******** 10:08 AM: |··· Start of Session, Friday, August 05, 2005 ···| 10:08 AM: Spy Sweeper started 10:08 AM: Sweep initiated using definitions version 507 10:08 AM: Starting Memory Sweep 10:10 AM: Memory Sweep Complete, Elapsed Time: 00:01:45 10:10 AM: Starting Registry Sweep 10:10 AM: Found Adware: coolwebsearch (cws) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 10:10 AM: Found Adware: premium search hostfile hijack 10:10 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 10:10 AM: Found Adware: cws_easysearch 10:10 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 10:10 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 10:10 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 10:10 AM: Found Adware: gain-supported software 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 10:10 AM: Found Adware: dashbar hijack 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 10:10 AM: Found Adware: hotbar 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 
127565) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 10:10 AM: Found Adware: ieplugin 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 10:10 AM: Found Adware: drsnsrch.com hijack 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 10:10 AM: Found Adware: websearch toolbar 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || 
{339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 10:10 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 10:10 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 10:10 AM: Found Adware: psguard 10:10 AM: HKLM\software\shudderltd\ (22 subtraces) (ID = 514661) 10:10 AM: Registry Sweep Complete, Elapsed Time:00:00:14 10:11 AM: Starting Cookie Sweep 10:11 AM: Found Spy Cookie: yieldmanager cookie 10:11 AM: nikunj@ad.yieldmanager[1].txt (ID = 3751) 10:11 AM: Found Spy Cookie: adknowledge cookie 10:11 AM: nikunj@adknowledge[1].txt (ID = 2073) 10:11 AM: Found Spy Cookie: azjmp cookie 10:11 AM: nikunj@azjmp[2].txt (ID = 2271) 10:11 AM: Found Spy Cookie: bluestreak cookie 10:11 AM: nikunj@bluestreak[1].txt (ID = 2315) 10:11 AM: Found Spy Cookie: fastclick cookie 10:11 AM: nikunj@fastclick[2].txt (ID = 2652) 10:11 AM: Found Spy Cookie: overture cookie 10:11 AM: nikunj@perf.overture[1].txt (ID = 3106) 10:11 AM: Found Spy Cookie: revenue.net cookie 10:11 AM: nikunj@revenue[2].txt (ID = 3258) 10:11 AM: Found Spy Cookie: onestat.com cookie 10:11 AM: 
nikunj@stat.onestat[2].txt (ID = 3098) 10:11 AM: Found Spy Cookie: statcounter cookie 10:11 AM: nikunj@statcounter[2].txt (ID = 3448) 10:11 AM: Found Spy Cookie: trafficmp cookie 10:11 AM: nikunj@trafficmp[2].txt (ID = 3582) 10:11 AM: Found Spy Cookie: adserver cookie 10:11 AM: nikunj@z1.adserver[1].txt (ID = 2142) 10:11 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00 10:11 AM: Starting File Sweep 10:14 AM: File Sweep Complete, Elapsed Time: 00:03:20 10:14 AM: Full Sweep has completed. Elapsed time 00:05:26 10:14 AM: Traces Found: 1032 10:15 AM: Removal process initiated 10:15 AM: Quarantining All Traces: coolwebsearch (cws) 10:15 AM: Quarantining All Traces: premium search hostfile hijack 10:15 AM: Quarantining All Traces: cws_easysearch 10:15 AM: Quarantining All Traces: gain-supported software 10:15 AM: Quarantining All Traces: dashbar hijack 10:15 AM: Quarantining All Traces: hotbar 10:15 AM: Quarantining All Traces: ieplugin 10:15 AM: Quarantining All Traces: drsnsrch.com hijack 10:15 AM: Quarantining All Traces: websearch toolbar 10:15 AM: Quarantining All Traces: psguard 10:15 AM: Warning: Failed to remove "HKEY_LOCAL_MACHINE\software\shudderltd\". 10:15 AM: Failed to quarantine psguard 10:15 AM: Failed to quarantine HKLM: software\shudderltd\ 10:15 AM: Quarantining All Traces: yieldmanager cookie 10:15 AM: Quarantining All Traces: adknowledge cookie 10:15 AM: Quarantining All Traces: azjmp cookie 10:15 AM: Quarantining All Traces: bluestreak cookie 10:15 AM: Quarantining All Traces: fastclick cookie 10:15 AM: Quarantining All Traces: overture cookie 10:15 AM: Quarantining All Traces: revenue.net cookie 10:15 AM: Quarantining All Traces: onestat.com cookie 10:15 AM: Quarantining All Traces: statcounter cookie 10:15 AM: Quarantining All Traces: trafficmp cookie 10:15 AM: Quarantining All Traces: adserver cookie 10:15 AM: Removal process completed. 
Elapsed time 00:00:10 ******** 9:17 PM: |··· Start of Session, Thursday, August 04, 2005 ···| 9:17 PM: Spy Sweeper started 9:17 PM: Sweep initiated using definitions version 507 9:17 PM: Starting Memory Sweep 9:17 PM: Found Adware: premium search hostfile hijack 9:17 PM: Detected running threat: C:\Documents and Settings\Nikunj\Local Settings\Temp\dutsnuhebsd.dll (ID = 107412) 9:20 PM: Memory Sweep Complete, Elapsed Time: 00:02:28 9:20 PM: Starting Registry Sweep 9:20 PM: Found Adware: coolwebsearch (cws) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 9:20 PM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 9:20 PM: Found Adware: cws_easysearch 9:20 PM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 9:20 PM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 9:20 PM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 9:20 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 9:20 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 9:20 PM: Found Adware: easysearchbar 9:20 PM: HKLM\software\microsoft\windows\currentversion\uninstall\premiumsearch startpage\ (2 subtraces) (ID = 125578) 9:20 PM: Found Adware: gain-supported software 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 9:20 PM: Found Adware: dashbar 
hijack 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 9:20 PM: Found Adware: hotbar 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 9:20 PM: Found Adware: ieplugin 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 9:20 PM: Found Adware: drsnsrch.com hijack 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 9:20 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 9:20 PM: Found Adware: websearch toolbar 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 
146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 9:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 9:20 PM: Found Adware: psguard 9:20 PM: HKLM\software\shudderltd\ (22 subtraces) (ID = 514661) 9:20 PM: Registry Sweep Complete, Elapsed Time:00:00:19 9:20 PM: Starting Cookie Sweep 9:20 PM: Found Spy Cookie: bluestreak cookie 9:20 PM: nikunj@bluestreak[1].txt (ID = 2315) 9:20 PM: Found Spy Cookie: fastclick cookie 9:20 PM: nikunj@fastclick[2].txt (ID = 2652) 9:20 PM: Found Spy Cookie: 
revenue.net cookie 9:20 PM: nikunj@revenue[2].txt (ID = 3258) 9:20 PM: Found Spy Cookie: adserver cookie 9:20 PM: nikunj@z1.adserver[1].txt (ID = 2142) 9:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00 9:20 PM: Starting File Sweep 9:20 PM: dutsnuhebsd.dll (ID = 107412) 9:25 PM: Warning: Failed to read file "c:\windows\temp\cs6ac26.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 9:25 PM: Warning: Failed to read file "c:\windows\temp\cs6ac31.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 9:25 PM: Warning: Failed to read file "c:\windows\temp\cs6ac36.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 9:26 PM: File Sweep Complete, Elapsed Time: 00:05:52 9:26 PM: Full Sweep has completed. Elapsed time 00:08:48 9:26 PM: Traces Found: 1032 ******** 12:01 AM: |··· Start of Session, Thursday, August 04, 2005 ···| 12:01 AM: Spy Sweeper started 12:01 AM: Sweep initiated using definitions version 507 12:01 AM: Starting Memory Sweep 12:02 AM: Found Adware: premium search hostfile hijack 12:02 AM: Detected running threat: C:\Documents and Settings\Nikunj\Local Settings\Temp\mfwtcnopqhk.dll (ID = 107412) 12:04 AM: Memory Sweep Complete, Elapsed Time: 00:02:32 12:04 AM: Starting Registry Sweep 12:04 AM: Found Adware: coolwebsearch (cws) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 12:04 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 12:04 AM: Found Adware: cws_easysearch 12:04 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 12:04 AM: 
HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 12:04 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 12:04 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 12:04 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 12:04 AM: Found Adware: easysearchbar 12:04 AM: HKLM\software\microsoft\windows\currentversion\uninstall\premiumsearch startpage\ (2 subtraces) (ID = 125578) 12:04 AM: Found Adware: gain-supported software 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 12:04 AM: Found Adware: dashbar hijack 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 12:04 AM: Found Adware: hotbar 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 12:04 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 12:04 AM: Found Adware: ieplugin 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 12:04 AM: Found Adware: drsnsrch.com hijack 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 12:04 AM: Found Adware: websearch toolbar 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID 
= 146467) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 12:04 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 12:04 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 12:04 AM: Found Adware: psguard 12:04 AM: HKLM\software\shudderltd\ (22 subtraces) (ID = 514661) 12:04 AM: Registry Sweep Complete, Elapsed Time:00:00:19 12:04 AM: Starting Cookie Sweep 12:04 AM: Found Spy Cookie: 66.246.209 cookie 12:04 AM: nikunj@66.246.209[1].txt (ID = 1998) 12:04 AM: Found Spy Cookie: adknowledge cookie 12:04 AM: nikunj@adknowledge[1].txt (ID = 2073) 12:04 AM: Found Spy Cookie: pointroll cookie 12:04 AM: nikunj@ads.pointroll[1].txt (ID = 3148) 12:04 AM: Found Spy Cookie: azjmp cookie 12:04 AM: nikunj@azjmp[2].txt (ID = 2271) 12:04 AM: Found Spy Cookie: belnk cookie 12:04 AM: nikunj@belnk[1].txt (ID = 2293) 12:04 AM: Found Spy Cookie: bluestreak cookie 12:04 AM: nikunj@bluestreak[2].txt (ID = 2315) 12:04 AM: Found Spy Cookie: enhance cookie 12:04 AM: nikunj@c.enhance[1].txt (ID = 2614) 12:04 AM: Found Spy Cookie: goclick cookie 12:04 AM: nikunj@c.goclick[1].txt (ID = 2733) 12:04 AM: Found Spy Cookie: casalemedia cookie 12:04 AM: nikunj@casalemedia[1].txt (ID = 2355) 12:04 AM: nikunj@dist.belnk[2].txt (ID = 2293) 12:04 AM: Found Spy Cookie: fastclick cookie 12:04 AM: nikunj@fastclick[1].txt (ID = 2652) 12:04 AM: Found Spy Cookie: maxserving cookie 12:04 AM: nikunj@maxserving[1].txt (ID = 2967) 12:04 AM: Found Spy Cookie: overture cookie 12:04 AM: 
nikunj@perf.overture[1].txt (ID = 3106) 12:04 AM: Found Spy Cookie: questionmarket cookie 12:04 AM: nikunj@questionmarket[1].txt (ID = 3218) 12:04 AM: Found Spy Cookie: serving-sys cookie 12:04 AM: nikunj@serving-sys[2].txt (ID = 3344) 12:04 AM: Found Spy Cookie: statcounter cookie 12:04 AM: nikunj@statcounter[2].txt (ID = 3448) 12:04 AM: Found Spy Cookie: trafficmp cookie 12:04 AM: nikunj@trafficmp[1].txt (ID = 3582) 12:04 AM: Found Spy Cookie: burstbeacon cookie 12:04 AM: nikunj@www.burstbeacon[2].txt (ID = 2335) 12:04 AM: Found Spy Cookie: adserver cookie 12:04 AM: nikunj@z1.adserver[1].txt (ID = 2142) 12:04 AM: Found Spy Cookie: zedo cookie 12:04 AM: nikunj@zedo[2].txt (ID = 3763) 12:04 AM: guest@c.goclick[2].txt (ID = 2733) 12:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01 12:04 AM: Starting File Sweep 12:04 AM: mfwtcnopqhk.dll (ID = 107412) 12:04 AM: ijetgviryxi.dll (ID = 107412) 12:09 AM: File Sweep Complete, Elapsed Time: 00:04:33 12:09 AM: Full Sweep has completed. Elapsed time 00:07:31 12:09 AM: Traces Found: 1050 12:09 AM: Removal process initiated 12:09 AM: Quarantining All Traces: premium search hostfile hijack 12:09 AM: Quarantining All Traces: coolwebsearch (cws) 12:09 AM: Quarantining All Traces: cws_easysearch 12:09 AM: Quarantining All Traces: easysearchbar 12:09 AM: Quarantining All Traces: gain-supported software 12:09 AM: Quarantining All Traces: dashbar hijack 12:09 AM: Quarantining All Traces: hotbar 12:09 AM: Quarantining All Traces: ieplugin 12:09 AM: Quarantining All Traces: drsnsrch.com hijack 12:09 AM: Quarantining All Traces: websearch toolbar 12:09 AM: Quarantining All Traces: psguard 12:09 AM: Warning: Failed to remove "HKEY_LOCAL_MACHINE\software\shudderltd\". 
12:09 AM: Failed to quarantine psguard 12:09 AM: Failed to quarantine HKLM: software\shudderltd\ 12:09 AM: Quarantining All Traces: 66.246.209 cookie 12:09 AM: Quarantining All Traces: adknowledge cookie 12:09 AM: Quarantining All Traces: pointroll cookie 12:09 AM: Quarantining All Traces: azjmp cookie 12:09 AM: Quarantining All Traces: belnk cookie 12:09 AM: Quarantining All Traces: bluestreak cookie 12:09 AM: Quarantining All Traces: enhance cookie 12:09 AM: Quarantining All Traces: goclick cookie 12:09 AM: Quarantining All Traces: casalemedia cookie 12:09 AM: Quarantining All Traces: fastclick cookie 12:09 AM: Quarantining All Traces: maxserving cookie 12:09 AM: Quarantining All Traces: overture cookie 12:09 AM: Quarantining All Traces: questionmarket cookie 12:09 AM: Quarantining All Traces: serving-sys cookie 12:09 AM: Quarantining All Traces: statcounter cookie 12:09 AM: Quarantining All Traces: trafficmp cookie 12:09 AM: Quarantining All Traces: burstbeacon cookie 12:09 AM: Quarantining All Traces: adserver cookie 12:09 AM: Quarantining All Traces: zedo cookie 12:10 AM: Preparing to restart your computer. Please wait... 12:10 AM: Removal process completed. 
Elapsed time 00:00:25 9:17 PM: Found: Memory-resident threat premium search hostfile hijack, version 1.0.0.0 9:17 PM: Detected running threat: premium search hostfile hijack 9:17 PM: |··· End of Session, Thursday, August 04, 2005 ···| ******** 12:16 PM: |··· Start of Session, Monday, August 01, 2005 ···| 12:16 PM: Spy Sweeper started 12:16 PM: Sweep initiated using definitions version 507 12:16 PM: Starting Memory Sweep 12:19 PM: Found Adware: premium search hostfile hijack 12:19 PM: Detected running threat: C:\Documents and Settings\Nikunj\Local Settings\Temp\vmlyjabolef.dll (ID = 107412) 12:19 PM: Memory Sweep Complete, Elapsed Time: 00:03:39 12:19 PM: Starting Registry Sweep 12:20 PM: Found Adware: coolwebsearch (cws) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 12:20 PM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 12:20 PM: Found Adware: cws_easysearch 12:20 PM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 12:20 PM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 12:20 PM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 12:20 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 12:20 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 12:20 PM: Found Adware: easysearchbar 12:20 PM: HKLM\software\microsoft\windows\currentversion\uninstall\premiumsearch startpage\ (2 subtraces) (ID = 125578) 12:20 PM: Found Adware: gain-supported software 12:20 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 12:20 PM: Found Adware: dashbar hijack 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 12:20 PM: Found Adware: hotbar 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 12:20 PM: Found Adware: ieplugin 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 12:20 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 12:20 PM: Found Adware: drsnsrch.com hijack 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 12:20 PM: Found Adware: websearch toolbar 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 12:20 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 12:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 12:20 PM: Found Adware: psguard 
12:20 PM: HKLM\software\shudderltd\ (22 subtraces) (ID = 514661) 12:20 PM: Registry Sweep Complete, Elapsed Time:00:00:42 12:20 PM: Starting Cookie Sweep 12:20 PM: Found Spy Cookie: adknowledge cookie 12:20 PM: nikunj@adknowledge[2].txt (ID = 2073) 12:20 PM: Found Spy Cookie: pointroll cookie 12:20 PM: nikunj@ads.pointroll[2].txt (ID = 3148) 12:20 PM: Found Spy Cookie: azjmp cookie 12:20 PM: nikunj@azjmp[2].txt (ID = 2271) 12:20 PM: Found Spy Cookie: belnk cookie 12:20 PM: nikunj@belnk[1].txt (ID = 2293) 12:20 PM: Found Spy Cookie: casalemedia cookie 12:20 PM: nikunj@casalemedia[1].txt (ID = 2355) 12:20 PM: nikunj@dist.belnk[2].txt (ID = 2293) 12:20 PM: Found Spy Cookie: fastclick cookie 12:20 PM: nikunj@fastclick[1].txt (ID = 2652) 12:20 PM: Found Spy Cookie: maxserving cookie 12:20 PM: nikunj@maxserving[1].txt (ID = 2967) 12:20 PM: Found Spy Cookie: overture cookie 12:20 PM: nikunj@perf.overture[1].txt (ID = 3106) 12:20 PM: Found Spy Cookie: statcounter cookie 12:20 PM: nikunj@statcounter[2].txt (ID = 3448) 12:20 PM: Found Spy Cookie: trafficmp cookie 12:20 PM: nikunj@trafficmp[2].txt (ID = 3582) 12:20 PM: Found Spy Cookie: burstbeacon cookie 12:20 PM: nikunj@www.burstbeacon[2].txt (ID = 2335) 12:20 PM: Found Spy Cookie: adserver cookie 12:20 PM: nikunj@z1.adserver[1].txt (ID = 2142) 12:20 PM: Found Spy Cookie: zedo cookie 12:20 PM: nikunj@zedo[2].txt (ID = 3763) 12:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00 12:20 PM: Starting File Sweep 12:21 PM: vmlyjabolef.dll (ID = 107412) 12:25 PM: File Sweep Complete, Elapsed Time: 00:04:23 12:25 PM: Full Sweep has completed. 
