Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Helpless Collge Girl Victimized by Unknown Virus

Started by karin anne , Apr 16 2006 11:46 AM

  • This topic is locked This topic is locked
6 replies to this topic

#1 karin anne

karin anne

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 16 April 2006 - 11:46 AM

Yesterday my symantec antivirus real time protection notified me that there is a virus on my c:\windows\system32\byxwv.dll file. The antivirus could not fix or quarantine it. I can't find anything on google about it except a couple of logs in french, which do me no good.

Also-- I looked at the processes in my task manager.. there in a winlogon.exe that is taking up most of my cpu. everything is very slow. There are also 6 processes labled as svchost.exe running.

I ran a search for extra winlogon files other than in system32, and there were a few which i deleted, but they keep returning.

Another weird thing- if I run Ad-Aware the computer shuts down. Microsoft Antispyware on the other hand runs fine and doesn't catch anything.

Also, I am having problems running in safe mode. Either it just wont recognize that I pressed f8, or it will start going into safe mode and freeze.

Please help me! This is the last 2 weeks before the end of the semester and absolutely the worst weekend for my computer to malfunction. I have a 20 pg research paper to work on, as well as 3 other 5 page papers. Woe is me!

Here is the HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:25:35 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingto...asia/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\rqolm.dll
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\byxwv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O20 - Winlogon Notify: byxwv - C:\WINDOWS\SYSTEM32\byxwv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqolm - C:\WINDOWS\system32\rqolm.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
xoxo karin anne

    Advertisements

Register to Remove

#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 16 April 2006 - 03:01 PM

Hello karin anne, welcome to the TC.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Resullts from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#3 karin anne

karin anne

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 16 April 2006 - 06:41 PM

thanks so much! spy sweeper found the virus, trojan-downloader-conhook, plus a lot of spyware that my other programs didn't catch. the only weird thing is that while it was fixing the problems, it suddnely turned off and restarted. i am not sure if that is nomral or not. the computer seems to be running at normal speed again, and norton isnt bothering me about the virus anymore so im assuming its gone. here is the log, as well as the new hj log:

