Hardware and Software
>
Microsoft Windows
>
Viruses, Spyware and other Nasties
>
Viruses,trojans malicious files ,please help
Have something to say? Contribute New Article Reply to this Article Viruses,trojans malicious files ,please help
About a month and a bit ago i allowed my nephew free use of the pc,he apparently went onto a site called runescape?,i'm not familiar with it,after his departing i myself went online to do some surfing and have had nothing but headaches since,first i lost use of my firewall which was sygate,then my task manager would not respond,and since that point the problems have escalated,i've just installed a program called ewido to go along with the many other programs i've tried,adaware ,spybot,no-adware to name a few,there was a major issue with a run32dll.exe trying to connect to the internet consistently as well as winlogonnt.exe and svchost.exe,i've managed to install a new firewall zonealarm but am still having lots of difficulties,theres a program\file called exe.exe on the pc which seems new as well as another called guard.tmp,i am unable to get into my email as the program will not open and there seems to be lots of running proccesses on this computer although i find it hard to determine what is actually running,any suggestions would be greatly appreciated ,i just took this snapshot with hijack this,hopefully this will help you understand whats going on,for me it tells me nothing as i'm a one finger typer who has little pc knowledge,thank you in advance.
Logfile of HijackThis v1.99.1
Scan saved at 11:59:53 AM, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\MYDOCU~1\SOLOSENT.EXE
C:\MYDOCU~1\SOLOCFG.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\'C.Phillips\Desktop\Autoruns\autoruns.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\'C.Phillips\Desktop\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.nyc.office.juno.com;*.corp.netzero.net;*.kbb.com;*.flipdog.com;*.pogo.com;*test-speed.com;
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SoloSentry] C:\MYDOCU~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\MYDOCU~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101610816004
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123633994276
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
I appreciate the quick response to my problem here are the files you've requested first being the WinPFind followed by websweep then hijack this.Thank you again
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Umonitor 22/08/2005 2:41:34 PM 910336 C:\vx2cleaner.dll
ZepMon 22/08/2005 2:41:34 PM 910336 C:\vx2cleaner.dll
ad-w-a-r-e.com 22/08/2005 2:41:34 PM 910336 C:\vx2cleaner.dll
Umonitor 22/08/2005 2:41:34 PM 316416 C:\vx2cleaner.dlx
ZepMon 22/08/2005 2:41:34 PM 316416 C:\vx2cleaner.dlx
ad-w-a-r-e.com 22/08/2005 2:41:34 PM 316416 C:\vx2cleaner.dlx
Checking %ProgramFilesDir% folder...
UPX! 14/01/2003 5:27:30 PM 4297216 C:\Program Files\setup.msi
Checking %WinDir% folder...
UPX! 29/08/2004 1:07:16 PM 91648 C:\WINDOWS\realtime.exe
PEC2 19/05/2001 8:08:44 PM 6656 C:\WINDOWS\pcboot.exe
UPX! 15/11/2004 12:53:54 PM 1036800 C:\WINDOWS\vsapi32.dll
aspack 15/11/2004 12:53:54 PM 1036800 C:\WINDOWS\vsapi32.dll
PECompact2 15/11/2004 12:53:52 PM 10323682 C:\WINDOWS\VPTNFILE.246
Checking %System% folder...
PTech 12/01/2006 11:32:12 AM 543496 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PEC2 01/10/2002 9:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 04/08/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
winsync 01/10/2002 9:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PECompact2 08/02/2006 12:23:40 AM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 08/02/2006 12:23:40 AM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 04/08/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 26/02/2006 10:29:14 PM 49019 C:\WINDOWS\SYSTEM32\Dunzip32.dll
Checking %System%\Drivers folder and sub-folders...