Elapsed time 00:08:42 12:25 PM: Traces Found: 1042 5:02 PM: Processing Startup Alerts 5:02 PM: Removed Startup entry: secserv.exe 9:55 AM: Found: Memory-resident threat premium search hostfile hijack, version 1.0.0.0 9:55 AM: Detected running threat: premium search hostfile hijack 7:01 PM: Found: Memory-resident threat premium search hostfile hijack, version 1.0.0.0 7:01 PM: Detected running threat: premium search hostfile hijack 12:01 AM: Found: Memory-resident threat premium search hostfile hijack, version 1.0.0.0 12:01 AM: Detected running threat: premium search hostfile hijack 12:01 AM: |··· End of Session, Thursday, August 04, 2005 ···| ******** 11:52 AM: |··· Start of Session, Monday, August 01, 2005 ···| 11:52 AM: Spy Sweeper started 11:52 AM: Sweep initiated using definitions version 507 11:52 AM: Starting Memory Sweep 11:54 AM: Found Adware: premium search hostfile hijack 11:54 AM: Detected running threat: C:\Documents and Settings\Nikunj\Local Settings\Temp\vmlyjabolef.dll (ID = 107412) 11:55 AM: Memory Sweep Complete, Elapsed Time: 00:02:39 11:55 AM: Starting Registry Sweep 11:55 AM: Found Adware: coolwebsearch (cws) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 11:55 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 11:55 AM: Found Adware: cws_easysearch 11:55 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 11:55 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 11:55 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 11:55 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ 
(ID = 117161) 11:55 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 11:55 AM: Found Adware: easysearchbar 11:55 AM: HKLM\software\microsoft\windows\currentversion\uninstall\premiumsearch startpage\ (2 subtraces) (ID = 125578) 11:55 AM: Found Adware: gain-supported software 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 11:55 AM: Found Adware: dashbar hijack 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 11:55 AM: Found Adware: hotbar 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 11:55 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 11:55 AM: Found Adware: ieplugin 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 11:55 AM: Found Adware: drsnsrch.com hijack 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 11:55 AM: Found Adware: websearch toolbar 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 11:55 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 
146545) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 11:55 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 11:55 AM: Found Adware: psguard 11:55 AM: HKLM\software\shudderltd\ (22 subtraces) (ID = 514661) 11:55 AM: Registry Sweep Complete, Elapsed Time:00:00:26 11:55 AM: Starting Cookie Sweep 11:55 AM: Found Spy Cookie: adknowledge cookie 11:56 AM: nikunj@adknowledge[2].txt (ID = 2073) 11:56 AM: Found Spy Cookie: azjmp cookie 11:56 AM: nikunj@azjmp[2].txt (ID = 2271) 11:56 AM: Found Spy Cookie: belnk cookie 11:56 AM: nikunj@belnk[1].txt (ID = 2293) 11:56 AM: Found Spy Cookie: casalemedia cookie 11:56 AM: nikunj@casalemedia[1].txt (ID = 2355) 11:56 AM: nikunj@dist.belnk[2].txt (ID = 2293) 11:56 AM: Found Spy Cookie: fastclick cookie 11:56 AM: nikunj@fastclick[1].txt (ID = 2652) 11:56 AM: Found Spy Cookie: maxserving cookie 11:56 AM: nikunj@maxserving[1].txt (ID = 2967) 11:56 AM: Found Spy Cookie: overture cookie 11:56 AM: nikunj@perf.overture[1].txt (ID = 3106) 11:56 AM: Found Spy Cookie: statcounter cookie 11:56 AM: nikunj@statcounter[1].txt (ID = 3448) 11:56 AM: Found Spy Cookie: trafficmp cookie 11:56 AM: nikunj@trafficmp[1].txt (ID = 3582) 11:56 AM: Found Spy Cookie: burstbeacon cookie 11:56 AM: nikunj@www.burstbeacon[1].txt (ID = 2335) 11:56 AM: Found Spy Cookie: adserver cookie 11:56 AM: nikunj@z1.adserver[1].txt (ID = 2142) 11:56 AM: Found Spy Cookie: zedo cookie 11:56 AM: nikunj@zedo[2].txt (ID = 3763) 11:56 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02 11:56 AM: Starting File Sweep 11:56 AM: vmlyjabolef.dll (ID = 107412) 12:00 PM: File Sweep Complete, Elapsed Time: 00:04:07 12:00 PM: Full Sweep has completed. 
Elapsed time 00:07:24 12:00 PM: Traces Found: 1041 12:16 PM: |··· End of Session, Monday, August 01, 2005 ···| ******** 10:40 AM: |··· Start of Session, Monday, August 01, 2005 ···| 10:40 AM: Spy Sweeper started 10:40 AM: Sweep initiated using definitions version 507 10:40 AM: Starting Memory Sweep 10:42 AM: Found Adware: premium search hostfile hijack 10:42 AM: Detected running threat: C:\Documents and Settings\Nikunj\Local Settings\Temp\gbmporyzmrq.dll (ID = 107412) 10:43 AM: Memory Sweep Complete, Elapsed Time: 00:02:25 10:43 AM: Starting Registry Sweep 10:43 AM: Found Adware: coolwebsearch (cws) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 10:43 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 10:43 AM: Found Adware: cws_easysearch 10:43 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 10:43 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 10:43 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 10:43 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 10:43 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 10:43 AM: Found Adware: easysearchbar 10:43 AM: HKLM\software\microsoft\windows\currentversion\uninstall\premiumsearch startpage\ (2 subtraces) (ID = 125578) 10:43 AM: Found Adware: gain-supported software 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 10:43 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 10:43 AM: Found Adware: dashbar hijack 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 10:43 AM: Found Adware: hotbar 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 10:43 AM: Found Adware: ieplugin 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 10:43 AM: Found Adware: drsnsrch.com hijack 10:43 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 10:43 AM: Found Adware: websearch toolbar 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 10:43 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 10:43 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 10:43 AM: Found Adware: psguard 10:43 AM: HKLM\software\shudderltd\ (22 subtraces) (ID = 514661) 10:43 AM: Registry Sweep Complete, Elapsed Time:00:00:16 
10:43 AM: Starting Cookie Sweep 10:43 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00 10:43 AM: Starting File Sweep 10:43 AM: c:\program files\psguard (10 subtraces) (ID = -2147480440) 10:43 AM: gbmporyzmrq.dll (ID = 107412) 10:48 AM: File Sweep Complete, Elapsed Time: 00:04:27 10:48 AM: Full Sweep has completed. Elapsed time 00:07:16 10:48 AM: Traces Found: 1039 10:49 AM: Removal process initiated 10:49 AM: Quarantining All Traces: premium search hostfile hijack 10:49 AM: Quarantining All Traces: coolwebsearch (cws) 10:49 AM: Quarantining All Traces: cws_easysearch 10:49 AM: Quarantining All Traces: easysearchbar 10:49 AM: Quarantining All Traces: gain-supported software 10:49 AM: Quarantining All Traces: dashbar hijack 10:49 AM: Quarantining All Traces: hotbar 10:49 AM: Quarantining All Traces: ieplugin 10:49 AM: Quarantining All Traces: drsnsrch.com hijack 10:49 AM: Quarantining All Traces: websearch toolbar 10:49 AM: Quarantining All Traces: psguard 10:49 AM: Warning: Failed to remove "HKEY_LOCAL_MACHINE\software\shudderltd\". 10:49 AM: Failed to quarantine psguard 10:49 AM: Failed to quarantine HKLM: software\shudderltd\ 10:49 AM: Removal process completed. 
Elapsed time 00:00:40 11:47 AM: Processing Startup Alerts 11:47 AM: Removed Startup entry: secserv.exe 11:48 AM: Processing Hosts File Alerts 11:48 AM: Fixed Hosts File entry: www.google.ae 11:48 AM: Fixed Hosts File entry: www.google.am 11:48 AM: Fixed Hosts File entry: www.google.as 11:48 AM: Fixed Hosts File entry: www.google.at 11:48 AM: Fixed Hosts File entry: www.google.az 11:48 AM: Fixed Hosts File entry: www.google.be 11:48 AM: Fixed Hosts File entry: www.google.bi 11:48 AM: Fixed Hosts File entry: www.google.ca 11:48 AM: Fixed Hosts File entry: www.google.cd 11:48 AM: Fixed Hosts File entry: www.google.cg 11:48 AM: Fixed Hosts File entry: www.google.ch 11:48 AM: Fixed Hosts File entry: www.google.ci 11:48 AM: Fixed Hosts File entry: www.google.cl 11:48 AM: Fixed Hosts File entry: www.google.co.cr 11:48 AM: Fixed Hosts File entry: www.google.co.hu 11:48 AM: Fixed Hosts File entry: www.google.co.il 11:48 AM: Fixed Hosts File entry: www.google.co.in 11:48 AM: Fixed Hosts File entry: www.google.co.je 11:48 AM: Fixed Hosts File entry: www.google.co.jp 11:48 AM: Fixed Hosts File entry: www.google.co.ke 11:48 AM: Fixed Hosts File entry: www.google.co.kr 11:48 AM: Fixed Hosts File entry: www.google.co.ls 11:48 AM: Fixed Hosts File entry: www.google.co.nz 11:48 AM: Fixed Hosts File entry: www.google.co.th 11:48 AM: Fixed Hosts File entry: www.google.co.ug 11:48 AM: Fixed Hosts File entry: www.google.co.uk 11:48 AM: Fixed Hosts File entry: www.google.co.ve 11:48 AM: Fixed Hosts File entry: www.google.com 11:48 AM: Fixed Hosts File entry: www.google.com.ag 11:48 AM: Fixed Hosts File entry: www.google.com.ar 11:48 AM: Fixed Hosts File entry: www.google.com.au 11:48 AM: Fixed Hosts File entry: www.google.com.br 11:48 AM: Fixed Hosts File entry: www.google.com.co 11:48 AM: Fixed Hosts File entry: www.google.com.cu 11:48 AM: Fixed Hosts File entry: www.google.com.do 11:48 AM: Fixed Hosts File entry: www.google.com.ec 11:48 AM: Fixed Hosts File entry: www.google.com.fj 
11:52 AM: Found: Memory-resident threat premium search hostfile hijack, version 1.0.0.0 11:52 AM: Detected running threat: premium search hostfile hijack 11:52 AM: |··· End of Session, Monday, August 01, 2005 ···| ******** 12:34 AM: |··· Start of Session, Monday, August 01, 2005 ···| 12:34 AM: Spy Sweeper started 12:34 AM: Sweep initiated using definitions version 507 12:34 AM: Starting Memory Sweep 12:37 AM: Found Adware: premium search hostfile hijack 12:37 AM: Detected running threat: C:\Documents and Settings\Nikunj\Local Settings\Temp\cdcbitwtwjm.dll (ID = 107412) 12:37 AM: Memory Sweep Complete, Elapsed Time: 00:02:40 12:37 AM: Starting 
Registry Sweep 12:37 AM: Found Adware: coolwebsearch (cws) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 12:37 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 12:37 AM: Found Adware: cws_easysearch 12:37 AM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 12:37 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 12:37 AM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 12:37 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 12:37 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 12:37 AM: Found Adware: easysearchbar 12:37 AM: HKLM\software\microsoft\windows\currentversion\uninstall\premiumsearch startpage\ (2 subtraces) (ID = 125578) 12:37 AM: Found Adware: gain-supported software 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 12:37 AM: Found Adware: dashbar hijack 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 12:37 AM: Found Adware: hotbar 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 
127565) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 12:37 AM: Found Adware: ieplugin 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 12:37 AM: Found Adware: drsnsrch.com hijack 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 12:37 AM: Found Adware: websearch toolbar 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 12:37 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:37 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 12:37 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 12:37 AM: Found Adware: psguard 12:37 AM: HKLM\software\shudderltd\ (22 subtraces) (ID = 514661) 12:37 AM: Registry Sweep Complete, Elapsed Time:00:00:24 12:38 AM: Starting Cookie Sweep 12:38 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00 12:38 AM: Starting File Sweep 12:38 AM: Warning: Failed to open file "c:\windows\system32\spool\printers\fp00001.shd". 
The process cannot access the file because it is being used by another process 12:38 AM: c:\program files\psguard (10 subtraces) (ID = -2147480440) 12:38 AM: cdcbitwtwjm.dll (ID = 107412) 10:37 AM: Processing Hosts File Alerts 10:37 AM: Processing Internet Explorer Favorites Alerts 10:37 AM: Removed IE Favorite: Spyware Remover 10:37 AM: Removed IE Favorite: Play in the most popular online casino 10:37 AM: Removed IE Favorite: Online Poker 10:37 AM: Removed IE Favorite: Online Pharmacy 10:37 AM: Removed IE Favorite: Online Directory of Pure Porn 10:37 AM: Removed IE Favorite: Online AntiVirus and Spyware Remover 10:37 AM: Removed IE Favorite: Free Real-time Dating Service 10:37 AM: Removed IE Favorite: Free Online Casino 10:37 AM: Removed IE Favorite: Email Spam Filter 10:37 AM: Removed IE Favorite: 
Cheap Viagra 10:37 AM: Removed IE Favorite: Buy Viagra Online 10:37 AM: Removed IE Favorite: Anti Spyware Soft 10:37 AM: Processing Startup Alerts 10:37 AM: Removed Startup entry: secserv.exe 10:37 AM: Removed Startup entry: PSGuard spyware remover 10:38 AM: Processing Startup Alerts 10:38 AM: Removed Startup entry: secserv.exe 10:38 AM: Processing Startup Alerts 10:38 AM: Removed Startup entry: secserv.exe 10:40 AM: Found: Memory-resident threat premium search hostfile hijack, version 1.0.0.0 10:40 AM: Detected running threat: premium search hostfile hijack 10:40 AM: |··· End of Session, Monday, August 01, 2005 ···| ******** 9:00 PM: |··· Start of Session, Sunday, July 31, 2005 ···| 9:00 PM: Spy Sweeper started 9:00 PM: Sweep initiated using definitions version 507 9:00 PM: Starting Memory Sweep 9:03 PM: Found Adware: premium search hostfile hijack 9:03 PM: Detected running threat: C:\Documents and Settings\Nikunj\Local Settings\Temp\ctmzwngfshe.dll (ID = 107412) 9:03 PM: Memory Sweep Complete, Elapsed Time: 00:02:57 9:03 PM: Starting Registry Sweep 9:03 PM: Found Adware: coolwebsearch (cws) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 9:03 PM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 9:03 PM: Found Adware: cws_easysearch 9:03 PM: HKCR\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117159) 9:03 PM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 9:03 PM: HKLM\software\classes\clsid\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (3 subtraces) (ID = 117160) 9:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 9:03 PM: 
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{5483427f-93b8-1470-5a89-e6b56484cdb2}\ (ID = 117161) 9:03 PM: Found Adware: easysearchbar 9:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\premiumsearch startpage\ (2 subtraces) (ID = 125578) 9:03 PM: Found Adware: gain-supported software 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 9:03 PM: Found Adware: dashbar hijack 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 9:03 PM: Found Adware: hotbar 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 9:03 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 9:03 PM: Found Adware: ieplugin 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 9:03 PM: Found Adware: drsnsrch.com hijack 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 9:03 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 9:03 PM: Found Adware: psguard desktop hijacker 9:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\internet update\ (3 subtraces) (ID = 136964) 9:04 PM: Found Adware: websearch toolbar 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 9:04 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 9:04 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 9:04 PM: Found Trojan Horse: sysnet 9:04 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sysnet\ (2 subtraces) (ID = 381857) 9:04 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 9:04 PM: Registry Sweep Complete, Elapsed Time:00:00:16 9:04 PM: Starting Cookie Sweep 9:04 PM: Found Spy Cookie: 10102 cookie 9:04 PM: nikunj@10102[2].txt (ID = 1920) 9:04 PM: Found Spy Cookie: 10103 cookie 9:04 PM: nikunj@10103[2].txt (ID = 1922) 9:04 PM: Found Spy Cookie: 10105 cookie 9:04 PM: nikunj@10105[1].txt (ID = 1924) 9:04 PM: Found Spy Cookie: 2o7.net cookie 9:04 PM: nikunj@2o7[2].txt (ID = 1958) 9:04 PM: Found Spy Cookie: 64.62.232 cookie 9:04 PM: nikunj@64.62.232[1].txt (ID = 1988) 9:04 PM: nikunj@64.62.232[2].txt (ID = 1988) 9:04 PM: nikunj@64.62.232[3].txt (ID = 1988) 9:04 PM: nikunj@64.62.232[4].txt (ID = 1988) 9:04 PM: nikunj@64.62.232[5].txt (ID = 1988) 9:04 PM: Found Spy Cookie: 888 cookie 9:04 PM: nikunj@888[1].txt (ID = 2020) 9:04 PM: nikunj@888[2].txt (ID = 2020) 9:04 PM: Found Spy Cookie: abcsearch cookie 9:04 PM: nikunj@abcsearch[2].txt (ID = 2034) 9:04 PM: Found Spy Cookie: yieldmanager cookie 9:04 PM: nikunj@ad.yieldmanager[1].txt (ID = 3751) 9:04 PM: Found Spy Cookie: adamg cookie 9:04 PM: nikunj@adamg[1].txt (ID = 2056) 9:04 PM: Found Spy Cookie: adknowledge cookie 9:04 PM: nikunj@adknowledge[1].txt (ID = 2073) 9:04 PM: Found Spy Cookie: specificclick.com cookie 9:04 PM: nikunj@adopt.specificclick[2].txt (ID = 3400) 9:04 PM: Found Spy Cookie: addynamix cookie 9:04 PM: nikunj@ads.addynamix[1].txt (ID = 2062) 9:04 PM: Found Spy Cookie: pointroll cookie 9:04 PM: 
nikunj@ads.pointroll[2].txt (ID = 3148) 9:04 PM: Found Spy Cookie: aff01511 cookie 9:04 PM: nikunj@aff01511[1].txt (ID = 2186) 9:04 PM: Found Spy Cookie: aff506 cookie 9:04 PM: nikunj@aff506[1].txt (ID = 2190) 9:04 PM: Found Spy Cookie: aff6007 cookie 9:04 PM: nikunj@aff6007[1].txt (ID = 2194) 9:04 PM: Found Spy Cookie: aff6008 cookie 9:04 PM: nikunj@aff6008[1].txt (ID = 2196) 9:04 PM: Found Spy Cookie: falkag cookie 9:04 PM: nikunj@as-eu.falkag[1].txt (ID = 2650) 9:04 PM: nikunj@as-us.falkag[2].txt (ID = 2650) 9:04 PM: Found Spy Cookie: askmen cookie 9:04 PM: nikunj@askmen[1].txt (ID = 2248) 9:04 PM: Found Spy Cookie: ask cookie 9:04 PM: nikunj@ask[1].txt (ID = 2246) 9:04 PM: Found Spy Cookie: aycm5 cookie 9:04 PM: nikunj@aycm5[1].txt (ID = 2267) 9:04 PM: Found Spy Cookie: azjmp cookie 9:04 PM: nikunj@azjmp[1].txt (ID = 2271) 9:04 PM: Found Spy Cookie: searchingbooth cookie 9:04 PM: nikunj@banners.searchingbooth[1].txt (ID = 3322) 9:04 PM: Found Spy Cookie: banners cookie 9:04 PM: nikunj@banners[1].txt (ID = 2283) 9:04 PM: Found Spy Cookie: burstnet cookie 9:04 PM: nikunj@burstnet[2].txt (ID = 2337) 9:04 PM: Found Spy Cookie: top-banners cookie 9:04 PM: nikunj@campaigns.top-banners[1].txt (ID = 3548) 9:04 PM: Found Spy Cookie: captnemo cookie 9:04 PM: nikunj@CaptNemo[1].txt (ID = 2349) 9:04 PM: Found Spy Cookie: cassava cookie 9:04 PM: nikunj@cassava[1].txt (ID = 2363) 9:04 PM: Found Spy Cookie: cyberjester cookie 9:04 PM: nikunj@cyberjester[1].txt (ID = 2486) 9:04 PM: Found Spy Cookie: dutchmen cookie 9:04 PM: nikunj@Dutchmen[2].txt (ID = 2546) 9:04 PM: Found Spy Cookie: dw05 cookie 9:04 PM: nikunj@dw05[1].txt (ID = 2548) 9:04 PM: Found Spy Cookie: ru4 cookie 9:04 PM: nikunj@edge.ru4[2].txt (ID = 3269) 9:04 PM: Found Spy Cookie: elmer cookie 9:04 PM: nikunj@elmer[1].txt (ID = 2602) 9:04 PM: Found Spy Cookie: fastclick cookie 9:04 PM: nikunj@fastclick[1].txt (ID = 2652) 9:04 PM: Found Spy Cookie: clickandtrack cookie 9:04 PM: nikunj@hits.clickandtrack[2].txt (ID = 
2397) 9:04 PM: Found Spy Cookie: hpm001 cookie 9:04 PM: nikunj@hpm001[1].txt (ID = 2808) 9:04 PM: Found Spy Cookie: kiddo cookie 9:04 PM: nikunj@Kiddo[1].txt (ID = 2902) 9:04 PM: Found Spy Cookie: littlejohn cookie 9:04 PM: nikunj@LittleJohn[1].txt (ID = 2929) 9:04 PM: Found Spy Cookie: maxserving cookie 9:04 PM: nikunj@maxserving[1].txt (ID = 2967) 9:04 PM: nikunj@media.top-banners[1].txt (ID = 3548) 9:04 PM: Found Spy Cookie: partypoker cookie 9:04 PM: nikunj@partypoker[2].txt (ID = 3112) 9:04 PM: Found Spy Cookie: paypopup cookie 9:04 PM: nikunj@paypopup[2].txt (ID = 3120) 9:04 PM: Found Spy Cookie: overture cookie 9:04 PM: nikunj@perf.overture[1].txt (ID = 3106) 9:04 PM: Found Spy Cookie: questionmarket cookie 9:04 PM: nikunj@questionmarket[1].txt (ID = 3218) 9:04 PM: Found Spy Cookie: realmedia cookie 9:04 PM: nikunj@realmedia[2].txt (ID = 3236) 9:04 PM: Found Spy Cookie: adjuggler cookie 9:04 PM: nikunj@rotator.adjuggler[1].txt (ID = 2071) 9:04 PM: Found Spy Cookie: server.iad.liveperson cookie 9:04 PM: nikunj@server.iad.liveperson[1].txt (ID = 3342) 9:04 PM: Found Spy Cookie: snakeman cookie 9:04 PM: nikunj@Snakeman[1].txt (ID = 3392) 9:04 PM: Found Spy Cookie: statcounter cookie 9:04 PM: nikunj@statcounter[1].txt (ID = 3448) 9:04 PM: Found Spy Cookie: trafficmp cookie 9:04 PM: nikunj@trafficmp[2].txt (ID = 3582) 9:04 PM: Found Spy Cookie: tribalfusion cookie 9:04 PM: nikunj@tribalfusion[2].txt (ID = 3590) 9:04 PM: Found Spy Cookie: burstbeacon cookie 9:04 PM: nikunj@www.burstbeacon[2].txt (ID = 2335) 9:04 PM: Found Spy Cookie: letitfind cookie 9:04 PM: nikunj@www.letitfind[1].txt (ID = 2919) 9:04 PM: Found Spy Cookie: adserver cookie 9:04 PM: nikunj@z1.adserver[1].txt (ID = 2142) 9:04 PM: Found Spy Cookie: zedo cookie 9:04 PM: nikunj@zedo[1].txt (ID = 3763) 9:04 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02 9:04 PM: Starting File Sweep 9:04 PM: c:\program files\asys (1 subtraces) (ID = -2147477847) 9:04 PM: c:\program files\epicenter (1 subtraces) (ID = 
-2147477846) 9:04 PM: Found Adware: effective-i toolbar 9:04 PM: ucmoreiex[1].exe (ID = 59853) 9:04 PM: ucmoreiex.exe (ID = 59853) 9:04 PM: ctmzwngfshe.dll (ID = 107412) 9:04 PM: snuninst.exe (ID = 110129) 9:04 PM: Found Adware: targetsaver 9:04 PM: tsupdate[1].ini (ID = 112322) 9:05 PM: Found Adware: begin2search 9:05 PM: pinkkas21.ico (ID = 51041) 9:05 PM: Found Trojan Horse: trojan-downloader-traf34 9:05 PM: gsm3-0511.exe (ID = 81005) 9:05 PM: qwrza.exe (ID = 78284) 9:05 PM: qwrzl.exe (ID = 78246) 9:05 PM: pinkkas21[1].ico (ID = 51041) 9:05 PM: vocabulary (ID = 78283) 9:06 PM: Found Adware: roings search enhancment 9:06 PM: diamond[2].cab (ID = 94665) 9:07 PM: tsuninst.exe (ID = 78276) 9:07 PM: diamond[1].cab (ID = 94665) 9:07 PM: tsinstall_4_0_3_8_b17.exe (ID = 78267) 9:07 PM: qwrzc.dll (ID = 78253) 9:07 PM: tsupdate_4_0_3_9_b2.exe (ID = 78281) 9:07 PM: class-barrel (ID = 78229) 9:07 PM: sysnet.exe (ID = 110109) 9:07 PM: Found Adware: psguard 9:07 PM: psguardinstall.exe (ID = 115328) 9:07 PM: affupdate[1].ini (ID = 78227) 9:07 PM: File Sweep Complete, Elapsed Time: 00:03:37 9:07 PM: Full Sweep has completed. 
Elapsed time 00:07:01 9:07 PM: Traces Found: 1097 9:08 PM: Removal process initiated 9:08 PM: Quarantining All Traces: premium search hostfile hijack 9:08 PM: Quarantining All Traces: coolwebsearch (cws) 9:08 PM: Quarantining All Traces: cws_easysearch 9:08 PM: Quarantining All Traces: easysearchbar 9:08 PM: Quarantining All Traces: gain-supported software 9:08 PM: Quarantining All Traces: dashbar hijack 9:08 PM: Quarantining All Traces: hotbar 9:08 PM: Quarantining All Traces: ieplugin 9:08 PM: Quarantining All Traces: drsnsrch.com hijack 9:08 PM: Quarantining All Traces: psguard desktop hijacker 9:08 PM: Quarantining All Traces: websearch toolbar 9:08 PM: Quarantining All Traces: sysnet 9:08 PM: Quarantining All Traces: 10102 cookie 9:08 PM: Quarantining All Traces: 10103 cookie 9:08 PM: Quarantining All Traces: 10105 cookie 9:08 PM: Quarantining All Traces: 2o7.net cookie 9:08 PM: Quarantining All Traces: 64.62.232 cookie 9:08 PM: Quarantining All Traces: 888 cookie 9:08 PM: Quarantining All Traces: abcsearch cookie 9:08 PM: Quarantining All Traces: yieldmanager cookie 9:08 PM: Quarantining All Traces: adamg cookie 9:08 PM: Quarantining All Traces: adknowledge cookie 9:08 PM: Quarantining All Traces: specificclick.com cookie 9:08 PM: Quarantining All Traces: addynamix cookie 9:08 PM: Quarantining All Traces: pointroll cookie 9:08 PM: Quarantining All Traces: aff01511 cookie 9:08 PM: Quarantining All Traces: aff506 cookie 9:08 PM: Quarantining All Traces: aff6007 cookie 9:08 PM: Quarantining All Traces: aff6008 cookie 9:08 PM: Quarantining All Traces: falkag cookie 9:08 PM: Quarantining All Traces: askmen cookie 9:08 PM: Quarantining All Traces: ask cookie 9:08 PM: Quarantining All Traces: aycm5 cookie 9:08 PM: Quarantining All Traces: azjmp cookie 9:08 PM: Quarantining All Traces: searchingbooth cookie 9:08 PM: Quarantining All Traces: banners cookie 9:08 PM: Quarantining All Traces: burstnet cookie 9:08 PM: Quarantining All Traces: top-banners cookie 9:08 PM: 
Quarantining All Traces: captnemo cookie 9:08 PM: Quarantining All Traces: cassava cookie 9:08 PM: Quarantining All Traces: cyberjester cookie 9:08 PM: Quarantining All Traces: dutchmen cookie 9:08 PM: Quarantining All Traces: dw05 cookie 9:08 PM: Quarantining All Traces: ru4 cookie 9:08 PM: Quarantining All Traces: elmer cookie 9:08 PM: Quarantining All Traces: fastclick cookie 9:08 PM: Quarantining All Traces: clickandtrack cookie 9:08 PM: Quarantining All Traces: hpm001 cookie 9:08 PM: Quarantining All Traces: kiddo cookie 9:08 PM: Quarantining All Traces: littlejohn cookie 9:08 PM: Quarantining All Traces: maxserving cookie 9:08 PM: Quarantining All Traces: partypoker cookie 9:08 PM: Quarantining All Traces: paypopup cookie 9:08 PM: Quarantining All Traces: overture cookie 9:08 PM: Quarantining All Traces: questionmarket cookie 9:08 PM: Quarantining All Traces: realmedia cookie 9:08 PM: Quarantining All Traces: adjuggler cookie 9:08 PM: Quarantining All Traces: server.iad.liveperson cookie 9:08 PM: Quarantining All Traces: snakeman cookie 9:08 PM: Quarantining All Traces: statcounter cookie 9:08 PM: Quarantining All Traces: trafficmp cookie 9:08 PM: Quarantining All Traces: tribalfusion cookie 9:08 PM: Quarantining All Traces: burstbeacon cookie 9:08 PM: Quarantining All Traces: letitfind cookie 9:08 PM: Quarantining All Traces: adserver cookie 9:08 PM: Quarantining All Traces: zedo cookie 9:08 PM: Quarantining All Traces: effective-i toolbar 9:08 PM: Quarantining All Traces: targetsaver 9:08 PM: Quarantining All Traces: begin2search 9:08 PM: Quarantining All Traces: trojan-downloader-traf34 9:08 PM: Quarantining All Traces: roings search enhancment 9:08 PM: Quarantining All Traces: psguard 9:09 PM: Removal process completed. 
Elapsed time 00:01:49 12:34 AM: Found: Memory-resident threat premium search hostfile hijack, version 1.0.0.0 12:34 AM: Detected running threat: premium search hostfile hijack 12:34 AM: |··· End of Session, Monday, August 01, 2005 ···| ******** 7:42 PM: |··· Start of Session, Sunday, July 31, 2005 ···| 7:42 PM: Spy Sweeper started 7:42 PM: Sweep initiated using definitions version 507 7:42 PM: Starting Memory Sweep 7:42 PM: Found Adware: clkoptimizer 7:42 PM: Detected running threat: C:\WINDOWS\system32\dhlgjgl.dll (ID = 120439) 7:42 PM: Detected running threat: C:\WINDOWS\system32\jborar.exe (ID = 120384) 7:44 PM: Found Adware: windows afa internet enhancement 7:44 PM: Detected running threat: C:\WINDOWS\system\crlhho.exe (ID = 90524) 7:44 PM: Detected running threat: C:\WINDOWS\system32\n.dll (ID = 90522) 7:44 PM: Found Adware: rich editor 7:44 PM: Detected running threat: C:\WINDOWS\system32\richedtr.dll (ID = 109658) 7:44 PM: Detected running threat: C:\WINDOWS\system32\redtrsha.dll (ID = 109657) 7:44 PM: Memory Sweep Complete, Elapsed Time: 00:02:37 7:44 PM: Starting Registry Sweep 7:45 PM: Found Adware: coolwebsearch (cws) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 7:45 PM: Found Adware: gain-supported software 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 7:45 PM: Found Adware: dashbar hijack 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 7:45 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 7:45 PM: Found Adware: hotbar 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 7:45 PM: Found Adware: ieplugin 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 7:45 PM: Found Adware: drsnsrch.com hijack 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 7:45 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 7:45 PM: Found Adware: websearch toolbar 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 7:45 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 7:45 PM: HKCR\clsid\{c370527a-24a7-4583-be01-72e59000eb17}\ (3 subtraces) (ID = 147271) 7:45 PM: HKLM\software\classes\clsid\{c370527a-24a7-4583-be01-72e59000eb17}\ (3 subtraces) (ID = 147272) 7:45 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{c370527a-24a7-4583-be01-72e59000eb17}\ (ID = 147273) 7:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\wafaie\ (2 subtraces) (ID = 147277) 7:45 PM: Found Adware: abetterinternet 7:45 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 359578) 7:45 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj.1\ (3 subtraces) (ID = 359584) 7:45 PM: HKCR\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 
359588) 7:45 PM: HKLM\software\classes\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 359725) 7:45 PM: HKLM\software\classes\aurorahandlerdll.aurorahandlerdllobj.1\ (3 subtraces) (ID = 359731) 7:45 PM: HKLM\software\classes\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 359735) 7:45 PM: HKLM\software\classes\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 359756) 7:45 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 360169) 7:45 PM: HKCR\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 360170) 7:45 PM: Found Adware: cws_youriskalka.com hijack 7:45 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\microsoft\internet explorer\searchurl\ || provider (ID = 361520) 7:45 PM: HKCR\lowsol.richeditor\ (5 subtraces) (ID = 372961) 7:45 PM: HKCR\lowsol.richeditor.1\ (3 subtraces) (ID = 372967) 7:45 PM: HKCR\clsid\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\inprocserver32\ (2 subtraces) (ID = 372976) 7:45 PM: HKCR\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373009) 7:45 PM: HKLM\software\microsoft\windows\currentversion\app paths\richedtr\ (2 subtraces) (ID = 373109) 7:45 PM: HKLM\software\microsoft\windows\currentversion\app paths\richup\ || path (ID = 373114) 7:45 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\ (ID = 373115) 7:45 PM: HKLM\software\microsoft\windows\currentversion\run\ || richup (ID = 373124) 7:45 PM: HKLM\software\riched\ (29 subtraces) (ID = 373158) 7:45 PM: HKLM\software\classes\lowsol.richeditor\ (5 subtraces) (ID = 373176) 7:45 PM: HKLM\software\classes\clsid\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\ (11 subtraces) (ID = 373189) 7:45 PM: HKLM\software\classes\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373224) 7:45 PM: Found Adware: cas 7:45 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\cmapp\ (12 subtraces) (ID = 381792) 7:45 
PM: Found Trojan Horse: sysnet 7:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sysnet\ (2 subtraces) (ID = 381857) 7:45 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 7:45 PM: HKLM\software\classes\lowsol.richeditor.1\ (3 subtraces) (ID = 479490) 7:45 PM: HKCR\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 480791) 7:45 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 498504) 7:45 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 498516) 7:45 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 499294) 7:45 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 499295) 7:45 PM: Registry Sweep Complete, Elapsed Time:00:00:23 7:45 PM: Starting Cookie Sweep 7:45 PM: Found Spy Cookie: 10103 cookie 7:45 PM: nikunj@10103[2].txt (ID = 1922) 7:45 PM: Found Spy Cookie: 2o7.net cookie 7:45 PM: nikunj@2o7[2].txt (ID = 1958) 7:45 PM: Found Spy Cookie: 64.62.232 cookie 7:45 PM: nikunj@64.62.232[2].txt (ID = 1988) 7:45 PM: nikunj@64.62.232[3].txt (ID = 1988) 7:45 PM: nikunj@64.62.232[4].txt (ID = 1988) 7:45 PM: nikunj@64.62.232[5].txt (ID = 1988) 7:45 PM: Found Spy Cookie: 888 cookie 7:45 PM: nikunj@888[1].txt (ID = 2020) 7:45 PM: nikunj@888[2].txt (ID = 2020) 7:45 PM: Found Spy Cookie: abcsearch cookie 7:45 PM: nikunj@abcsearch[2].txt (ID = 2034) 7:45 PM: Found Spy Cookie: yieldmanager cookie 7:45 PM: nikunj@ad.yieldmanager[2].txt (ID = 3751) 7:45 PM: Found Spy Cookie: adknowledge cookie 7:45 PM: nikunj@adknowledge[1].txt (ID = 2073) 7:45 PM: Found Spy Cookie: addynamix cookie 7:45 PM: nikunj@ads.addynamix[1].txt (ID = 2062) 7:45 PM: Found Spy Cookie: pointroll cookie 7:45 PM: nikunj@ads.pointroll[2].txt (ID = 3148) 7:45 PM: Found Spy Cookie: aff6008 cookie 7:45 PM: nikunj@aff6008[1].txt (ID = 2196) 7:45 PM: Found Spy Cookie: falkag cookie 7:45 PM: nikunj@as-eu.falkag[1].txt (ID = 2650) 7:45 PM: 
nikunj@as-us.falkag[1].txt (ID = 2650) 7:45 PM: Found Spy Cookie: ask cookie 7:45 PM: nikunj@ask[1].txt (ID = 2246) 7:45 PM: Found Spy Cookie: azjmp cookie 7:45 PM: nikunj@azjmp[1].txt (ID = 2271) 7:45 PM: Found Spy Cookie: searchingbooth cookie 7:45 PM: nikunj@banners.searchingbooth[1].txt (ID = 3322) 7:45 PM: Found Spy Cookie: banners cookie 7:45 PM: nikunj@banners[1].txt (ID = 2283) 7:45 PM: Found Spy Cookie: burstnet cookie 7:45 PM: nikunj@burstnet[2].txt (ID = 2337) 7:45 PM: Found Spy Cookie: captnemo cookie 7:45 PM: nikunj@CaptNemo[1].txt (ID = 2349) 7:45 PM: Found Spy Cookie: cassava cookie 7:45 PM: nikunj@cassava[1].txt (ID = 2363) 7:45 PM: Found Spy Cookie: ru4 cookie 7:45 PM: nikunj@edge.ru4[2].txt (ID = 3269) 7:45 PM: Found Spy Cookie: fastclick cookie 7:45 PM: nikunj@fastclick[1].txt (ID = 2652) 7:45 PM: Found Spy Cookie: gonzalez cookie 7:45 PM: nikunj@Gonzalez[1].txt (ID = 2741) 7:45 PM: Found Spy Cookie: clickandtrack cookie 7:45 PM: nikunj@hits.clickandtrack[2].txt (ID = 2397) 7:45 PM: Found Spy Cookie: littlejohn cookie 7:45 PM: nikunj@LittleJohn[1].txt (ID = 2929) 7:45 PM: Found Spy Cookie: maxserving cookie 7:45 PM: nikunj@maxserving[1].txt (ID = 2967) 7:45 PM: Found Spy Cookie: mcverry cookie 7:45 PM: nikunj@mcverry[1].txt (ID = 2971) 7:45 PM: Found Spy Cookie: top-banners cookie 7:45 PM: nikunj@media.top-banners[1].txt (ID = 3548) 7:45 PM: Found Spy Cookie: monica cookie 7:45 PM: nikunj@Monica[1].txt (ID = 3001) 7:45 PM: Found Spy Cookie: partypoker cookie 7:45 PM: nikunj@partypoker[2].txt (ID = 3112) 7:45 PM: Found Spy Cookie: paypopup cookie 7:45 PM: nikunj@paypopup[1].txt (ID = 3120) 7:45 PM: Found Spy Cookie: overture cookie 7:45 PM: nikunj@perf.overture[1].txt (ID = 3106) 7:45 PM: Found Spy Cookie: pinhead cookie 7:45 PM: nikunj@Pinhead[2].txt (ID = 3140) 7:45 PM: Found Spy Cookie: questionmarket cookie 7:45 PM: nikunj@questionmarket[1].txt (ID = 3218) 7:45 PM: Found Spy Cookie: realmedia cookie 7:45 PM: nikunj@realmedia[1].txt (ID = 3236) 
7:45 PM: Found Spy Cookie: statcounter cookie 7:45 PM: nikunj@statcounter[1].txt (ID = 3448) 7:45 PM: Found Spy Cookie: trafficmp cookie 7:45 PM: nikunj@trafficmp[1].txt (ID = 3582) 7:45 PM: Found Spy Cookie: tribalfusion cookie 7:45 PM: nikunj@tribalfusion[2].txt (ID = 3590) 7:45 PM: Found Spy Cookie: burstbeacon cookie 7:45 PM: nikunj@www.burstbeacon[2].txt (ID = 2335) 7:45 PM: Found Spy Cookie: letitfind cookie 7:45 PM: nikunj@www.letitfind[2].txt (ID = 2919) 7:45 PM: Found Spy Cookie: adserver cookie 7:45 PM: nikunj@z1.adserver[1].txt (ID = 2142) 7:45 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01 7:45 PM: Starting File Sweep 7:45 PM: c:\program files\cmapp (8 subtraces) (ID = -2147477896) 7:45 PM: c:\program files\asys (2 subtraces) (ID = -2147477847) 7:45 PM: c:\program files\epicenter (1 subtraces) (ID = -2147477846) 7:45 PM: Found Adware: effective-i toolbar 7:45 PM: ucmoreiex[1].exe (ID = 59853) 7:45 PM: ucmoreiex.exe (ID = 59853) 7:45 PM: snuninst.exe (ID = 110129) 7:45 PM: crlhho.exe (ID = 90524) 7:45 PM: Found Adware: apropos 7:45 PM: aproposclientinstaller[1].exe (ID = 116631) 7:46 PM: Found Adware: targetsaver 7:46 PM: tsupdate[1].ini (ID = 112322) 7:46 PM: qbuninstaller.exe (ID = 90526) 7:46 PM: my404[1].exe (ID = 90521) 7:46 PM: my404.exe (ID = 90521) 7:46 PM: n[1].dll (ID = 90523) 7:46 PM: n.dll (ID = 90522) 7:46 PM: temp.frd6a2 (ID = 63392) 7:46 PM: dist001.exe (ID = 52230) 7:46 PM: casstub.exe (ID = 52230) 7:46 PM: Found Adware: begin2search 7:46 PM: pinkkas21.ico (ID = 51041) 7:46 PM: Found Trojan Horse: trojan-downloader-traf34 7:46 PM: gsm3-0511.exe (ID = 81005) 7:46 PM: Found Trojan Horse: trojan-downloader-pacisoft 7:46 PM: pcs_0029[1].exe (ID = 71761) 7:46 PM: qwrza.exe (ID = 78284) 7:46 PM: qwrzl.exe (ID = 78246) 7:46 PM: pinkkas21[1].ico (ID = 51041) 7:46 PM: psof1.exe (ID = 71763) 7:46 PM: Found Trojan Horse: trojan-downloader-bookedspace 7:46 PM: bsva-egihsg52.exe (ID = 95082) 7:46 PM: pkvab.dat (ID = 120384) 7:46 PM: bmonrno.exe (ID 
= 120433) 7:46 PM: Found Adware: cashback 7:46 PM: cb8040f[1].exe (ID = 110793) 7:46 PM: cmappmf.dll (ID = 52236) 7:46 PM: casmf.dll (ID = 107220) 7:47 PM: vocabulary (ID = 78283) 7:47 PM: r.exe (ID = 54418) 7:47 PM: casclient.exe (ID = 107219) 7:47 PM: cassetup.exe (ID = 107221) 7:47 PM: Found Adware: opensite 7:47 PM: ucsearch.inf (ID = 71630) 7:47 PM: cassetup[1].exe (ID = 107221) 7:47 PM: vcmnet11.exe (ID = 90527) 7:47 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || C:\WINDOWS\VCMnet11.exe (ID = 0) 7:47 PM: Found Adware: 180search assistant 7:47 PM: stubinstaller4292[1].exe (ID = 70634) 7:47 PM: s.exe (ID = 54440) 7:47 PM: abiuninst[1].htm (ID = 83087) 7:47 PM: abiuninst[1].exe (ID = 83089) 7:47 PM: thin-143-1-x-x[1].exe (ID = 83558) 7:47 PM: Found Adware: roings search enhancment 7:47 PM: m67m.ocx (ID = 74058) 7:47 PM: Found Trojan Horse: topconverting downloader 7:47 PM: website[1].ocx (ID = 79658) 7:47 PM: aurorahandler[1].dll (ID = 111237) 7:47 PM: aurorahandler.dll (ID = 111237) 7:47 PM: Found Adware: weirdontheweb 7:47 PM: weirdontheweb_topc[1].exe (ID = 87898) 7:47 PM: weirdontheweb_topc.exe (ID = 87898) 7:47 PM: Found Trojan Horse: trojan downloader pops-stop 7:47 PM: thin_installer.exe (ID = 109660) 7:47 PM: thin_installer[1].exe (ID = 109660) 7:47 PM: Found Adware: savenow - whenusave 7:47 PM: vvsninst.exe (ID = 74460) 7:47 PM: temp.fr6601 (ID = 83087) 7:47 PM: thin-114-1-x-x[1].exe (ID = 83548) 7:47 PM: thin-114-1-x-x.exe (ID = 83548) 7:47 PM: Found Adware: surfsidekick 7:47 PM: ssk3_b5[1].exe (ID = 77682) 7:47 PM: ssk3_b5.exe (ID = 77682) 7:47 PM: stubinstaller5975[1].exe (ID = 70637) 7:47 PM: stubinstaller5975.exe (ID = 70637) 7:47 PM: Found Adware: elitebar 7:47 PM: protector[1].exe (ID = 59987) 7:47 PM: eliteifc32.exe (ID = 59987) 7:47 PM: elitejel32.exe (ID = 59987) 7:47 PM: Found Adware: internetoptimizer 7:47 PM: optimize[1].exe (ID = 64096) 7:47 PM: optimize.exe (ID = 64096) 7:47 PM: eliteetr32.exe (ID = 59987) 7:48 PM: 
aproposclientinstaller[1].exe (ID = 116631) 7:48 PM: installerv3.exe (ID = 113942) 7:48 PM: Found Adware: bookedspace 7:48 PM: cfgmgr52.dll (ID = 51659) 7:48 PM: Found Adware: shopathomeselect 7:48 PM: p5c39877.exe (ID = 75761) 7:48 PM: res8f8.tmp (ID = 70517) 7:48 PM: sskknwrd.dll (ID = 77733) 7:48 PM: 180sainstallernusac.exe (ID = 70460) 7:48 PM: del8f7.tmp (ID = 70634) 7:48 PM: cxtpls_loader.exe (ID = 93586) 7:48 PM: Found Adware: icondroppers 7:48 PM: hisistheurls.exe (ID = 62594) 7:48 PM: hisistheurls[1].exe (ID = 62594) 7:48 PM: myurlsagain.exe (ID = 62593) 7:48 PM: shop1005[1].exe (ID = 75944) 7:48 PM: shop1004.exe (ID = 75944) 7:48 PM: Found Adware: my daily horoscope 7:48 PM: setup.exe (ID = 70236) 7:48 PM: setup.exe (ID = 70236) 7:48 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars 7:48 PM: ventura-hot_246765.exe (ID = 107491) 7:48 PM: nsn873.dll (ID = 80729) 7:48 PM: zqbfzfck.exe (ID = 51663) 7:48 PM: Found Adware: bargain buddy 7:48 PM: installer_siac[1].exe (ID = 50703) 7:48 PM: installer_siac.exe (ID = 50703) 7:48 PM: jabno.dll (ID = 120438) 7:48 PM: tsuninst.exe (ID = 78276) 7:48 PM: Found Adware: virtualbouncer 7:48 PM: wrapperouter.exe (ID = 82854) 7:48 PM: Found Adware: visfx 7:48 PM: vfx8.0-1.exe (ID = 110122) 7:48 PM: asfjkk32.tmp (ID = 109659) 7:48 PM: hg3a5fav.dat (ID = 75801) 7:48 PM: cbaegeld.dll (ID = 75582) 7:48 PM: Found Adware: navisearch 7:48 PM: nls8039[1].exe (ID = 111973) 7:48 PM: Found Trojan Horse: trojan-downloader-topinstalls 7:48 PM: wintask.exe (ID = 81002) 7:48 PM: exp.exe (ID = 81002) 7:48 PM: tsinstall_4_0_3_8_b17.exe (ID = 78267) 7:48 PM: qwrzc.dll (ID = 78253) 7:48 PM: exp (ID = 81002) 7:48 PM: tsupdate_4_0_3_9_b2.exe (ID = 78281) 7:48 PM: class-barrel (ID = 78229) 7:48 PM: nitk.exe (ID = 120384) 7:48 PM: dhlgjgl.dll (ID = 120439) 7:48 PM: jborar.exe (ID = 120384) 7:48 PM: richedtr.dll (ID = 109658) 7:48 PM: redtrsha.dll (ID = 109657) 7:48 PM: richup.exe (ID = 109659) 7:48 PM: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run || richup (ID = 0) 7:48 PM: ncohutdn.exe (ID = 112497) 7:48 PM: mydpsspc.exe (ID = 112496) 7:48 PM: sysnet.exe (ID = 110109) 7:48 PM: cursors.xml (ID = 84688) 7:48 PM: xlmurin.wzg (ID = 87854) 7:48 PM: gykhxlmu.rmr (ID = 84892) 7:49 PM: temp.fr236d (ID = 84894) 7:49 PM: temp.fr4442 (ID = 84889) 7:49 PM: temp.fr11fe (ID = 86338) 7:49 PM: temp.fr6e8c (ID = 84923) 7:49 PM: setup.inf (ID = 70238) 7:49 PM: Found Adware: twain-tech 7:49 PM: twtini.inf (ID = 81897) 7:49 PM: sf[1].txt (ID = 110126) 7:49 PM: affupdate[1].ini (ID = 78227) 7:49 PM: twaintec.inf (ID = 81890) 7:49 PM: auto_update[1] (ID = 50056) 7:49 PM: sf[1].txt (ID = 110126) 7:49 PM: sf.txt (ID = 110126) 7:49 PM: rf[1].txt (ID = 110125) 7:49 PM: rf.txt (ID = 110125) 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df9604.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df600b.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df781f.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df5dca.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df94ff.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dff942.tmp". System Error. Code: 32. 
The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df3253.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df1327.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df57a5.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df82c0.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df46ec.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df813f.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df727.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df6c44.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dfadb2.tmp". System Error. Code: 32. 
The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df9588.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dfccb5.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df72e.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df6446.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dfebbe.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dfab6d.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df44ba.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df8017.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dfeedb.tmp". System Error. Code: 32. 
The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dfae33.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df5a74.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df96f.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df518f.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df15a6.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df836b.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dfb8c8.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 7:49 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df21d7.tmp". System Error. Code: 2. The system cannot find the file specified 7:49 PM: File Sweep Complete, Elapsed Time: 00:03:53 7:49 PM: Full Sweep has completed. Elapsed time 00:07:02 7:49 PM: Traces Found: 1397 8:54 PM: Removal process initiated 8:54 PM: Quarantining All Traces: clkoptimizer 8:54 PM: clkoptimizer is in use. It will be removed on reboot. 
8:54 PM: dhlgjgl.dll is in use. It will be removed on reboot. 8:54 PM: C:\WINDOWS\system32\dhlgjgl.dll is in use. It will be removed on reboot. 8:54 PM: C:\WINDOWS\system32\jborar.exe is in use. It will be removed on reboot. 8:54 PM: Quarantining All Traces: windows afa internet enhancement 8:54 PM: Quarantining All Traces: rich editor 8:55 PM: Quarantining All Traces: coolwebsearch (cws) 8:55 PM: Quarantining All Traces: gain-supported software 8:55 PM: Quarantining All Traces: dashbar hijack 8:55 PM: Quarantining All Traces: hotbar 8:55 PM: Quarantining All Traces: ieplugin 8:55 PM: Quarantining All Traces: drsnsrch.com hijack 8:55 PM: Quarantining All Traces: websearch toolbar 8:55 PM: Quarantining All Traces: cws_youriskalka.com hijack 8:55 PM: Quarantining All Traces: cas 8:55 PM: Quarantining All Traces: trojan-downloader-pacisoft 8:55 PM: Quarantining All Traces: trojan-downloader-bookedspace 8:55 PM: Quarantining All Traces: cashback 8:55 PM: Quarantining All Traces: opensite 8:55 PM: Quarantining All Traces: 180search assistant 8:55 PM: Quarantining All Traces: roings search enhancment 8:55 PM: Quarantining All Traces: topconverting downloader 8:55 PM: Quarantining All Traces: weirdontheweb 8:55 PM: Quarantining All Traces: trojan downloader pops-stop 8:55 PM: Quarantining All Traces: savenow - whenusave 8:55 PM: Quarantining All Traces: surfsidekick 8:55 PM: Quarantining All Traces: elitebar 8:55 PM: Quarantining All Traces: internetoptimizer 8:55 PM: Quarantining All Traces: bookedspace 8:55 PM: Quarantining All Traces: shopathomeselect 8:55 PM: Quarantining All Traces: icondroppers 8:55 PM: Quarantining All Traces: my daily horoscope 8:55 PM: Quarantining All Traces: trojan-downloader-mainstreamdollars 8:55 PM: Quarantining All Traces: bargain buddy 8:55 PM: Quarantining All Traces: virtualbouncer 8:55 PM: Quarantining All Traces: visfx 8:55 PM: Quarantining All Traces: navisearch 8:55 PM: Quarantining All Traces: trojan-downloader-topinstalls 8:55 PM: 
Quarantining All Traces: twain-tech 8:56 PM: Quarantining All Traces: abetterinternet 8:56 PM: Quarantining All Traces: apropos 8:56 PM: Preparing to restart your computer. Please wait... 8:56 PM: Removal process completed. Elapsed time 00:02:23 8:59 PM: Spy Installation Shield: found: Adware: psguard, version 1.0.0.0 -- Execution Denied 8:59 PM: Processing Startup Alerts 8:59 PM: Removed Startup entry: C:\WINDOWS\VCMnet11.exe 8:59 PM: Removed Startup entry: apisvc.exe 8:59 PM: Removed Startup entry: secserv.exe 8:59 PM: Removed Startup entry: intel32.exe 8:59 PM: Processing Hosts File Alerts 8:59 PM: Fixed Hosts File entry: www.google.ae 8:59 PM: Fixed Hosts File entry: www.google.am 8:59 PM: Fixed Hosts File entry: www.google.as 8:59 PM: Fixed Hosts File entry: www.google.at 8:59 PM: Fixed Hosts File entry: www.google.az 8:59 PM: Fixed Hosts File entry: www.google.be 8:59 PM: Fixed Hosts File entry: www.google.bi 8:59 PM: Fixed Hosts File entry: www.google.ca 8:59 PM: Fixed Hosts File entry: www.google.cd 8:59 PM: Fixed Hosts File entry: www.google.cg 8:59 PM: Fixed Hosts File entry: www.google.ch 8:59 PM: Fixed Hosts File entry: www.google.ci 8:59 PM: Fixed Hosts File entry: www.google.cl 8:59 PM: Fixed Hosts File entry: www.google.co.cr 8:59 PM: Fixed Hosts File entry: www.google.co.hu 8:59 PM: Fixed Hosts File entry: www.google.co.il 8:59 PM: Fixed Hosts File entry: www.google.co.in 8:59 PM: Fixed Hosts File entry: www.google.co.je 8:59 PM: Fixed Hosts File entry: www.google.co.jp 8:59 PM: Fixed Hosts File entry: www.google.co.ke 8:59 PM: Fixed Hosts File entry: www.google.co.kr 8:59 PM: Fixed Hosts File entry: www.google.co.ls 8:59 PM: Fixed Hosts File entry: www.google.co.nz 8:59 PM: Fixed Hosts File entry: www.google.co.th 8:59 PM: Fixed Hosts File entry: www.google.co.ug 8:59 PM: Fixed Hosts File entry: www.google.co.uk 8:59 PM: Fixed Hosts File entry: www.google.co.ve 8:59 PM: Fixed Hosts File entry: www.google.com 8:59 PM: Fixed Hosts File entry: 
www.google.com.ag 8:59 PM: Fixed Hosts File entry: www.google.com.ar 8:59 PM: Fixed Hosts File entry: www.google.com.au 8:59 PM: Fixed Hosts File entry: www.google.com.br 8:59 PM: Fixed Hosts File entry: www.google.com.co 8:59 PM: Fixed Hosts File entry: www.google.com.cu 8:59 PM: Fixed Hosts File entry: www.google.com.do 8:59 PM: Fixed Hosts File entry: www.google.com.ec 8:59 PM: Fixed Hosts File entry: www.google.com.fj 8:59 PM: Fixed Hosts File entry: www.google.com.gi 8:59 PM: Fixed Hosts File entry: www.google.com.gr 8:59 PM: Fixed Hosts File entry: www.google.com.gt 8:59 PM: Fixed Hosts File entry: www.google.com.hk 8:59 PM: Fixed Hosts File entry: www.google.com.ly 8:59 PM: Fixed Hosts File entry: www.google.com.mt 8:59 PM: Fixed Hosts File entry: www.google.com.mx 8:59 PM: Fixed Hosts File entry: www.google.com.my 8:59 PM: Fixed Hosts File entry: www.google.com.na 8:59 PM: Fixed Hosts File entry: www.google.com.nf 8:59 PM: Fixed Hosts File entry: www.google.com.ni 8:59 PM: Fixed Hosts File entry: www.google.com.np 8:59 PM: Fixed Hosts File entry: www.google.com.pa 8:59 PM: Fixed Hosts File entry: www.google.com.pe 8:59 PM: Fixed Hosts File entry: www.google.com.ph 8:59 PM: Fixed Hosts File entry: www.google.com.pk 8:59 PM: Fixed Hosts File entry: www.google.com.pr 8:59 PM: Fixed Hosts File entry: www.google.com.py 8:59 PM: Fixed Hosts File entry: www.google.com.sa 8:59 PM: Fixed Hosts File entry: www.google.com.sg 8:59 PM: Fixed Hosts File entry: www.google.com.sv 8:59 PM: Fixed Hosts File entry: www.google.com.tr 8:59 PM: Fixed Hosts File entry: www.google.com.tw 8:59 PM: Fixed Hosts File entry: www.google.com.ua 8:59 PM: Fixed Hosts File entry: www.google.com.uy 8:59 PM: Fixed Hosts File entry: www.google.com.vc 8:59 PM: Fixed Hosts File entry: www.google.com.vn 8:59 PM: Fixed Hosts File entry: www.google.de 8:59 PM: Fixed Hosts File entry: www.google.dj 8:59 PM: Fixed Hosts File entry: www.google.dk 8:59 PM: Fixed Hosts File entry: www.google.es 8:59 PM: 
Fixed Hosts File entry: www.google.fi 8:59 PM: Fixed Hosts File entry: www.google.fm 8:59 PM: Fixed Hosts File entry: www.google.fr 8:59 PM: Fixed Hosts File entry: www.google.gg 8:59 PM: Fixed Hosts File entry: www.google.gl 8:59 PM: Fixed Hosts File entry: www.google.gm 8:59 PM: Fixed Hosts File entry: www.google.hn 8:59 PM: Fixed Hosts File entry: www.google.ie 8:59 PM: Fixed Hosts File entry: www.google.it 8:59 PM: Fixed Hosts File entry: www.google.kz 8:59 PM: Fixed Hosts File entry: www.google.li 8:59 PM: Fixed Hosts File entry: www.google.lt 8:59 PM: Fixed Hosts File entry: www.google.lu 8:59 PM: Fixed Hosts File entry: www.google.lv 8:59 PM: Fixed Hosts File entry: www.google.mn 8:59 PM: Fixed Hosts File entry: www.google.ms 8:59 PM: Fixed Hosts File entry: www.google.mu 8:59 PM: Fixed Hosts File entry: www.google.mw 8:59 PM: Fixed Hosts File entry: www.google.nl 8:59 PM: Fixed Hosts File entry: www.google.no 8:59 PM: Fixed Hosts File entry: www.google.off.ai 8:59 PM: Fixed Hosts File entry: www.google.pl 8:59 PM: Fixed Hosts File entry: www.google.pn 8:59 PM: Fixed Hosts File entry: www.google.pt 8:59 PM: Fixed Hosts File entry: www.google.ro 8:59 PM: Fixed Hosts File entry: www.google.ru 8:59 PM: Fixed Hosts File entry: www.google.rw 8:59 PM: Fixed Hosts File entry: www.google.se 8:59 PM: Fixed Hosts File entry: www.google.sh 8:59 PM: Fixed Hosts File entry: www.google.sk 8:59 PM: Fixed Hosts File entry: www.google.sm 8:59 PM: Fixed Hosts File entry: www.google.td 8:59 PM: Fixed Hosts File entry: www.google.tm 8:59 PM: Fixed Hosts File entry: www.google.tt 8:59 PM: Fixed Hosts File entry: www.google.uz 8:59 PM: Fixed Hosts File entry: www.google.vg 8:59 PM: Fixed Hosts File entry: google.ae 8:59 PM: Fixed Hosts File entry: google.am 8:59 PM: Fixed Hosts File entry: google.as 8:59 PM: Fixed Hosts File entry: google.at 8:59 PM: Fixed Hosts File entry: google.az 8:59 PM: Fixed Hosts File entry: google.be 8:59 PM: Fixed Hosts File entry: google.bi 8:59 PM: 
Fixed Hosts File entry: google.ca 8:59 PM: Fixed Hosts File entry: google.cd 8:59 PM: Fixed Hosts File entry: google.cg 8:59 PM: Fixed Hosts File entry: google.ch 8:59 PM: Fixed Hosts File entry: google.ci 8:59 PM: Fixed Hosts File entry: google.cl 8:59 PM: Fixed Hosts File entry: google.co.cr 8:59 PM: Fixed Hosts File entry: google.co.hu 8:59 PM: Fixed Hosts File entry: google.co.il 8:59 PM: Fixed Hosts File entry: google.co.in 8:59 PM: Fixed Hosts File entry: google.co.je 8:59 PM: Fixed Hosts File entry: google.co.jp 8:59 PM: Fixed Hosts File entry: google.co.ke 8:59 PM: Fixed Hosts File entry: google.co.kr 8:59 PM: Fixed Hosts File entry: google.co.ls 8:59 PM: Fixed Hosts File entry: google.co.nz 8:59 PM: Fixed Hosts File entry: google.co.th 8:59 PM: Fixed Hosts File entry: google.co.ug 8:59 PM: Fixed Hosts File entry: google.co.uk 8:59 PM: Fixed Hosts File entry: google.co.ve 8:59 PM: Fixed Hosts File entry: google.com 8:59 PM: Fixed Hosts File entry: google.com.ag 8:59 PM: Fixed Hosts File entry: google.com.ar 8:59 PM: Fixed Hosts File entry: google.com.au 8:59 PM: Fixed Hosts File entry: google.com.br 8:59 PM: Fixed Hosts File entry: google.com.co 8:59 PM: Fixed Hosts File entry: google.com.cu 8:59 PM: Fixed Hosts File entry: google.com.do 8:59 PM: Fixed Hosts File entry: google.com.ec 8:59 PM: Fixed Hosts File entry: google.com.fj 8:59 PM: Fixed Hosts File entry: google.com.gi 8:59 PM: Fixed Hosts File entry: google.com.gr 8:59 PM: Fixed Hosts File entry: google.com.gt 8:59 PM: Fixed Hosts File entry: google.com.hk 8:59 PM: Fixed Hosts File entry: google.com.ly 8:59 PM: Fixed Hosts File entry: google.com.mt 8:59 PM: Fixed Hosts File entry: google.com.mx 8:59 PM: Fixed Hosts File entry: google.com.my 8:59 PM: Fixed Hosts File entry: google.com.na 8:59 PM: Fixed Hosts File entry: google.com.nf 8:59 PM: Fixed Hosts File entry: google.com.ni 8:59 PM: Fixed Hosts File entry: google.com.np 8:59 PM: Fixed Hosts File entry: google.com.pa 8:59 PM: Fixed Hosts File 