********
7:37 PM: | Start of Session, Sunday, April 16, 2006 |
7:37 PM: Spy Sweeper started
7:37 PM: Sweep initiated using definitions version 658
7:37 PM: Found Adware: virtumonde
7:37 PM: HKCR\clsid\{2353fcbc-012d-487b-8bf3-865c0929fbeb}\inprocserver32\ (2 subtraces) (ID = 1142174)
7:37 PM: rqolm.dll (ID = 1142174)
7:37 PM: Found Trojan Horse: trojan-downloader-conhook
7:37 PM: HKCR\clsid\{adcd30ff-0119-4906-8a8b-d52d1eed044b}\inprocserver32\ (2 subtraces) (ID = 1223972)
7:37 PM: byxwv.dll (ID = 1223972)
7:37 PM: Starting Memory Sweep
7:37 PM: Detected running threat: C:\WINDOWS\system32\byxwv.dll (ID = 274080)
7:38 PM: Detected running threat: C:\WINDOWS\system32\rqolm.dll (ID = 77)
7:41 PM: Memory Sweep Complete, Elapsed Time: 00:03:52
7:41 PM: Starting Registry Sweep
7:41 PM: Found Adware: blazefind
7:41 PM: HKLM\software\classes\winctladx.installer\ (3 subtraces) (ID = 104503)
7:41 PM: HKCR\winctladx.installer\ (3 subtraces) (ID = 104569)
7:41 PM: Found Adware: ieplugin
7:41 PM: HKLM\software\classes\typelib\{074a9743-0517-454c-b2f4-ff964de43e4c}\ (9 subtraces) (ID = 128168)
7:41 PM: HKCR\typelib\{074a9743-0517-454c-b2f4-ff964de43e4c}\ (9 subtraces) (ID = 128200)
7:41 PM: Found Adware: syncroad
7:41 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\syncroadx.dll (ID = 143515)
7:41 PM: HKCR\atldistrib.atldistrib\ (5 subtraces) (ID = 1030533)
7:41 PM: HKCR\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030535)
7:41 PM: HKCR\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030537)
7:41 PM: HKCR\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030539)
7:41 PM: HKCR\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030541)
7:41 PM: HKLM\software\classes\atldistrib.atldistrib\ (5 subtraces) (ID = 1030666)
7:41 PM: HKLM\software\classes\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030668)
7:41 PM: HKLM\software\classes\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030670)
7:41 PM: HKLM\software\classes\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030672)
7:41 PM: HKLM\software\classes\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030674)
7:41 PM: HKCR\clsid\{2353fcbc-012d-487b-8bf3-865c0929fbeb}\ (12 subtraces) (ID = 1124723)
7:41 PM: HKLM\software\classes\clsid\{2353fcbc-012d-487b-8bf3-865c0929fbeb}\ (12 subtraces) (ID = 1124736)
7:41 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{2353fcbc-012d-487b-8bf3-865c0929fbeb}\ (ID = 1124749)
7:41 PM: HKCR\clsid\{adcd30ff-0119-4906-8a8b-d52d1eed044b}\ (3 subtraces) (ID = 1223957)
7:41 PM: HKLM\software\classes\clsid\{adcd30ff-0119-4906-8a8b-d52d1eed044b}\ (3 subtraces) (ID = 1223961)
7:41 PM: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {adcd30ff-0119-4906-8a8b-d52d1eed044b} (ID = 1223965)
7:41 PM: Found Adware: ebates money maker
7:41 PM: HKU\S-1-5-21-4268582733-1274370631-3825234021-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
7:41 PM: HKU\S-1-5-21-4268582733-1274370631-3825234021-1006\software\enhsrch\ (124 subtraces) (ID = 128172)
7:41 PM: Found Adware: drsnsrch hijacker
7:41 PM: HKU\S-1-5-21-4268582733-1274370631-3825234021-1006\software\dsrch\ (11 subtraces) (ID = 509156)
7:41 PM: Found Adware: powwa bar
7:41 PM: HKU\S-1-5-21-4268582733-1274370631-3825234021-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-c0ff-fd6da382b52d} (ID = 510639)
7:41 PM: Registry Sweep Complete, Elapsed Time:00:00:11
7:41 PM: Starting Cookie Sweep
7:41 PM: Found Spy Cookie: primaryads cookie
7:41 PM: karin curtis@1.primaryads[1].txt (ID = 3190)
7:41 PM: Found Spy Cookie: 2o7.net cookie
7:41 PM: karin curtis@112.2o7[2].txt (ID = 1958)
7:41 PM: Found Spy Cookie: 247realmedia cookie
7:41 PM: karin curtis@247realmedia[1].txt (ID = 1953)
7:41 PM: karin curtis@2o7[1].txt (ID = 1957)
7:41 PM: Found Spy Cookie: 498 cookie
7:41 PM: karin curtis@498[1].txt (ID = 1975)
7:41 PM: Found Spy Cookie: 5 cookie
7:41 PM: karin curtis@5[1].txt (ID = 1979)
7:41 PM: Found Spy Cookie: 64.62.232 cookie
7:41 PM: karin curtis@64.62.232[1].txt (ID = 1987)
7:41 PM: karin curtis@64.62.232[2].txt (ID = 1987)
7:41 PM: Found Spy Cookie: 888 cookie
7:41 PM: karin curtis@888[1].txt (ID = 2019)
7:41 PM: karin curtis@888[2].txt (ID = 2019)
7:41 PM: Found Spy Cookie: websponsors cookie
7:41 PM: karin curtis@a.websponsors[1].txt (ID = 3665)
7:41 PM: Found Spy Cookie: aa cookie
7:41 PM: karin curtis@aa[1].txt (ID = 2029)
7:41 PM: Found Spy Cookie: go.com cookie
7:41 PM: karin curtis@abc.go[2].txt (ID = 2729)
7:41 PM: karin curtis@abcnews.go[1].txt (ID = 2729)
7:41 PM: Found Spy Cookie: abetterinternet cookie
7:41 PM: karin curtis@abetterinternet[1].txt (ID = 2035)
7:41 PM: Found Spy Cookie: about cookie
7:41 PM: karin curtis@about[1].txt (ID = 2037)
7:41 PM: Found Spy Cookie: accoona cookie
7:41 PM: karin curtis@accoona[2].txt (ID = 2041)
7:41 PM: Found Spy Cookie: yieldmanager cookie
7:41 PM: karin curtis@ad.yieldmanager[2].txt (ID = 3751)
7:41 PM: karin curtis@add.about[2].txt (ID = 2038)
7:41 PM: Found Spy Cookie: adecn cookie
7:41 PM: karin curtis@adecn[2].txt (ID = 2063)
7:41 PM: Found Spy Cookie: adknowledge cookie
7:41 PM: karin curtis@adknowledge[2].txt (ID = 2072)
7:41 PM: Found Spy Cookie: adlegend cookie
