Susan,
A2 found nothing.
When I Ediwo complete scan would run it would encounter a problem and needs to shut down. So, I ran a fast system scan and got this:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 8:28:59 PM, 12/4/2005
+ Report-Checksum: 330E22D
+ Scan result:
C:\WINDOWS\system32\nshC.dll -> Spyware.HotBar : Cleaned with backup
C:\WINDOWS\system32\nsy10.dll -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
::Report End
Spysweeper found:
********
7:45 PM: | Start of Session, Sunday, December 04, 2005 |
7:45 PM: Spy Sweeper started
7:45 PM: Sweep initiated using definitions version 577
7:45 PM: Starting Memory Sweep
7:47 PM: Memory Sweep Complete, Elapsed Time: 00:02:10
7:47 PM: Starting Registry Sweep
7:47 PM: Found Adware: maxifiles
7:47 PM: HKLM\software\classes\xbtb07618.xbtb07618.1\ (3 subtraces) (ID = 134854)
7:47 PM: HKLM\software\classes\xbtb07618.xbtb07618\ (5 subtraces) (ID = 134855)
7:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb07618.xbtb07618toolbar\ (2 subtraces) (ID = 134857)
7:47 PM: HKCR\xbtb07618.xbtb07618.1\ (3 subtraces) (ID = 134867)
7:47 PM: HKCR\xbtb07618.xbtb07618\ (5 subtraces) (ID = 134868)
7:47 PM: HKLM\software\microsoft\internet explorer\extensions\{77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f}\ (8 subtraces) (ID = 728078)
7:47 PM: Found Adware: begin2search
7:47 PM: HKCR\zippyl.amo\ (5 subtraces) (ID = 732260)
7:47 PM: HKCR\zippyl.amo.1\ (3 subtraces) (ID = 732266)
7:47 PM: HKCR\zippyl.iiittt\ (5 subtraces) (ID = 732270)
7:47 PM: HKCR\zippyl.iiittt.1\ (3 subtraces) (ID = 732276)
7:47 PM: HKCR\zippyl.momo\ (5 subtraces) (ID = 732280)
7:47 PM: HKCR\zippyl.momo.1\ (3 subtraces) (ID = 732286)
7:47 PM: HKCR\zippyl.ohb\ (5 subtraces) (ID = 732290)
7:47 PM: HKCR\zippyl.ohb.1\ (3 subtraces) (ID = 732296)
7:47 PM: HKCR\clsid\{8037f7f0-80b6-453a-a7cb-5371a4a09bb8}\ (11 subtraces) (ID = 732300)
7:47 PM: HKCR\clsid\{c8186977-4d5e-4c2b-a5ab-98d59f05c610}\ (11 subtraces) (ID = 732312)
7:47 PM: HKCR\clsid\{d86f8319-7c7a-4f2c-927b-6fd286dc4371}\ (22 subtraces) (ID = 732324)
7:47 PM: HKCR\clsid\{f90b494e-39e5-497d-ae7e-72a2bdca76d3}\ (11 subtraces) (ID = 732347)
7:47 PM: HKCR\typelib\{7812d585-c5f0-458e-9922-c9b4ebe837e8}\ (9 subtraces) (ID = 732359)
7:47 PM: HKLM\software\classes\zippyl.iiittt\clsid\ (1 subtraces) (ID = 734843)
7:47 PM: HKLM\software\classes\zippyl.iiittt.1\ (3 subtraces) (ID = 734847)
7:47 PM: HKLM\software\classes\zippyl.momo\ (5 subtraces) (ID = 734851)
7:47 PM: HKLM\software\classes\zippyl.momo.1\ (3 subtraces) (ID = 734857)
7:47 PM: HKLM\software\classes\zippyl.ohb\ (5 subtraces) (ID = 734861)
7:47 PM: HKLM\software\classes\zippyl.ohb.1\ (3 subtraces) (ID = 734867)
7:47 PM: HKLM\software\classes\clsid\{8037f7f0-80b6-453a-a7cb-5371a4a09bb8}\ (11 subtraces) (ID = 734871)
7:47 PM: HKLM\software\classes\clsid\{c8186977-4d5e-4c2b-a5ab-98d59f05c610}\ (11 subtraces) (ID = 734883)
7:47 PM: HKLM\software\classes\clsid\{d86f8319-7c7a-4f2c-927b-6fd286dc4371}\ (22 subtraces) (ID = 734895)
7:47 PM: HKLM\software\classes\clsid\{f90b494e-39e5-497d-ae7e-72a2bdca76d3}\ (11 subtraces) (ID = 734918)
7:47 PM: HKLM\software\classes\zippyl.amo\ (5 subtraces) (ID = 734930)
7:47 PM: HKLM\software\classes\zippyl.amo.1\ (3 subtraces) (ID = 734936)
7:47 PM: HKLM\software\classes\zippyl.iiittt\ (5 subtraces) (ID = 734940)
7:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{8037f7f0-80b6-453a-a7cb-5371a4a09bb8}\ (ID = 734942)
7:47 PM: HKLM\software\classes\typelib\{7812d585-c5f0-458e-9922-c9b4ebe837e8}\ (9 subtraces) (ID = 734946)
7:47 PM: Found Adware: command
7:47 PM: HKLM\system\currentcontrolset\services\cmdservice\ (5 subtraces) (ID = 958670)
7:47 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
7:47 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
7:47 PM: HKCR\typelib\{5279231e-fabe-4abf-83a8-7c7e17e3ce1a}\ (9 subtraces) (ID = 1020940)
7:47 PM: HKLM\software\classes\typelib\{5279231e-fabe-4abf-83a8-7c7e17e3ce1a}\ (9 subtraces) (ID = 1021009)
7:47 PM: HKU\S-1-5-21-606747145-220523388-682003330-1003\software\director\ || baseurl (ID = 980277)
7:47 PM: HKU\S-1-5-21-606747145-220523388-682003330-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
7:48 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
7:48 PM: Registry Sweep Complete, Elapsed Time:00:00:13
7:48 PM: Starting Cookie Sweep
7:48 PM: Found Spy Cookie: atlas dmt cookie
7:48 PM: chris@atdmt[1].txt (ID = 2253)
7:48 PM: Found Spy Cookie: enhance cookie
7:48 PM:
system@c.enhance[1].txt (ID = 2614)
7:48 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:48 PM: Starting File Sweep
7:48 PM: Found Trojan Horse: trojan downloader matcash
7:48 PM: c:\program files\common files\inetget (1 subtraces) (ID = -2147477182)
7:48 PM: Found Adware: apropos
7:48 PM: c:\documents and settings\chris\local settings\temp\~compoundinst0 (1 subtraces) (ID = -2147481413)
7:48 PM: Found Adware: targetsaver
7:48 PM: tsupdate2[1].ini (ID = 193498)
7:53 PM: tsinstall_4_0_4_0_b4.exe (ID = 193496)
7:53 PM: tsuninst.exe (ID = 193501)
7:54 PM: services32.exe (ID = 184143)
7:54 PM: autoit3.exe (ID = 185254)
7:54 PM: freeprodtb.exe (ID = 198662)
7:54 PM: mc-110-12-0000140.exe (ID = 184140)
7:54 PM: mc-110-12-0000140.exe (ID = 190798)
7:54 PM: mc-110-12-0000140.exe (ID = 190798)
7:54 PM: HKU\S-1-5-21-606747145-220523388-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run || services32 (ID = 0)
7:54 PM: mqwfm.exe (ID = 195131)
7:54 PM: HKU\S-1-5-21-606747145-220523388-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run || mqwf (ID = 0)
7:54 PM: mqwfa.exe (ID = 195128)
7:54 PM: mqwfc.dll (ID = 195129)
7:54 PM: vocabulary (ID = 78283)
7:54 PM: class-barrel (ID = 78229)
7:55 PM: mqwfl.exe (ID = 195130)
7:55 PM: mqwfp.exe (ID = 195132)
7:55 PM: kz1vurg.vbs (ID = 185675)
7:55 PM: File Sweep Complete, Elapsed Time: 00:07:39
7:55 PM: Full Sweep has completed. Elapsed time 00:10:04
7:55 PM: Traces Found: 323
7:56 PM: Removal process initiated
7:56 PM: Quarantining All Traces: trojan downloader matcash
7:56 PM: Quarantining All Traces: apropos
7:56 PM: Quarantining All Traces: begin2search
7:56 PM: Quarantining All Traces: maxifiles
7:56 PM: maxifiles is in use. It will be removed on reboot.
7:56 PM: mc-110-12-0000140.exe is in use. It will be removed on reboot.
7:56 PM: Quarantining All Traces: command
7:56 PM: Quarantining All Traces: targetsaver
7:56 PM: Quarantining All Traces: atlas dmt cookie
7:56 PM: Quarantining All Traces: enhance cookie
7:57 PM: Removal process completed. Elapsed time 00:01:08
********
7:44 PM: | Start of Session, Sunday, December 04, 2005 |
7:44 PM: Spy Sweeper started
7:44 PM: Messenger service has been disabled.
7:45 PM: Your spyware definitions have been updated.
7:45 PM: | End of Session, Sunday, December 04, 2005 |
New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:43:27 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Viewpoint Search -
res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Thanks for the help!!
Penny