entry: google.com.pe 8:59 PM: Fixed Hosts File entry: google.com.ph 8:59 PM: Fixed Hosts File entry: google.com.pk 8:59 PM: Fixed Hosts File entry: google.com.pr 8:59 PM: Fixed Hosts File entry: google.com.py 8:59 PM: Fixed Hosts File entry: google.com.sa 8:59 PM: Fixed Hosts File entry: google.com.sg 8:59 PM: Fixed Hosts File entry: google.com.sv 8:59 PM: Fixed Hosts File entry: google.com.tr 8:59 PM: Fixed Hosts File entry: google.com.tw 8:59 PM: Fixed Hosts File entry: google.com.ua 8:59 PM: Fixed Hosts File entry: google.com.uy 8:59 PM: Fixed Hosts File entry: google.com.vc 8:59 PM: Fixed Hosts File entry: google.com.vn 8:59 PM: Fixed Hosts File entry: google.de 8:59 PM: Fixed Hosts File entry: google.dj 8:59 PM: Fixed Hosts File entry: google.dk 8:59 PM: Fixed Hosts File entry: google.es 8:59 PM: Fixed Hosts File entry: google.fi 8:59 PM: Fixed Hosts File entry: google.fm 8:59 PM: Fixed Hosts File entry: google.fr 8:59 PM: Fixed Hosts File entry: google.gg 8:59 PM: Fixed Hosts File entry: google.gl 8:59 PM: Fixed Hosts File entry: google.gm 8:59 PM: Fixed Hosts File entry: google.hn 8:59 PM: Fixed Hosts File entry: google.ie 8:59 PM: Fixed Hosts File entry: google.it 8:59 PM: Fixed Hosts File entry: google.kz 8:59 PM: Fixed Hosts File entry: google.li 8:59 PM: Fixed Hosts File entry: google.lt 8:59 PM: Fixed Hosts File entry: google.lu 8:59 PM: Fixed Hosts File entry: google.lv 8:59 PM: Fixed Hosts File entry: google.mn 8:59 PM: Fixed Hosts File entry: google.ms 8:59 PM: Fixed Hosts File entry: google.mu 8:59 PM: Fixed Hosts File entry: google.mw 8:59 PM: Fixed Hosts File entry: google.nl 8:59 PM: Fixed Hosts File entry: google.no 8:59 PM: Fixed Hosts File entry: google.off.ai 8:59 PM: Fixed Hosts File entry: google.pl 8:59 PM: Fixed Hosts File entry: google.pn 8:59 PM: Fixed Hosts File entry: google.pt 8:59 PM: Fixed Hosts File entry: google.ro 8:59 PM: Fixed Hosts File entry: google.ru 8:59 PM: Fixed Hosts File entry: google.rw 8:59 PM: Fixed Hosts File 
entry: google.se 8:59 PM: Fixed Hosts File entry: google.sh 8:59 PM: Fixed Hosts File entry: google.sk 8:59 PM: Fixed Hosts File entry: google.sm 8:59 PM: Fixed Hosts File entry: google.td 8:59 PM: Fixed Hosts File entry: google.tm 8:59 PM: Fixed Hosts File entry: google.tt 8:59 PM: Fixed Hosts File entry: google.uz 8:59 PM: Fixed Hosts File entry: google.vg 8:59 PM: Fixed Hosts File entry: search.yahoo.com 8:59 PM: Fixed Hosts File entry: ar.search.yahoo.com 8:59 PM: Fixed Hosts File entry: br.search.yahoo.com 8:59 PM: Fixed Hosts File entry: ca.search.yahoo.com 8:59 PM: Fixed Hosts File entry: cf.search.yahoo.com 8:59 PM: Fixed Hosts File entry: mx.search.yahoo.com 8:59 PM: Fixed Hosts File entry: espanol.search.yahoo.com 8:59 PM: Fixed Hosts File entry: au.search.yahoo.com 8:59 PM: Fixed Hosts File entry: ct.search.yahoo.com 8:59 PM: Fixed Hosts File entry: fr.search.yahoo.com 8:59 PM: Fixed Hosts File entry: de.search.yahoo.com 8:59 PM: Fixed Hosts File entry: it.search.yahoo.com 8:59 PM: Fixed Hosts File entry: uk.search.yahoo.com 8:59 PM: Fixed Hosts File entry: search.msn.com 8:59 PM: Fixed Hosts File entry: search.xtramsn.co.nz 8:59 PM: Fixed Hosts File entry: search.msn.de 8:59 PM: Fixed Hosts File entry: search.msn.se 8:59 PM: Fixed Hosts File entry: beta.search.msn.com 8:59 PM: Fixed Hosts File entry: beta.search.ninemsn.com.au 8:59 PM: Fixed Hosts File entry: beta.search.msn.dk 8:59 PM: Fixed Hosts File entry: beta.search.msn.nl 8:59 PM: Fixed Hosts File entry: beta.search.msn.co.in 8:59 PM: Fixed Hosts File entry: www.alexa.com 8:59 PM: Processing Startup Alerts 8:59 PM: Removed Startup entry: secserv.exe 8:59 PM: Processing Startup Alerts 8:59 PM: Removed Startup entry: secserv.exe 9:00 PM: |··· End of Session, Sunday, July 31, 2005 ···| ******** 6:11 PM: |··· Start of Session, Sunday, July 31, 2005 ···| 6:11 PM: Spy Sweeper started 6:11 PM: Sweep initiated using definitions version 507 6:11 PM: Starting Memory Sweep 6:11 PM: Found Adware: 
clkoptimizer 6:11 PM: Detected running threat: C:\WINDOWS\system32\dhlgjgl.dll (ID = 120439) 6:11 PM: Found Adware: windows afa internet enhancement 6:11 PM: Detected running threat: C:\WINDOWS\system32\n.dll (ID = 90522) 6:11 PM: Found Adware: rich editor 6:11 PM: Detected running threat: C:\WINDOWS\system32\richedtr.dll (ID = 109658) 6:11 PM: Detected running threat: C:\WINDOWS\system32\redtrsha.dll (ID = 109657) 6:12 PM: Detected running threat: C:\WINDOWS\system32\jborar.exe (ID = 120384) 6:13 PM: Detected running threat: C:\WINDOWS\system\crlhho.exe (ID = 90524) 6:13 PM: Memory Sweep Complete, Elapsed Time: 00:02:22 6:13 PM: Starting Registry Sweep 6:14 PM: Found Adware: coolwebsearch (cws) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 6:14 PM: Found Adware: gain-supported software 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 6:14 PM: Found Adware: dashbar hijack 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 6:14 PM: Found Adware: hotbar 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet 
explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 6:14 PM: Found Adware: ieplugin 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 6:14 PM: Found Adware: drsnsrch.com hijack 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 6:14 PM: Found Adware: websearch toolbar 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 6:14 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 146514) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID 
= 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 6:14 PM: HKCR\clsid\{c370527a-24a7-4583-be01-72e59000eb17}\ (3 subtraces) (ID = 147271) 6:14 PM: HKLM\software\classes\clsid\{c370527a-24a7-4583-be01-72e59000eb17}\ (3 subtraces) (ID = 147272) 6:14 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{c370527a-24a7-4583-be01-72e59000eb17}\ (ID = 147273) 6:14 PM: HKLM\software\microsoft\windows\currentversion\uninstall\wafaie\ (2 subtraces) (ID = 147277) 6:14 PM: Found Adware: abetterinternet 6:14 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 359578) 6:14 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj.1\ (3 subtraces) (ID = 359584) 6:14 PM: HKCR\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 359588) 6:14 PM: HKLM\software\classes\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 359725) 6:14 PM: HKLM\software\classes\aurorahandlerdll.aurorahandlerdllobj.1\ (3 subtraces) (ID = 359731) 6:14 PM: HKLM\software\classes\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 359735) 6:14 PM: HKLM\software\classes\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 359756) 6:14 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 
360169) 6:14 PM: HKCR\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 360170) 6:14 PM: Found Adware: cws_youriskalka.com hijack 6:14 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\microsoft\internet explorer\searchurl\ || provider (ID = 361520) 6:14 PM: HKCR\lowsol.richeditor\ (5 subtraces) (ID = 372961) 6:14 PM: HKCR\lowsol.richeditor.1\ (3 subtraces) (ID = 372967) 6:14 PM: HKCR\clsid\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\inprocserver32\ (2 subtraces) (ID = 372976) 6:14 PM: HKCR\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373009) 6:14 PM: HKLM\software\microsoft\windows\currentversion\app paths\richedtr\ (2 subtraces) (ID = 373109) 6:14 PM: HKLM\software\microsoft\windows\currentversion\app paths\richup\ || path (ID = 373114) 6:14 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\ (ID = 373115) 6:14 PM: HKLM\software\microsoft\windows\currentversion\run\ || richup (ID = 373124) 6:14 PM: HKLM\software\riched\ (29 subtraces) (ID = 373158) 6:14 PM: HKLM\software\classes\lowsol.richeditor\ (5 subtraces) (ID = 373176) 6:14 PM: HKLM\software\classes\clsid\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\ (11 subtraces) (ID = 373189) 6:14 PM: HKLM\software\classes\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373224) 6:14 PM: Found Adware: cas 6:14 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\cmapp\ (12 subtraces) (ID = 381792) 6:14 PM: Found Trojan Horse: sysnet 6:14 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sysnet\ (2 subtraces) (ID = 381857) 6:14 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 6:14 PM: HKLM\software\classes\lowsol.richeditor.1\ (3 subtraces) (ID = 479490) 6:14 PM: HKCR\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 480791) 
6:14 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 498504) 6:14 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 498516) 6:14 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 499294) 6:14 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 499295) 6:14 PM: Registry Sweep Complete, Elapsed Time:00:00:17 6:14 PM: Starting Cookie Sweep 6:14 PM: Found Spy Cookie: 10103 cookie 6:14 PM: nikunj@10103[1].txt (ID = 1922) 6:14 PM: Found Spy Cookie: 888 cookie 6:14 PM: nikunj@888[1].txt (ID = 2020) 6:14 PM: nikunj@888[2].txt (ID = 2020) 6:14 PM: Found Spy Cookie: abcsearch cookie 6:14 PM: nikunj@abcsearch[1].txt (ID = 2034) 6:14 PM: Found Spy Cookie: yieldmanager cookie 6:14 PM: nikunj@ad.yieldmanager[2].txt (ID = 3751) 6:14 PM: Found Spy Cookie: adamg cookie 6:14 PM: nikunj@adamg[2].txt (ID = 2056) 6:14 PM: Found Spy Cookie: adknowledge cookie 6:14 PM: nikunj@adknowledge[1].txt (ID = 2073) 6:14 PM: Found Spy Cookie: pointroll cookie 6:14 PM: nikunj@ads.pointroll[2].txt (ID = 3148) 6:14 PM: Found Spy Cookie: aff504 cookie 6:14 PM: nikunj@aff504[2].txt (ID = 2188) 6:14 PM: Found Spy Cookie: aff6001 cookie 6:14 PM: nikunj@aff6001[1].txt (ID = 2192) 6:14 PM: Found Spy Cookie: aff6008 cookie 6:14 PM: nikunj@aff6008[1].txt (ID = 2196) 6:14 PM: Found Spy Cookie: falkag cookie 6:14 PM: nikunj@as-eu.falkag[1].txt (ID = 2650) 6:14 PM: nikunj@as-us.falkag[1].txt (ID = 2650) 6:14 PM: Found Spy Cookie: ask cookie 6:14 PM: nikunj@ask[1].txt (ID = 2246) 6:14 PM: Found Spy Cookie: azjmp cookie 6:14 PM: nikunj@azjmp[2].txt (ID = 2271) 6:14 PM: Found Spy Cookie: bigblue cookie 6:14 PM: nikunj@BigBlue[1].txt (ID = 2303) 6:14 PM: Found Spy Cookie: bigjohn cookie 6:14 PM: nikunj@bigjohn[1].txt (ID = 2305) 6:14 PM: Found Spy Cookie: burstnet cookie 6:14 PM: nikunj@burstnet[2].txt (ID = 2337) 6:14 PM: Found Spy Cookie: cassava cookie 6:14 PM: nikunj@cassava[1].txt (ID = 2363) 6:14 PM: Found Spy Cookie: cyberjester cookie 6:14 PM: nikunj@cyberjester[1].txt (ID = 2486) 6:14 PM: 
Found Spy Cookie: dutchmen cookie 6:14 PM: nikunj@Dutchmen[1].txt (ID = 2546) 6:14 PM: Found Spy Cookie: ru4 cookie 6:14 PM: nikunj@edge.ru4[2].txt (ID = 3269) 6:14 PM: Found Spy Cookie: fastclick cookie 6:14 PM: nikunj@fastclick[2].txt (ID = 2652) 6:14 PM: Found Spy Cookie: littlejohn cookie 6:14 PM: nikunj@LittleJohn[1].txt (ID = 2929) 6:14 PM: Found Spy Cookie: maxserving cookie 6:14 PM: nikunj@maxserving[1].txt (ID = 2967) 6:14 PM: Found Spy Cookie: top-banners cookie 6:14 PM: nikunj@media.top-banners[1].txt (ID = 3548) 6:14 PM: Found Spy Cookie: overture cookie 6:14 PM: nikunj@perf.overture[1].txt (ID = 3106) 6:14 PM: Found Spy Cookie: pinhead cookie 6:14 PM: nikunj@Pinhead[1].txt (ID = 3140) 6:14 PM: Found Spy Cookie: questionmarket cookie 6:14 PM: nikunj@questionmarket[1].txt (ID = 3218) 6:14 PM: Found Spy Cookie: realmedia cookie 6:14 PM: nikunj@realmedia[1].txt (ID = 3236) 6:14 PM: Found Spy Cookie: statcounter cookie 6:14 PM: nikunj@statcounter[1].txt (ID = 3448) 6:14 PM: Found Spy Cookie: trafficmp cookie 6:14 PM: nikunj@trafficmp[1].txt (ID = 3582) 6:14 PM: Found Spy Cookie: tribalfusion cookie 6:14 PM: nikunj@tribalfusion[2].txt (ID = 3590) 6:14 PM: Found Spy Cookie: burstbeacon cookie 6:14 PM: nikunj@www.burstbeacon[2].txt (ID = 2335) 6:14 PM: Found Spy Cookie: letitfind cookie 6:14 PM: nikunj@www.letitfind[2].txt (ID = 2919) 6:14 PM: Found Spy Cookie: adserver cookie 6:14 PM: nikunj@z1.adserver[1].txt (ID = 2142) 6:14 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01 6:14 PM: Starting File Sweep 6:14 PM: c:\program files\cmapp (8 subtraces) (ID = -2147477896) 6:14 PM: c:\program files\asys (2 subtraces) (ID = -2147477847) 6:14 PM: c:\program files\epicenter (1 subtraces) (ID = -2147477846) 6:14 PM: Found Adware: effective-i toolbar 6:14 PM: ucmoreiex[1].exe (ID = 59853) 6:14 PM: ucmoreiex.exe (ID = 59853) 6:14 PM: snuninst.exe (ID = 110129) 6:14 PM: crlhho.exe (ID = 90524) 6:14 PM: Found Adware: apropos 6:14 PM: aproposclientinstaller[1].exe (ID = 
116631) 6:14 PM: Found Adware: targetsaver 6:14 PM: tsupdate[1].ini (ID = 112322) 6:15 PM: qbuninstaller.exe (ID = 90526) 6:15 PM: my404[1].exe (ID = 90521) 6:15 PM: my404.exe (ID = 90521) 6:15 PM: n[1].dll (ID = 90523) 6:15 PM: n.dll (ID = 90522) 6:15 PM: temp.frd6a2 (ID = 63392) 6:15 PM: dist001.exe (ID = 52230) 6:15 PM: casstub.exe (ID = 52230) 6:15 PM: Found Adware: begin2search 6:15 PM: pinkkas21.ico (ID = 51041) 6:15 PM: Found Trojan Horse: trojan-downloader-traf34 6:15 PM: gsm3-0511.exe (ID = 81005) 6:15 PM: Found Trojan Horse: trojan-downloader-pacisoft 6:15 PM: pcs_0029[1].exe (ID = 71761) 6:15 PM: qwrza.exe (ID = 78284) 6:15 PM: qwrzl.exe (ID = 78246) 6:15 PM: pinkkas21[1].ico (ID = 51041) 6:15 PM: psof1.exe (ID = 71763) 6:15 PM: Found Trojan Horse: trojan-downloader-bookedspace 6:15 PM: bsva-egihsg52.exe (ID = 95082) 6:15 PM: pkvab.dat (ID = 120384) 6:15 PM: bmonrno.exe (ID = 120433) 6:15 PM: Found Adware: cashback 6:15 PM: cb8040f[1].exe (ID = 110793) 6:15 PM: cmappmf.dll (ID = 52236) 6:15 PM: casmf.dll (ID = 107220) 6:16 PM: vocabulary (ID = 78283) 6:16 PM: r.exe (ID = 54418) 6:16 PM: casclient.exe (ID = 107219) 6:16 PM: cassetup.exe (ID = 107221) 6:16 PM: Found Adware: opensite 6:16 PM: ucsearch.inf (ID = 71630) 6:16 PM: cassetup[1].exe (ID = 107221) 6:16 PM: vcmnet11.exe (ID = 90527) 6:16 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || C:\WINDOWS\VCMnet11.exe (ID = 0) 6:16 PM: Found Adware: 180search assistant 6:16 PM: stubinstaller4292[1].exe (ID = 70634) 6:16 PM: s.exe (ID = 54440) 6:16 PM: abiuninst[1].htm (ID = 83087) 6:16 PM: abiuninst[1].exe (ID = 83089) 6:16 PM: thin-143-1-x-x[1].exe (ID = 83558) 6:16 PM: Found Adware: roings search enhancment 6:16 PM: m67m.ocx (ID = 74058) 6:16 PM: Found Trojan Horse: topconverting downloader 6:16 PM: website[1].ocx (ID = 79658) 6:16 PM: aurorahandler[1].dll (ID = 111237) 6:16 PM: aurorahandler.dll (ID = 111237) 6:16 PM: Found Adware: weirdontheweb 6:16 PM: weirdontheweb_topc[1].exe (ID = 87898) 
6:16 PM: weirdontheweb_topc.exe (ID = 87898) 6:16 PM: Found Trojan Horse: trojan downloader pops-stop 6:16 PM: thin_installer.exe (ID = 109660) 6:16 PM: thin_installer[1].exe (ID = 109660) 6:16 PM: Found Adware: savenow - whenusave 6:16 PM: vvsninst.exe (ID = 74460) 6:16 PM: temp.fr6601 (ID = 83087) 6:16 PM: thin-114-1-x-x[1].exe (ID = 83548) 6:16 PM: thin-114-1-x-x.exe (ID = 83548) 6:16 PM: Found Adware: surfsidekick 6:16 PM: ssk3_b5[1].exe (ID = 77682) 6:16 PM: ssk3_b5.exe (ID = 77682) 6:17 PM: stubinstaller5975[1].exe (ID = 70637) 6:17 PM: stubinstaller5975.exe (ID = 70637) 6:17 PM: Found Adware: elitebar 6:17 PM: protector[1].exe (ID = 59987) 6:17 PM: eliteifc32.exe (ID = 59987) 6:17 PM: elitejel32.exe (ID = 59987) 6:17 PM: Found Adware: internetoptimizer 6:17 PM: optimize[1].exe (ID = 64096) 6:17 PM: optimize.exe (ID = 64096) 6:17 PM: eliteetr32.exe (ID = 59987) 6:17 PM: aproposclientinstaller[1].exe (ID = 116631) 6:17 PM: installerv3.exe (ID = 113942) 6:17 PM: Found Adware: bookedspace 6:17 PM: cfgmgr52.dll (ID = 51659) 6:17 PM: Found Adware: shopathomeselect 6:17 PM: p5c39877.exe (ID = 75761) 6:17 PM: res8f8.tmp (ID = 70517) 6:17 PM: 180sainstallernusac.exe (ID = 70460) 6:17 PM: del8f7.tmp (ID = 70634) 6:17 PM: cxtpls_loader.exe (ID = 93586) 6:17 PM: Found Adware: icondroppers 6:17 PM: hisistheurls.exe (ID = 62594) 6:17 PM: hisistheurls[1].exe (ID = 62594) 6:17 PM: myurlsagain.exe (ID = 62593) 6:17 PM: shop1005[1].exe (ID = 75944) 6:17 PM: shop1004.exe (ID = 75944) 6:17 PM: sskknwrd.dll (ID = 77733) 6:17 PM: Found Adware: my daily horoscope 6:17 PM: setup.exe (ID = 70236) 6:17 PM: setup.exe (ID = 70236) 6:17 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars 6:17 PM: ventura-hot_246765.exe (ID = 107491) 6:17 PM: nsn873.dll (ID = 80729) 6:17 PM: zqbfzfck.exe (ID = 51663) 6:17 PM: Found Adware: bargain buddy 6:17 PM: installer_siac[1].exe (ID = 50703) 6:17 PM: installer_siac.exe (ID = 50703) 6:17 PM: jabno.dll (ID = 120438) 6:17 PM: tsuninst.exe (ID = 
78276) 6:17 PM: Found Adware: virtualbouncer 6:17 PM: wrapperouter.exe (ID = 82854) 6:17 PM: Found Adware: visfx 6:17 PM: vfx8.0-1.exe (ID = 110122) 6:17 PM: asfjkk32.tmp (ID = 109659) 6:17 PM: hg3a5fav.dat (ID = 75801) 6:17 PM: cbaegeld.dll (ID = 75582) 6:17 PM: Found Adware: navisearch 6:17 PM: nls8039[1].exe (ID = 111973) 6:17 PM: diamond[2].cab (ID = 94665) 6:17 PM: Found Trojan Horse: trojan-downloader-topinstalls 6:17 PM: wintask.exe (ID = 81002) 6:17 PM: exp.exe (ID = 81002) 6:17 PM: tsinstall_4_0_3_8_b17.exe (ID = 78267) 6:17 PM: qwrzc.dll (ID = 78253) 6:17 PM: exp (ID = 81002) 6:17 PM: tsupdate_4_0_3_9_b2.exe (ID = 78281) 6:17 PM: class-barrel (ID = 78229) 6:17 PM: nitk.exe (ID = 120384) 6:17 PM: dhlgjgl.dll (ID = 120439) 6:17 PM: jborar.exe (ID = 120384) 6:17 PM: richedtr.dll (ID = 109658) 6:17 PM: redtrsha.dll (ID = 109657) 6:17 PM: richup.exe (ID = 109659) 6:17 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || richup (ID = 0) 6:17 PM: ncohutdn.exe (ID = 112497) 6:17 PM: mydpsspc.exe (ID = 112496) 6:17 PM: sysnet.exe (ID = 110109) 6:17 PM: cursors.xml (ID = 84688) 6:17 PM: xlmurin.wzg (ID = 87854) 6:17 PM: gykhxlmu.rmr (ID = 84892) 6:17 PM: temp.fr236d (ID = 84894) 6:17 PM: temp.fr4442 (ID = 84889) 6:17 PM: temp.fr11fe (ID = 86338) 6:18 PM: temp.fr6e8c (ID = 84923) 6:18 PM: setup.inf (ID = 70238) 6:18 PM: Found Adware: twain-tech 6:18 PM: twtini.inf (ID = 81897) 6:18 PM: sf[1].txt (ID = 110126) 6:18 PM: affupdate[1].ini (ID = 78227) 6:18 PM: twaintec.inf (ID = 81890) 6:18 PM: auto_update[1] (ID = 50056) 6:18 PM: sf[1].txt (ID = 110126) 6:18 PM: sf.txt (ID = 110126) 6:18 PM: rf[1].txt (ID = 110125) 6:18 PM: rf.txt (ID = 110125) 6:18 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df9604.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 6:18 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df600b.tmp". 
System Error. Code: 32. The process cannot access the file because it is being used by another process 6:18 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df781f.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 6:18 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df6027.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 6:18 PM: File Sweep Complete, Elapsed Time: 00:03:58 6:18 PM: Full Sweep has completed. Elapsed time 00:06:46 6:18 PM: Traces Found: 1390 7:42 PM: |··· End of Session, Sunday, July 31, 2005 ···| ******** 1:17 PM: |··· Start of Session, Sunday, July 31, 2005 ···| 1:17 PM: Spy Sweeper started 1:17 PM: Sweep initiated using definitions version 507 1:17 PM: Starting Memory Sweep 1:18 PM: Found Adware: clkoptimizer 1:18 PM: Detected running threat: C:\WINDOWS\system32\dhlgjgl.dll (ID = 120439) 1:18 PM: Detected running threat: C:\WINDOWS\system32\jabno.dll (ID = 120438) 1:19 PM: Detected running threat: C:\WINDOWS\system32\jborar.exe (ID = 120384) 1:20 PM: Found Adware: rich editor 1:20 PM: Detected running threat: C:\WINDOWS\system32\richedtr.dll (ID = 109658) 1:20 PM: Detected running threat: C:\WINDOWS\system32\redtrsha.dll (ID = 109657) 1:20 PM: Memory Sweep Complete, Elapsed Time: 00:03:02 1:20 PM: Starting Registry Sweep 1:20 PM: Found Adware: coolwebsearch (cws) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 109820) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 112421) 1:20 PM: Found Adware: gain-supported software 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\DashBar (11 subtraces) (ID = 126814) 1:20 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\DashBar (11 subtraces) (ID = 126814) 1:20 PM: Found Adware: dashbar hijack 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 126821) 1:20 PM: Found Adware: hotbar 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 127565) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 127565) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 127573) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 127574) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587) 1:20 PM: Found Adware: ieplugin 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 128173) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 128173) 1:20 PM: Found Adware: drsnsrch.com hijack 1:20 PM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212) 1:20 PM: Found Adware: websearch toolbar 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 146368) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 146513) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 146513) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 146513) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 146514) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 146514) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ 
(17 subtraces) (ID = 146514) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\Server (3 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\UrlSearchHooks (2 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\Server (3 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\PlugIns (2 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\Server (3 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\UrlSearchHooks (1 subtraces) (ID = 146543) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\URLSearchHooks (1 subtraces) (ID = 146545) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\URLSearchHooks (2 subtraces) (ID = 146545) 1:20 PM: Found Adware: abetterinternet 1:20 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 359578) 1:20 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj.1\ (3 subtraces) (ID = 359584) 1:20 PM: HKCR\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 359588) 1:20 PM: HKLM\software\classes\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 359725) 1:20 PM: 
HKLM\software\classes\aurorahandlerdll.aurorahandlerdllobj.1\ (3 subtraces) (ID = 359731) 1:20 PM: HKLM\software\classes\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 359735) 1:20 PM: HKLM\software\classes\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 359756) 1:20 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 360169) 1:20 PM: HKCR\clsid\{4aa870ac-8427-42a4-b92e-ecd956197489}\ (11 subtraces) (ID = 360170) 1:20 PM: Found Adware: cws_youriskalka.com hijack 1:20 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\microsoft\internet explorer\searchurl\ || provider (ID = 361520) 1:20 PM: HKCR\lowsol.richeditor\ (5 subtraces) (ID = 372961) 1:20 PM: HKCR\lowsol.richeditor.1\ (3 subtraces) (ID = 372967) 1:20 PM: HKCR\clsid\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\inprocserver32\ (2 subtraces) (ID = 372976) 1:20 PM: HKCR\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373009) 1:20 PM: HKLM\software\microsoft\windows\currentversion\app paths\richedtr\ (2 subtraces) (ID = 373109) 1:20 PM: HKLM\software\microsoft\windows\currentversion\app paths\richup\ || path (ID = 373114) 1:20 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\ (ID = 373115) 1:20 PM: HKLM\software\microsoft\windows\currentversion\run\ || richup (ID = 373124) 1:20 PM: HKLM\software\riched\ (29 subtraces) (ID = 373158) 1:20 PM: HKLM\software\classes\lowsol.richeditor\ (5 subtraces) (ID = 373176) 1:20 PM: HKLM\software\classes\clsid\{f79a2c4b-8776-4ed7-8b2f-4786a4a3500a}\ (11 subtraces) (ID = 373189) 1:20 PM: HKLM\software\classes\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373224) 1:20 PM: Found Adware: cas 1:20 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\cmapp\ (12 subtraces) (ID = 381792) 1:20 PM: Found Trojan Horse: sysnet 1:20 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sysnet\ (2 
subtraces) (ID = 381857) 1:20 PM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934) 1:20 PM: HKLM\software\classes\lowsol.richeditor.1\ (3 subtraces) (ID = 479490) 1:20 PM: HKCR\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 480791) 1:20 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 498504) 1:20 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 498516) 1:20 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 499294) 1:20 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 499295) 1:20 PM: Registry Sweep Complete, Elapsed Time:00:00:21 1:20 PM: Starting Cookie Sweep 1:20 PM: Found Spy Cookie: 10103 cookie 1:20 PM: nikunj@10103[1].txt (ID = 1922) 1:20 PM: Found Spy Cookie: 888 cookie 1:20 PM: nikunj@888[1].txt (ID = 2020) 1:20 PM: nikunj@888[2].txt (ID = 2020) 1:20 PM: Found Spy Cookie: abcsearch cookie 1:20 PM: nikunj@abcsearch[1].txt (ID = 2034) 1:20 PM: Found Spy Cookie: yieldmanager cookie 1:20 PM: nikunj@ad.yieldmanager[2].txt (ID = 3751) 1:20 PM: Found Spy Cookie: adamg cookie 1:20 PM: nikunj@adamg[2].txt (ID = 2056) 1:20 PM: Found Spy Cookie: adknowledge cookie 1:20 PM: nikunj@adknowledge[1].txt (ID = 2073) 1:20 PM: Found Spy Cookie: pointroll cookie 1:20 PM: nikunj@ads.pointroll[2].txt (ID = 3148) 1:20 PM: Found Spy Cookie: aff504 cookie 1:20 PM: nikunj@aff504[2].txt (ID = 2188) 1:20 PM: Found Spy Cookie: aff6001 cookie 1:20 PM: nikunj@aff6001[1].txt (ID = 2192) 1:20 PM: Found Spy Cookie: aff6008 cookie 1:20 PM: nikunj@aff6008[1].txt (ID = 2196) 1:20 PM: Found Spy Cookie: falkag cookie 1:20 PM: nikunj@as-eu.falkag[1].txt (ID = 2650) 1:20 PM: nikunj@as-us.falkag[1].txt (ID = 2650) 1:20 PM: Found Spy Cookie: ask cookie 1:20 PM: nikunj@ask[1].txt (ID = 2246) 1:20 PM: Found Spy Cookie: azjmp cookie 1:20 PM: nikunj@azjmp[2].txt (ID = 2271) 1:20 PM: Found Spy Cookie: bigblue cookie 1:20 PM: 
nikunj@BigBlue[1].txt (ID = 2303) 1:20 PM: Found Spy Cookie: bigjohn cookie 1:20 PM: nikunj@bigjohn[1].txt (ID = 2305) 1:20 PM: Found Spy Cookie: burstnet cookie 1:20 PM: nikunj@burstnet[2].txt (ID = 2337) 1:20 PM: Found Spy Cookie: cassava cookie 1:20 PM: nikunj@cassava[1].txt (ID = 2363) 1:20 PM: Found Spy Cookie: cyberjester cookie 1:20 PM: nikunj@cyberjester[1].txt (ID = 2486) 1:20 PM: Found Spy Cookie: dutchmen cookie 1:20 PM: nikunj@Dutchmen[1].txt (ID = 2546) 1:20 PM: Found Spy Cookie: ru4 cookie 1:20 PM: nikunj@edge.ru4[2].txt (ID = 3269) 1:20 PM: Found Spy Cookie: fastclick cookie 1:20 PM: nikunj@fastclick[2].txt (ID = 2652) 1:20 PM: Found Spy Cookie: littlejohn cookie 1:20 PM: nikunj@LittleJohn[1].txt (ID = 2929) 1:20 PM: Found Spy Cookie: maxserving cookie 1:20 PM: nikunj@maxserving[1].txt (ID = 2967) 1:20 PM: Found Spy Cookie: overture cookie 1:20 PM: nikunj@perf.overture[1].txt (ID = 3106) 1:20 PM: Found Spy Cookie: pinhead cookie 1:20 PM: nikunj@Pinhead[1].txt (ID = 3140) 1:20 PM: Found Spy Cookie: questionmarket cookie 1:20 PM: nikunj@questionmarket[1].txt (ID = 3218) 1:20 PM: Found Spy Cookie: realmedia cookie 1:20 PM: nikunj@realmedia[1].txt (ID = 3236) 1:20 PM: Found Spy Cookie: statcounter cookie 1:20 PM: nikunj@statcounter[1].txt (ID = 3448) 1:20 PM: Found Spy Cookie: trafficmp cookie 1:20 PM: nikunj@trafficmp[1].txt (ID = 3582) 1:20 PM: Found Spy Cookie: tribalfusion cookie 1:20 PM: nikunj@tribalfusion[2].txt (ID = 3590) 1:20 PM: Found Spy Cookie: burstbeacon cookie 1:20 PM: nikunj@www.burstbeacon[2].txt (ID = 2335) 1:20 PM: Found Spy Cookie: letitfind cookie 1:20 PM: nikunj@www.letitfind[2].txt (ID = 2919) 1:20 PM: Found Spy Cookie: adserver cookie 1:20 PM: nikunj@z1.adserver[1].txt (ID = 2142) 1:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01 1:21 PM: Starting File Sweep 1:21 PM: c:\program files\cmapp (8 subtraces) (ID = -2147477896) 1:21 PM: c:\program files\asys (2 subtraces) (ID = -2147477847) 1:21 PM: c:\program files\epicenter (1 
subtraces) (ID = -2147477846) 1:21 PM: Found Adware: effective-i toolbar 1:21 PM: ucmoreiex[1].exe (ID = 59853) 1:21 PM: ucmoreiex.exe (ID = 59853) 1:21 PM: snuninst.exe (ID = 110129) 1:21 PM: Found Adware: apropos 1:21 PM: aproposclientinstaller[1].exe (ID = 116631) 1:21 PM: Found Adware: targetsaver 1:21 PM: tsupdate[1].ini (ID = 112322) 1:22 PM: temp.frd6a2 (ID = 63392) 1:22 PM: dist001.exe (ID = 52230) 1:22 PM: casstub.exe (ID = 52230) 1:22 PM: Found Adware: begin2search 1:22 PM: pinkkas21.ico (ID = 51041) 1:22 PM: Found Trojan Horse: trojan-downloader-traf34 1:22 PM: gsm3-0511.exe (ID = 81005) 1:22 PM: Found Trojan Horse: trojan-downloader-pacisoft 1:22 PM: pcs_0029[1].exe (ID = 71761) 1:22 PM: qwrza.exe (ID = 78284) 1:22 PM: qwrzl.exe (ID = 78246) 1:22 PM: pinkkas21[1].ico (ID = 51041) 1:22 PM: psof1.exe (ID = 71763) 1:22 PM: Found Trojan Horse: trojan-downloader-bookedspace 1:22 PM: bsva-egihsg52.exe (ID = 95082) 1:22 PM: pkvab.dat (ID = 120384) 1:22 PM: bmonrno.exe (ID = 120433) 1:22 PM: Found Adware: cashback 1:22 PM: cb8040f[1].exe (ID = 110793) 1:22 PM: cmappmf.dll (ID = 52236) 1:22 PM: casmf.dll (ID = 107220) 1:22 PM: vocabulary (ID = 78283) 1:22 PM: r.exe (ID = 54418) 1:22 PM: casclient.exe (ID = 107219) 1:22 PM: cassetup.exe (ID = 107221) 1:22 PM: Found Adware: opensite 1:22 PM: ucsearch.inf (ID = 71630) 1:22 PM: cassetup[1].exe (ID = 107221) 1:22 PM: Found Adware: windows afa internet enhancement 1:22 PM: vcmnet11.exe (ID = 90527) 1:22 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || C:\WINDOWS\VCMnet11.exe (ID = 0) 1:22 PM: Found Adware: 180search assistant 1:22 PM: stubinstaller4292[1].exe (ID = 70634) 1:22 PM: s.exe (ID = 54440) 1:23 PM: abiuninst[1].htm (ID = 83087) 1:23 PM: abiuninst[1].exe (ID = 83089) 1:23 PM: thin-143-1-x-x[1].exe (ID = 83558) 1:23 PM: Found Adware: roings search enhancment 1:23 PM: m67m.ocx (ID = 74058) 1:23 PM: Found Trojan Horse: topconverting downloader 1:23 PM: website[1].ocx (ID = 79658) 1:23 PM: 
aurorahandler[1].dll (ID = 111237) 1:23 PM: qbuninstaller.exe (ID = 90525) 1:23 PM: aurorahandler.dll (ID = 111237) 1:23 PM: Found Adware: weirdontheweb 1:23 PM: weirdontheweb_topc[1].exe (ID = 87898) 1:23 PM: weirdontheweb_topc.exe (ID = 87898) 1:23 PM: Found Trojan Horse: trojan downloader pops-stop 1:23 PM: thin_installer.exe (ID = 109660) 1:23 PM: thin_installer[1].exe (ID = 109660) 1:23 PM: Found Adware: savenow - whenusave 1:23 PM: vvsninst.exe (ID = 74460) 1:23 PM: temp.fr6601 (ID = 83087) 1:23 PM: thin-114-1-x-x[1].exe (ID = 83548) 1:23 PM: thin-114-1-x-x.exe (ID = 83548) 1:23 PM: Found Adware: surfsidekick 1:23 PM: ssk3_b5[1].exe (ID = 77682) 1:23 PM: ssk3_b5.exe (ID = 77682) 1:23 PM: stubinstaller5975[1].exe (ID = 70637) 1:23 PM: stubinstaller5975.exe (ID = 70637) 1:23 PM: Found Adware: elitebar 1:23 PM: protector[1].exe (ID = 59987) 1:23 PM: eliteifc32.exe (ID = 59987) 1:23 PM: elitejel32.exe (ID = 59987) 1:23 PM: Found Adware: internetoptimizer 1:23 PM: optimize[1].exe (ID = 64096) 1:23 PM: optimize.exe (ID = 64096) 1:23 PM: eliteetr32.exe (ID = 59987) 1:23 PM: aproposclientinstaller[1].exe (ID = 116631) 1:23 PM: installerv3.exe (ID = 113942) 1:23 PM: Found Adware: bookedspace 1:23 PM: cfgmgr52.dll (ID = 51659) 1:23 PM: sskknwrd.dll (ID = 77733) 1:23 PM: Found Adware: shopathomeselect 1:23 PM: p5c39877.exe (ID = 75761) 1:23 PM: res8f8.tmp (ID = 70517) 1:23 PM: 180sainstallernusac.exe (ID = 70460) 1:23 PM: del8f7.tmp (ID = 70634) 1:23 PM: cxtpls_loader.exe (ID = 93586) 1:23 PM: Found Adware: icondroppers 1:23 PM: hisistheurls.exe (ID = 62594) 1:23 PM: hisistheurls[1].exe (ID = 62594) 1:23 PM: myurlsagain.exe (ID = 62593) 1:23 PM: shop1005[1].exe (ID = 75944) 1:23 PM: shop1004.exe (ID = 75944) 1:23 PM: Found Adware: my daily horoscope 1:23 PM: setup.exe (ID = 70236) 1:23 PM: setup.exe (ID = 70236) 1:23 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars 1:23 PM: ventura-hot_246765.exe (ID = 107491) 1:23 PM: nsn873.dll (ID = 80729) 1:23 PM: 
zqbfzfck.exe (ID = 51663) 1:24 PM: Found Adware: bargain buddy 1:24 PM: installer_siac[1].exe (ID = 50703) 1:24 PM: installer_siac.exe (ID = 50703) 1:24 PM: jabno.dll (ID = 120438) 1:24 PM: tsuninst.exe (ID = 78276) 1:24 PM: Found Adware: virtualbouncer 1:24 PM: wrapperouter.exe (ID = 82854) 1:24 PM: Found Adware: visfx 1:24 PM: vfx8.0-1.exe (ID = 110122) 1:24 PM: asfjkk32.tmp (ID = 109659) 1:24 PM: hg3a5fav.dat (ID = 75801) 1:24 PM: cbaegeld.dll (ID = 75582) 1:24 PM: Found Adware: navisearch 1:24 PM: nls8039[1].exe (ID = 111973) 1:24 PM: diamond[2].cab (ID = 94665) 1:24 PM: Found Trojan Horse: trojan-downloader-topinstalls 1:24 PM: wintask.exe (ID = 81002) 1:24 PM: exp.exe (ID = 81002) 1:24 PM: tsinstall_4_0_3_8_b17.exe (ID = 78267) 1:24 PM: qwrzc.dll (ID = 78253) 1:24 PM: exp (ID = 81002) 1:24 PM: tsupdate_4_0_3_9_b2.exe (ID = 78281) 1:24 PM: class-barrel (ID = 78229) 1:24 PM: nitk.exe (ID = 120384) 1:24 PM: dhlgjgl.dll (ID = 120439) 1:24 PM: jborar.exe (ID = 120384) 1:24 PM: richedtr.dll (ID = 109658) 1:24 PM: redtrsha.dll (ID = 109657) 1:24 PM: richup.exe (ID = 109659) 1:24 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || richup (ID = 0) 1:24 PM: ncohutdn.exe (ID = 112497) 1:24 PM: mydpsspc.exe (ID = 112496) 1:24 PM: sysnet.exe (ID = 110109) 1:24 PM: cursors.xml (ID = 84688) 1:24 PM: xlmurin.wzg (ID = 87854) 1:24 PM: gykhxlmu.rmr (ID = 84892) 1:24 PM: temp.fr236d (ID = 84894) 1:24 PM: temp.fr4442 (ID = 84889) 1:24 PM: temp.fr11fe (ID = 86338) 1:24 PM: temp.fr6e8c (ID = 84923) 1:24 PM: setup.inf (ID = 70238) 1:24 PM: Found Adware: twain-tech 1:24 PM: twtini.inf (ID = 81897) 1:24 PM: sf[1].txt (ID = 110126) 1:24 PM: affupdate[1].ini (ID = 78227) 1:24 PM: twaintec.inf (ID = 81890) 1:24 PM: auto_update[1] (ID = 50056) 1:24 PM: sf[1].txt (ID = 110126) 1:24 PM: sf.txt (ID = 110126) 1:24 PM: rf[1].txt (ID = 110125) 1:24 PM: rf.txt (ID = 110125) 1:24 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df301f.tmp". 
System Error. Code: 32. The process cannot access the file because it is being used by another process 1:24 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dffa4a.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 1:24 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~dfed36.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 1:24 PM: Warning: Failed to read file "c:\documents and settings\nikunj\local settings\temp\~df346c.tmp". System Error. Code: 32. The process cannot access the file because it is being used by another process 1:24 PM: File Sweep Complete, Elapsed Time: 00:03:59 1:25 PM: Full Sweep has completed. Elapsed time 00:07:32 1:25 PM: Traces Found: 1371 6:11 PM: Found: Memory-resident threat clkoptimizer, version 1.0.0.0 6:11 PM: Detected running threat: clkoptimizer 6:11 PM: |··· End of Session, Sunday, July 31, 2005 ···| ******** 10:53 AM: |··· Start of Session, Saturday, July 30, 2005 ···| 10:53 AM: Spy Sweeper started 10:53 AM: Sweep initiated using definitions version 505 10:53 AM: Starting Memory Sweep 10:53 AM: Spy Installation Shield: found: Adware: shopathomeselect, version 1 -- Execution Denied 10:53 AM: Spy Installation Shield: found: Adware: bargain buddy, version 1 -- Execution Denied 10:53 AM: Spy Installation Shield: found: Adware: effective-i toolbar, version 1 -- Execution Denied 10:55 AM: Found Adware: windows afa internet enhancement 10:55 AM: Detected running threat: C:\WINDOWS\system\bkmv.exe (ID = 4135459) 10:55 AM: Found Trojan Horse: topconverting downloader 10:55 AM: Detected running threat: C:\WINDOWS\Downloaded Program Files\website.ocx (ID = 4123985) 10:57 AM: Memory Sweep Complete, Elapsed Time: 00:04:15 10:57 AM: Starting Registry Sweep 10:58 AM: Found Adware: coolwebsearch (cws) 10:58 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 4370702) 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 4373303) 10:58 AM: Found Adware: gain-supported software 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\ (12 subtraces) (ID = 4387801) 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\ (12 subtraces) (ID = 4387801) 10:58 AM: Found Adware: dashbar hijack 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 4387808) 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 4387808) 10:58 AM: Found Adware: hotbar 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 4388560) 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 4388560) 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) (ID = 4388568) 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 4388569) 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 4388580) 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 4388582) 10:58 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 4388582) 10:58 AM: Found Adware: ieplugin 10:58 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 4389221) 10:59 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 4389221) 10:59 AM: Found Adware: drsnsrch.com hijacker 10:59 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 4389253) 10:59 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 4389255) 10:59 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 4389260) 11:02 AM: HKCR\clsid\{38601801-2ff5-4a62-95da-d2007161c1b4}\ (3 subtraces) (ID = 4405335) 11:02 AM: HKCR\clsid\{79849612-a98f-45b8-95e9-4d13c7b6b35c}\ (18 subtraces) (ID = 4405336) 11:02 AM: HKCR\interface\{4fe82ba0-9335-4d4e-8e98-76409a88f2c1}\ (8 subtraces) (ID = 4405337) 11:02 AM: HKCR\interface\{ace5b10b-92a3-4103-8583-3684bb09409f}\ (8 subtraces) (ID = 4405338) 11:02 AM: HKCR\loader2.loader2ctrl.1\ (3 subtraces) (ID = 4405339) 11:02 AM: HKLM\software\classes\clsid\{38601801-2ff5-4a62-95da-d2007161c1b4}\ (3 subtraces) (ID = 4405342) 11:02 AM: HKLM\software\classes\clsid\{79849612-a98f-45b8-95e9-4d13c7b6b35c}\ (18 subtraces) (ID = 4405343) 11:02 AM: HKLM\software\classes\interface\{4fe82ba0-9335-4d4e-8e98-76409a88f2c1}\ (8 subtraces) (ID = 4405344) 11:02 AM: HKLM\software\classes\interface\{ace5b10b-92a3-4103-8583-3684bb09409f}\ (8 subtraces) (ID = 4405345) 11:02 AM: HKLM\software\classes\loader2.loader2ctrl.1\ (3 subtraces) (ID = 4405346) 11:02 AM: HKLM\software\classes\tpusn\ (1 subtraces) (ID = 4405348) 11:02 AM: 
HKLM\software\classes\typelib\{487e7682-b976-41fb-a944-e8b83689a454}\ (9 subtraces) (ID = 4405349) 11:02 AM: HKLM\software\microsoft\code store database\distribution units\{79849612-a98f-45b8-95e9-4d13c7b6b35c}\ (10 subtraces) (ID = 4405350) 11:02 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/website.ocx\ (2 subtraces) (ID = 4405360) 11:02 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\website.ocx (ID = 4405374) 11:02 AM: HKCR\tpusn\ (1 subtraces) (ID = 4405378) 11:02 AM: HKCR\typelib\{487e7682-b976-41fb-a944-e8b83689a454}\ (9 subtraces) (ID = 4405379) 11:03 AM: Found Adware: websearch toolbar 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 4408056) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 4408152) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 4408155) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 4408155) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 4408155) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 4408201) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 4408201) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 4408201) 11:03 AM: 
HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 4408202) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 4408202) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 4408202) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 4408231) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 4408231) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 4408231) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 4408233) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 4408233) 11:03 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 4408233) 11:03 AM: Registry Sweep Complete, Elapsed Time:00:05:52 11:03 AM: Starting Cookie Sweep 11:03 AM: Found Cookie: 10101 cookie 11:03 AM: nikunj@10101[1].txt (ID = 180333) 11:03 AM: Found Cookie: 64.62.232 cookie 11:03 AM: nikunj@64.62.232[2].txt (ID = 180403) 11:03 AM: nikunj@64.62.232[3].txt (ID = 180403) 11:03 AM: nikunj@64.62.232[4].txt (ID = 180403) 11:03 AM: nikunj@64.62.232[5].txt (ID = 180403) 11:03 AM: nikunj@64.62.232[6].txt (ID = 180403) 11:03 AM: Found Cookie: yieldmanager cookie 11:03 AM: nikunj@ad.yieldmanager[2].txt (ID = 182189) 11:03 AM: Found Cookie: hbmediapro cookie 11:03 AM: nikunj@adopt.hbmediapro[2].txt (ID = 181194) 11:03 AM: Found Cookie: addynamix cookie 11:03 AM: nikunj@ads.addynamix[1].txt (ID = 180477) 11:03 AM: Found Cookie: pointroll cookie 11:03 AM: nikunj@ads.pointroll[2].txt (ID = 181578) 11:03 AM: Found Cookie: aff504 cookie 11:03 AM: nikunj@aff504[1].txt (ID = 180607) 
11:03 AM: Found Cookie: ask cookie 11:03 AM: nikunj@ask[1].txt (ID = 180665) 11:03 AM: Found Cookie: aycm6 cookie 11:03 AM: nikunj@aycm6[1].txt (ID = 180690) 11:03 AM: Found Cookie: azjmp cookie 11:03 AM: nikunj@azjmp[2].txt (ID = 180692) 11:03 AM: Found Cookie: searchingbooth cookie 11:03 AM: nikunj@banners.searchingbooth[1].txt (ID = 181754) 11:03 AM: Found Cookie: enhance cookie 11:03 AM: nikunj@c.enhance[1].txt (ID = 181040) 11:03 AM: Found Cookie: top-banners cookie 11:03 AM: nikunj@campaigns.top-banners[1].txt (ID = 181982) 11:03 AM: Found Cookie: captnemo cookie 11:03 AM: nikunj@CaptNemo[2].txt (ID = 180770) 11:03 AM: Found Cookie: centrport net cookie 11:03 AM: nikunj@centrport[2].txt (ID = 180796) 11:03 AM: Found Cookie: directtrack cookie 11:03 AM: nikunj@directtrack[1].txt (ID = 180947) 11:03 AM: Found Cookie: dutchmen cookie 11:03 AM: nikunj@Dutchmen[2].txt (ID = 180967) 11:03 AM: Found Cookie: elmer cookie 11:03 AM: nikunj@elmer[1].txt (ID = 181028) 11:03 AM: Found Cookie: internetfuel cookie 11:03 AM: nikunj@exitexchange[2].txt (ID = 181303) 11:03 AM: Found Cookie: topconverting cookie 11:03 AM: nikunj@frame.topconverting[1].txt (ID = 181988) 11:03 AM: Found Cookie: gonzalez cookie 11:03 AM: nikunj@Gonzalez[1].txt (ID = 181167) 11:03 AM: Found Cookie: hpm001 cookie 11:03 AM: nikunj@hpm001[1].txt (ID = 181236) 11:03 AM: Found Cookie: ic-live cookie 11:03 AM: nikunj@ic-live[1].txt (ID = 181250) 11:03 AM: Found Cookie: mcverry cookie 11:03 AM: nikunj@mcverry[1].txt (ID = 181401) 11:03 AM: nikunj@media.top-banners[1].txt (ID = 181982) 11:03 AM: Found Cookie: overture cookie 11:03 AM: nikunj@overture[1].txt (ID = 181538) 11:03 AM: Found Cookie: partypoker cookie 11:03 AM: nikunj@partypoker[2].txt (ID = 181544) 11:03 AM: nikunj@perf.overture[1].txt (ID = 181538) 11:03 AM: Found Cookie: questionmarket cookie 11:03 AM: nikunj@questionmarket[1].txt (ID = 181648) 11:03 AM: Found Cookie: realmedia cookie 11:03 AM: nikunj@realmedia[1].txt (ID = 181666) 11:03 AM: 
nikunj@ridemg.directtrack[2].txt (ID = 180947) 11:03 AM: Found Cookie: trafficmp cookie 11:03 AM: nikunj@trafficmp[2].txt (ID = 182018) 11:03 AM: Found Cookie: wizzle cookie 11:03 AM: nikunj@wizzle[2].txt (ID = 182134) 11:03 AM: Found Cookie: find-direct cookie 11:03 AM: nikunj@www.find-direct[2].txt (ID = 181093) 11:03 AM: Found Cookie: letitfind cookie 11:03 AM: nikunj@www.letitfind[1].txt (ID = 181349) 11:03 AM: nikunj@yieldmanager[1].txt (ID = 182188) 11:03 AM: Found Cookie: adserver cookie 11:03 AM: nikunj@z1.adserver[1].txt (ID = 180561) 11:03 AM: Cookie Sweep Complete, Elapsed Time: 00:00:07 11:03 AM: Starting File Sweep 11:05 AM: Sweep Canceled 11:05 AM: File Sweep Complete, Elapsed Time: 00:02:01 11:05 AM: Traces Found: 1251 11:06 AM: Removal process initiated 11:08 AM: Quarantining All Traces: windows afa internet enhancement 11:08 AM: Quarantining All Traces: topconverting downloader 11:08 AM: Quarantining All Traces: coolwebsearch (cws) 11:08 AM: Quarantining All Traces: gain-supported software 11:08 AM: Quarantining All Traces: dashbar hijack 11:08 AM: Quarantining All Traces: hotbar 11:08 AM: Quarantining All Traces: ieplugin 11:08 AM: Quarantining All Traces: drsnsrch.com hijacker 11:08 AM: Quarantining All Traces: websearch toolbar 11:08 AM: Quarantining All Traces: 10101 cookie 11:08 AM: Quarantining All Traces: 64.62.232 cookie 11:08 AM: Quarantining All Traces: yieldmanager cookie 11:08 AM: Quarantining All Traces: hbmediapro cookie 11:08 AM: Quarantining All Traces: addynamix cookie 11:08 AM: Quarantining All Traces: pointroll cookie 11:08 AM: Quarantining All Traces: aff504 cookie 11:08 AM: Quarantining All Traces: ask cookie 11:08 AM: Quarantining All Traces: aycm6 cookie 11:08 AM: Quarantining All Traces: azjmp cookie 11:08 AM: Quarantining All Traces: searchingbooth cookie 11:08 AM: Quarantining All Traces: enhance cookie 11:08 AM: Quarantining All Traces: top-banners cookie 11:08 AM: Quarantining All Traces: captnemo cookie 11:08 AM: 
Quarantining All Traces: centrport net cookie 11:08 AM: Quarantining All Traces: directtrack cookie 11:08 AM: Quarantining All Traces: dutchmen cookie 11:08 AM: Quarantining All Traces: elmer cookie 11:08 AM: Quarantining All Traces: internetfuel cookie 11:08 AM: Quarantining All Traces: topconverting cookie 11:08 AM: Quarantining All Traces: gonzalez cookie 11:08 AM: Quarantining All Traces: hpm001 cookie 11:08 AM: Quarantining All Traces: ic-live cookie 11:08 AM: Quarantining All Traces: mcverry cookie 11:08 AM: Quarantining All Traces: overture cookie 11:08 AM: Quarantining All Traces: partypoker cookie 11:08 AM: Quarantining All Traces: questionmarket cookie 11:08 AM: Quarantining All Traces: realmedia cookie 11:08 AM: Quarantining All Traces: trafficmp cookie 11:08 AM: Quarantining All Traces: wizzle cookie 11:08 AM: Quarantining All Traces: find-direct cookie 11:08 AM: Quarantining All Traces: letitfind cookie 11:08 AM: Quarantining All Traces: adserver cookie 11:08 AM: Removal process completed. Elapsed time 00:01:51 1:13 PM: Your spyware definitions have been updated. 
