23:26: Found Adware: screensavers
23:26: HKLM\software\screensavers.com\ (16 subtraces) (ID = 140569)
23:28: Found Adware: winad
23:28: HKCR\mediapassx.installer\ (3 subtraces) (ID = 147160)
23:28: HKLM\software\classes\mediapassx.installer\ (3 subtraces) (ID = 147174)
23:28: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediapassx.dll\ (2 subtraces) (ID = 147192)
23:28: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediapassx.dll (ID = 147222)
23:31: Found Adware: hotbar
23:31: HKLM\software\microsoft\windows\currentversion\uninstall\ shopperreports\ (5 subtraces) (ID = 1008466)
23:35: Found Adware: cws_ns3 hijack
23:35: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\main\ || search bar (ID = 123390)
23:35: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\main\ || search page (ID = 123391)
23:36: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\shopperreports\ (4 subtraces) (ID = 127631)
23:37: Found Adware: starware toolbar
23:37: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\starware\ (10 subtraces) (ID = 142866)
23:38: HKU\WRSS_Profile_S-1-5-21-1177238915-436374069-854245398-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe15} (ID = 1058296)
23:38: HKU\S-1-5-21-1177238915-436374069-854245398-1004\software\microsoft\windows\currentversion\run\ || msmsgsvc (ID = 116935)
23:40: HKU\S-1-5-21-1177238915-436374069-854245398-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe15} (ID = 1058296)
23:48: Registry Sweep Complete, Elapsed Time:00:36:04
23:49: Starting Cookie Sweep
23:49: Found Spy Cookie: 888 cookie
23:49: ruth@888[1].txt (ID = 2019)
23:49: Found Spy Cookie: yieldmanager cookie
23:49: ruth@ad.yieldmanager[2].txt (ID = 3751)
23:49: Found Spy Cookie: adlegend cookie
23:49: ruth@adlegend[1].txt (ID = 2074)
23:49: Found Spy Cookie: hbmediapro cookie
23:49: ruth@adopt.hbmediapro[1].txt (ID = 2768)
23:49: Found Spy Cookie: revenue.net cookie
23:49: ruth@ads1.revenue[1].txt (ID = 3258)
23:49: Found Spy Cookie: belnk cookie
23:49: ruth@belnk[1].txt (ID = 2292)
23:49: Found Spy Cookie: cassava cookie
23:49: ruth@cassava[1].txt (ID = 2362)
23:49: Found Spy Cookie: overture cookie
23:49: ruth@data2.perf.overture[1].txt (ID = 3106)
23:49: ruth@dist.belnk[2].txt (ID = 2293)
23:49: Found Spy Cookie: hotbar cookie
23:49: ruth@hotbar[2].txt (ID = 2797)
23:49: Found Spy Cookie: screensavers.com cookie
23:49: ruth@i.screensavers[1].txt (ID = 3298)
23:49: Found Spy Cookie: 2o7.net cookie
23:49: ruth@maxis.112.2o7[1].txt (ID = 1958)
23:49: ruth@msnportal.112.2o7[1].txt (ID = 1958)
23:49: Found Spy Cookie: starware.com cookie
23:49: ruth@starware[2].txt (ID = 3441)
23:49: ruth@www.screensavers[1].txt (ID = 3298)
23:49: francis@ad.yieldmanager[2].txt (ID = 3751)
23:49: Found Spy Cookie: bluestreak cookie
23:49: francis@bluestreak[1].txt (ID = 2314)
23:49: francis@microsofteup.112.2o7[1].txt (ID = 1958)
23:49: Cookie Swe

#6 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 12 March 2006 - 01:07 PM

Do you use iRiver Music Manager?

I suggest you do this:

Please do not delete anything unless instructed to.

1.Click Start > Settings > Control Panel.
2.Next, open Add/Remove Programs and remove if listed:
LimeWire

Here's a list of the good and bad
http://www.spywarein...m/articles/p2p/

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6F175688-1C1E-4B87-8B50-041A00AD578C} - C:\WINDOWS\system32\dlbb.dll (file missing)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

Close ALL windows and browsers except HijackThis and click "Fix checked"

Delete this File if listed:
C:\WINDOWS\system32\pc32.exe

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#7 DublinFrank

New Member

New Member
4 posts

Posted 12 March 2006 - 02:09 PM

-I dont know if we use IRiver manager - we download to the player using media player
-deleted Limewire
-ran hijackthis and 'fix checked' all items except C:WINDOWS\SYSTEM32\dlbb.dll
which was not listed
- ran ATF Cleaner ok
- no sign of ....\pc32.exe
- new log attached
- THANKS!!!!

Logfile of HijackThis v1.99.1
Scan saved at 19:56:49, on 12/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\Service\Updater.exe
C:\Program Files\iRiver\Service\MLService.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.eircom.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130078535054
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#8 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 12 March 2006 - 02:27 PM

Good Job

use Add/Remove Programs and remove Spy Sweeper, unless you want to keep it. It's only a 14 day trial version.

Log looks good

How is it running any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#9 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 15 March 2006 - 04:08 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Body Background

skin color theme