PTech 04/08/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
05/03/2006 6:29:46 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
06/03/2006 11:07:52 AM H 35870 C:\WINDOWS\SYSTEM32\vsconfig.xml
06/03/2006 2:47:02 PM H 1024 C:\WINDOWS\SYSTEM32\config\system.LOG
06/03/2006 5:15:58 PM H 1024 C:\WINDOWS\SYSTEM32\config\software.LOG
06/03/2006 5:16:16 PM H 1024 C:\WINDOWS\SYSTEM32\config\default.LOG
23/02/2006 1:55:52 PM H 0 C:\WINDOWS\SYSTEM32\config\SOFTWARE.rrr.LOG
23/02/2006 1:55:54 PM H 0 C:\WINDOWS\SYSTEM32\config\SYSTEM.rrr.LOG
23/02/2006 1:55:54 PM H 0 C:\WINDOWS\SYSTEM32\config\SAM.rrr.LOG
06/03/2006 11:05:06 AM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
06/03/2006 11:07:26 AM H 1024 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
23/02/2006 1:55:54 PM H 0 C:\WINDOWS\SYSTEM32\config\DEFAULT.rrr.LOG
19/02/2006 7:50:56 PM H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
01/02/2006 5:41:40 PM S 216 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
01/02/2006 5:41:40 PM S 216 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
01/02/2006 5:41:40 PM S 18 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
01/02/2006 5:41:40 PM S 20531 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
27/01/2006 8:52:48 PM H 8628 C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\2\LXAENTCP.GID
05/03/2006 6:06:24 PM HS 58368 C:\WINDOWS\SYSTEM32\oobe\html\mouse\images\Thumbs.db
06/02/2006 11:12:18 PM S 92310 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem0.CAT
13/01/2006 2:28:32 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
13/01/2006 12:34:32 PM S 7898 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
05/03/2006 5:56:50 PM HS 207872 C:\WINDOWS\SYSTEM32\DirectX\Dinput\Thumbs.db
24/02/2006 6:21:38 PM S 64 C:\WINDOWS\CSC\00000002
28/02/2006 3:21:36 AM S 64 C:\WINDOWS\CSC\00000001
26/02/2006 3:41:34 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini
26/02/2006 3:41:34 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\KXQFGT2V\desktop.ini
26/02/2006 3:41:34 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\MRA28REK\desktop.ini
26/02/2006 3:41:34 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\L4BH56JB\desktop.ini
26/02/2006 3:41:34 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\P1RFPX9K\desktop.ini
23/02/2006 7:09:24 PM HS 113 C:\WINDOWS\TEMP\History\History.IE5\desktop.ini
19/02/2006 6:15:38 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
19/02/2006 6:15:38 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
19/02/2006 6:54:28 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
19/02/2006 6:54:44 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
06/03/2006 11:05:08 AM H 6 C:\WINDOWS\Tasks\SA.DAT
06/03/2006 5:00:04 PM H 294 C:\WINDOWS\Tasks\A97BD27491A44ED4.job
Checking for CPL files...
Logitech Inc. 11/09/2002 12:56:50 PM 94208 C:\WINDOWS\SYSTEM32\CamCpl.cpl
RealNetworks, Inc. 18/08/2003 3:13:08 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 18/06/2000 2:03:10 PM 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL
Microsoft Corporation 04/08/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 01/10/2002 9:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 01/10/2002 9:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 01/10/2002 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 01/10/2002 9:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 01/10/2002 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 01/10/2002 9:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 01/10/2002 9:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 01/10/2002 9:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
16/11/2005 2:52:54 PM 1694 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
27/11/2004 5:05:44 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
27/11/2004 4:51:50 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
27/11/2004 5:05:44 PM HS 84 C:\Documents and Settings\'C.Phillips\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
27/11/2004 4:51:50 PM HS 62 C:\Documents and Settings\'C.Phillips\Application Data\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Library
{54F51408-DD44-4a12-82EF-519AD2A80DE9} = C:\PROGRAM FILES\ATI MULTIMEDIA\MLIBRARY\MLSHELL.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{F5735C15-1FB2-41FE-BA12-242757E69DDE} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
Shell Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11D0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{44BE0690-5429-47F0-85BB-3FFD8020233E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
avgnt "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
PPMemCheck C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
PestPatrol Control Center C:\PROGRA~1\PESTPA~1\PPControl.exe
CookiePatrol C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
SoloSentry C:\MYDOCU~1\SOLOSENT.EXE
SoloSchedule C:\MYDOCU~1\SOLOCFG.EXE
ATICCC "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^'C.Phillips^Start Menu^Programs^Startup^Registration Brothers In Arms EiB.LNK
backup C:\WINDOWS\pss\Registration Brothers In Arms EiB.LNKStartup
location Startup
item Registration Brothers In Arms EiB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDevMgrUpdate 0
NoWindowsUpdate 0
NoFolderOptions 0
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
DisablePwdCaching 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32
NoBackButton 0
NoFileMru 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoFavoritesMenu
NoTrayContextMenu 0
NoViewContextMenu 0
NoSetFolders 0
NoDrives 0
NoRecentDocsHistory 0
NoWindowsUpdate 0
NoChangeStartMenu 0
ClearRecentDocsOnExit 0
NoFileMenu 0
NoExpandedNewMenu 0
NoToolBarCustomize 0
NoBandCustomize 0
NoInstrumentation 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 06/03/2006 5:16:57 PM
Here is the Spysweeper
********
2:48 PM: | Start of Session, March 6, 2006 |
2:48 PM: Spy Sweeper started
2:48 PM: Sweep initiated using definitions version 625
2:48 PM: Starting Memory Sweep
2:57 PM: Memory Sweep Complete, Elapsed Time: 00:08:49
2:57 PM: Starting Registry Sweep
2:57 PM: Found Adware: findthewebsiteyouneed hijack
2:57 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 125241)
2:57 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 125242)
2:58 PM: Found Adware: clkoptimizer
2:58 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
2:58 PM: HKLM\software\qstat\ || brr (ID = 877670)
2:58 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webnexus\ (2 subtraces) (ID = 1006191)
2:58 PM: Found Adware: dollarrevenue
2:58 PM: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
2:58 PM: HKU\S-1-5-21-1844237615-839522115-1060284298-1003\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
2:58 PM: HKU\S-1-5-21-1844237615-839522115-1060284298-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
2:58 PM: HKU\S-1-5-21-1844237615-839522115-1060284298-1003\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
2:58 PM: Registry Sweep Complete, Elapsed Time:00:01:07
2:58 PM: Starting Cookie Sweep
2:58 PM: Found Spy Cookie: adjuggler cookie
2:58 PM: 'c.phillips@rotator.adjuggler[2].txt (ID = 2071)
2:58 PM: Found Spy Cookie: myaffiliateprogram.com cookie
2:58 PM: 'c.phillips@www.myaffiliateprogram[1].txt (ID = 3032)
2:58 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:58 PM: Starting File Sweep
2:58 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
3:04 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
3:07 PM: Warning: Failed to open file "c:\windows\temp\zlt01691.tmp". The process cannot access the file because it is being used by another process
3:08 PM: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{af76cabc-3348-409d-bf09-3d4b22bb2aa4}.bin". The process cannot access the file because it is being used by another process
3:17 PM: Found Adware: lopdotcom
3:17 PM: rule cdrom.exe (ID = 91)
3:17 PM: Warning: Failed to open file "c:\documents and settings\'c.phillips\ntuser.dat". The process cannot access the file because it is being used by another process
3:17 PM: Warning: Failed to open file "c:\documents and settings\'c.phillips\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:18 PM: fordbin.exe (ID = 308)
3:18 PM: Found Adware: effective-i toolbar
3:18 PM: glbc.tmp (ID = 253666)
3:19 PM: Warning: Failed to open file "c:\documents and settings\'c.phillips\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\'c.phillips\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:19 PM: Found Adware: zquest
3:19 PM: dr21206[1].exe (ID = 251354)
3:19 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsac6ffb7a-e905-4f51-a7ec-abea217f47ec.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs556a472b-bd8d-4e2d-a3ca-5897ff98fa75.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb8abc3eb-3915-4228-b088-676581572fc7.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb711888f-1bc9-409f-a460-6f5c86c9478c.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbe189e99-39eb-4972-9e90-9a10ad476d3c.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa3a3b84a-5977-402e-80e8-6b2dc7c3a940.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4720153a-1194-40f7-84f9-2d7f9efb6a4d.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs76f90036-cdc0-4485-b3a3-05c83772b5df.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa49d2b57-e90d-4f8b-a382-88ed646ee165.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfb444a72-b8de-4754-b688-17c33741dcbd.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc78d1e41-d445-43d9-9ed8-167a93c29f61.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs76b1a4c5-cd04-4ffe-9a0c-3bf27c2bf849.