1:17 PM: Found: Memory-resident threat clkoptimizer, version 1.0.0.0 1:17 PM: Detected running threat: clkoptimizer 1:17 PM: |··· End of Session, Sunday, July 31, 2005 ···| ******** 10:28 AM: |··· Start of Session, Saturday, July 30, 2005 ···| 10:28 AM: Spy Sweeper started 10:28 AM: Sweep initiated using definitions version 505 10:28 AM: Starting Memory Sweep 10:29 AM: Found Adware: windows afa internet enhancement 10:29 AM: Detected running threat: C:\WINDOWS\system\bkmv.exe (ID = 4135459) 10:31 AM: Memory Sweep Complete, Elapsed Time: 00:02:34 10:31 AM: Starting Registry Sweep 10:31 AM: Found Adware: coolwebsearch (cws) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\keywords\ (79 subtraces) (ID = 4370702) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\windows\currentversion\run\ || xp_system (ID = 4373303) 10:31 AM: Found Adware: gain-supported software 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\gator.com\ (12 subtraces) (ID = 4387801) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\gator.com\ (12 subtraces) (ID = 4387801) 10:31 AM: Found Adware: dashbar hijack 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 4387808) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\main\ || search bar (ID = 4387808) 10:31 AM: Found Adware: hotbar 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\hotbar\ (208 subtraces) (ID = 4388560) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\hotbar\ (461 subtraces) (ID = 4388560) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (1 subtraces) 
(ID = 4388568) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (1 subtraces) (ID = 4388569) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 4388580) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 4388582) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 4388582) 10:31 AM: Found Adware: ieplugin 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\intexp\ (10 subtraces) (ID = 4389221) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\intexp\ (2 subtraces) (ID = 4389221) 10:31 AM: Found Adware: drsnsrch.com hijacker 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 4389253) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\main\ || search page (ID = 4389255) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 4389260) 10:31 AM: Found Adware: websearch toolbar 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\btiein\ (4 subtraces) (ID = 4408056) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 4408152) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\microsoft\internet 
explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 4408155) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 4408155) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 4408155) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 4408201) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 4408201) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 4408201) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 4408202) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 4408202) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 4408202) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\toolbar\ (30 subtraces) (ID = 4408231) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\toolbar\ (22 subtraces) (ID = 4408231) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\toolbar\ (22 subtraces) (ID = 4408231) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1003\software\wintools\ (19 subtraces) (ID = 4408233) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-1010\software\wintools\ (16 subtraces) (ID = 4408233) 10:31 AM: HKU\WRSS_Profile_S-1-5-21-1757981266-1364589140-682003330-501\software\wintools\ (17 subtraces) (ID = 4408233) 10:31 AM: Registry Sweep Complete, Elapsed Time:00:00:16 10:31 AM: Starting Cookie Sweep 10:31 AM: 
Found Cookie: pointroll cookie 10:31 AM: nikunj@ads.pointroll[2].txt (ID = 181578) 10:31 AM: Found Cookie: ask cookie 10:31 AM: nikunj@ask[1].txt (ID = 180665) 10:31 AM: Found Cookie: centrport net cookie 10:31 AM: nikunj@centrport[2].txt (ID = 180796) 10:31 AM: Found Cookie: directtrack cookie 10:31 AM: nikunj@directtrack[1].txt (ID = 180947) 10:31 AM: Found Cookie: internetfuel cookie 10:31 AM: nikunj@exitexchange[1].txt (ID = 181303) 10:31 AM: Found Cookie: top-banners cookie 10:31 AM: nikunj@media.top-banners[1].txt (ID = 181982) 10:31 AM: Found Cookie: questionmarket cookie 10:31 AM: nikunj@questionmarket[1].txt (ID = 181648) 10:31 AM: nikunj@ridemg.directtrack[2].txt (ID = 180947) 10:31 AM: Found Cookie: trafficmp cookie 10:31 AM: nikunj@trafficmp[1].txt (ID = 182018) 10:31 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00 10:31 AM: Starting File Sweep 10:31 AM: Warning: Failed to open file "c:\windows\system32\spool\printers\fp00000.shd". The process cannot access the file because it is being used by another process 10:32 AM: temp.frd6a2 (ID = 4105492) 10:32 AM: Found Adware: cas 10:32 AM: dist001.exe (ID = 4093180) 10:32 AM: casstub.exe (ID = 4093180) 10:32 AM: Found Adware: begin2search 10:32 AM: pinkkas21.ico (ID = 4091716) 10:32 AM: Found Trojan Horse: trojan-downloader-traf34 10:32 AM: gsm3-0511.exe (ID = 4125479) 10:32 AM: Found Trojan Horse: trojan-downloader-pacisoft 10:32 AM: pcs_0029[1].exe (ID = 4114921) 10:32 AM: Found Adware: targetsaver 10:32 AM: qwrza.exe (ID = 4122524) 10:32 AM: qwrzl.exe (ID = 4122485) 10:32 AM: pinkkas21[1].ico (ID = 4091716) 10:32 AM: psof1.exe (ID = 4114923) 10:32 AM: Found Trojan Horse: trojan-downloader-bookedspace 10:32 AM: bsva-egihsg52.exe (ID = 4124683) 10:32 AM: Found Adware: cashback 10:32 AM: cb8040f[1].exe (ID = 4093202) 10:32 AM: cmappmf.dll (ID = 4093176) 10:32 AM: casmf.dll (ID = 4093175) 10:33 AM: vocabulary (ID = 4122523) 10:33 AM: r.exe (ID = 4095611) 10:33 AM: casclient.exe (ID = 4093173) 10:33 AM: 
cassetup.exe (ID = 4093178) 10:33 AM: Found Adware: opensite 10:33 AM: ucsearch.inf (ID = 4114767) 10:33 AM: cassetup[1].exe (ID = 4093178) 10:33 AM: vcmnet11.exe (ID = 4135466) 10:33 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || C:\WINDOWS\VCMnet11.exe (ID = 0) 10:33 AM: Found Adware: 180search assistant 10:33 AM: stubinstaller4292[1].exe (ID = 4113582) 10:33 AM: s.exe (ID = 4095633) 10:33 AM: Found Adware: abetterinternet 10:33 AM: abiuninst[1].htm (ID = 4127732) 10:33 AM: abiuninst[1].exe (ID = 4127734) 10:33 AM: thin-143-1-x-x[1].exe (ID = 4128234) 10:33 AM: Found Adware: roings search enhancment 10:33 AM: m67m.ocx (ID = 4117662) 10:33 AM: aurorahandler[1].dll (ID = 4128384) 10:33 AM: qbuninstaller.exe (ID = 4135464) 10:33 AM: aurorahandler.dll (ID = 4128384) 10:33 AM: Found Trojan Horse: trojan downloader pops-stop 10:33 AM: thin_installer.exe (ID = 4125310) 10:33 AM: thin_installer[1].exe (ID = 4125310) 10:33 AM: Found Adware: savenow - whenusave 10:33 AM: vvsninst.exe (ID = 4118101) 10:33 AM: temp.fr6601 (ID = 4127732) 10:33 AM: Found Adware: elitebar 10:33 AM: protector[1].exe (ID = 4101524) 10:33 AM: eliteifc32.exe (ID = 4101524) 10:33 AM: elitejel32.exe (ID = 4101524) 10:33 AM: eliteetr32.exe (ID = 4101524) 10:34 AM: Found Adware: surfsidekick 10:34 AM: sskknwrd.dll (ID = 4121943) 10:34 AM: installerv3.exe (ID = 4125309) 10:34 AM: Found Adware: bookedspace 10:34 AM: cfgmgr52.dll (ID = 4092435) 10:34 AM: Found Adware: shopathomeselect 10:34 AM: p5c39877.exe (ID = 4119552) 10:34 AM: res8f8.tmp (ID = 4113449) 10:34 AM: bkmv.exe (ID = 4135459) 10:34 AM: 180sainstallernusac.exe (ID = 4113378) 10:34 AM: del8f7.tmp (ID = 4113582) 10:34 AM: Found Adware: apropos 10:34 AM: cxtpls_loader.exe (ID = 4090643) 10:34 AM: Found Adware: icondroppers 10:34 AM: hisistheurls.exe (ID = 4104671) 10:34 AM: hisistheurls[1].exe (ID = 4104671) 10:34 AM: myurlsagain.exe (ID = 4104670) 10:34 AM: Found Adware: my daily horoscope 10:34 AM: setup.exe (ID = 4113124) 10:34 
AM: setup.exe (ID = 4113124) 10:34 AM: Found Trojan Horse: trojan-downloader-mainstreamdollars 10:34 AM: ventura-hot_246765.exe (ID = 4125179) 10:34 AM: nsn873.dll (ID = 4125165) 10:34 AM: zqbfzfck.exe (ID = 4092439) 10:34 AM: tsuninst.exe (ID = 4122516) 10:34 AM: Found Adware: virtualbouncer 10:34 AM: wrapperouter.exe (ID = 4127479) 10:34 AM: Found Adware: visfx 10:34 AM: vfx8.0-1.exe (ID = 4127681) 10:34 AM: hg3a5fav.dat (ID = 4119611) 10:34 AM: cbaegeld.dll (ID = 4119360) 10:34 AM: Found Trojan Horse: trojan-downloader-topinstalls 10:34 AM: wintask.exe (ID = 4125476) 10:34 AM: exp.exe (ID = 4125476) 10:34 AM: tsinstall_4_0_3_8_b17.exe (ID = 4122507) 10:34 AM: qwrzc.dll (ID = 4122493) 10:34 AM: exp (ID = 4125476) 10:34 AM: tsupdate_4_0_3_9_b2.exe (ID = 4122521) 10:34 AM: class-barrel (ID = 4122468) 10:35 AM: sskuknwrd.dll (ID = 4121964) 10:35 AM: cursors.xml (ID = 4129487) 10:35 AM: xlmurin.wzg (ID = 4132676) 10:35 AM: gykhxlmu.rmr (ID = 4129692) 10:35 AM: temp.fr236d (ID = 4129694) 10:35 AM: temp.fr4442 (ID = 4129689) 10:35 AM: temp.fr11fe (ID = 4131156) 10:35 AM: temp.fr6e8c (ID = 4129724) 10:35 AM: setup.inf (ID = 4113126) 10:35 AM: Found Adware: twain-tech 10:35 AM: twtini.inf (ID = 4126438) 10:35 AM: affupdate[1].ini (ID = 4122466) 10:35 AM: twaintec.inf (ID = 4126432) 10:35 AM: auto_update[1] (ID = 4090597) 10:35 AM: File Sweep Complete, Elapsed Time: 00:04:00 10:35 AM: Full Sweep has completed. 
Elapsed time 00:06:59 10:35 AM: Traces Found: 1170 10:52 AM: Spy Installation Shield: found: Adware: weirdontheweb, version 1 -- Execution Denied 10:52 AM: Spy Installation Shield: found: Adware: abetterinternet, version 1 -- Execution Denied 10:52 AM: Spy Installation Shield: found: Adware: surfsidekick, version 2 -- Execution Denied 10:52 AM: Spy Installation Shield: found: Adware: 180search assistant, version 1 -- Execution Denied 10:53 AM: Spy Installation Shield: found: Adware: internetoptimizer, version 1 -- Execution Denied 10:53 AM: |··· End of Session, Saturday, July 30, 2005 ···| ******** 8:56 PM: |··· Start of Session, Friday, July 29, 2005 ···| 8:56 PM: Spy Sweeper started 8:56 PM: Sweep initiated using definitions version 505 8:56 PM: Starting Memory Sweep 8:58 PM: Memory Sweep Complete, Elapsed Time: 00:02:11 8:58 PM: Starting Registry Sweep 8:58 PM: Found Adware: addestroyer 8:58 PM: HKCR\clsid\{417386c3-8d4a-4611-9b91-e57e89d603ac}\ (13 subtraces) (ID = 4363535) 8:58 PM: HKCR\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}\ (13 subtraces) (ID = 4363536) 8:58 PM: HKCR\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 4363537) 8:58 PM: HKCR\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 4363539) 8:58 PM: HKCR\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 4363540) 8:58 PM: HKCR\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 4363541) 8:58 PM: HKCR\popoops2.popoops\ (3 subtraces) (ID = 4363542) 8:58 PM: HKCR\swlad1.swlad\ (3 subtraces) (ID = 4363543) 8:58 PM: HKLM\software\classes\clsid\{417386c3-8d4a-4611-9b91-e57e89d603ac}\ (13 subtraces) (ID = 4363544) 8:58 PM: HKLM\software\classes\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}\ (13 subtraces) (ID = 4363545) 8:58 PM: HKLM\software\classes\interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}\ (8 subtraces) (ID = 4363546) 8:58 PM: HKLM\software\classes\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 
4363548) 8:58 PM: HKLM\software\classes\interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}\ (8 subtraces) (ID = 4363549) 8:58 PM: HKLM\software\classes\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 4363550) 8:58 PM: HKLM\software\classes\popoops2.popoops\ (3 subtraces) (ID = 4363551) 8:58 PM: HKLM\software\classes\swlad1.swlad\ (3 subtraces) (ID = 4363552) 8:58 PM: HKLM\software\classes\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (9 subtraces) (ID = 4363553) 8:58 PM: HKLM\software\classes\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 4363554) 8:58 PM: HKCR\typelib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}\ (9 subtraces) (ID = 4363557) 8:58 PM: HKCR\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 4363558) 8:58 PM: Found Adware: apropos 8:58 PM: HKCR\clsid\{b5ab638f-d76c-415b-a8f2-f3ceac502212}\ (7 subtraces) (ID = 4364535) 8:58 PM: HKCR\clsid\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (4 subtraces) (ID = 4364538) 8:58 PM: HKCR\interface\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (5 subtraces) (ID = 4364547) 8:58 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\aprps\ (7 subtraces) (ID = 4364549) 8:58 PM: HKLM\software\aprps\ (8 subtraces) (ID = 4364550) 8:58 PM: HKLM\software\classes\clsid\{b5ab638f-d76c-415b-a8f2-f3ceac502212}\ (7 subtraces) (ID = 4364573) 8:58 PM: HKLM\software\classes\clsid\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (4 subtraces) (ID = 4364576) 8:58 PM: HKLM\software\classes\interface\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (5 subtraces) (ID = 4364583) 8:58 PM: Found Adware: begin2search 8:58 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 4364935) 8:58 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 4364936) 8:58 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 4364937) 8:58 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 4364938) 8:58 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 4364939) 8:58 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 4364940) 8:58 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 
4364941) 8:58 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 4364942) 8:58 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 4364949) 8:58 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 4364958) 8:58 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 4364959) 8:58 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 4364960) 8:58 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 4364964) 8:58 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 4364966) 8:58 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 4364967) 8:58 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 4364968) 8:58 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 4364979) 8:58 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 4364981) 8:58 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 4364985) 8:58 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 4364986) 8:58 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 4364987) 8:58 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 4364988) 8:58 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 4364989) 8:58 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 4364990) 8:58 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 4364991) 8:58 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 4364992) 8:58 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 4364999) 8:58 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 4365008) 8:58 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 4365009) 8:58 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 
4365010) 8:58 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 4365014) 8:58 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 4365016) 8:58 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 4365017) 8:58 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 4365018) 8:58 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 4365029) 8:58 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 4365031) 8:58 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 4365035) 8:58 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 4365078) 8:58 PM: Found Adware: bookedspace 8:58 PM: HKCR\appid\{0dc5cd7c-f653-4417-aa43-d457be3a9622}\ (1 subtraces) (ID = 4365710) 8:58 PM: HKLM\software\classes\appid\{0dc5cd7c-f653-4417-aa43-d457be3a9622}\ (1 subtraces) (ID = 4365720) 8:58 PM: HKLM\software\configuration manager\cfgmgr52\ (250 subtraces) (ID = 4365728) 8:58 PM: Found Adware: cas 8:58 PM: HKCR\clsid\{8293d547-38dd-4325-b35a-f1817edfa5fc}\ (11 subtraces) (ID = 4366237) 8:58 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\cas\client\ (11 subtraces) (ID = 4366240) 8:58 PM: HKLM\software\classes\clsid\{8293d547-38dd-4325-b35a-f1817edfa5fc}\ (11 subtraces) (ID = 4366241) 8:58 PM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 4366244) 8:58 PM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 4366246) 8:58 PM: Found Adware: coolwebsearch (cws) 8:58 PM: HKU\S-1-5-21-1757981266-1364589140-682003330-1004\software\microsoft\internet explo