7:41 PM: karin curtis@adlegend[2].txt (ID = 2074)
7:41 PM: Found Spy Cookie: hbmediapro cookie
7:41 PM: karin curtis@adopt.hbmediapro[2].txt (ID = 2768)
7:41 PM: Found Spy Cookie: precisead cookie
7:41 PM: karin curtis@adopt.precisead[2].txt (ID = 3182)
7:41 PM: Found Spy Cookie: specificclick.com cookie
7:41 PM: karin curtis@adopt.specificclick[2].txt (ID = 3400)
7:41 PM: Found Spy Cookie: adprofile cookie
7:41 PM: karin curtis@adprofile[1].txt (ID = 2084)
7:41 PM: Found Spy Cookie: adrevolver cookie
7:41 PM: karin curtis@adrevolver[1].txt (ID = 2088)
7:41 PM: karin curtis@adrevolver[2].txt (ID = 2088)
7:41 PM: Found Spy Cookie: addynamix cookie
7:41 PM: karin curtis@ads.addynamix[1].txt (ID = 2062)
7:41 PM: Found Spy Cookie: cc214142 cookie
7:41 PM: karin curtis@ads.cc214142[1].txt (ID = 2367)
7:41 PM: Found Spy Cookie: euniverseads cookie
7:41 PM: karin curtis@ads.euniverseads[1].txt (ID = 2630)
7:41 PM: Found Spy Cookie: pointroll cookie
7:41 PM: karin curtis@ads.pointroll[2].txt (ID = 3148)
7:41 PM: Found Spy Cookie: bpath cookie
7:41 PM: karin curtis@ads18.bpath[1].txt (ID = 2321)
7:41 PM: Found Spy Cookie: adtech cookie
7:41 PM: karin curtis@adtech[2].txt (ID = 2155)
7:41 PM: Found Spy Cookie: adultfriendfinder cookie
7:41 PM: karin curtis@adultfriendfinder[1].txt (ID = 2165)
7:41 PM: Found Spy Cookie: advertising cookie
7:41 PM: karin curtis@advertising[2].txt (ID = 2175)
7:41 PM: Found Spy Cookie: affiliate cookie
7:41 PM: karin curtis@affiliate[1].txt (ID = 2199)
7:41 PM: karin curtis@alcoholism.about[1].txt (ID = 2038)
7:41 PM: Found Spy Cookie: alt cookie
7:41 PM: karin curtis@alt[2].txt (ID = 2217)
7:41 PM: Found Spy Cookie: tacoda cookie
7:41 PM: karin curtis@anat.tacoda[1].txt (ID = 6445)
7:41 PM: Found Spy Cookie: apmebf cookie
7:41 PM: karin curtis@apmebf[1].txt (ID = 2229)
7:41 PM: karin curtis@app.abc.go[1].txt (ID = 2729)
7:41 PM: Found Spy Cookie: atwola cookie
7:41 PM: karin curtis@ar.atwola[1].txt (ID = 2256)
7:41 PM: Found Spy Cookie: falkag cookie
7:41 PM: karin curtis@as-us.falkag[1].txt (ID = 2650)
7:41 PM: Found Spy Cookie: casalemedia cookie
7:41 PM: karin curtis@as.casalemedia[1].txt (ID = 2355)
7:41 PM: Found Spy Cookie: askmen cookie
7:41 PM: karin curtis@askmen[2].txt (ID = 2247)
7:41 PM: Found Spy Cookie: ask cookie
7:41 PM: karin curtis@ask[2].txt (ID = 2245)
7:41 PM: Found Spy Cookie: atlas dmt cookie
7:41 PM: karin curtis@atdmt[2].txt (ID = 2253)
7:41 PM: Found Spy Cookie: belnk cookie
7:41 PM: karin curtis@ath.belnk[1].txt (ID = 2293)
7:41 PM: karin curtis@atheism.about[1].txt (ID = 2038)
7:41 PM: karin curtis@atwola[1].txt (ID = 2255)
7:41 PM: karin curtis@autorepair.about[2].txt (ID = 2038)
7:41 PM: Found Spy Cookie: azjmp cookie
7:41 PM: karin curtis@azjmp[2].txt (ID = 2270)
7:41 PM: Found Spy Cookie: a cookie
7:41 PM: karin curtis@a[1].txt (ID = 2027)
7:41 PM: karin curtis@a[2].txt (ID = 2027)
7:41 PM: karin curtis@a[3].txt (ID = 2027)
7:41 PM: karin curtis@a[4].txt (ID = 2027)
7:41 PM: Found Spy Cookie: inet-traffic.com cookie
7:41 PM: karin curtis@banner3.inet-traffic[1].txt (ID = 2856)
7:41 PM: Found Spy Cookie: banner cookie
7:41 PM: karin curtis@banner[2].txt (ID = 2276)
7:41 PM: karin curtis@beauty.about[2].txt (ID = 2038)
7:41 PM: karin curtis@belnk[1].txt (ID = 2292)
7:41 PM: Found Spy Cookie: bizrate cookie
7:41 PM: karin curtis@bizrate[2].txt (ID = 2308)
7:41 PM: Found Spy Cookie: bluestreak cookie
7:41 PM: karin curtis@bluestreak[1].txt (ID = 2314)
7:41 PM: karin curtis@bookspan.122.2o7[1].txt (ID = 1958)
7:41 PM: Found Spy Cookie: bravenet cookie
7:41 PM: karin curtis@bravenet[1].txt (ID = 2322)
7:41 PM: Found Spy Cookie: bs.serving-sys cookie
7:41 PM: karin curtis@bs.serving-sys[1].txt (ID = 2330)
7:41 PM: Found Spy Cookie: btgrab cookie
7:41 PM: karin curtis@btg.btgrab[2].txt (ID = 2333)
7:41 PM: Found Spy Cookie: burstnet cookie
7:41 PM: karin curtis@burstnet[2].txt (ID = 2336)
7:41 PM: karin curtis@buycom.122.2o7[1].txt (ID = 1958)
7:41 PM: Found Spy Cookie: enhance cookie
7:41 PM: karin curtis@c.enhance[2].txt (ID = 2614)
7:41 PM: Found Spy Cookie: barelylegal cookie
7:41 PM: karin curtis@c.fsx[1].txt (ID = 2286)
7:41 PM: Found Spy Cookie: zedo cookie
7:41 PM: karin curtis@c5.zedo[1].txt (ID = 3763)
7:41 PM: Found Spy Cookie: callwave cookie
7:41 PM: karin curtis@callwave[2].txt (ID = 2342)
7:41 PM: karin curtis@casalemedia[1].txt (ID = 2354)
7:41 PM: Found Spy Cookie: cassava cookie
7:41 PM: karin curtis@cassava[1].txt (ID = 2362)
7:41 PM: karin curtis@cats.about[2].txt (ID = 2038)
7:41 PM: Found Spy Cookie: adbureau cookie
7:41 PM: karin curtis@cent.adbureau[1].txt (ID = 2060)
7:41 PM: karin curtis@chicagosuntimes.122.2o7[1].txt (ID = 1958)
7:41 PM: karin curtis@classicrock.about[2].txt (ID = 2038)
7:41 PM: Found Spy Cookie: classmates cookie
7:41 PM: karin curtis@classmates[2].txt (ID = 2384)
7:41 PM: Found Spy Cookie: clickbank cookie
7:41 PM: karin curtis@clickbank[1].txt (ID = 2398)
7:41 PM: Found Spy Cookie: cliks cookie
7:41 PM: karin curtis@cliks[1].txt (ID = 2414)
7:41 PM: karin curtis@cnn.122.2o7[1].txt (ID = 1958)
7:41 PM: Found Spy Cookie: tickle cookie
7:41 PM: karin curtis@cookie.tickle[1].txt (ID = 3530)