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2ae6a170-1376-4916-a00d-b442faaf542c.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1f8a9dd5-50d3-4c8a-9758-2eb8e48c7721.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs705bfd52-be91-441e-bb8e-daae9a1f10a1.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8fdf1c43-e50d-4008-932e-3ae5e353e4ee.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5e7fb361-e7d3-4e45-b044-18f7faa87997.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb5178d9b-7cc8-407a-805c-b13f5730f211.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3c8e8733-7764-4362-b73c-f1d71e5dae5e.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs780f2040-c0bf-4a04-a320-6cbb9a109c6f.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsddd11f88-6e2e-481e-bb82-7df1a6cb762f.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs810ae3b6-cbb3-4f4f-bfe3-1f277f3a7593.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6d791d87-22b0-455a-8a29-9154359604ad.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsee781ae5-52df-45bc-9e1d-06300678801f.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs974130de-d446-4398-8f37-fe4c89c556b2.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4331ce35-7067-4b40-a784-f51a7cee59f0.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs89bd3906-b032-4891-8f2d-82c4f91fb796.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs35bf60c7-db4e-4d17-93e1-3197f2cf0753.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5d57774b-2ff4-403f-b1a3-e59884c3bf77.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscadb3a06-a745-4ccb-a258-d375c65a67fe.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1f5f7daa-223e-4c37-9211-e31f34281290.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsaeb22ac9-a2c9-4c87-a2f2-654f9e5337f7.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs15d66f9b-a953-4ddd-8d63-ba5aee606440.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse1d08b63-66e1-403a-b5cc-72be337f9a9f.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd6147f96-1481-4947-b48c-2d13580707f2.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5327fc91-add3-485d-956e-a8d309da40e9.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs36870958-7df8-4417-9b09-e694e745bd32.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a84bf34-9420-483d-9a4f-2424500c33b0.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc9842d14-9bea-42f2-9f52-bf6e19f09da3.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs61fe9435-4d81-4368-833d-2dcd65b183de.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd2e71ff4-8577-444e-a386-9e2339d2b3d3.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs35c9828d-a867-46bc-91dc-a2c91a525617.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsad1abf31-c6ba-4428-a823-87e9874b8423.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscseb0f3f98-15ce-4992-ab38-167cc7d9e3a6.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4d5ef58b-f825-4cf3-9a9b-333a701f69bc.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs47dc8d29-996e-49a0-8711-23a2228d2887.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs703685c4-411e-45b1-bc3a-1f2cee8f0955.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsce10b2e0-9995-495e-90de-d191069b9f8c.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs892850bd-d475-4645-b307-e49004de715b.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsec6884de-5e2e-47f9-9af2-9387c49708cd.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa6d9cbea-2684-4bd5-adf9-72c0ae3b3cdb.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1bbaa808-50ce-4288-9afa-7b7acd65b71b.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse36f011c-76fa-4407-8bdd-5ac3da40639d.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs28eeb930-ed8e-44b2-8bfc-af36a4a4da48.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4a02bddc-a077-4ba9-9ced-dca2be7d1e47.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9290bf4d-b987-459c-82a0-078ac3b081a4.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8a88916e-653f-46ab-84f4-8740e5578b67.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdf7a3c1b-1ee3-475f-b335-fb6f7d9137c4.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb5ea4c1a-102a-4468-a0ac-3b62f5146f9e.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs498f4c88-46d8-48e7-aa6c-699d218dd530.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb8b44d16-53a0-48d8-bc8f-efe1daa120bd.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs04e0fe59-f9ff-44e7-9f69-5b2b6846fc77.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9a1dd8da-a356-430a-b48e-cb3047674660.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7ba4fb30-1fba-48f7-972b-50fd200e1c47.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsaa624851-5de3-4ac5-9a98-011391c16292.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfe9b85a2-1db4-48a4-9bff-809cec57a5e5.