[stratxxx]

Using previous logs, I have cleaned smitfraud.c virus. everything is clean except pandasoftware activescan still shows that I have smitfraud.c registry.


Incident Status Location Adware:Adware/Smitfraud No disinfected Windows Registry

Logfile of HijackThis v1.99.1
Scan saved at 8:23:21 AM, on 7/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ICO.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\stratec\Start Menu\Programs\Startup\nod32kui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\stratec\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = brtprox7:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;10.*;;localhost;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - Startup: nod32kui.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.c...SWebManager.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinINSTALL Scheduler (WinINSTALLScheduler) - VERITAS Software Corporation - C:\WINNT\system32\sswschnt.exe

Edited by stratxxx, 10 July 2005 - 12:50 AM.

[Advertisements]

Welcome stratxxx to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop!
Be sure to follow ALL instructions!


Download SmitRem
your desktop.
Right click on the file and extract it to it's own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

Please download the trial version of ewido security suite.Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido.txt log file you saved by using Add Reply

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

[g2i2r4]

Welcome stratxxx to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop!
Be sure to follow ALL instructions!


Download SmitRem
your desktop.
Right click on the file and extract it to it's own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

Please download the trial version of ewido security suite.Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido.txt log file you saved by using Add Reply

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

[stratxxx]

I appreciate your help! I followed your first set of instructions including:

smitRem: Here is the txt log

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~

logfiles


~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Not Infected!

Ad-aware: 1.6 updated and only found some non-critical things which I removed.

Ewido: installed and updated and system scan run. Here is the log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:50:25 PM, 7/10/2005
+ Report-Checksum: 145D9B91

+ Scan result:

C:\boot.exe_tobedeleted -> Dialer.Generic : Cleaned with backup
C:\Program Files\Radmin\raddrv.dll -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.20 : Cleaned with backup
C:\WINNT\system32\raddrv.dll -> Not-A-Virus.RiskWare.RemoteAdmin.RAdmin.20 : Cleaned with backup


::Report End

New HJT:
Logfile of HijackThis v1.99.1
Scan saved at 2:00:27 PM, on 7/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ICO.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\stratec\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.albemarle.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = brtprox7:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;10.*;;localhost;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - Startup: nod32kui.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.c...SWebManager.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinINSTALL Scheduler (WinINSTALLScheduler) - VERITAS Software Corporation - C:\WINNT\system32\sswschnt.exe

Didn't know if I was supposed to panda scan now so I'll add reply this and do it and add reply again.

[g2i2r4]

Yes please. Do the Panda scan and save the log to post here.

[stratxxx]

I ran Panda Activescan with autoclean check. I get the same error as my original post namely:

Incident Status Location

Adware:Adware/Smitfraud No disinfected Windows Registry

My HJT log should be what I posted last. Nothing run between running HJT and Activescan.

THanks in advance for your help,
stratxxx

[g2i2r4]

Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

C:\WINNT\system32\sswschnt.exe

Click "Open", then click the "Submit" button. Copy the results and paste them here.


Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.

[stratxxx]

Jotti Virus Scan follows:

Service load: 0% 100%

File: sswschnt.exe
Status: OK
MD5 76b043be6e1fee10107bb3f026263a4a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

HJT uninstall list:

Access IBM Cleanup Utility
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
BlackBerry Desktop Manager 3.6
BlackICE
CCHelp
CCScore
CR2
CutePDF Writer 2.2
DirectX 9 Hotfix - KB839643
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSvpaht
ESSvpot
ewido security suite
GrabIt 1.5.2 Beta(build 902)
HijackThis 1.99.1
HLPCCTR
HLPIndex
HLPPDOCK
HLPRFO
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Connections Drivers
Intel® PROSet
Internet Update
iPod Updater 2004-11-15
IrfanView (remove only)
irock! Download Manager
iTunes
Kodak EasyShare printer dock
Kodak EasyShare software
KSU
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Standard
Microsoft VGX Q833989
Microsoft XML Parser and SDK
Mouse Suite
MWSnap 3
Nero - Burning Rom
NOD32 Antivirus System
Nortel Networks Contivity VPN Client
Notifier
OTtBP
OTtBPSDK
PCDLNCH
PowerArchiver
QuickTime
Remote Administrator v2.1
SFR
SFR2
Shockwave
SoundMAX
Spybot - Search & Destroy 1.3
ThinkCentre Wallpaper
Update Rollup 1 for Windows 2000 SP4
VCAMCEN
VPRINTOL
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB897715
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)

You're a nice person for helping people like this...

[g2i2r4]

You're a nice person for helping people like this...

Thanks.


I need to consult my collegues, looks like all is well (besides panda calling out).

I'll be back.

[g2i2r4]

Just consulted one of the main experts.

Please update Ewido to the latest definitions and have it scan the computer. Save the log to post here.

Also update AdAware SE and have it scan. Remove items found in red.

Reboot and let's see what Panda has to say now.

[stratxxx]

Ewido says no:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:46:18 PM, 7/10/2005
+ Report-Checksum: EAAE7D3

+ Scan result:

No infected objects found.


::Report End

Adaware says no:

Panda says ....roooaaaaarrrrrrrr yes:

Incident Status Location

Adware:Adware/Smitfraud No disinfected Windows Registry

Hey, g2i2r4, you have been a big help and I don't want to tie you up for people who might have bigger problems than me. If this Panda registry thing is not a big deal, I'm fine to just leave it. I'm clean everywhere else but we can't clean the registry. If you want to fight it some more, I'm at your service.
stratxxx

[g2i2r4]

Hey, g2i2r4, you have been a big help and I don't want to tie you up for people who might have bigger problems than me.  If this Panda registry thing is not a big deal, I'm fine to just leave it.  I'm clean everywhere else but we can't clean the registry.  If you want to fight it some more, I'm at your service.
stratxxx

I'll work on this as long as you want me to.
Let's see what this does.

You have Spybot 1.3
There is a newer version (1.4).

Uninstall the one you have now. Then download the newer one.
http://www.safer-net...rors/index.html
Update it and let it scan.

[stratxxx]

Spybot 1.4 downloaded and I'm clean:
--- Search result list ---
Congratulations!: No immediate threats were found. ()

It is 10:20pm in Amsterdam where I'm actually living now. I'll look at the posts tomorrow. THanks for all you help today. Have a nice evening wherever you are.
Stratxxx

[g2i2r4]

I'm about 200 km away (Groningen)

I have to admit having absolutely no idea what to do to find that item.

We've done everything exept hitting it with a hammer.

I'd like to call it a quite. Here's my towl. It's my first.
A Registry entrie on it's own can't hurt you I guess.

I'm sorry I cannot help you any further. We just don't know where to start looking for it

EDIT:
We Geeks to Go! never had to quite!! Please move on to my next post and forget this one!

Edited by g2i2r4, 10 July 2005 - 05:22 PM.

[g2i2r4]

One of my collegues (bananafanafo) had a suggestion. Please give it a try.

Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.

[stratxxx]

Spysweeper got it! Log below. Ran Panda Active Scan and I'm clean. Thanks!!

********
8:02 AM: |··· Start of Session, Tuesday, July 12, 2005 ···|
8:02 AM: Spy Sweeper started
8:02 AM: Sweep initiated using definitions version 504
8:02 AM: Starting Memory Sweep
8:05 AM: Memory Sweep Complete, Elapsed Time: 00:03:27
8:05 AM: Starting Registry Sweep
8:06 AM: Found Adware: cws_analyzeie
8:06 AM: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 4283386)
8:06 AM: HKLM\software\classes\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 4283408)
8:06 AM: Found Adware: psguard desktop hijacker
8:06 AM: HKLM\software\microsoft\windows\currentversion\uninstall\internet update\ (3 subtraces) (ID = 4303830)
8:06 AM: Registry Sweep Complete, Elapsed Time:00:00:41
8:06 AM: Starting Cookie Sweep
8:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:06 AM: Starting File Sweep
8:08 AM: File Sweep Complete, Elapsed Time: 00:01:57
8:08 AM: Full Sweep has completed. Elapsed time 00:06:16
8:08 AM: Traces Found: 6
8:08 AM: Removal process initiated
8:08 AM: Quarantining All Traces: cws_analyzeie
8:08 AM: Quarantining All Traces: psguard desktop hijacker
8:08 AM: Removal process completed. Elapsed time 00:00:04