7:41 PM: karin curtis@coxhsi.112.2o7[1].txt (ID = 1958)
7:41 PM: karin curtis@cratebarrel.112.2o7[1].txt (ID = 1958)
7:41 PM: Found Spy Cookie: 360i cookie
7:41 PM: karin curtis@ct.360i[1].txt (ID = 1962)
7:41 PM: Found Spy Cookie: customer cookie
7:41 PM: karin curtis@customer[1].txt (ID = 2481)
7:41 PM: karin curtis@customer[2].txt (ID = 2481)
7:41 PM: karin curtis@customer[3].txt (ID = 2481)
7:41 PM: karin curtis@customer[4].txt (ID = 2481)
7:41 PM: karin curtis@customer[5].txt (ID = 2481)
7:41 PM: karin curtis@customer[6].txt (ID = 2481)
7:41 PM: Found Spy Cookie: clickzs cookie
7:41 PM: karin curtis@cz3.clickzs[2].txt (ID = 2413)
7:41 PM: Found Spy Cookie: overture cookie
7:41 PM: karin curtis@data2.perf.overture[1].txt (ID = 3106)
7:41 PM: karin curtis@data3.perf.overture[2].txt (ID = 3106)
7:41 PM: karin curtis@dc.about[1].txt (ID = 2038)
7:41 PM: karin curtis@deafness.about[1].txt (ID = 2038)
7:41 PM: Found Spy Cookie: dealtime cookie
7:41 PM: karin curtis@dealtime[2].txt (ID = 2505)
7:41 PM: karin curtis@delivery.inet-traffic[2].txt (ID = 2856)
7:41 PM: Found Spy Cookie: desktop kazaa cookie
7:41 PM: karin curtis@desktop.kazaa[2].txt (ID = 2515)
7:41 PM: Found Spy Cookie: did-it cookie
7:41 PM: karin curtis@did-it[1].txt (ID = 2523)
7:41 PM: Found Spy Cookie: directtrack cookie
7:41 PM: karin curtis@digitalmoses.directtrack[2].txt (ID = 2528)
7:41 PM: karin curtis@disney.go[1].txt (ID = 2729)
7:41 PM: karin curtis@dist.belnk[1].txt (ID = 2293)
7:41 PM: Found Spy Cookie: webservicehosts cookie
7:41 PM: karin curtis@dr.webservicehosts[1].txt (ID = 3663)
7:41 PM: karin curtis@drawsketch.about[1].txt (ID = 2038)
7:41 PM: Found Spy Cookie: localnrd cookie
7:41 PM: karin curtis@drk.localnrd[2].txt (ID = 2933)
7:41 PM: Found Spy Cookie: ru4 cookie
7:41 PM: karin curtis@edge.ru4[1].txt (ID = 3269)
7:41 PM: karin curtis@espn.go[1].txt (ID = 2729)
7:41 PM: Found Spy Cookie: exitexchange cookie
7:41 PM: karin curtis@exitexchange[2].txt (ID = 2633)
7:41 PM: karin curtis@experts.about[1].txt (ID = 2038)
7:41 PM: Found Spy Cookie: fastclick cookie
7:41 PM: karin curtis@fastclick[2].txt (ID = 2651)
7:41 PM: karin curtis@geography.about[1].txt (ID = 2038)
7:41 PM: Found Spy Cookie: go2net.com cookie
7:41 PM: karin curtis@go2net[1].txt (ID = 2730)
7:41 PM: Found Spy Cookie: gostats cookie
7:41 PM: karin curtis@gostats[1].txt (ID = 2747)
7:41 PM: Found Spy Cookie: gotoast cookie
7:41 PM: karin curtis@gotoast[1].txt (ID = 2751)
7:41 PM: karin curtis@go[2].txt (ID = 2728)
7:41 PM: karin curtis@hbmediapro[1].txt (ID = 2767)
7:41 PM: Found Spy Cookie: humanclick cookie
7:41 PM: karin curtis@hc2.humanclick[2].txt (ID = 2810)
7:41 PM: Found Spy Cookie: clickandtrack cookie
7:41 PM: karin curtis@hits.clickandtrack[2].txt (ID = 2397)
7:41 PM: Found Spy Cookie: hitstats.net cookie
7:41 PM: karin curtis@hitstats[2].txt (ID = 2791)
7:41 PM: Found Spy Cookie: homestore cookie
7:41 PM: karin curtis@homestore[2].txt (ID = 2793)
7:41 PM: karin curtis@honeymoons.about[1].txt (ID = 2038)
7:41 PM: Found Spy Cookie: hotmatch cookie
7:41 PM: karin curtis@hotmatch[1].txt (ID = 3854)
7:41 PM: Found Spy Cookie: qsrch cookie
7:41 PM: karin curtis@hs.qsrch[1].txt (ID = 3216)
7:41 PM: Found Spy Cookie: hypertracker.com cookie
7:41 PM: karin curtis@hypertracker[2].txt (ID = 2817)
7:41 PM: Found Spy Cookie: screensavers.com cookie
7:41 PM: karin curtis@i.screensavers[1].txt (ID = 3298)
7:41 PM: Found Spy Cookie: ic-live cookie
7:41 PM: karin curtis@ic-live[1].txt (ID = 2821)
7:41 PM: Found Spy Cookie: infospace cookie
7:41 PM: karin curtis@infospace[1].txt (ID = 2865)
7:41 PM: Found Spy Cookie: kount cookie
7:41 PM: karin curtis@kount[1].txt (ID = 2911)
7:41 PM: Found Spy Cookie: netster cookie
7:41 PM: karin curtis@lb3.netster[1].txt (ID = 3072)
7:41 PM: Found Spy Cookie: linksynergy cookie
7:41 PM: karin curtis@linksynergy[1].txt (ID = 2926)
7:41 PM: Found Spy Cookie: webtrends cookie
7:41 PM: karin curtis@m.webtrends[2].txt (ID = 3669)
7:41 PM: Found Spy Cookie: maxserving cookie
7:41 PM: karin curtis@maxserving[1].txt (ID = 2966)
7:41 PM: karin curtis@media.fastclick[2].txt (ID = 2652)
7:41 PM: Found Spy Cookie: mediaplex cookie
7:41 PM: karin curtis@mediaplex[1].txt (ID = 6442)
7:41 PM: Found Spy Cookie: metareward.com cookie
7:41 PM: karin curtis@metareward[1].txt (ID = 2990)
7:41 PM: karin curtis@microsofteup.112.2o7[1].txt (ID = 1958)
7:41 PM: karin curtis@microsoftwga.112.2o7[1].txt (ID = 1958)
7:41 PM: karin curtis@mobileoffice.about[1].txt (ID = 2038)
7:41 PM: karin curtis@movie-times.movies.go[1].txt (ID = 2729)
7:41 PM: karin curtis@movies.about[1].txt (ID = 2038)
7:41 PM: karin curtis@movies.go[2].txt (ID = 2729)
7:41 PM: Found Spy Cookie: mrskin cookie
7:41 PM: karin curtis@mrskin[1].txt (ID = 3020)
7:41 PM: karin curtis@msnportal.112.2o7[1].txt (ID = 1958)
7:41 PM: Found Spy Cookie: nextag cookie
7:41 PM: karin curtis@nextag[1].txt (ID = 5014)
7:41 PM: Found Spy Cookie: offeroptimizer cookie
7:41 PM: karin curtis@offeroptimizer[2].txt (ID = 3087)
7:41 PM: karin curtis@offeroptimizer[3].txt (ID = 3087)
7:41 PM: Found Spy Cookie: one-time-offer cookie
7:41 PM: karin curtis@one-time-offer[1].txt (ID = 3095)
7:41 PM: karin curtis@oneeconomy.122.2o7[1].txt (ID = 1958)
7:41 PM: karin curtis@partygaming.122.2o7[1].txt (ID = 1958)
7:41 PM: Found Spy Cookie: touchclarity cookie
7:41 PM: karin curtis@partypoker.touchclarity[1].txt (ID = 3567)
7:41 PM: Found Spy Cookie: partypoker cookie
7:41 PM: karin curtis@partypoker[1].txt (ID = 3111)
7:41 PM: Found Spy Cookie: paypopup cookie
7:41 PM: karin curtis@paypopup[1].txt (ID = 3119)
7:41 PM: Found Spy Cookie: pcstats.com cookie
7:41 PM: karin curtis@pcstats[1].txt (ID = 3125)
7:41 PM: Found Spy Cookie: peel network cookie
7:41 PM: karin curtis@peel[2].txt (ID = 3127)
7:41 PM: karin curtis@perf.overture[1].txt (ID = 3106)
7:41 PM: karin curtis@pittsburgh.about[1].txt (ID = 2038)
7:41 PM: Found Spy Cookie: mircx cookie
7:41 PM: karin curtis@pop.mircx[1].txt (ID = 2998)
7:41 PM: Found Spy Cookie: pricegrabber cookie
7:41 PM: karin curtis@pricegrabber[2].txt (ID = 3185)
7:41 PM: Found Spy Cookie: pro-market cookie
7:41 PM: karin curtis@pro-market[2].txt (ID = 3197)
7:41 PM: Found Spy Cookie: pub cookie
7:41 PM: karin curtis@pub[1].txt (ID = 3205)
7:41 PM: Found Spy Cookie: pynix cookie
7:41 PM: karin curtis@pyn.pynix[2].txt (ID = 3212)
7:41 PM: Found Spy Cookie: qksrv cookie
7:41 PM: karin curtis@qksrv[2].txt (ID = 3213)
7:41 PM: Found Spy Cookie: questionmarket cookie
7:41 PM: karin curtis@questionmarket[1].txt (ID = 3217)
7:41 PM: karin curtis@rapidresponse.directtrack[2].txt (ID = 2528)
7:41 PM: Found Spy Cookie: realmedia cookie
7:41 PM: karin curtis@realmedia[1].txt (ID = 3235)
7:41 PM: Found Spy Cookie: rednova cookie
7:41 PM: karin curtis@rednova[1].txt (ID = 3245)
7:41 PM: Found Spy Cookie: reunion cookie
7:41 PM: karin curtis@reunion[2].txt (ID = 3255)
7:41 PM: Found Spy Cookie: revenue.net cookie
7:41 PM: karin curtis@revenue[1].txt (ID = 3257)
7:41 PM: Found Spy Cookie: rightmedia cookie
7:41 PM: karin curtis@rightmedia[1].txt (ID = 3259)
7:41 PM: Found Spy Cookie: rn11 cookie
7:41 PM: karin curtis@rn11[1].txt (ID = 3261)
7:41 PM: Found Spy Cookie: adjuggler cookie
7:41 PM: karin curtis@rotator.adjuggler[2].txt (ID = 2071)
7:41 PM: karin curtis@rotator.dex.adjuggler[1].txt (ID = 2070)
7:41 PM: karin curtis@rsi.abc.go[1].txt (ID = 2729)
7:41 PM: karin curtis@rsi.abcnews.go[1].txt (ID = 2729)
7:41 PM: karin curtis@rsi.espn.go[1].txt (ID = 2729)
7:41 PM: Found Spy Cookie: coolsavings cookie
7:41 PM: karin curtis@sav.coolsavings[1].txt (ID = 2466)
7:41 PM: Found Spy Cookie: pch cookie
7:41 PM: karin curtis@sb.pch[1].txt (ID = 3124)
7:41 PM: Found Spy Cookie: domain sponsor cookie
7:41 PM: karin curtis@search.domainsponsor[1].txt (ID = 2534)
7:41 PM: karin curtis@search.movies.go[1].txt (ID = 2729)
7:41 PM: Found Spy Cookie: search123 cookie
7:41 PM: karin curtis@search123[1].txt (ID = 3305)
7:41 PM: Found Spy Cookie: techtarget cookie
7:41 PM: karin curtis@searchcrm.techtarget[2].txt (ID = 3500)
7:41 PM: karin curtis@sel.as-eu.falkag[1].txt (ID = 2650)
7:41 PM: karin curtis@sel.as-us.falkag[2].txt (ID = 2650)
7:41 PM: Found Spy Cookie: server.iad.liveperson cookie
7:41 PM: karin curtis@server.iad.liveperson[2].txt (ID = 3341)
7:41 PM: Found Spy Cookie: web-stat cookie
7:41 PM: karin curtis@server3.web-stat[2].txt (ID = 3649)
7:41 PM: Found Spy Cookie: serving-sys cookie
7:41 PM: karin curtis@serving-sys[1].txt (ID = 3343)
7:41 PM: Found Spy Cookie: servlet cookie
7:41 PM: karin curtis@servlet[2].txt (ID = 3345)
7:41 PM: karin curtis@servlet[3].txt (ID = 3345)
7:41 PM: karin curtis@sonycorporate.122.2o7[1].txt (ID = 1958)
7:41 PM: karin curtis@sonymediasoftware.122.2o7[1].txt (ID = 1958)
7:41 PM: karin curtis@spanish.about[1].txt (ID = 2038)
7:41 PM: Found Spy Cookie: specificpop cookie
7:41 PM: karin curtis@specificpop[1].txt (ID = 3401)
7:41 PM: karin curtis@sports.espn.go[1].txt (ID = 2729)
7:41 PM: Found Spy Cookie: starware.com cookie
7:41 PM: karin curtis@starware[2].txt (ID = 3441)
7:41 PM: karin curtis@stat.dealtime[2].txt (ID = 2506)
7:41 PM: Found Spy Cookie: statcounter cookie
7:41 PM: karin curtis@statcounter[1].txt (ID = 3447)
7:41 PM: Found Spy Cookie: stats.klsoft.com cookie
7:41 PM: karin curtis@stats.klsoft[1].txt (ID = 3451)
7:41 PM: Found Spy Cookie: reliablestats cookie
7:41 PM: karin curtis@stats1.reliablestats[2].txt (ID = 3254)
7:41 PM: Found Spy Cookie: webtrendslive cookie
7:41 PM: karin curtis@statse.webtrendslive[1].txt (ID = 3667)
7:41 PM: karin curtis@stubhub.122.2o7[1].txt (ID = 1958)
7:41 PM: karin curtis@tacoda[1].txt (ID = 6444)
7:41 PM: karin curtis@tattoo.about[2].txt (ID = 2038)
7:41 PM: Found Spy Cookie: teensforcash cookie
7:41 PM: karin curtis@teensforcash[2].txt (ID = 3509)
7:41 PM: karin curtis@thunderbolt.adjuggler[2].txt (ID = 2070)
7:41 PM: karin curtis@tickle[2].txt (ID = 3529)
7:41 PM: Found Spy Cookie: toprebates.com cookie
7:41 PM: karin curtis@toprebates[2].txt (ID = 3561)
7:41 PM: Found Spy Cookie: tracking cookie
7:41 PM: karin curtis@tracking[2].txt (ID = 3571)
7:41 PM: karin curtis@tracking[3].txt (ID = 3571)
7:41 PM: Found Spy Cookie: tradedoubler cookie
7:41 PM: karin curtis@tradedoubler[2].txt (ID = 3575)
7:41 PM: Found Spy Cookie: trafficmp cookie
7:41 PM: karin curtis@trafficmp[2].txt (ID = 3581)
7:41 PM: Found Spy Cookie: trb.com cookie
7:41 PM: karin curtis@trb[1].txt (ID = 3587)
7:41 PM: Found Spy Cookie: tribalfusion cookie
7:41 PM: karin curtis@tribalfusion[2].txt (ID = 3589)
7:41 PM: Found Spy Cookie: videodome cookie
7:41 PM: karin curtis@videodome[1].txt (ID = 3638)
7:41 PM: karin curtis@vip.clickzs[1].txt (ID = 2413)
7:41 PM: Found Spy Cookie: weborama cookie
7:41 PM: karin curtis@weborama[2].txt (ID = 3658)
7:41 PM: Found Spy Cookie: webpower cookie
7:41 PM: karin curtis@webpower[1].txt (ID = 3660)
7:41 PM: karin curtis@womenshealth.about[1].txt (ID = 2038)
7:41 PM: karin curtis@womensissues.about[1].txt (ID = 2038)
7:41 PM: karin curtis@wreport.weborama[2].txt (ID = 3659)
7:41 PM: karin curtis@www.888[1].txt (ID = 2020)
7:41 PM: Found Spy Cookie: adminder cookie
7:41 PM: karin curtis@www.adminder[2].txt (ID = 2079)
7:41 PM: Found Spy Cookie: brazilwelcomesyou cookie
7:41 PM: karin curtis@www.brazilwelcomesyou[1].txt (ID = 2325)
7:41 PM: Found Spy Cookie: burstbeacon cookie
7:41 PM: karin curtis@www.burstbeacon[2].txt (ID = 2335)
7:41 PM: Found Spy Cookie: ebates cookie
7:41 PM: karin curtis@www.ebates[1].txt (ID = 2558)
7:41 PM: Found Spy Cookie: epilot cookie
7:41 PM: karin curtis@www.epilot[1].txt (ID = 2622)
7:41 PM: Found Spy Cookie: expage cookie
7:41 PM: karin curtis@www.expage[2].txt (ID = 2638)
7:41 PM: karin curtis@www.metareward[1].txt (ID = 2991)
7:41 PM: Found Spy Cookie: myaffiliateprogram.com cookie
7:41 PM: karin curtis@www.myaffiliateprogram[2].txt (ID = 3032)
7:41 PM: karin curtis@www.rednova[2].txt (ID = 3246)
7:41 PM: karin curtis@www.screensavers[1].txt (ID = 3298)
7:41 PM: Found Spy Cookie: seeq cookie
7:41 PM: karin curtis@www.seeq[1].txt (ID = 3332)
7:41 PM: Found Spy Cookie: stlyrics cookie
7:41 PM: karin curtis@www.stlyrics[2].txt (ID = 3462)
7:41 PM: karin curtis@www.teensforcash[1].txt (ID = 3510)
7:41 PM: karin curtis@www.toprebates[2].txt (ID = 3562)
7:41 PM: karin curtis@www.web-stat[1].txt (ID = 3649)
7:41 PM: Found Spy Cookie: winantiviruspro cookie
7:41 PM: karin curtis@www.winantiviruspro[1].txt (ID = 3690)
7:41 PM: karin curtis@www48.seeq[1].txt (ID = 3332)
7:41 PM: karin curtis@www9.dealtime[1].txt (ID = 2506)
7:41 PM: Found Spy Cookie: xiti cookie
7:41 PM: karin curtis@xiti[1].txt (ID = 3717)
7:41 PM: Found Spy Cookie: xmatch cookie
7:41 PM: karin curtis@xmatch[1].txt (ID = 3719)
7:41 PM: Found Spy Cookie: yadro cookie
7:41 PM: karin curtis@yadro[1].txt (ID = 3743)
7:41 PM: karin curtis@yieldmanager[1].txt (ID = 3749)
7:41 PM: Found Spy Cookie: adserver cookie
7:41 PM: karin curtis@z1.adserver[1].txt (ID = 2142)
7:41 PM: karin curtis@zedo[1].txt (ID = 3762)
7:41 PM: Cookie Sweep Complete, Elapsed Time: 00:00:29
7:41 PM: Starting File Sweep
7:41 PM: Found Adware: bullguard popup ad
7:41 PM: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
7:43 PM: Found Adware: cydoor peer-to-peer dependency
7:43 PM: cd_clint.dll (ID = 57300)
7:45 PM: backup-20060416-130833-583.dll (ID = 274080)
7:46 PM: backup-20060416-131428-316.dll (ID = 274080)
7:49 PM: Found Adware: exact cashback/bargain buddy
7:49 PM: package8029_cdt3.exe (ID = 50800)
7:51 PM: Found Adware: 180search assistant/zango
7:51 PM: salmau.dat (ID = 93788)
7:52 PM: Found Adware: targetsaver
7:52 PM: pootz_58.exe (ID = 78250)
7:53 PM: bulldownload.exe (ID = 52017)
7:54 PM: Found Adware: altnet
7:54 PM: __unin__.exe (ID = 49795)
8:09 PM: byxwv.dll (ID = 274080)
8:19 PM: enhuninstall.exe (ID = 63348)
8:21 PM: salm_gdf.dat (ID = 93789)
8:21 PM: Found Adware: directrevenue-abetterinternet
8:21 PM: satmat.ini (ID = 83499)
8:21 PM: satmat.inf (ID = 83498)
8:21 PM: polall1r.inf (ID = 83425)
8:22 PM: Warning: Unhandled Archive Type
8:23 PM: Warning: Unhandled Archive Type
8:23 PM: File Sweep Complete, Elapsed Time: 00:42:06
8:24 PM: Full Sweep has completed. Elapsed time 00:46:46
8:24 PM: Traces Found: 509
8:24 PM: Removal process initiated
8:25 PM: Quarantining All Traces: 180search assistant/zango
8:25 PM: Quarantining All Traces: directrevenue-abetterinternet
8:25 PM: Quarantining All Traces: virtumonde
8:25 PM: virtumonde is in use. It will be removed on reboot.
8:25 PM: rqolm.dll is in use. It will be removed on reboot.
8:25 PM: C:\WINDOWS\system32\rqolm.dll is in use. It will be removed on reboot.
8:25 PM: Quarantining All Traces: blazefind
8:25 PM: Quarantining All Traces: powwa bar
8:25 PM: Quarantining All Traces: trojan-downloader-conhook
8:25 PM: ActiveX Shield: found: Trojan Horse: trojan-downloader-conhook, version 1.0.0.0 -- Installation denied
8:25 PM: trojan-downloader-conhook is in use. It will be removed on reboot.
8:25 PM: byxwv.dll is in use. It will be removed on reboot.
8:25 PM: byxwv.dll is in use. It will be removed on reboot.
8:25 PM: C:\WINDOWS\system32\byxwv.dll is in use. It will be removed on reboot.
8:25 PM: Quarantining All Traces: altnet
8:25 PM: Quarantining All Traces: bullguard popup ad
8:26 PM: Quarantining All Traces: cydoor peer-to-peer dependency
8:26 PM: Quarantining All Traces: drsnsrch hijacker
8:26 PM: Quarantining All Traces: ebates money maker
8:26 PM: Quarantining All Traces: exact cashback/bargain buddy
8:26 PM: Quarantining All Traces: ieplugin
8:26 PM: Quarantining All Traces: syncroad
8:26 PM: Quarantining All Traces: targetsaver
8:26 PM: Quarantining All Traces: 247realmedia cookie
8:26 PM: Quarantining All Traces: 2o7.net cookie
8:26 PM: Quarantining All Traces: 360i cookie
8:26 PM: Quarantining All Traces: 498 cookie
8:26 PM: Quarantining All Traces: 5 cookie
8:26 PM: Quarantining All Traces: 64.62.232 cookie
8:26 PM: Quarantining All Traces: 888 cookie
8:26 PM: Quarantining All Traces: a cookie
8:26 PM: Quarantining All Traces: aa cookie
8:26 PM: Quarantining All Traces: abetterinternet cookie
8:26 PM: Quarantining All Traces: about cookie
8:26 PM: Quarantining All Traces: accoona cookie
8:26 PM: Quarantining All Traces: adbureau cookie
8:26 PM: Quarantining All Traces: addynamix cookie
8:26 PM: Quarantining All Traces: adecn cookie
8:26 PM: Quarantining All Traces: adjuggler cookie
8:26 PM: Quarantining All Traces: adknowledge cookie
8:26 PM: Quarantining All Traces: adlegend cookie
8:26 PM: Quarantining All Traces: adminder cookie
8:26 PM: Quarantining All Traces: adprofile cookie
8:26 PM: Quarantining All Traces: adrevolver cookie
8:26 PM: Quarantining All Traces: adserver cookie
8:26 PM: Quarantining All Traces: adtech cookie
8:26 PM: Quarantining All Traces: adultfriendfinder cookie
8:26 PM: Quarantining All Traces: advertising cookie
8:26 PM: Quarantining All Traces: affiliate cookie
8:26 PM: Quarantining All Traces: alt cookie
8:26 PM: Quarantining All Traces: apmebf cookie
8:26 PM: Quarantining All Traces: ask cookie
8:26 PM: Quarantining All Traces: askmen cookie
8:26 PM: Quarantining All Traces: atlas dmt cookie
8:26 PM: Quarantining All Traces: atwola cookie
8:26 PM: Quarantining All Traces: azjmp cookie
8:26 PM: Quarantining All Traces: banner cookie
8:26 PM: Quarantining All Traces: barelylegal cookie
8:26 PM: Quarantining All Traces: belnk cookie
8:26 PM: Quarantining All Traces: bizrate cookie
8:26 PM: Quarantining All Traces: bluestreak cookie
8:26 PM: Quarantining All Traces: bpath cookie
8:26 PM: Quarantining All Traces: bravenet cookie
8:26 PM: Quarantining All Traces: brazilwelcomesyou cookie
8:26 PM: Quarantining All Traces: bs.serving-sys cookie
8:26 PM: Quarantining All Traces: btgrab cookie
8:26 PM: Quarantining All Traces: burstbeacon cookie
8:26 PM: Quarantining All Traces: burstnet cookie
8:26 PM: Quarantining All Traces: callwave cookie
8:26 PM: Quarantining All Traces: casalemedia cookie
8:26 PM: Quarantining All Traces: cassava cookie
8:26 PM: Quarantining All Traces: cc214142 cookie
8:26 PM: Quarantining All Traces: classmates cookie
8:26 PM: Quarantining All Traces: clickandtrack cookie
8:26 PM: Quarantining All Traces: clickbank cookie
8:26 PM: Quarantining All Traces: clickzs cookie
8:26 PM: Quarantining All Traces: cliks cookie
8:26 PM: Quarantining All Traces: coolsavings cookie
8:26 PM: Quarantining All Traces: customer cookie
8:26 PM: Quarantining All Traces: dealtime cookie
8:26 PM: Quarantining All Traces: desktop kazaa cookie
8:26 PM: Quarantining All Traces: did-it cookie
8:26 PM: Quarantining All Traces: directtrack cookie
8:26 PM: Quarantining All Traces: domain sponsor cookie
8:26 PM: Quarantining All Traces: ebates cookie
8:26 PM: Quarantining All Traces: enhance cookie
8:26 PM: Quarantining All Traces: epilot cookie
8:26 PM: Quarantining All Traces: euniverseads cookie
8:26 PM: Quarantining All Traces: exitexchange cookie
8:26 PM: Quarantining All Traces: expage cookie
8:26 PM: Quarantining All Traces: falkag cookie
8:26 PM: Quarantining All Traces: fastclick cookie
8:26 PM: Quarantining All Traces: go.com cookie
8:26 PM: Quarantining All Traces: go2net.com cookie
8:26 PM: Quarantining All Traces: gostats cookie
8:26 PM: Quarantining All Traces: gotoast cookie
8:26 PM: Quarantining All Traces: hbmediapro cookie
8:26 PM: Quarantining All Traces: hitstats.net cookie
8:26 PM: Quarantining All Traces: homestore cookie
8:26 PM: Quarantining All Traces: hotmatch cookie
8:26 PM: Quarantining All Traces: humanclick cookie
8:26 PM: Quarantining All Traces: hypertracker.com cookie
8:26 PM: Quarantining All Traces: ic-live cookie
8:26 PM: Quarantining All Traces: inet-traffic.com cookie
8:26 PM: Quarantining All Traces: infospace cookie
8:26 PM: Quarantining All Traces: kount cookie
8:26 PM: Quarantining All Traces: linksynergy cookie
8:26 PM: Quarantining All Traces: localnrd cookie
8:26 PM: Quarantining All Traces: maxserving cookie
8:26 PM: Quarantining All Traces: mediaplex cookie
8:26 PM: Quarantining All Traces: metareward.com cookie
8:26 PM: Quarantining All Traces: mircx cookie
8:26 PM: Quarantining All Traces: mrskin cookie
8:26 PM: Quarantining All Traces: myaffiliateprogram.com cookie
8:26 PM: Quarantining All Traces: netster cookie
8:26 PM: Quarantining All Traces: nextag cookie
8:26 PM: Quarantining All Traces: offeroptimizer cookie
8:26 PM: Quarantining All Traces: one-time-offer cookie
8:26 PM: Quarantining All Traces: overture cookie
8:26 PM: Quarantining All Traces: partypoker cookie
8:26 PM: Quarantining All Traces: paypopup cookie
8:26 PM: Quarantining All Traces: pch cookie
8:26 PM: Quarantining All Traces: pcstats.com cookie
8:26 PM: Quarantining All Traces: peel network cookie
8:26 PM: Quarantining All Traces: pointroll cookie
8:26 PM: Quarantining All Traces: precisead cookie
8:26 PM: Quarantining All Traces: pricegrabber cookie
8:26 PM: Quarantining All Traces: primaryads cookie
8:26 PM: Quarantining All Traces: pro-market cookie
8:26 PM: Quarantining All Traces: pub cookie
8:26 PM: Quarantining All Traces: pynix cookie
8:26 PM: Quarantining All Traces: qksrv cookie
8:26 PM: Quarantining All Traces: qsrch cookie
8:26 PM: Quarantining All Traces: questionmarket cookie
8:26 PM: Quarantining All Traces: realmedia cookie
8:26 PM: Quarantining All Traces: rednova cookie
8:26 PM: Quarantining All Traces: reliablestats cookie
8:26 PM: Quarantining All Traces: reunion cookie
8:26 PM: Quarantining All Traces: revenue.net cookie
8:26 PM: Quarantining All Traces: rightmedia cookie
8:26 PM: Quarantining All Traces: rn11 cookie
8:26 PM: Quarantining All Traces: ru4 cookie
8:26 PM: Quarantining All Traces: screensavers.com cookie
8:26 PM: Quarantining All Traces: search123 cookie
8:26 PM: Quarantining All Traces: seeq cookie
8:26 PM: Quarantining All Traces: server.iad.liveperson cookie
8:26 PM: Quarantining All Traces: serving-sys cookie
8:26 PM: Quarantining All Traces: servlet cookie
8:26 PM: Quarantining All Traces: specificclick.com cookie
8:26 PM: Quarantining All Traces: specificpop cookie
8:26 PM: Quarantining All Traces: starware.com cookie
8:26 PM: Quarantining All Traces: statcounter cookie
8:26 PM: Quarantining All Traces: stats.klsoft.com cookie
8:26 PM: Quarantining All Traces: stlyrics cookie
8:26 PM: Quarantining All Traces: tacoda cookie
8:26 PM: Quarantining All Traces: techtarget cookie
8:26 PM: Quarantining All Traces: teensforcash cookie
8:26 PM: Quarantining All Traces: tickle cookie
8:26 PM: Quarantining All Traces: toprebates.com cookie
8:26 PM: Quarantining All Traces: touchclarity cookie
8:26 PM: Quarantining All Traces: tracking cookie
8:26 PM: Quarantining All Traces: tradedoubler cookie
8:26 PM: Quarantining All Traces: trafficmp cookie
8:26 PM: Quarantining All Traces: trb.com cookie
8:26 PM: Quarantining All Traces: tribalfusion cookie
8:26 PM: Quarantining All Traces: videodome cookie
8:26 PM: Quarantining All Traces: weborama cookie
8:26 PM: Quarantining All Traces: webpower cookie
8:26 PM: Quarantining All Traces: webservicehosts cookie
8:26 PM: Quarantining All Traces: websponsors cookie
8:26 PM: Quarantining All Traces: web-stat cookie
8:26 PM: Quarantining All Traces: webtrends cookie
8:26 PM: Quarantining All Traces: webtrendslive cookie
8:26 PM: Quarantining All Traces: winantiviruspro cookie
8:26 PM: Quarantining All Traces: xiti cookie
8:26 PM: Quarantining All Traces: xmatch cookie
8:26 PM: Quarantining All Traces: yadro cookie
8:26 PM: Quarantining All Traces: yieldmanager cookie
8:26 PM: Quarantining All Traces: zedo cookie
8:26 PM: Warning: Timed out waiting for explorer.exe
8:26 PM: Warning: Unable to query service start type: The system cannot find the path specified
8:26 PM: Warning: Launched explorer.exe
8:26 PM: Warning: Quarantine process could not restart Explorer.
********
7:34 PM: | Start of Session, Sunday, April 16, 2006 |
7:34 PM: Spy Sweeper started
7:35 PM: Your spyware definitions have been updated.
7:37 PM: | End of Session, Sunday, April 16, 2006 |



Logfile of HijackThis v1.99.1
Scan saved at 8:33:45 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingto...asia/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O20 - Winlogon Notify: byxwv - byxwv.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
xoxo karin anne

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 16 April 2006 - 06:49 PM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.



Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O20 - Winlogon Notify: byxwv - byxwv.dll (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
scrgrd.exe
You'll need to do a file search for the file's location.


Open C:\Windows\Prefetch\ Delete ALL files in this folder.



Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#5 karin anne

karin anne

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 16 April 2006 - 07:13 PM

You are pretty much a superhero. Thanks again. I didn't find any scrgrd.exe files. The computer is running better than it ever has in my almost 2 years of owning it. The only weird thing is that the ATF cleaner window stalled for a bit, and then looked like it was wiggling around for a bit before it loaded up. Here is the new HJ log:

ogfile of HijackThis v1.99.1
Scan saved at 9:03:39 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingto...asia/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
xoxo karin anne

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 16 April 2006 - 07:21 PM

You are pretty much a superhero.

Not me. The superhero's are the makers of HijackThis [Merijn.org] http://www.merijn.org/donate.html and SpySweeper.


Good Job :thumbup:

Log looks good :D

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2006 - 05:46 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·