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs81a18eaf-b980-4e8d-9a8f-e357038c414f.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs707e42f3-18e1-4bf2-8930-7975e89ced44.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs49040348-9b8a-4776-b1a6-45460176bd64.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa862ef8e-6365-4075-9bd4-fc743080479e.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8ba09d97-c216-4370-a307-0c8225a6955c.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8d870aaa-3d88-4a70-b57e-a0b6ed38fcab.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse50859b6-e6a7-4712-870c-88cd6989c105.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1041494c-9a8e-46ba-bf7e-24170fe0f562.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs58356b79-c0d3-4119-ac05-a5fad7fb0bd6.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6d610062-82b1-4108-8867-8d36cb5d2af5.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9ead43bb-c9f8-48c4-aa99-cbc7aa477958.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs43504437-4c57-4500-b5c4-d6aeb040b20d.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse32d8ab3-0dce-4dc4-8582-64ae822621b4.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4985bb8a-f3b6-4bff-9f10-2068ea67fef9.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd768c50a-a297-4fea-8446-e25c8876c379.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsae011d93-cffa-4d54-a1dd-25d4bec8f5b0.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs90e4393c-b30d-450f-96e2-307acef38784.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf68e27c7-3c52-4ad2-a0a7-9296cb539338.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc1035df4-2a02-4c32-8ac4-cebd388356bd.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs92f0118d-5e9a-4131-b475-ffd9bb1015f5.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3103c7ec-5f08-4b20-b37d-abac3393fb26.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse23e4014-9efd-4474-b519-4e67c985aca3.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs083c5ce1-ca40-4025-ba97-52dac4bfc5c3.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5eb61ae0-2efd-4e7d-b0e4-3663b0671d83.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdb5e09e2-cfa5-413e-8207-e2fdd346ab56.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc6b86a3c-942d-4cca-9f6f-45b79e4e714d.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7cf7c026-1b9e-4841-aefe-783563a3cd7e.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs273a0b56-d76a-4054-ad1c-0b7bd4df411d.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsebc6e32f-f2a9-4eaf-b1f8-950248fad867.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3868d46e-c0c4-480d-9a66-fabe6ff2c9e8.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1d28ebe4-3103-4fc3-ae40-a78283f444f7.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscabcf18f-3960-492f-b870-98126d9010e4.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0339448b-ff3c-4749-b7b2-86282b1f85a5.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscfc99ec1-8ddd-408e-b2da-b30b1a4b953c.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4103a15f-1487-43ea-9b5d-e97fb12b6b0c.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3a21fc3b-1868-4e6a-8556-909635a5dd44.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7df7ded3-3eca-40fc-a4bf-b6b53861d339.tmp". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc20d7a55-3080-42c3-a464-c58d46c29177.tmp". The process cannot access the file because it is being used by another process
3:21 PM: File Sweep Complete, Elapsed Time: 00:23:02
3:21 PM: Full Sweep has completed. Elapsed time 00:33:22
3:21 PM: Traces Found: 23
********
2:44 PM: | Start of Session, March 6, 2006 |
2:44 PM: Spy Sweeper started
2:46 PM: Messenger service has been disabled.
2:47 PM: Your spyware definitions have been updated.
2:48 PM: | End of Session, March 6, 2006 |
and finallt Hijack this
Logfile of HijackThis v1.99.1
Scan saved at 5:26:34 PM, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\'C.Phillips\Desktop\WinPFind\WinPFind\winpfind.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\'C.Phillips\Desktop\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.nyc.office.juno.com;*.corp.netzero.net;*.kbb.com;*.flipdog.com;*.pogo.com;*test-speed.com;
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SoloSentry] C:\MYDOCU~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\MYDOCU~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101610816004
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123633994276
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Hopefully i've sent this properly
since doing these scans i cannot go on-line regularly,i'm now in safe mode with networking as something is quickly taking over the pc ?,i lose my mouse and the task manager says that it is using 100% of processes?
