Thanks, Rawe
When I ran Spysweeper, besides the items it found, I got an alert that read:
Hosts File Shield for www.dcsresearch.com: 64.91.255.87 has been added, but Internet lookup reports - no IP Address Returned.
I wasn't sure if I should click Remove, so I left it alone.
Spysweeper log
********
10:17 AM: |··· Start of Session, Saturday, July 16, 2005 ···|
10:17 AM: Spy Sweeper started
10:17 AM: Sweep initiated using definitions version 505
10:17 AM: Starting Memory Sweep
10:23 AM: Memory Sweep Complete, Elapsed Time: 00:05:58
10:23 AM: Starting Registry Sweep
10:23 AM: Found Adware: clipgenie
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\clipgenie\ (5 subtraces) (ID = 4366798)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\traynotifier\clipgenie\ (4 subtraces) (ID = 4366803)
10:23 AM: Found Adware: ebates money maker
10:23 AM: HKU\S-1-5-21-1935655697-1957994488-1060284298-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 4386609)
10:23 AM: Found Adware: ieplugin
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\intexp\ (43 subtraces) (ID = 4389221)
10:23 AM: Found Adware: drsnsrch.com hijacker
10:23 AM: HKU\S-1-5-21-1935655697-1957994488-1060284298-1004\software\microsoft\search assistant\ || defaultsearchurl (ID = 4389253)
10:23 AM: Found Adware: ieplugin hijacker
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\microsoft\internet explorer\main\ || search bar (ID = 4389262)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\microsoft\internet explorer\main\ || search page (ID = 4389263)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 4389268)
10:23 AM: Found Adware: ietoolbar
10:23 AM: HKLM\software\classes\typelib\{4a7dba74-e729-4ec8-92e2-ffd83921449f}\ (9 subtraces) (ID = 4389294)
10:23 AM: HKLM\software\mbkwbar\ (1 subtraces) (ID = 4389297)
10:23 AM: HKCR\typelib\{4a7dba74-e729-4ec8-92e2-ffd83921449f}\ (9 subtraces) (ID = 4389307)
10:23 AM: Found Adware: locators toolbar
10:23 AM: HKU\S-1-5-21-1935655697-1957994488-1060284298-1004\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: HKU\S-1-5-20\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: HKU\S-1-5-19\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: Found System Monitor: networkessentials
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\support software\ (11 subtraces) (ID = 4397385)
10:23 AM: Found Adware: sidesearch
10:23 AM: HKLM\software\lycos\ (1 subtraces) (ID = 4403232)
10:23 AM: Found Adware: abetterinternet
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || au3n5a7tionscode (ID = 4407471)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aub3d5om (ID = 4407472)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || auc1o3d5eofsfinalad (ID = 4407473)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || auc3n5tfyl (ID = 4407474)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || auc3n5trmsgsdisp (ID = 4407475)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || auc3u5rrentsmode (ID = 4407476)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aud3s5tssend (ID = 4407477)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aue3v5nt (ID = 4407478)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3d5ofsinst (ID = 4407479)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3g5nores (ID = 4407480)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3n5progscab (ID = 4407481)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3n5progsex (ID = 4407482)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3n5progslstest (ID = 4407483)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aul3n5title (ID = 4407484)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aum3o5dessync (ID = 4407485)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aup3d5om (ID = 4407486)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aus3t5icky1s (ID = 4407488)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aus3t5icky2s (ID = 4407489)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aus3t5icky3s (ID = 4407490)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aus3t5icky4s (ID = 4407491)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3h5rshsbath (ID = 4407492)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3h5rshschecksin (ID = 4407493)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3h5rshsmots (ID = 4407494)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3h5rshsyssinf (ID = 4407495)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3i5m7eofsfinalad (ID = 4407496)
10:23 AM: Registry Sweep Complete, Elapsed Time:00:00:27
10:23 AM: Starting Cookie Sweep
10:23 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:23 AM: Starting File Sweep
10:24 AM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
10:24 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
10:29 AM: mbkwnst.exe (ID = 4105538)
10:29 AM: btgrab.inf (ID = 4127870)
10:29 AM: mbkwnst.inf (ID = 4105540)
10:35 AM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
10:40 AM: c:\program files\lycos\sidesearch (1 subtraces) (ID = 4119934)
10:40 AM: c:\program files\support software (ID = 4114104)
10:41 AM: c:\program files\mbkwbar (1 subtraces) (ID = 4105547)
10:42 AM: mbkwbar.exe (ID = 4105534)
10:42 AM: Found Adware: clearsearch
10:42 AM: dcemr295.dll (ID = 4093478)
10:42 AM: 8yny45gh.dll (ID = 4093783)
10:42 AM: vtiq2u8a.dll (ID = 4093824)
10:42 AM: opr8gqjw.dll (ID = 4093859)
10:42 AM: rj94kffx.dll (ID = 4093501)
10:42 AM: vo3mvv14.dll (ID = 4093783)
10:42 AM: ldga59pp.dll (ID = 4093575)
10:42 AM: oyohfc5e.dll (ID = 4093859)
10:43 AM: Warning: Failed to open file "c:\documents and settings\default\ntuser.dat". The process cannot access the file because it is being used by another process
10:43 AM: Warning: Failed to open file "c:\documents and settings\default\ntuser.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: lycos sidesearch.lnk (ID = 4119908)
10:44 AM: Warning: Failed to open file "c:\documents and settings\default\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\default\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: c:\documents and settings\default\application data\lycos (ID = 4119932)
10:44 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: File Sweep Complete, Elapsed Time: 00:20:47
10:44 AM: Full Sweep has completed. Elapsed time 00:27:19
10:44 AM: Traces Found: 147
10:47 AM: Removal process initiated
10:47 AM: Quarantining All Traces: clipgenie
10:47 AM: Quarantining All Traces: ebates money maker
10:47 AM: Quarantining All Traces: ieplugin
10:47 AM: Quarantining All Traces: drsnsrch.com hijacker
10:47 AM: Quarantining All Traces: ieplugin hijacker
10:47 AM: Quarantining All Traces: ietoolbar
10:47 AM: Quarantining All Traces: locators toolbar
10:47 AM: Quarantining All Traces: networkessentials
10:47 AM: Quarantining All Traces: sidesearch
10:47 AM: Quarantining All Traces: abetterinternet
10:47 AM: Quarantining All Traces: clearsearch
10:47 AM: Removal process completed. Elapsed time 00:00:26
********
10:14 AM: |··· Start of Session, Saturday, July 16, 2005 ···|
10:14 AM: Spy Sweeper started
10:15 AM: Your spyware definitions have been updated.
10:15 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000058
10:15 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
10:15 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
10:17 AM: |··· End of Session, Saturday, July 16, 2005 ···|
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:04:52 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe