
Help with Hijack please ! :D



#1 PIECER


Posted 23 March 2006 - 09:46 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:31:55 AM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system32\qrdsregj.exe
C:\WINDOWS\system32\lwinsrag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wkfli.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hglpsms.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst10.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\pumba3.dll (file missing)
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\pumba3.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{74-48-88-80-ZN}] C:\windows\system32\qrdsregj.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinsrag.exe FI002
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinsrag.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 Susan528


Posted 23 March 2006 - 04:37 PM

Hello Piecer and Welcome to Tom Coyote,

Please do the following:

STEP 1.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disk C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.


STEP 2.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Empty Recycle Bin

Please post the results from SpySweeper, ewido and a new hijackthis log.
Proud member of ASAP since 2005

#3 PIECER


Posted 24 March 2006 - 10:40 AM

********
7:30 AM: | Start of Session, Friday, March 24, 2006 |
7:30 AM: Spy Sweeper started
7:30 AM: Sweep initiated using definitions version 640
7:30 AM: Starting Memory Sweep
7:30 AM: Found Adware: mirar webband
7:30 AM: Detected running threat: C:\WINDOWS\system32\WinNB57.dll (ID = 185460)
7:30 AM: Found Adware: clkoptimizer
7:30 AM: Detected running threat: C:\WINDOWS\system32\minhype.dll (ID = 268933)
7:31 AM: Detected running threat: C:\WINDOWS\system32\gbnhih.exe (ID = 268995)
7:31 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || fsryif (ID = 0)
7:31 AM: HKU\S-1-5-21-4151388396-867582294-2632940306-1003\Software\Microsoft\Windows\CurrentVersion\Run || cpyaj (ID = 0)
7:32 AM: Memory Sweep Complete, Elapsed Time: 00:02:19
7:32 AM: Starting Registry Sweep
7:32 AM: Found Adware: azsearch toolbar
7:32 AM: HKCR\clsid\{a19ef336-01d4-48e6-926a-fe7e1c747aed}\ (11 subtraces) (ID = 103891)
7:32 AM: HKCR\clsid\{ba048011-957f-4ba0-a804-62c28d96f878}\ (20 subtraces) (ID = 103893)
7:32 AM: HKCR\clsid\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}\ (11 subtraces) (ID = 103895)
7:32 AM: HKLM\software\classes\clsid\{a19ef336-01d4-48e6-926a-fe7e1c747aed}\ (11 subtraces) (ID = 103915)
7:32 AM: HKLM\software\classes\clsid\{ba048011-957f-4ba0-a804-62c28d96f878}\ (20 subtraces) (ID = 103917)
7:32 AM: HKLM\software\classes\clsid\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}\ (11 subtraces) (ID = 103919)
7:32 AM: HKLM\software\classes\typelib\{42fc3840-020c-4e93-a34c-4df1a6330fbb}\ (9 subtraces) (ID = 103932)
7:32 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {a19ef336-01d4-48e6-926a-fe7e1c747aed} (ID = 103945)
7:32 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}\ (ID = 103949)
7:32 AM: HKLM\software\zsearchco\ (7 subtraces) (ID = 103954)
7:32 AM: HKCR\typelib\{42fc3840-020c-4e93-a34c-4df1a6330fbb}\ (9 subtraces) (ID = 103955)
7:32 AM: Found Adware: internetoptimizer
7:32 AM: HKCR\interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5}\ (8 subtraces) (ID = 128885)
7:32 AM: HKLM\software\classes\interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5}\ (8 subtraces) (ID = 128896)
7:32 AM: HKLM\software\microsoft\windows\currentversion\uninstall\rotue\ (ID = 128925)
7:32 AM: HKCR\clsid\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (11 subtraces) (ID = 135064)
7:32 AM: HKCR\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}\ (14 subtraces) (ID = 135065)
7:32 AM: HKCR\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135066)
7:32 AM: HKCR\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135069)
7:32 AM: HKCR\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135070)
7:32 AM: HKCR\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135071)
7:32 AM: HKCR\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135072)
7:32 AM: HKCR\nn_bar_dummy.nn_bardummy.1\ (3 subtraces) (ID = 135075)
7:32 AM: HKCR\nn_bar_dummy.nn_bardummy\ (5 subtraces) (ID = 135076)
7:32 AM: HKLM\software\classes\clsid\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (11 subtraces) (ID = 135077)
7:32 AM: HKLM\software\classes\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}\ (14 subtraces) (ID = 135078)
7:32 AM: HKLM\software\classes\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135079)
7:32 AM: HKLM\software\classes\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135082)
7:32 AM: HKLM\software\classes\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135083)
7:32 AM: HKLM\software\classes\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135084)
7:32 AM: HKLM\software\classes\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135085)
7:32 AM: HKLM\software\classes\nn_bar_dummy.nn_bardummy.1\ (3 subtraces) (ID = 135088)
7:32 AM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\ (5 subtraces) (ID = 135089)
7:32 AM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\clsid\ (1 subtraces) (ID = 135090)
7:32 AM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\curver\ (1 subtraces) (ID = 135091)
7:32 AM: HKLM\software\classes\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135092)
7:32 AM: HKLM\software\classes\typelib\{f8310e7d-4c4d-46a4-a068-b5bb99411cc7}\ (9 subtraces) (ID = 135093)
7:32 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135098)
7:32 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (1 subtraces) (ID = 135105)
7:32 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (2 subtraces) (ID = 135119)
7:32 AM: HKCR\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135121)
7:32 AM: HKCR\typelib\{f8310e7d-4c4d-46a4-a068-b5bb99411cc7}\ (9 subtraces) (ID = 135122)
7:32 AM: Found Adware: moneytree
7:32 AM: HKCR\interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0}\ (8 subtraces) (ID = 135185)
7:32 AM: Found Adware: ist yoursitebar
7:32 AM: HKCR\clsid\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (8 subtraces) (ID = 147829)
7:32 AM: HKLM\software\classes\ysbactivex.installer\ (3 subtraces) (ID = 147849)
7:32 AM: Found Adware: ist software
7:32 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
7:32 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
7:32 AM: HKCR\ysbactivex.installer\ (3 subtraces) (ID = 147869)
7:32 AM: Found Adware: zenosearchassistant
7:32 AM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\enhanced ads by zeno\ (2 subtraces) (ID = 147931)
7:32 AM: HKLM\software\microsoft\windows\currentversion\uninstall\enhanced ads by zeno\ (2 subtraces) (ID = 147934)
7:32 AM: Found Adware: quicklink search toolbar
7:32 AM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
7:32 AM: HKLM\software\ql\ (4 subtraces) (ID = 359458)
7:32 AM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
7:32 AM: Found Adware: psguard
7:32 AM: HKLM\software\psguard.com\psguard\ || installdir (ID = 849757)
7:32 AM: HKLM\software\qstat\ || brr (ID = 877670)
7:32 AM: HKLM\software\classes\clsid\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (8 subtraces) (ID = 920458)
7:32 AM: Found Adware: elitemediagroup-pop64
7:32 AM: HKCR\clsid\{9ac54695-69a4-46f1-be10-10c74f9520d5}\ (6 subtraces) (ID = 967504)
7:32 AM: HKCR\interface\{b216c7fc-397c-45f0-adfc-907df3c87339}\ (8 subtraces) (ID = 967532)
7:32 AM: HKCR\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967541)
7:32 AM: HKCR\typelib\{5bec549d-581b-4636-ae75-28645e8cddc1}\ (9 subtraces) (ID = 967550)
7:32 AM: HKLM\software\classes\clsid\{9ac54695-69a4-46f1-be10-10c74f9520d5}\ (6 subtraces) (ID = 967564)
7:32 AM: HKLM\software\classes\interface\{b216c7fc-397c-45f0-adfc-907df3c87339}\ (8 subtraces) (ID = 967592)
7:32 AM: HKLM\software\classes\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967601)
7:32 AM: HKLM\software\classes\typelib\{5bec549d-581b-4636-ae75-28645e8cddc1}\ (9 subtraces) (ID = 967610)
7:32 AM: HKLM\software\microsoft\windows\currentversion\uninstall\webnexus\ (2 subtraces) (ID = 1006191)
7:32 AM: HKCR\mirar_dummy_ats.mirar_dummy_ats1\ (5 subtraces) (ID = 1055242)
7:32 AM: HKCR\mirar_dummy_ats.mirar_dummy_ats1.1\ (3 subtraces) (ID = 1055248)
7:32 AM: HKCR\mirar_dummy_ats.mirar_dummy_ats1.1\clsid\ (1 subtraces) (ID = 1055250)
7:32 AM: HKCR\clsid\{8a0dcbdb-6e20-489c-9041-c1e8a0352e75}\ (11 subtraces) (ID = 1055256)
7:32 AM: HKCR\typelib\{34568171-e2ca-4fcd-a99f-43771f766b8a}\ (9 subtraces) (ID = 1055268)
7:32 AM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1\ (5 subtraces) (ID = 1055285)
7:32 AM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1.1\ (3 subtraces) (ID = 1055291)
7:32 AM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1.1\clsid\ (1 subtraces) (ID = 1055293)
7:32 AM: HKLM\software\classes\clsid\{8a0dcbdb-6e20-489c-9041-c1e8a0352e75}\ (11 subtraces) (ID = 1055311)
7:32 AM: HKLM\software\classes\typelib\{34568171-e2ca-4fcd-a99f-43771f766b8a}\ (9 subtraces) (ID = 1055323)
7:32 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\winats.dll (ID = 1055333)
7:32 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/winats.dll\ (2 subtraces) (ID = 1066860)
7:32 AM: Found Adware: purityscan
7:32 AM: HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroupoin\ (2 subtraces) (ID = 1070163)
7:32 AM: HKLM\software\microsoft\windows\currentversion\run\ || browserupdatesched (ID = 1075246)
7:32 AM: HKLM\software\microsoft\code store database\distribution units\{9ac54695-69a4-46f1-be10-10c74f9520d5}\ (12 subtraces) (ID = 1122691)
7:32 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/elite.ocx\ (2 subtraces) (ID = 1137453)
7:32 AM: Found Adware: ezula ilookup
7:32 AM: HKLM\software\microsoft\bit1ocker\ (1 subtraces) (ID = 1157705)
7:32 AM: HKCR\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (6 subtraces) (ID = 1212644)
7:32 AM: HKLM\software\classes\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (6 subtraces) (ID = 1212651)
7:32 AM: HKLM\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}\ (2 subtraces) (ID = 1212690)
7:32 AM: HKU\S-1-5-21-4151388396-867582294-2632940306-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
7:32 AM: Found Adware: ist sidefind
7:32 AM: HKU\S-1-5-21-4151388396-867582294-2632940306-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
7:32 AM: Registry Sweep Complete, Elapsed Time:00:00:18
7:32 AM: Starting Cookie Sweep
7:32 AM: Cookie Sweep Complete, Elapsed Time: 00:00:06
7:32 AM: Starting File Sweep
7:32 AM: Found Adware: apropos
7:32 AM: c:\documents and settings\owner\local settings\temp\~compoundinst0 (1 subtraces) (ID = -2147481413)
7:32 AM: c:\documents and settings\owner\application data\psguard.com (11 subtraces) (ID = -2147480442)
7:32 AM: c:\program files\quick links (2 subtraces) (ID = -2147478145)
7:35 AM: uninst.exe (ID = 73428)
7:35 AM: preuninstallql.exe (ID = 131326)
7:37 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:37 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:37 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:37 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:37 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:37 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:37 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:37 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:38 AM: ag[1].exe (ID = 254879)
7:40 AM: e9b15.tmp (ID = 153752)
7:41 AM: wkfli.exe (ID = 268934)
7:41 AM: qrdsregj.exe (ID = 293)
7:41 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || {74-48-88-80-ZN} (ID = 0)
7:41 AM: dwdsregt.exe (ID = 235995)
7:41 AM: mediaview[1].cab (ID = 187158)
7:41 AM: elite.ocx (ID = 187157)
7:41 AM: elite.inf (ID = 187156)
7:41 AM: justin2[1].exe (ID = 247604)
7:41 AM: justin2.exe (ID = 247604)
7:41 AM: gbnhih.exe (ID = 268995)
7:41 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || fsryif (ID = 0)
7:41 AM: HKU\S-1-5-21-4151388396-867582294-2632940306-1003\Software\Microsoft\Windows\CurrentVersion\Run || cpyaj (ID = 0)
7:41 AM: yjaio.exe (ID = 268995)
7:41 AM: lydkt.dat (ID = 268995)
7:41 AM: hglpsms.exe (ID = 268932)
7:41 AM: minhype.dll (ID = 268933)
7:41 AM: zifi002[1].exe (ID = 235993)
7:41 AM: unwn.exe (ID = 268798)
7:41 AM: 876057[1].exe (ID = 185463)
7:41 AM: 876057.exe (ID = 185463)
7:41 AM: winnb57.dll (ID = 185460)
7:41 AM: windmy.dll (ID = 70014)
7:41 AM: yoinsi[1].exe (ID = 213483)
7:41 AM: yoinsi.exe (ID = 213483)
7:41 AM: eliteunstall[1].exe (ID = 244416)
7:41 AM: eliteunstall.exe (ID = 244416)
7:41 AM: elitemediagroupoinuninstaller.exe (ID = 213484)
7:41 AM: winats[1].cab (ID = 208237)
7:41 AM: winats.dll (ID = 208226)
7:41 AM: yjaio.execommon startup (ID = 268995)
7:41 AM: wkfli.exe.tmp (ID = 268934)
7:41 AM: nt68rrtc12.sys (ID = 220230)
7:43 AM: msnav32.ax (ID = 220229)
7:43 AM: zeno.lnk (ID = 146127)
7:43 AM: winats.inf (ID = 208224)
7:44 AM: File Sweep Complete, Elapsed Time: 00:11:49
7:44 AM: Full Sweep has completed. Elapsed time 00:14:39
7:44 AM: Traces Found: 805
7:45 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:45 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:45 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:45 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:45 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:45 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:45 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:45 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:45 AM: Removal process initiated
7:46 AM: Quarantining All Traces: clkoptimizer
7:46 AM: clkoptimizer is in use. It will be removed on reboot.
7:46 AM: gbnhih.exe is in use. It will be removed on reboot.
7:46 AM: yjaio.exe is in use. It will be removed on reboot.
7:46 AM: minhype.dll is in use. It will be removed on reboot.
7:46 AM: C:\WINDOWS\system32\minhype.dll is in use. It will be removed on reboot.
7:46 AM: C:\WINDOWS\system32\gbnhih.exe is in use. It will be removed on reboot.
7:46 AM: Quarantining All Traces: purityscan
7:46 AM: Quarantining All Traces: apropos
7:46 AM: Quarantining All Traces: azsearch toolbar
7:46 AM: Quarantining All Traces: internetoptimizer
7:46 AM: Quarantining All Traces: quicklink search toolbar
7:46 AM: Quarantining All Traces: elitemediagroup-pop64
7:46 AM: Quarantining All Traces: ezula ilookup
7:46 AM: Quarantining All Traces: ist sidefind
7:46 AM: Quarantining All Traces: ist software
7:46 AM: Quarantining All Traces: ist yoursitebar
7:46 AM: Quarantining All Traces: mirar webband
7:46 AM: mirar webband is in use. It will be removed on reboot.
7:46 AM: winnb57.dll is in use. It will be removed on reboot.
7:46 AM: Quarantining All Traces: moneytree
7:46 AM: Quarantining All Traces: psguard
7:46 AM: Quarantining All Traces: zenosearchassistant
7:46 AM: zenosearchassistant is in use. It will be removed on reboot.
7:46 AM: qrdsregj.exe is in use. It will be removed on reboot.
7:47 AM: Preparing to restart your computer. Please wait...
7:47 AM: Removal process completed. Elapsed time 00:01:32
********
7:26 AM: | Start of Session, Friday, March 24, 2006 |
7:26 AM: Spy Sweeper started
7:27 AM: Your spyware definitions have been updated.
7:29 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:29 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:29 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:29 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
7:30 AM: | End of Session, Friday, March 24, 2006 |
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:31:18 AM, 3/24/2006
+ Report-Checksum: 7897FEF3

+ Scan result:

HKLM\SOFTWARE\PSGuard.com -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Adware.PSGuard : Cleaned with backup
HKU\S-1-5-21-4151388396-867582294-2632940306-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-4151388396-867582294-2632940306-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} -> Adware.LinkMaker : Cleaned with backup
HKU\S-1-5-21-4151388396-867582294-2632940306-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A19EF336-01D4-48E6-926A-FE7E1C747AED} -> Adware.MWSearch : Cleaned with backup
HKU\S-1-5-21-4151388396-867582294-2632940306-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DA7FF3F8-08BE-4CAC-BC00-94D91C6AE7F4} -> Adware.MWSearch : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G1IN4TUF\bu7dyo4f[1].exe -> Downloader.Small.afi : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPYBCDI3\installer_2512[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\bu7dyo4f.exe -> Downloader.Small.afi : Cleaned with backup
C:\WINDOWS\system32\kzvegfyn.kkn -> Hijacker.Small.js : Cleaned with backup
C:\WINDOWS\system32\lwinsrag.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 8:34:05 AM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\SPYWARE\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hglpsms.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst10.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared&#

#4 Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 24 March 2006 - 11:05 AM

Hello Piecer,

Your HijackThis log got cut off. Please post another log so I can analyze it.

Thanks,
Susan

Proud member of ASAP since 2005

#5 PIECER

    New Member

  • Authentic Member
  • 18 posts

Posted 25 March 2006 - 09:27 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:21:29 AM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hglpsms.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst10.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 Susan528


Posted 25 March 2006 - 11:01 AM

Hello Piecer,

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click Options over to the left, then program options, then uncheck "load at windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Disable Ewido:
Please disable Ewido, as it may interfere with the fix.
To disable Ewido:
From the system tray:
  • Right-click the system tray icon and uncheck real time protection.
    or From within Ewido -
  • Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.
Once your log is clean you can re-enable Ewido.

Close all programs leaving only HijackThis running. Place a check against each of the following:
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst10.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\system32\nst10.dll <== file
ShowWnd.exe <== do a search to find file
Exit Explorer, and reboot as normal afterwards.


Post back a fresh HijackThis log and we will take another look.

#7 PIECER


Posted 27 March 2006 - 09:45 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:35:59 AM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hglpsms.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
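
Added example (not part of the original thread, and not code from HijackThis or the forum): one way to confirm that a "Fix Checked" pass took effect is to diff the entry lines of the log taken before the fix against the log taken after it. The three sample strings are excerpts trimmed from the 25 March log, the 27 March log and the fix list in post #6; the function and variable names are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# A HijackThis entry line is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ...".
# Header and running-process lines carry no section code and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the section-coded entries of a HijackThis log, in log order."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2).strip()))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare folded.
    return (entry.section, entry.text.casefold())


def verify_fix(before_log, after_log, flagged_text):
    """Compare two logs against the list of entries that were to be fixed."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    flagged = parse_entries(flagged_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    flagged_keys = {_key(e) for e in flagged}
    return {
        # Flagged entries that are still listed after the fix and reboot.
        "still_present": [e for e in flagged if _key(e) in after_keys],
        # Entries that disappeared although they were not on the fix list.
        "removed_unflagged": [e for e in before
                              if _key(e) not in after_keys
                              and _key(e) not in flagged_keys],
        # Entries that appear only in the later log.
        "added": [e for e in after if _key(e) not in before_keys],
    }


# Excerpt trimmed from the 25 March log in this thread.
LOG_25_MARCH = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:21:29 AM, on 3/25/2006

Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst10.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
"""

# Excerpt trimmed from the 27 March log in this thread.
LOG_27_MARCH = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:35:59 AM, on 3/27/2006

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# Subset of the fix list from post #6 that matches the excerpt above.
FIX_LIST = r"""
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst10.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
"""

if __name__ == "__main__":
    report = verify_fix(LOG_25_MARCH, LOG_27_MARCH, FIX_LIST)
    for name, entries in report.items():
        print(name)
        for entry in entries:
            print("   ", entry.section, "-", entry.text)
```

On these excerpts every flagged entry is gone and nothing new appeared; the only removal that was not on the fix list is the SpySweeper Run entry, which is consistent with the instruction to uncheck "load at windows startup".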

#8 Susan528


Posted 27 March 2006 - 09:59 AM

Hello Piecer,

Please update your Java for security reasons.

Update Your Java
  • Uninstall any and all versions you have listed in add/remove programs
  • Install the latest version from here: http://www.java.com/en/
If you or your administrator did not set Policies, then check; otherwise forget this!
Close all programs leaving only HijackThis running. Place a check against each of the following:
These options should only appear if your administrator set them on purpose or if you used Spybot's Home Page and Option Lock down features in the Immunize section of Spybot.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
Click on Fix Checked when finished and exit HijackThis.

Post back a fresh HijackThis log and I will check your java version.

#9 PIECER


Posted 29 March 2006 - 10:41 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:35:30 AM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hglpsms.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Startup: Chicken Little Registration.lnk = C:\GAMES\CHICKEN\ereg\DSN1.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 Susan528


Posted 30 March 2006 - 04:21 AM

Hello Piecer,

Your HijackThis log appears to be clean, but I would like more information about this PSGuard.com which showed up in your SpySweeper log.

HKLM\SOFTWARE\PSGuard.com -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Adware.PSGuard : Cleaned with backup

Please do the following:

Please download RegScan.
Within RegScan.zip you will find the file regscan.vbs
You may have to allow this script to run or disable anti-spyware again in order for it to run.
A window will open titled RegFinder.vbs and you will see a place to input search terms.
Please enter the search terms:
PSGuard
After the search has completed a window titled Results.txt will open.
Please copy the results and post(reply) back.

#11 PIECER


Posted 03 April 2006 - 09:04 AM

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038
; 4/3/2006 7:55:59 AM
; Search Term(s) Used: "PSGUARD"
; 7 matches were found.
; The search took 17 seconds.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\P.S.Guard]
"item"="PSGuard"
"command"="C:\\Program Files\\P.S.Guard\\PSGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\PSGuard.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\PSGuard.com\PSGuard]
"RegistrationUrl"="http://www.psguard.c...egister/50.0.2"

[HKEY_LOCAL_MACHINE\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard]

[HKEY_USERS\S-1-5-21-4151388396-867582294-2632940306-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="psguard"

THANKS AGAIN SUSAN...BTW I DO NOT USE THIS PROGRAM AT ALL.

#12 Susan528


Posted 03 April 2006 - 02:16 PM

Hello Piecer,

Please do the following:

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Reboot to get out of safe mode.
STEP 1.
======
Panda Active Scan
Please go to Panda ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, by using Add Reply.

Edited by Susan528, 03 April 2006 - 03:12 PM.


#13 PIECER


Posted 04 April 2006 - 09:25 AM

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 04/04/2006
The current time is: 7:46:28.70

Running from
C:\Documents and Settings\Owner\My Documents\SPYWARE\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key present!



Running LTDFix/PSGuard.com fix!



PSGuard.com key was successfully removed! :)


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

wp.bmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 776 'explorer.exe'
Killing PID 776 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\owner@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bfast[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bravenet[1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter10.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter7.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cs.sexcounter[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Owner\Cookies\owner@data.coremetrics[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Owner\Cookies\owner@errorguard[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Owner\Cookies\owner@linksynergy[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@media.fastclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/Mp3search Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mp3search[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Owner\Cookies\owner@paypopup[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Owner\Cookies\owner@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\owner@sel.as-eu.falkag[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Owner\Cookies\owner@sexlist[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Owner\Cookies\owner@sextracker[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@winfixer[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xmts[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\SPYWARE\smitRem\Process.exe

Logfile of HijackThis v1.99.1
Scan saved at 8:18:50 AM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\SPYWARE\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hglpsms.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: Chicken Little Registration.lnk = C:\GAMES\CHICKEN\ereg\DSN1.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Owner\My Documents\SPYWARE\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 04 April 2006 - 10:45 AM

Posted below!

Edited by Susan528, 04 April 2006 - 10:48 AM.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#15 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 04 April 2006 - 10:47 AM

Hello Piecer,

Your HijackThis log appears to be clean, and now you just need to delete cookies.
You can delete the following tool that we used too.
C:\Documents and Settings\Owner\My Documents\SPYWARE\smitRem\ <== folder

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

STEP 1.-
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

STEP 2.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • You can also find more info on how to prevent malware here (By Tony Klein)
    and here: http://wiki.castleco...nt_Re-infection
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan