HackThis Log!! Help!!!!!! (Dial_Relaid.J & SpyQuake!!!) (RESOLVED)

  1. #11
    Lloyd is offline Junior Member

    Re: HackThis Log!! Help!!!!!! (Dial_Relaid.J & SpyQuake!!!)

    Phew. . . that one took a very long time... but here it goes;

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Wednesday, April 26, 2006 8:55:55 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 27/04/2006
    Kaspersky Anti-Virus database records: 190068
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 110404
    Number of viruses found: 15
    Number of infected objects: 34
    Number of suspicious objects: 0
    Duration of the scan process: 01:06:53

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\569C8ECBd01/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\569C8ECBd01/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\569C8ECBd01/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\569C8ECBd01/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\569C8ECBd01 WiseSFX: infected - 4 skipped
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\569C8ECBd01 WiseSFX Dropper: infected - 4 skipped
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\A2088A48d01 Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
    C:\Documents and Settings\Jadyne\Application Data\Netscape\NSB\Profiles\fv2r1nse.default\Cache\F9C56518d01/data0045 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Documents and Settings\Jadyne\Application Data\Netscape\NSB\Profiles\fv2r1nse.default\Cache\F9C56518d01/data0046 Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
    C:\Documents and Settings\Jadyne\Application Data\Netscape\NSB\Profiles\fv2r1nse.default\Cache\F9C56518d01 NSIS: infected - 2 skipped
    C:\Documents and Settings\Jadyne\Desktop\new hack\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.MediaTickets.y skipped
    C:\Documents and Settings\Jadyne\Desktop\new hack\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
    C:\Documents and Settings\Jadyne\Desktop\new hack\OiUninstaller.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\Jadyne\Local Settings\Temporary Internet Files\Content.IE5\O9YVKLIZ\!update-3595[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.bw skipped
    C:\Netscape\Netscape Internet Service\Extras\nsb-install-8-0.exe/data0523 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    C:\Netscape\Netscape Internet Service\Extras\nsb-install-8-0.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP10\A0000451.exe/data0523 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP10\A0000451.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP35\A0004530.exe Infected: Trojan.Win32.Agent.qt skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP35\A0004531.exe Infected: Trojan.Win32.Agent.qt skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP35\A0004532.exe/data0045 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP35\A0004532.exe/data0046 Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP35\A0004532.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP36\A0004696.ocx Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP36\A0004749.exe Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP36\A0004750.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP36\A0004763.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP36\A0004764.exe Infected: not-a-virus:AdWare.Win32.PurityScan.eg skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP37\A0007122.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP37\A0007257.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP37\A0007262.dll Infected: Trojan.Win32.Agent.qt skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP37\A0007264.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP37\A0008296.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP37\A0008300.dll Infected: Trojan.Win32.Agent.qt skipped

    Scan process completed.

    Think it said 15 viruses!!!!! and 34 infected others!!!!
    Sorry it took so long to get back at you this time. Thank you again for coming to my assistance. Have a good day.


  2. #12
    VopThis is offline Senior Member (Canada)
    1) Please download the Killbox.
    Unzip it to the desktop and run it.

    2) Select "Delete on Reboot".
    3) Then Click the "All Files" button.

    4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\569C8ECBd01
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\A2088A48d01
    C:\Documents and Settings\Jadyne\Application Data\Netscape\NSB\Profiles\fv2r1nse.default\Cache\F9C56518d01
    C:\Documents and Settings\Jadyne\Desktop\new hack\OiUninstaller.exe
    C:\Documents and Settings\Jadyne\Local Settings\Temporary Internet Files\Content.IE5\O9YVKLIZ\!update-3595[1].0000
    C:\Netscape\Netscape Internet Service\Extras\nsb-install-8-0.exe
    C:\WINDOWS\SYSTEM32\winrzf32.dll
    5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next.






    Please download WebRoot SpySweeper from HERE (It's a 14 day trial):
    http://www.webroot.com/consumer/prod...de=af1&rc=3597
    OR
    http://www.webroot.com/shoppingcart/...php?bjpc=64011

    • Click the Free Trial link to download the program.
    • Double-click the file to install it as follows:
      • Click "Next", read the agreement, Click "Next"
      • Choose "Custom" click "Next".
      • Leave the default installation directory as it is, then click "Next".
      • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
      • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
      • Finally, click "Install"
    • Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.

      Once the definitions are installed, click Options on the left side.
      Click the Sweep Options tab.
      Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.

      Disable SpySweeper Shields
      • Click Shields on the left.
      • Click Internet Explorer and uncheck all items.
      • Click Windows System and uncheck all items.
      • Click Startup Programs and uncheck all items.
    • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply.


    REBOOT and Post the SpySweeper session log here along with a fresh HiJackThis log.

  3. #13
    Lloyd is offline Junior Member
    Thanx. will do.

  4. #14
    Lloyd is offline Junior Member
    Here goes the logfiles newly renovated:

    Logfile of HijackThis v1.99.1
    Scan saved at 247 AM, on 4/27/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\Program Files\Common Files\ISPCOMP\InstallService.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
    C:\Program Files\Lexmark 7100 Series\ezprint.exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\CompuServe 2000\cstray.exe
    C:\WINDOWS\system32\PackethSvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\lxbxcoms.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Jadyne\Desktop\xili\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rhodeisland.cox.net/cci/home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\prefs.js)
    N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Netscape\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: CompuServe 2000 Tray Icon.lnk = C:\Program Files\CompuServe 2000\cstray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...ad/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    and here's the webroot file....:

    ********
    1:36 AM: | Start of Session, Thursday, April 27, 2006 |
    1:36 AM: Spy Sweeper started
    1:36 AM: Sweep initiated using definitions version 665
    1:36 AM: Starting Memory Sweep
    1:41 AM: Memory Sweep Complete, Elapsed Time: 00:04:12
    1:41 AM: Starting Registry Sweep
    1:41 AM: Found Trojan Horse: trojan agent winlogonhook
    1:41 AM: HKLM\software\microsoft\mssmgr\ (14 subtraces) (ID = 937101)
    1:41 AM: Registry Sweep Complete, Elapsed Time:00:00:19
    1:41 AM: Starting Cookie Sweep
    1:41 AM: Found Spy Cookie: 888 cookie
    1:41 AM: jadyne@888[1].txt (ID = 2019)
    1:41 AM: Found Spy Cookie: about cookie
    1:41 AM: jadyne@about[2].txt (ID = 2037)
    1:41 AM: Found Spy Cookie: adknowledge cookie
    1:41 AM: jadyne@adknowledge[1].txt (ID = 2072)
    1:41 AM: Found Spy Cookie: hbmediapro cookie
    1:41 AM: jadyne@adopt.hbmediapro[2].txt (ID = 2768)
    1:41 AM: Found Spy Cookie: hotbar cookie
    1:41 AM: jadyne@adopt.hotbar[2].txt (ID = 4207)
    1:41 AM: Found Spy Cookie: adrevolver cookie
    1:41 AM: jadyne@adrevolver[3].txt (ID = 2088)
    1:41 AM: Found Spy Cookie: adultfriendfinder cookie
    1:41 AM: jadyne@adultfriendfinder[2].txt (ID = 2165)
    1:41 AM: Found Spy Cookie: apmebf cookie
    1:41 AM: jadyne@apmebf[1].txt (ID = 2229)
    1:41 AM: Found Spy Cookie: ask cookie
    1:41 AM: jadyne@ask[1].txt (ID = 2245)
    1:41 AM: Found Spy Cookie: atlas dmt cookie
    1:41 AM: jadyne@atdmt[1].txt (ID = 2253)
    1:41 AM: Found Spy Cookie: belnk cookie
    1:41 AM: jadyne@ath.belnk[2].txt (ID = 2293)
    1:41 AM: Found Spy Cookie: atwola cookie
    1:41 AM: jadyne@atwola[2].txt (ID = 2255)

    This bugger keeps moving around all the time!!!!!!

    I don't know if this information helps, but when the webroot spy sweeper was running the Trend virus pop-ups saying dial_relaid.j were coming on. . . only reason I say this is because I don't know how to turn off all programs except for the one I want running so that no other windows will open while the spy sweeper does its job, because it says keep all windows closed but those virus pop-ups come on by themselves. Does this happen because the virus is trying to move around to try to escape the destroying program?

    Well, I'm going to sleep for a couple of hours; I'll check back in like 3 hours.

    Thank You again for all your help and effort.

  5. #15
    VopThis is offline Senior Member (Canada)
    The following HijackThis line should now go away once fixed:

    O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)





    "This bugger keeps moving around all the time!!!!!!"
    The majority of SpySweeper items are low-risk cookie items.


    Are you saying that the following line items keep appearing?:

    1:41 AM: Found Trojan Horse: trojan agent winlogonhook
    1:41 AM: HKLM\software\microsoft\mssmgr\ (14 subtraces) (ID = 937101)



    Try running SpySweeper in SAFE MODE or try what was suggested here:
    http://forums.majorgeeks.com/showthread.php?t=88615


    I will continue to research this. Just make sure that there is no OPERATIONAL fax/modem that is in a position to dial out.
    Last edited by VopThis; 27-04-2006 at 01:58 PM. Reason: SS in SAFE MODE suggestion

  6. #16
    Lloyd is offline Junior Member
    "Just make sure that there is no OPERATIONAL fax/modem that is in a position to dial out."

    When you say Operational, you mean that the fax machine itself has to be powered on, right? Because I have a fax and it's hooked up to the computer, but I leave the power off on the fax until I need to use it to send or receive one.

  7. #17
    Lloyd is offline Junior Member
    Oh yeah, when I said it keeps moving around I meant that the virus or whatever literally was moving, like to a different folder or somewhere, because while I was searching for:

    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\569C8ECBd01
    C:\Documents and Settings\Jadyne\Application Data\Mozilla\Profiles\default\eaj2cx9g.slt\Cache\A2088A48d01
    C:\Documents and Settings\Jadyne\Application Data\Netscape\NSB\Profiles\fv2r1nse.default\Cache\F9C56518d01
    C:\Documents and Settings\Jadyne\Desktop\new hack\OiUninstaller.exe
    C:\Documents and Settings\Jadyne\Local Settings\Temporary Internet Files\Content.IE5\O9YVKLIZ\!update-3595[1].0000
    C:\Netscape\Netscape Internet Service\Extras\nsb-install-8-0.exe
    C:\WINDOWS\SYSTEM32\winrzf32.dll

    I found that the OiUninstaller.exe and the trojan had moved to a folder I had recently made on the desktop to store those files, even before I tried to find them, because when I went into my search for the computer for those specific files those two popped up in the folder I had just made not even 45 seconds earlier.

  8. #18
    VopThis is offline Senior Member (Canada)
    "When you say Operational, you mean that the fax machine itself has to be powered on, right?"
    Possibly but not necessarily.

    I was referring to any fax/modem in your PC that the dialer might be able to utilize via any direct connection to a phone jack (if any). You want to prevent any possibility for outgoing calls being made without your permission.

  9. #19
    Lloyd is offline Junior Member
    Ooo, how do I turn this off? I don't know if I have that on here but I don't think so. Where would I go to make sure?

  10. #20
    VopThis is offline Senior Member (Canada)
    "ooo how do i turn this off."
    Make sure that there is no unattended phone jack cord connected from your PC to the telephone system.