Did Spysweeper give you an option to remove the files? It doesnt show that it quarantined or removed anything. If not, I have an alternate download location, but this trial period should remove it by choosing Select All and then Remove
Also - it did not show you having guard.tmp on your system...
You have a slight Lop Infection
C:\WINDOWS\Tasks\A97BD27491A44ED4.job
-------------------------------------------------------------------------------------------------------------------------------------
First please relocate HijackThis to a permanent location such asC:\Program Files\HJT
-------------------------------------------------------------------------------------------------------------------------------------
Now you are showing two Antiviruses which will cause system conflicts and hog resources as well. Please uninstall either of the two
Antivir
SOLO Antivirus
-------------------------------------------------------------------------------------------------------------------------------------
Scan with HijackThis and check the following:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.nyc.office.juno.com;*.corp.netzero.net;*.kbb.com;*.flipdog.com;*.pogo.com;*test-speed.com;
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Now with ALL Browsers closed, clickFIX CHECKED
----------------------------------------------------------------------------------------------------------------------------------------
Download PocketKillbox from here:
http://files2.majorgeeks.com/files//admin/killbox.exe
Open PocketKillbox
-Check the Delete on Reboot option
-Copy and paste the following into the box
-Click the Red X to confirm deletion
-When prompted to reboot choose YES
C:\WINDOWS\Tasks\A97BD27491A44ED4.job
If it doesnt reboot on it's own, reboot it manually.
-----------------------------------------------------------------------------------------------------------------------------------------Let me know what problems you may be having after doing this
After doing what you've suggested i again ran a hijack this log and it looks like 2 of the entries returned
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed and
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed
the other file i mentioned to you was guardtmp ,it now seems to be gone,but until this was done it kept showing up on this program i'm running called Autoruns,so i guess thats good news there,now i need to find out what keeps creating the above mentioned lines,again here is my most recent hijack file .Thank you i realllllllly appreciate this...
Logfile of HijackThis v1.99.1
Scan saved at 10:00:45 PM, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\Program Files\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7900
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101610816004
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123633994276
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Ok - but did Spysweeper remove what it detected? Did you tell it to remove?
Figured them two lines would come back - no biggie ;)
Download CWShredder
http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
-Run CWShredder.exe and Check for updates.
-Close ALL windows except CWShredder and click on the Fix button, then click Next.
Now scan and check them two lines if they still exist
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.comReboot and attach one more log
sorry for taking so long i used the sweeper again and it takes awhile,after using it and deleting the finds it made i rebooted and did another hijack this log,and i'm sure at this point you really wanna not see another one,but here it is and everything seems to be alright from my perspective,but then i'm not the pc genius that you are,is there anything else i need to do or take care of?,Thank you very much ,i reallllllly appreciate you taking the time you have.
Logfile of HijackThis v1.99.1
Scan saved at 11:34:57 PM, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7900
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101610816004
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123633994276
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Glad I could help! :)
Everything looks good.
Now you can flush your System Restore points and you should be good.
Windows XP
Disable
1. Right click My Computer
2. Choose Properties>System Restore tab
3. Check Turn off System Restore or Turn off System Restore on all Drives
4. Click Apply and reboot
Enable
1. Right click My Computer
2. Choose Properties>System Restore tab
3. Uncheck Turn off System Restore or Turn off System Restore on all Drives
4. Click Apply and reboot
Wow never thought i'd get back behind the pc today,but here i am finally ,i just finished the reboots you suggested and am now ready to continue on what i started about a month ago,lol,i'd like to thank you for all your help it really is appreciated and my pc wouldn't be running as smooth as it is if it wasn't for you.Thank You VERY much again ,have a great day.
This article has been dead for over three months
You
© 2012 DaniWeb® LLC
