Got that...
********
2:01 PM: | Start of Session, Tuesday, March 28, 2006 |
2:01 PM: Spy Sweeper started
2:01 PM: Sweep initiated using definitions version 643
2:01 PM: Starting Memory Sweep
2:10 PM: Found Adware: psguard\winhound fakealert
2:10 PM: Detected running threat: C:\WINNT\system32\oleext.dll (ID = 134)
2:11 PM: Found Trojan Horse: trojan downloader matcash
2:11 PM: Detected running threat: C:\Program Files\Common Files\Windows\services32.exe (ID = 184143)
2:12 PM: Found Adware: purityscan
2:12 PM: Detected running threat: C:\WINNT\?icrosoft.NET\nopdb.exe (ID = 230)
2:14 PM: Memory Sweep Complete, Elapsed Time: 00:13:03
2:14 PM: Starting Registry Sweep
2:15 PM: Found Adware: 180search assistant/zango
2:15 PM: HKCR\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135597)
2:15 PM: HKCR\clientax.requiredcomponent\ (5 subtraces) (ID = 135598)
2:15 PM: HKCR\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135599)
2:15 PM: HKCR\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135601)
2:15 PM: HKCR\ncmyb.sabho.1\ (3 subtraces) (ID = 135611)
2:15 PM: HKCR\ncmyb.sabho\ (5 subtraces) (ID = 135612)
2:15 PM: HKLM\software\classes\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135622)
2:15 PM: HKLM\software\classes\clientax.requiredcomponent\ (5 subtraces) (ID = 135623)
2:15 PM: HKLM\software\classes\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135624)
2:15 PM: HKLM\software\classes\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135625)
2:15 PM: HKLM\software\classes\ncmyb.sabho.1\ (3 subtraces) (ID = 135632)
2:15 PM: HKLM\software\classes\ncmyb.sabho\ (5 subtraces) (ID = 135633)
2:15 PM: Found Adware: ist powerscan
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\power scan\ (2 subtraces) (ID = 136826)
2:15 PM: HKCR\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (21 subtraces) (ID = 137128)
2:15 PM: HKCR\clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}\ (3 subtraces) (ID = 137170)
2:15 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
2:15 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
2:15 PM: HKCR\mediaticketsinstaller.mediaticketsinstallerctrl.1\ (3 subtraces) (ID = 137352)
2:15 PM: HKLM\software\classes\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (21 subtraces) (ID = 137470)
2:15 PM: HKLM\software\classes\clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}\ (3 subtraces) (ID = 137505)
2:15 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
2:15 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
2:15 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
2:15 PM: HKLM\software\classes\mediaticketsinstaller.mediaticketsinstallerctrl.1\ (3 subtraces) (ID = 137683)
2:15 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
2:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137987)
2:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\winnt\downloaded program files\mediaticketsinstaller.ocx (ID = 139078)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\mediatickets\ (12 subtraces) (ID = 139080)
2:15 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
2:15 PM: Found Adware: ist yoursitebar
2:15 PM: HKLM\software\classes\ysb.ysbobj.1\ (3 subtraces) (ID = 147846)
2:15 PM: HKCR\ysb.ysbobj.1\ (3 subtraces) (ID = 147865)
2:15 PM: HKCR\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 147926)
2:15 PM: Found Adware: ist surf accuracy
2:15 PM: HKLM\software\sacc\ (4 subtraces) (ID = 203068)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070)
2:15 PM: HKLM\software\classes\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 396447)
2:15 PM: Found Trojan Horse: trojan-backdoor-netpt
2:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_netpt\ (12 subtraces) (ID = 1125342)
2:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_perffont\ (8 subtraces) (ID = 1125354)
2:15 PM: HKLM\system\currentcontrolset\services\netpt\ (11 subtraces) (ID = 1125365)
2:15 PM: HKLM\system\currentcontrolset\services\perffont\ (12 subtraces) (ID = 1128287)
2:15 PM: Found Adware: maxifiles
2:15 PM: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
2:15 PM: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
2:15 PM: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
2:15 PM: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
2:15 PM: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
2:15 PM: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
2:15 PM: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
2:15 PM: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
2:15 PM: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
2:15 PM: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
2:15 PM: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
2:15 PM: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
2:15 PM: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (2 subtraces) (ID = 1156519)
2:15 PM: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
2:15 PM: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
2:15 PM: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
2:16 PM: HKU\S-1-5-21-796845957-152049171-1060284298-500\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\180search assistant\ (1 subtraces) (ID = 972193)
2:16 PM: Registry Sweep Complete, Elapsed Time:00:01:24
2:16 PM: Starting Cookie Sweep
2:16 PM: Found Spy Cookie: 247realmedia cookie
2:16 PM: administrator@247realmedia[1].txt (ID = 1953)
2:16 PM: Found Spy Cookie: 2o7.net cookie
2:16 PM: administrator@2o7[2].txt (ID = 1957)
2:16 PM: Found Spy Cookie: yieldmanager cookie
2:16 PM: administrator@ad.yieldmanager[2].txt (ID = 3751)
2:16 PM: Found Spy Cookie: epilot cookie
2:16 PM: administrator@adcenter.epilot[1].txt (ID = 2622)
2:16 PM: Found Spy Cookie: hbmediapro cookie
2:16 PM: administrator@adopt.hbmediapro[2].txt (ID = 2768)
2:16 PM: Found Spy Cookie: adrevolver cookie
2:16 PM: administrator@adrevolver[1].txt (ID = 2088)
2:16 PM: administrator@adrevolver[3].txt (ID = 2088)
2:16 PM: Found Spy Cookie: pointroll cookie
2:16 PM: administrator@ads.pointroll[1].txt (ID = 3148)
2:16 PM: Found Spy Cookie: apmebf cookie
2:16 PM: administrator@apmebf[1].txt (ID = 2229)
2:16 PM: Found Spy Cookie: ask cookie
2:16 PM: administrator@ask[1].txt (ID = 2245)
2:16 PM: Found Spy Cookie: belnk cookie
2:16 PM: administrator@belnk[1].txt (ID = 2292)
2:16 PM: Found Spy Cookie: overture cookie
2:16 PM: administrator@bidtool.overture[1].txt (ID = 3106)
2:16 PM: Found Spy Cookie: bilbo.counted.com cookie
2:16 PM: administrator@bilbo.counted[2].txt (ID = 2306)
2:16 PM: Found Spy Cookie: goclick cookie
2:16 PM: administrator@c.goclick[2].txt (ID = 2733)
2:16 PM: Found Spy Cookie: casalemedia cookie
2:16 PM: administrator@casalemedia[1].txt (ID = 2354)
2:16 PM: administrator@content.overture[1].txt (ID = 3106)
2:16 PM: administrator@dist.belnk[2].txt (ID = 2293)
2:16 PM: Found Spy Cookie: findwhat cookie
2:16 PM: administrator@findwhat[1].txt (ID = 2674)
2:16 PM: Found Spy Cookie: oinadserve cookie
2:16 PM: administrator@oinadserve[2].txt (ID = 3091)
2:16 PM: administrator@overture[1].txt (ID = 3105)
2:16 PM: administrator@perf.overture[1].txt (ID = 3106)
2:16 PM: Found Spy Cookie: qksrv cookie
2:16 PM: administrator@qksrv[1].txt (ID = 3213)
2:16 PM: Found Spy Cookie: questionmarket cookie
2:16 PM: administrator@questionmarket[1].txt (ID = 3217)
2:16 PM: Found Spy Cookie: server.iad.liveperson cookie
2:16 PM: administrator@server.iad.liveperson[2].txt (ID = 3341)
2:16 PM: Found Spy Cookie: serving-sys cookie
2:16 PM: administrator@serving-sys[2].txt (ID = 3343)
2:16 PM: Found Spy Cookie: servlet cookie
2:16 PM: administrator@servlet[1].txt (ID = 3345)
2:16 PM: Found Spy Cookie: statcounter cookie
2:16 PM: administrator@statcounter[2].txt (ID = 3447)
2:16 PM: Found Spy Cookie: tacoda cookie
2:16 PM: administrator@tacoda[2].txt (ID = 6444)
2:16 PM: Found Spy Cookie: tribalfusion cookie
2:16 PM: administrator@tribalfusion[1].txt (ID = 3589)
2:16 PM: Found Spy Cookie: clickxchange adware cookie
2:16 PM: administrator@www.clickxchange[2].txt (ID = 2409)
2:16 PM: administrator@www.epilot[1].txt (ID = 2622)
2:16 PM: Found Spy Cookie: portland.co cookie
2:16 PM: administrator@www.portland.co[1].txt (ID = 3180)
2:16 PM: Found Spy Cookie: adserver cookie
2:16 PM: administrator@z1.adserver[1].txt (ID = 2142)
2:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:08
2:16 PM: Starting File Sweep
2:16 PM: c:\program files\toolbar888 (9 subtraces) (ID = -2147456311)
2:16 PM: c:\program files\common files\inetget (1 subtraces) (ID = -2147477182)
2:16 PM: Found Adware: winhound
2:16 PM: c:\documents and settings\administrator\application data\winhound.com (11 subtraces) (ID = -2147462035)
2:16 PM: c:\program files\winhound (1 subtraces) (ID = -2147462133)
2:17 PM: mc-110-12-0000344.exe (ID = 246327)
2:18 PM: mc-110-12-0000344.exe (ID = 190798)
2:18 PM: freeprodtb.exe (ID = 244762)
2:18 PM: services32.exe (ID = 184143)
2:25 PM: autoit3.exe (ID = 185254)
2:25 PM: dc12.exe (ID = 258578)
2:25 PM: Found Trojan Horse: sdbot
2:25 PM: rp5[1].exe (ID = 271539)
2:26 PM: mediaticketsinstaller.ocx (ID = 73162)
2:26 PM: basis.xml (ID = 244764)
2:31 PM: backup-20060328-064524-240.inf (ID = 73158)
2:31 PM: launcher[1].exe (ID = 243410)
2:33 PM: netpt.sys (ID = 235796)
2:41 PM: toolbar888.dll (ID = 244763)
2:42 PM: mediaticketsinstaller.inf (ID = 73158)
2:44 PM: win32ssr.exe (ID = 271539)
2:44 PM: tds[2].exe (ID = 258578)
2:50 PM: mediaticketsinstaller.ocx (ID = 73162)
2:50 PM: drdata[1].avi (ID = 190798)
2:53 PM: mc-110-12-0000344.exe (ID = 190798)
2:54 PM: freeprodtb[1].exe (ID = 244762)
2:54 PM: a.exe (ID = 271539)
2:55 PM: tds[1].exe (ID = 258578)
2:56 PM: mediaticketsinstaller.ocx (ID = 73162)
2:58 PM: mediaticketsinstaller.inf (ID = 73158)
2:58 PM: perfont.exe (ID = 258578)
2:58 PM: mediaticketsinstaller.inf (ID = 73158)
2:58 PM: mc-110-12-0000344[1].exe (ID = 246327)
2:59 PM: File Sweep Complete, Elapsed Time: 00:42:38
2:59 PM: Full Sweep has completed. Elapsed time 00:57:23
2:59 PM: Traces Found: 528
3:56 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
3:58 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:00 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:02 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:18 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
4:32 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:33 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
4:34 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:36 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:37 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:44 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
7:26 PM: Removal process initiated
7:26 PM: Quarantining All Traces: 180search assistant/zango
7:26 PM: Quarantining All Traces: psguard\winhound fakealert
7:27 PM: psguard\winhound fakealert is in use. It will be removed on reboot.
7:27 PM: C:\WINNT\system32\oleext.dll is in use. It will be removed on reboot.
7:27 PM: Quarantining All Traces: purityscan
7:27 PM: Quarantining All Traces: sdbot
7:27 PM: Quarantining All Traces: trojan downloader matcash
7:27 PM: trojan downloader matcash is in use. It will be removed on reboot.
7:27 PM: services32.exe is in use. It will be removed on reboot.
7:27 PM: Quarantining All Traces: maxifiles
7:28 PM: maxifiles is in use. It will be removed on reboot.
7:28 PM: mc-110-12-0000344.exe is in use. It will be removed on reboot.
7:28 PM: Quarantining All Traces: trojan-backdoor-netpt
7:28 PM: Quarantining All Traces: ist powerscan
7:28 PM: Quarantining All Traces: ist surf accuracy
7:28 PM: Quarantining All Traces: ist yoursitebar
7:28 PM: Quarantining All Traces: winhound
7:28 PM: Quarantining All Traces: 247realmedia cookie
7:28 PM: Quarantining All Traces: 2o7.net cookie
7:28 PM: Quarantining All Traces: adrevolver cookie
7:28 PM: Quarantining All Traces: adserver cookie
7:28 PM: Quarantining All Traces: apmebf cookie
7:28 PM: Quarantining All Traces: ask cookie
7:28 PM: Quarantining All Traces: belnk cookie
7:28 PM: Quarantining All Traces: bilbo.counted.com cookie
7:28 PM: Quarantining All Traces: casalemedia cookie
7:28 PM: Quarantining All Traces: clickxchange adware cookie
7:28 PM: Quarantining All Traces: epilot cookie
7:28 PM: Quarantining All Traces: findwhat cookie
7:28 PM: Quarantining All Traces: goclick cookie
7:28 PM: Quarantining All Traces: hbmediapro cookie
7:28 PM: Quarantining All Traces: oinadserve cookie
7:28 PM: Quarantining All Traces: overture cookie
7:28 PM: Quarantining All Traces: pointroll cookie
7:28 PM: Quarantining All Traces: portland.co cookie
7:28 PM: Quarantining All Traces: qksrv cookie
7:28 PM: Quarantining All Traces: questionmarket cookie
7:28 PM: Quarantining All Traces: server.iad.liveperson cookie
7:28 PM: Quarantining All Traces: serving-sys cookie
7:28 PM: Quarantining All Traces: servlet cookie
7:28 PM: Quarantining All Traces: statcounter cookie
7:28 PM: Quarantining All Traces: tacoda cookie
7:28 PM: Quarantining All Traces: tribalfusion cookie
7:28 PM: Quarantining All Traces: yieldmanager cookie
7:29 PM: Removal process completed. Elapsed time 00:02:46
********
1:56 PM: | Start of Session, Tuesday, March 28, 2006 |
1:56 PM: Spy Sweeper started
1:58 PM: Updating spyware definitions
2:01 PM: Your spyware definitions have been updated.
2:01 PM: | End of Session, Tuesday, March 28, 2006 |
Logfile of HijackThis v1.99.1
Scan saved at 10:00:53 AM, on 3/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\cash17.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\FNTS~1\notepad.exe
C:\Documents and Settings\Default User\Application Data\a?sembly\??chost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com...n/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTick...cab?refid=5172
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: firefox auto update - Unknown owner - C:\WINNT\firefox.exe
O23 - Service: Internet Explorer Web Browser (Internet Explorer) - Unknown owner - C:\WINNT\iexplore.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE