Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Insidious Replicating spyware [RESOLVED]

Started by 971821 , Aug 05 2005 02:30 PM

This topic is locked

#1
971821

Posted 05 August 2005 - 02:30 PM

Member

Member
10 posts

Have used all the on line guides and most available programs to try and remove some nasty stuff, with little luck. Cannot get rid of the eetu and possibly others. Am desperate for help.

Here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 4:29:40 PM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\UlIA\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
I:\Ewido security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Sysclean.com\lpt762\sysclean.com
I:\Sysclean.com\lpt762\sysclean.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PeoplePC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.peoplepc.com/home
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {F77D9241-5122-46D3-9016-C5AAF07BDE23} (HTMLEdit Class) - http://www.ldsd.org/...THTMLEditor.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\nyobjapi.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UlIA\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - I:\Ewido security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - I:\Ewido security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#2
Rawe

Posted 05 August 2005 - 02:42 PM

Visiting Staff

Member
4,746 posts

Hello and welcome to GTG!

Ok, we'll take care of this then.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on "Delete File on Reboot"
Navigate to this file - C:\Program Files\rdso\eetu.exe
Double click on that file.
HJT asks you if you want to reboot, now. Click "no".
Do that for the following files also. When you get to the last one, click "yes" when HJT asks you to reboot.

I:\Sysclean.com\lpt762\sysclean.exe

Next, please reboot your computer in Safe Mode by doing the following;
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Open Ad-aware and do a Full System Scan. Remove all it finds.

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
Clean anything it finds.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop

Close Ewido

Run CleanUp! making sure to reboot!

Boot up into normal mode and run the following two online scans;
Trend Micro
Panda Activescan

Let them fix anything they can, and post the results from Ewido, both online scans & a fresh HiJackThis log.

- Rawe :tazz:

#3
971821

Posted 05 August 2005 - 09:20 PM

Member

Topic Starter
Member
10 posts

Thanks for the quick response.

Am still getting pop ups and redirects, mostly winfixer

Sitebar.A and trojan vlince.A not removed

Completed all, here is the results:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:02 PM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\UlIA\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
I:\Ewido security suite\ewidoctrl.exe
I:\Ewido security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PeoplePC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.peoplepc.com/home
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {F77D9241-5122-46D3-9016-C5AAF07BDE23} (HTMLEdit Class) - http://www.ldsd.org/...THTMLEditor.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\nyobjapi.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UlIA\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - I:\Ewido security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - I:\Ewido security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Trend Micro Housecall Virus Scan37 viruses detected

Results:
We have detected 37 infected file(s) with 37 virus(es) on your
computer. Only 0 out of 0 infected files are displayed.
Detected FileAssociated Virus Name
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080173.exeTROJ_QOOLOGIC.H
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080174.exeTROJ_AGENT.VI
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080175.exeTROJ_AGENT.VI
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080178.exeTROJ_DLOADER.OS
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080179.dllTROJ_QOOLOGIC.P
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080184.exeTROJ_QOOLOGIC.H
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080186.exeTROJ_APROPO.H
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080188.exeTROJ_QOOLOGIC.N
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080189.exeTROJ_QOOLOGIC.N
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080192.EXETROJ_QOOLOGIC.N
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080194.exeTROJ_SMALL.APE
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080197.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080198.cplTROJ_QOOLOGIC.P
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080199.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080200.dllTROJ_QOOLOGIC.N
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080201.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080202.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080203.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080204.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080206.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080207.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080208.exeTROJ_QOOLOGIC.N
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080209.dllTROJ_QOOLOGIC.N
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080210.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080211.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080213.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080214.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080215.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080216.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080217.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080218.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080219.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080220.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080221.dllTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080224.DLLTROJ_VLINCE.A
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080376.DLLTROJ_VLINCE.A
C:\WINDOWS\SYSTEM32\__delete_on_reboot__guard.tmpTROJ_VLINCE.A

Trojan/Worm CheckNo worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed.
Trojan/Worm NameTrojan/Worm Type

Spyware Check6 spyware programs detected

What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 6 spyware(s) on your computer. Only 0 out of
0 spywares are displayed.
Spyware NameSpyware Type
COOKIE_1020Cookie
COOKIE_2060Cookie
SPYW_BIGBRO.10Spyware
SPYW_TIMESINK.ASpyware
SPYW_SITEBAR.ASpyware
ADW_APROPOS.OAdware

Microsoft Vulnerability CheckNo vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 0 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk LevelIssueHow to Fix

Incident Status Location

Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/popmonster No disinfected C:\DOCUMENTS AND SETTINGS\RR\FAVORITES\SHOPPING\Best Buy.url
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/elitebar No disinfected C:\WINDOWS\etb
Adware:adware/wupd No disinfected Windows Registry

#4
Rawe

Posted 06 August 2005 - 06:09 AM

Visiting Staff

Member
4,746 posts

Hi again.

Ok..

Using Windows Explorer, locate the following file & folder, delete if present;

C:\DOCUMENTS AND SETTINGS\RR\FAVORITES\SHOPPING\Best Buy.url
C:\WINDOWS\etb <= Entire Folder

Run CleanUp! and let the system reboot.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directoy as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Disable SpySweeper Shields
- Click Shields on the left.
- Click Internet Explorer and uncheck all items.
- Click Windows System and uncheck all items.
- Click Startup Programs and uncheck all items.
Once the definitions are installed and shields disabled, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Standard
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This program will start to scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Post the SpySweeper and Kaspersky log along with a NEW Panda ActiveScan log.

- Rawe :tazz:

#5
971821

Posted 06 August 2005 - 12:19 PM

Member

Topic Starter
Member
10 posts

Loads of stuff here. Thanks, again for helping.
Results of Spysweep, Kaspersky and Panda:

Spysweep:

11:16 AM: |··· Start of Session, Saturday, August 06, 2005 ···|
11:16 AM: Spy Sweeper started
11:16 AM: Sweep initiated using definitions version 511
11:17 AM: Starting Memory Sweep
11:17 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\reched20.dll". Cannot open file "C:\WINDOWS\SYSTEM32\reched20.dll". The process cannot access the file because it is being used by another process
11:17 AM: Found Adware: icannnews
11:17 AM: Detected running threat: C:\WINDOWS\SYSTEM32\reched20.dll (ID = 51)
11:17 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\tQpi3.dll". Cannot open file "C:\WINDOWS\SYSTEM32\tQpi3.dll". The process cannot access the file because it is being used by another process
11:17 AM: Detected running threat: C:\WINDOWS\SYSTEM32\tQpi3.dll (ID = 51)
11:18 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\reched20.dll". Cannot open file "C:\WINDOWS\SYSTEM32\reched20.dll". The process cannot access the file because it is being used by another process
11:18 AM: Memory Sweep Complete, Elapsed Time: 00:01:30
11:18 AM: Starting Registry Sweep
11:18 AM: Registry Sweep Complete, Elapsed Time:00:00:12
11:18 AM: Starting Cookie Sweep
11:18 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:18 AM: Starting File Sweep
11:19 AM: Warning: Failed to read file "c:\windows\temp\perflib_perfdata_5cc.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
11:19 AM: Found Adware: upspiral toolbar
11:19 AM: 00004782.exe (ID = 82040)
11:20 AM: Warning: Failed to read file "c:\windows\system32\reched20.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
11:21 AM: Warning: Failed to read file "c:\windows\system32\tqpi3.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
11:22 AM: __delete_on_reboot__sarvdeps.dll (ID = 125214)
11:23 AM: Found Adware: begin2search
11:23 AM: 00004798.ico (ID = 51041)
11:23 AM: Found Trojan Horse: trojan-downloader-pacisoft
11:23 AM: 00004424.ico (ID = 113921)
11:23 AM: 00004422.ico (ID = 125992)
11:23 AM: Found Adware: browseraid
11:23 AM: 00004390.xml (ID = 51947)
11:23 AM: 00004420.ico (ID = 113920)
11:23 AM: Found Trojan Horse: downloadul
11:23 AM: 00004807.inf (ID = 59212)
11:23 AM: File Sweep Complete, Elapsed Time: 00:05:06
11:23 AM: Full Sweep has completed. Elapsed time 00:06:59
11:23 AM: Traces Found: 10
11:25 AM: Removal process initiated
11:25 AM: Quarantining All Traces: icannnews
11:25 AM: Warning: Could not create quarantine file for: C:\WINDOWS\SYSTEM32\reched20.dll File locked exclusively. Restoration will not be possible.
11:25 AM: Warning: Could not create quarantine file for: C:\WINDOWS\SYSTEM32\tQpi3.dll File locked exclusively. Restoration will not be possible.
11:25 AM: icannnews is in use. It will be removed on reboot.
11:25 AM: C:\WINDOWS\SYSTEM32\reched20.dll is in use. It will be removed on reboot.
11:25 AM: C:\WINDOWS\SYSTEM32\tQpi3.dll is in use. It will be removed on reboot.
11:25 AM: Quarantining All Traces: upspiral toolbar
11:25 AM: Quarantining All Traces: begin2search
11:25 AM: Quarantining All Traces: trojan-downloader-pacisoft
11:25 AM: Quarantining All Traces: browseraid
11:25 AM: Quarantining All Traces: downloadul
11:25 AM: Warning: Quarantine process could not restart Explorer.
11:26 AM: Removal process completed. Elapsed time 00:01:18
********
10:50 AM: |··· Start of Session, Saturday, August 06, 2005 ···|
10:50 AM: Spy Sweeper started
10:50 AM: Sweep initiated using definitions version 511
10:50 AM: Starting Memory Sweep
10:51 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\tQpi3.dll". Cannot open file "C:\WINDOWS\SYSTEM32\tQpi3.dll". The process cannot access the file because it is being used by another process
10:51 AM: Found Adware: icannnews
10:51 AM: Detected running threat: C:\WINDOWS\SYSTEM32\tQpi3.dll (ID = 51)
10:51 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\nyobjapi.dll". Cannot open file "C:\WINDOWS\SYSTEM32\nyobjapi.dll". The process cannot access the file because it is being used by another process
10:51 AM: Detected running threat: C:\WINDOWS\SYSTEM32\nyobjapi.dll (ID = 51)
10:52 AM: Memory Sweep Complete, Elapsed Time: 00:01:30
10:52 AM: Starting Registry Sweep
10:52 AM: Found Adware: addestroyer
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\vb and vba program settings\addestroyer\ (3 subtraces) (ID = 102749)
10:52 AM: Found Adware: bookedspace
10:52 AM: HKLM\software\configuration manager\cfgmgr52\ (312 subtraces) (ID = 104873)
10:52 AM: Found Adware: browseraid
10:52 AM: HKU\S-1-5-21-1260153011-1797618588-3831952528-1006\software\a70f6a1d-0195-42a2-934c-d8ac0f7c08eb\ (1 subtraces) (ID = 105078)
10:52 AM: Found Adware: cas
10:52 AM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105366)
10:52 AM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105369)
10:52 AM: Found Adware: clearsearch
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
10:52 AM: Found Adware: elitebar
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1010\software\lq\ (5 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1011\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {825cf5bd-8862-4430-b771-0c15c5ca8def} (ID = 125745)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {825cf5bd-8862-4430-b771-0c15c5ca8def} (ID = 125745)
10:52 AM: Found Adware: elitebar searchmiracle hijacker
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\ || searchurl (ID = 125775)
10:52 AM: Found Adware: ieplugin
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\intexp\ (7 subtraces) (ID = 128173)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\intexp\ (2 subtraces) (ID = 128173)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\intexp\ (2 subtraces) (ID = 128173)
10:52 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} (ID = 128178)
10:52 AM: Found Adware: drsnsrch.com hijack
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\main\ || search page (ID = 128207)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\main\ || search page (ID = 128207)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212)
10:52 AM: Found Adware: internetoptimizer
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\avenue media\ (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\avenue media\ (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\avenue media\ (7 subtraces) (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1011\software\avenue media\ (6 subtraces) (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\avenue media\ (11 subtraces) (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\policies\avenue media\ (ID = 128928)
10:52 AM: Found Adware: istbar
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\ist\ (1 subtraces) (ID = 129108)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\ist\ (5 subtraces) (ID = 129108)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\ist\ (1 subtraces) (ID = 129108)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\ist\ (1 subtraces) (ID = 129108)
10:52 AM: Found Adware: lopdotcom
10:52 AM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || aida (ID = 130496)
10:52 AM: Found Adware: 180search assistant/zango
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\sais\ (11 subtraces) (ID = 135790)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\sais\ (14 subtraces) (ID = 135790)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\sais\ (22 subtraces) (ID = 135790)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\sais\ (19 subtraces) (ID = 135790)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\salm\ (11 subtraces) (ID = 135792)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1011\software\salm\ (19 subtraces) (ID = 135792)
10:52 AM: Found Trojan Horse: trojan-downloader-pacisoft
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\psof1\ (15 subtraces) (ID = 136530)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\psof1\ (16 subtraces) (ID = 136530)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\psof1\ (2 subtraces) (ID = 136530)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\psof1\ (2 subtraces) (ID = 136530)
10:52 AM: Found Adware: powerscan
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\powerscan\ (ID = 136823)
10:52 AM: Found Adware: redzip toolbar
10:52 AM: HKU\S-1-5-21-1260153011-1797618588-3831952528-1006\software\microsoft\windows\currentversion\explorer\ || insid (ID = 139328)
10:52 AM: Found System Monitor: sc-keylog
10:52 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\explorer\ (6 subtraces) (ID = 140468)
10:52 AM: Found Adware: searchtoolbar
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\ (3 subtraces) (ID = 141347)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1010\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\ (3 subtraces) (ID = 141347)
10:52 AM: Found Adware: bho_sidefind
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
10:52 AM: HKU\S-1-5-21-1260153011-1797618588-3831952528-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: Found Adware: surfsidekick
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\surfsidekick3\ (3 subtraces) (ID = 143412)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\surfsidekick3\ (3 subtraces) (ID = 143412)
10:52 AM: Found Trojan Horse: trojan-backdoor-soundcheck
10:52 AM: HKLM\system\currentcontrolset\services\msdirectx\ (7 subtraces) (ID = 144200)
10:52 AM: Found Adware: virtualbouncer
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\vb and vba program settings\vbouncer\ (8 subtraces) (ID = 145564)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\vb and vba program settings\vbouncer\ (8 subtraces) (ID = 145564)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\vb and vba program settings\vbouncer\ (7 subtraces) (ID = 145564)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\vb and vba program settings\vbouncer\ (7 subtraces) (ID = 145564)
10:52 AM: Found Adware: winad
10:52 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
10:52 AM: Found Adware: yoursitebar
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {86227d9c-0efe-4f8a-aa55-30386a3f5686} (ID = 147853)
10:52 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
10:52 AM: HKLM\software\yoursitebar\ (6 subtraces) (ID = 147860)
10:52 AM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
10:52 AM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
10:52 AM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
10:52 AM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
10:52 AM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
10:52 AM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
10:52 AM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
10:52 AM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169463)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\cas\client\ (11 subtraces) (ID = 359309)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\cas\client\ (11 subtraces) (ID = 359309)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\windows\currentversion\run\ || cas client (ID = 359312)
10:52 AM: Found Adware: shopnavupdater
10:52 AM: HKCR\snb.band\ (5 subtraces) (ID = 359491)
10:52 AM: HKCR\sntb.bottomframe\ (5 subtraces) (ID = 359492)
10:52 AM: HKCR\sntb.leftframe\ (5 subtraces) (ID = 359493)
10:52 AM: HKCR\sntb.popupbrowser\ (5 subtraces) (ID = 359494)
10:52 AM: HKCR\sntb.popupwindow\ (5 subtraces) (ID = 359495)
10:52 AM: HKLM\software\classes\snb.band\ (5 subtraces) (ID = 359501)
10:52 AM: HKLM\software\classes\sntb.bottomframe\ (5 subtraces) (ID = 359502)
10:52 AM: HKLM\software\classes\sntb.leftframe\ (5 subtraces) (ID = 359503)
10:52 AM: HKLM\software\classes\sntb.popupbrowser\ (5 subtraces) (ID = 359505)
10:52 AM: HKLM\software\classes\sntb.popupwindow\ (5 subtraces) (ID = 359507)
10:52 AM: HKLM\software\classes\typelib\{46bd3f46-6e46-43d2-a69d-fd8c05044475}\ (9 subtraces) (ID = 359508)
10:52 AM: HKCR\typelib\{46bd3f46-6e46-43d2-a69d-fd8c05044475}\ (9 subtraces) (ID = 359513)
10:52 AM: Found Adware: abetterinternet
10:52 AM: HKLM\software\classes\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 359756)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\aurorahandler\ (3 subtraces) (ID = 360172)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\aurorahandler\ (21 subtraces) (ID = 360172)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\aurora\ (1 subtraces) (ID = 360174)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\aurora\ (1 subtraces) (ID = 360174)
10:52 AM: Found Adware: rich editor
10:52 AM: HKCR\lowsol.richeditor\ (5 subtraces) (ID = 372961)
10:52 AM: HKCR\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373009)
10:52 AM: HKLM\software\microsoft\windows\currentversion\app paths\richedtr\ (2 subtraces) (ID = 373109)
10:52 AM: HKLM\software\microsoft\windows\currentversion\app paths\richup\ || path (ID = 373114)
10:52 AM: HKLM\software\riched\ (12 subtraces) (ID = 373158)
10:52 AM: HKLM\software\classes\lowsol.richeditor\ (5 subtraces) (ID = 373176)
10:52 AM: HKLM\software\classes\typelib\{33add70f-53ab-4f97-b4b6-997881820f6d}\ (9 subtraces) (ID = 373224)
10:52 AM: HKCR\interface\{544b6a3f-4024-4403-9661-69b8410be505}\ (8 subtraces) (ID = 479497)
10:52 AM: HKCR\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 480791)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\aurorahandler\ (3 subtraces) (ID = 480802)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\aurorahandler\ (21 subtraces) (ID = 480802)
10:52 AM: Found Adware: drsnsrch hijacker
10:52 AM: HKU\S-1-5-21-1260153011-1797618588-3831952528-1006\software\dsrch\ (11 subtraces) (ID = 509156)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\aurorahandler\ || aut9i1m4eofsfinalad (ID = 512963)
10:52 AM: Registry Sweep Complete, Elapsed Time:00:00:16
10:52 AM: Starting Cookie Sweep
10:52 AM: Found Spy Cookie: abetterinternet cookie
10:52 AM: sr@abetterinternet[2].txt (ID = 2035)
10:52 AM: Found Spy Cookie: yieldmanager cookie
10:52 AM: [email protected][1].txt (ID = 3751)
10:52 AM: Found Spy Cookie: hbmediapro cookie
10:52 AM: [email protected][2].txt (ID = 2768)
10:52 AM: Found Spy Cookie: atwola cookie
10:52 AM: sr@atwola[1].txt (ID = 2255)
10:52 AM: Found Spy Cookie: a cookie
10:52 AM: sr@a[2].txt (ID = 2027)
10:52 AM: Found Spy Cookie: belnk cookie
10:52 AM: sr@belnk[1].txt (ID = 2292)
10:52 AM: Found Spy Cookie: btgrab cookie
10:52 AM: [email protected][2].txt (ID = 2333)
10:52 AM: Found Spy Cookie: classmates cookie
10:52 AM: sr@classmates[1].txt (ID = 2384)
10:52 AM: Found Spy Cookie: cliks cookie
10:52 AM: sr@cliks[2].txt (ID = 2414)
10:52 AM: [email protected][2].txt (ID = 2293)
10:52 AM: Found Spy Cookie: webservicehosts cookie
10:52 AM: [email protected][2].txt (ID = 3663)
10:52 AM: Found Spy Cookie: kmpads cookie
10:52 AM: sr@kmpads[2].txt (ID = 2909)
10:52 AM: Found Spy Cookie: offeroptimizer cookie
10:52 AM: sr@offeroptimizer[2].txt (ID = 3087)
10:52 AM: Found Spy Cookie: touchclarity cookie
10:52 AM: [email protected][1].txt (ID = 3567)
10:52 AM: Found Spy Cookie: partypoker cookie
10:52 AM: sr@partypoker[2].txt (ID = 3111)
10:52 AM: Found Spy Cookie: 64.62.232 cookie
10:52 AM: [email protected][1].txt (ID = 1987)
10:52 AM: [email protected][2].txt (ID = 1987)
10:52 AM: [email protected][3].txt (ID = 1987)
10:52 AM: [email protected][4].txt (ID = 1987)
10:52 AM: [email protected][6].txt (ID = 1987)
10:52 AM: Found Spy Cookie: about cookie
10:52 AM: crr@about[1].txt (ID = 2037)
10:52 AM: [email protected][2].txt (ID = 3751)
10:52 AM: Found Spy Cookie: adknowledge cookie
10:52 AM: crr@adknowledge[1].txt (ID = 2072)
10:52 AM: [email protected][2].txt (ID = 2768)
10:52 AM: Found Spy Cookie: hotbar cookie
10:52 AM: [email protected][2].txt (ID = 4207)
10:52 AM: Found Spy Cookie: searchingbooth cookie
10:52 AM: [email protected][2].txt (ID = 3322)
10:52 AM: Found Spy Cookie: aff01511 cookie
10:52 AM: crr@aff01511[1].txt (ID = 2185)
10:52 AM: Found Spy Cookie: aff6007 cookie
10:52 AM: crr@aff6007[1].txt (ID = 2193)
10:52 AM: Found Spy Cookie: deskwizz cookie
10:52 AM: [email protected][1].txt (ID = 2518)
10:52 AM: Found Spy Cookie: ask cookie
10:52 AM: crr@ask[1].txt (ID = 2245)
10:52 AM: [email protected][2].txt (ID = 2293)
10:52 AM: crr@atwola[1].txt (ID = 2255)
10:52 AM: Found Spy Cookie: azjmp cookie
10:52 AM: crr@azjmp[2].txt (ID = 2270)
10:52 AM: [email protected][1].txt (ID = 3322)
10:52 AM: crr@belnk[1].txt (ID = 2292)
10:52 AM: Found Spy Cookie: burstnet cookie
10:52 AM: crr@burstnet[2].txt (ID = 2336)
10:52 AM: Found Spy Cookie: top-banners cookie
10:52 AM: [email protected][1].txt (ID = 3548)
10:52 AM: crr@classmates[2].txt (ID = 2384)
10:52 AM: Found Spy Cookie: directtrack cookie
10:52 AM: crr@directtrack[1].txt (ID = 2527)
10:52 AM: [email protected][1].txt (ID = 2293)
10:52 AM: [email protected][2].txt (ID = 3663)
10:52 AM: Found Spy Cookie: dutchmen cookie
10:52 AM: crr@Dutchmen[1].txt (ID = 2545)
10:52 AM: Found Spy Cookie: go.com cookie
10:52 AM: [email protected][1].txt (ID = 2729)
10:52 AM: Found Spy Cookie: exitexchange cookie
10:52 AM: crr@exitexchange[1].txt (ID = 2633)
10:52 AM: [email protected][1].txt (ID = 2038)
10:52 AM: crr@go[2].txt (ID = 2728)
10:52 AM: Found Spy Cookie: spywarelabs install cookie
10:52 AM: [email protected][1].txt (ID = 3421)
10:52 AM: crr@kmpads[2].txt (ID = 2909)
10:52 AM: Found Spy Cookie: zango cookie
10:52 AM: [email protected][1].txt (ID = 3761)
10:52 AM: [email protected][1].txt (ID = 3548)
10:52 AM: Found Spy Cookie: mygeek cookie
10:52 AM: crr@mygeek[1].txt (ID = 3041)
10:52 AM: Found Spy Cookie: aptimus cookie
10:52 AM: [email protected][2].txt (ID = 2235)
10:52 AM: crr@offeroptimizer[1].txt (ID = 3087)
10:52 AM: [email protected][2].txt (ID = 3567)
10:52 AM: crr@partypoker[1].txt (ID = 3111)
10:52 AM: Found Spy Cookie: paypopup cookie
10:52 AM: crr@paypopup[1].txt (ID = 3119)
10:52 AM: Found Spy Cookie: rednova cookie
10:52 AM: crr@rednova[1].txt (ID = 3245)
10:52 AM: [email protected][2].txt (ID = 2528)
10:52 AM: [email protected][1].txt (ID = 2729)
10:52 AM: [email protected][1].txt (ID = 2729)
10:52 AM: Found Spy Cookie: reliablestats cookie
10:52 AM: [email protected][1].txt (ID = 3254)
10:52 AM: Found Spy Cookie: tracking cookie
10:52 AM: crr@tracking[2].txt (ID = 3571)
10:52 AM: Found Spy Cookie: epilot cookie
10:52 AM: [email protected][1].txt (ID = 2622)
10:52 AM: Found Spy Cookie: finditlive cookie
10:52 AM: [email protected][2].txt (ID = 2671)
10:52 AM: Found Spy Cookie: jumptothat cookie
10:52 AM: [email protected][2].txt (ID = 2894)
10:52 AM: Found Spy Cookie: letitfind cookie
10:52 AM: [email protected][1].txt (ID = 2919)
10:52 AM: Found Spy Cookie: seek-media cookie
10:52 AM: [email protected][2].txt (ID = 3328)
10:52 AM: Found Spy Cookie: seek-zone cookie
10:52 AM: [email protected][1].txt (ID = 3330)
10:52 AM: Found Spy Cookie: sidefind cookie
10:52 AM: [email protected][2].txt (ID = 3374)
10:52 AM: Found Spy Cookie: wesearchall cookie
10:52 AM: [email protected][1].txt (ID = 3684)
10:52 AM: Found Spy Cookie: ysbweb cookie
10:52 AM: crr@ysbweb[1].txt (ID = 3756)
10:52 AM: Found Spy Cookie: websponsors cookie
10:52 AM: [email protected][2].txt (ID = 3665)
10:52 AM: [email protected][2].txt (ID = 3751)
10:52 AM: rjr@adknowledge[2].txt (ID = 2072)
10:52 AM: [email protected][1].txt (ID = 2768)
10:52 AM: [email protected][1].txt (ID = 2293)
10:52 AM: rjr@atwola[2].txt (ID = 2255)
10:52 AM: rjr@belnk[2].txt (ID = 2292)
10:52 AM: [email protected][1].txt (ID = 2293)
10:52 AM: Found Spy Cookie: clickandtrack cookie
10:52 AM: [email protected][2].txt (ID = 2397)
10:52 AM: Found Spy Cookie: com.com cookie
10:52 AM: [email protected][2].txt (ID = 2446)
10:52 AM: rjr@mygeek[1].txt (ID = 3041)
10:52 AM: [email protected][2].txt (ID = 3567)
10:52 AM: rjr@partypoker[2].txt (ID = 3111)
10:52 AM: Found Spy Cookie: rn11 cookie
10:52 AM: rjr@rn11[2].txt (ID = 3261)
10:52 AM: Found Spy Cookie: rightmedia cookie
10:52 AM: jay@rightmedia[2].txt (ID = 3259)
10:52 AM: Cookie Sweep Complete, Elapsed Time: 00:00:05
10:52 AM: Starting File Sweep
10:52 AM: c:\documents and settings\crr\start menu\programs\power scan (1 subtraces) (ID = -2147480462)
10:52 AM: c:\documents and settings\crr\start menu\programs\addestroyer (1 subtraces) (ID = -2147481465)
10:52 AM: Found Adware: apropos
10:52 AM: c:\documents and settings\crr\local settings\temp\autoupdate0 (2 subtraces) (ID = -2147481415)
10:52 AM: Found Trojan Horse: trojan-downloader-bookedspace
10:52 AM: c:\windows\cfgmgr52 (95 subtraces) (ID = -2147479590)
10:52 AM: c:\documents and settings\crr\start menu\programs\virtual bouncer (3 subtraces) (ID = -2147480099)
10:52 AM: Found Adware: savenow - whenusave
10:52 AM: c:\documents and settings\crr\start menu\programs\whenu (3 subtraces) (ID = -2147480383)
10:52 AM: aurora[1].exe (ID = 115288)
10:52 AM: aurora[1].exe (ID = 115288)
10:52 AM: 00002179.dll (ID = 109657)
10:53 AM: 00002180.dll (ID = 109658)
10:53 AM: Found Adware: ezula ilookup
10:53 AM: b.com (ID = 60398)
10:53 AM: cassetup.exe (ID = 107221)
10:53 AM: istsvc[1].exe (ID = 107294)
10:53 AM: activex[1].ocx (ID = 93701)
10:53 AM: istrecover[1].exe (ID = 64496)
10:53 AM: poller[1].exe (ID = 116487)
10:53 AM: aurora[1].exe (ID = 115288)
10:53 AM: svcproc[1].exe (ID = 83533)
10:53 AM: sskknwrd.dll (ID = 77733)
10:53 AM: virtual bouncer.lnk (ID = 82843)
10:53 AM: Found Adware: java byteverify
10:53 AM: classload[1].jar (ID = 64817)
10:53 AM: Found Trojan Horse: trojan downloader pops-stop
10:53 AM: thin_installer[1].exe (ID = 109660)
10:53 AM: addestroyer.lnk (ID = 49032)
10:53 AM: addestroyer.lnk (ID = 49032)
10:53 AM: Found Adware: upspiral toolbar
10:53 AM: unist2.exe (ID = 82040)
10:53 AM: 00002178.exe (ID = 109659)
10:53 AM: Found Adware: navisearch
10:53 AM: nls8039[1].exe (ID = 111973)
10:53 AM: Found Trojan Horse: trojan-downloader-mainstreamdollars
10:53 AM: 00002183.exe (ID = 107491)
10:53 AM: drpmon[1].dll (ID = 83270)
10:53 AM: 0006_regular[1].cab (ID = 64478)
10:53 AM: protector[1].exe (ID = 59987)
10:53 AM: thin_installer.exe (ID = 109660)
10:53 AM: pcs_0029[1].exe (ID = 71761)
10:53 AM: 00002160.exe (ID = 95082)
10:53 AM: appwrap[1].exe (ID = 122598)
10:53 AM: banner.exe (ID = 83143)
10:53 AM: installer[1].exe (ID = 115471)
10:54 AM: Found Adware: cashback
10:54 AM: cb8040f[1].exe (ID = 110793)
10:54 AM: Found Adware: shopathomeselect
10:54 AM: sahinstaller[1].exe (ID = 115290)
10:54 AM: Found Adware: bargain buddy
10:54 AM: installer_marketing32.exe (ID = 50685)
10:54 AM: xboxab[1].ico (ID = 113921)
10:54 AM: sony%20psp1[1].ico (ID = 125992)
10:54 AM: 00002176.exe (ID = 113942)
10:54 AM: ssk3_b5 seedcorn 4.exe (ID = 77679)
10:54 AM: Found Adware: begin2search
10:54 AM: pinkkas21[1].ico (ID = 51041)
10:54 AM: guard.tmp (ID = 125214)
10:54 AM: virushunter4[1].ico (ID = 113920)
10:54 AM: aurorahandler[1].dll (ID = 111237)
10:54 AM: stubinstaller5041[1].ex_ (ID = 107355)
10:54 AM: abiuninst[1].exe (ID = 83089)
10:54 AM: abiuninst[1].htm (ID = 83087)
10:54 AM: mediagateway2 (ID = 121286)
10:54 AM: aproposclientinstaller[1].exe (ID = 116631)
10:54 AM: del5e.tmp (ID = 107355)
10:54 AM: istdownload[1].exe (ID = 110330)
10:54 AM: iinstall.exe (ID = 110330)
10:54 AM: ssk3_b5 seedcorn 4.exe (ID = 77679)
10:54 AM: sidefind[1].exe (ID = 107461)
10:54 AM: sidefind.exe (ID = 107461)
10:54 AM: sahagent[1].exe (ID = 115273)
10:54 AM: setup.inf (ID = 50158)
10:54 AM: umqltg4cl_.exe (ID = 75603)
10:54 AM: asfjkk32.tmp (ID = 109659)
10:55 AM: wrapperouter.exe (ID = 82854)
10:55 AM: webplugin[1].cab (ID = 107277)
10:55 AM: 00004367.exe (ID = 60440)
10:55 AM: 00002164.dll (ID = 120160)
10:55 AM: del156.tmp (ID = 107355)
10:55 AM: wrapperouter.exe (ID = 82854)
10:55 AM: mediagateway2 (ID = 121286)
10:55 AM: sskknwrd.dll (ID = 77733)
10:55 AM: aurora.exe (ID = 115288)
10:55 AM: Warning: Failed to read file "c:\windows\system32\tqpi3.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
10:55 AM: res157.tmp (ID = 107353)
10:55 AM: thinst94-1inst[1].exe (ID = 120269)
10:55 AM: resc.tmp (ID = 93785)
10:56 AM: appwrap[2].exe (ID = 114110)
10:56 AM: auf0.exe (ID = 116631)
10:56 AM: 00002172.exe (ID = 93622)
10:56 AM: Found Adware: clkoptimizer
10:56 AM: f178205593.exe (ID = 93646)
10:56 AM: cassetup.exe (ID = 107221)
10:56 AM: cassetup[1].exe (ID = 107221)
10:56 AM: ysb_regular[1].cab (ID = 121230)
10:56 AM: aurora[1].exe (ID = 115288)
10:56 AM: pcs_0006[1].exe (ID = 71761)
10:56 AM: 00002182.dll (ID = 75991)
10:56 AM: thin_installer.exe (ID = 109660)
10:56 AM: ysb[1].dll (ID = 91036)
10:57 AM: auto_update_install.exe (ID = 50058)
10:57 AM: 00002161.exe (ID = 120161)
10:57 AM: 180sainstallersilsais1.exe (ID = 107349)
10:57 AM: appwrap[1].exe (ID = 60398)
10:57 AM: autoupdaterinstaller[1].exe (ID = 50055)
10:57 AM: sidefind13[1].dll (ID = 76049)
10:57 AM: power scan.lnk (ID = 72676)
10:57 AM: res5f.tmp (ID = 107353)
10:57 AM: optimize[1].exe (ID = 64089)
10:57 AM: optimize.exe (ID = 64089)
10:57 AM: bb[1].exe (ID = 50567)
10:57 AM: bb.exe (ID = 50567)
10:57 AM: package_marketing27[1].exe (ID = 110382)
10:57 AM: pinkkas21.ico (ID = 51041)
10:57 AM: xboxab.ico (ID = 113921)
10:57 AM: sony psp1.ico (ID = 125992)
10:57 AM: stlb2.xml (ID = 51947)
10:57 AM: sahagent.exe (ID = 75884)
10:57 AM: virushunter4.ico (ID = 113920)
10:57 AM: sfbho13[1].dll (ID = 76029)
10:57 AM: Warning: Failed to read file "c:\windows\system32\nyobjapi.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
10:57 AM: 180sainstallernusalm.exe (ID = 93780)
10:57 AM: f87437437.exe (ID = 93646)
10:57 AM: sskcwrd.dll (ID = 77712)
10:57 AM: sskcwrd.dll (ID = 77712)
10:57 AM: Found Adware: sexfiles dialers
10:57 AM: dating.lnk (ID = 75396)
10:57 AM: Found Adware: moneytree
10:57 AM: nem220[1].dll (ID = 64043)
10:57 AM: Found Trojan Horse: topconverting downloader
10:57 AM: website[1].ocx (ID = 79658)
10:57 AM: Found Trojan Horse: downloadul
10:57 AM: ckwsfqqk.inf (ID = 59212)
10:57 AM: Found Adware: gain-supported software
10:57 AM: bundle.inf (ID = 61287)
10:57 AM: setup.inf (ID = 50870)
10:57 AM: auto_update[1].txt (ID = 50056)
10:57 AM: sf[1].txt (ID = 110126)
10:57 AM: nls[1].cfg (ID = 114713)
10:58 AM: File Sweep Complete, Elapsed Time: 00:05:40
10:58 AM: Full Sweep has completed. Elapsed time 00:07:42
10:58 AM: Traces Found: 1394
11:06 AM: Removal process initiated
11:07 AM: Quarantining All Traces: icannnews
11:07 AM: Warning: Could not create quarantine file for: C:\WINDOWS\SYSTEM32\tQpi3.dll File locked exclusively. Restoration will not be possible.
11:07 AM: Warning: Could not create quarantine file for: C:\WINDOWS\SYSTEM32\nyobjapi.dll File locked exclusively. Restoration will not be possible.
11:07 AM: icannnews is in use. It will be removed on reboot.
11:07 AM: C:\WINDOWS\SYSTEM32\tQpi3.dll is in use. It will be removed on reboot.
11:07 AM: C:\WINDOWS\SYSTEM32\nyobjapi.dll is in use. It will be removed on reboot.
11:07 AM: Quarantining All Traces: addestroyer
11:07 AM: Quarantining All Traces: bookedspace
11:07 AM: Quarantining All Traces: browseraid
11:07 AM: Quarantining All Traces: cas
11:07 AM: Quarantining All Traces: clearsearch
11:07 AM: Quarantining All Traces: elitebar
11:07 AM: Quarantining All Traces: elitebar searchmiracle hijacker
11:07 AM: Quarantining All Traces: ieplugin
11:07 AM: Quarantining All Traces: drsnsrch.com hijack
11:07 AM: Quarantining All Traces: internetoptimizer
11:07 AM: Quarantining All Traces: istbar
11:07 AM: Quarantining All Traces: lopdotcom
11:07 AM: Quarantining All Traces: 180search assistant/zango
11:08 AM: Quarantining All Traces: trojan-downloader-pacisoft
11:08 AM: Quarantining All Traces: powerscan
11:08 AM: Quarantining All Traces: redzip toolbar
11:08 AM: Quarantining All Traces: sc-keylog
11:08 AM: Quarantining All Traces: searchtoolbar
11:08 AM: Quarantining All Traces: bho_sidefind
11:08 AM: Quarantining All Traces: surfsidekick
11:08 AM: Quarantining All Traces: trojan-backdoor-soundcheck
11:08 AM: Quarantining All Traces: virtualbouncer
11:08 AM: Quarantining All Traces: winad
11:08 AM: Quarantining All Traces: yoursitebar
11:08 AM: Quarantining All Traces: shopnavupdater
11:08 AM: Quarantining All Traces: abetterinternet
11:08 AM: Quarantining All Traces: rich editor
11:08 AM: Quarantining All Traces: drsnsrch hijacker
11:08 AM: Quarantining All Traces: abetterinternet cookie
11:08 AM: Quarantining All Traces: yieldmanager cookie
11:08 AM: Quarantining All Traces: hbmediapro cookie
11:08 AM: Quarantining All Traces: atwola cookie
11:08 AM: Quarantining All Traces: a cookie
11:08 AM: Quarantining All Traces: belnk cookie
11:08 AM: Quarantining All Traces: btgrab cookie
11:08 AM: Quarantining All Traces: classmates cookie
11:08 AM: Quarantining All Traces: cliks cookie
11:08 AM: Quarantining All Traces: webservicehosts cookie
11:08 AM: Quarantining All Traces: kmpads cookie
11:08 AM: Quarantining All Traces: offeroptimizer cookie
11:08 AM: Quarantining All Traces: touchclarity cookie
11:08 AM: Quarantining All Traces: partypoker cookie
11:08 AM: Quarantining All Traces: 64.62.232 cookie
11:08 AM: Quarantining All Traces: about cookie
11:08 AM: Quarantining All Traces: adknowledge cookie
11:08 AM: Quarantining All Traces: hotbar cookie
11:08 AM: Quarantining All Traces: searchingbooth cookie
11:08 AM: Quarantining All Traces: aff01511 cookie
11:08 AM: Quarantining All Traces: aff6007 cookie
11:08 AM: Quarantining All Traces: deskwizz cookie
11:08 AM: Quarantining All Traces: ask cookie
11:08 AM: Quarantining All Traces: azjmp cookie
11:08 AM: Quarantining All Traces: burstnet cookie
11:08 AM: Quarantining All Traces: top-banners cookie
11:08 AM: Quarantining All Traces: directtrack cookie
11:08 AM: Quarantining All Traces: dutchmen cookie
11:08 AM: Quarantining All Traces: go.com cookie
11:08 AM: Quarantining All Traces: exitexchange cookie
11:08 AM: Quarantining All Traces: spywarelabs install cookie
11:08 AM: Quarantining All Traces: zango cookie
11:08 AM: Quarantining All Traces: mygeek cookie
11:08 AM: Quarantining All Traces: aptimus cookie
11:08 AM: Quarantining All Traces: paypopup cookie
11:08 AM: Quarantining All Traces: rednova cookie
11:08 AM: Quarantining All Traces: reliablestats cookie
11:08 AM: Quarantining All Traces: tracking cookie
11:08 AM: Quarantining All Traces: epilot cookie
11:08 AM: Quarantining All Traces: finditlive cookie
11:08 AM: Quarantining All Traces: jumptothat cookie
11:08 AM: Quarantining All Traces: letitfind cookie
11:08 AM: Quarantining All Traces: seek-media cookie
11:08 AM: Quarantining All Traces: seek-zone cookie
11:08 AM: Quarantining All Traces: sidefind cookie
11:08 AM: Quarantining All Traces: wesearchall cookie
11:08 AM: Quarantining All Traces: ysbweb cookie
11:08 AM: Quarantining All Traces: websponsors cookie
11:08 AM: Quarantining All Traces: clickandtrack cookie
11:08 AM: Quarantining All Traces: com.com cookie
11:08 AM: Quarantining All Traces: rn11 cookie
11:08 AM: Quarantining All Traces: rightmedia cookie
11:08 AM: Quarantining All Traces: apropos
11:09 AM: Quarantining All Traces: trojan-downloader-bookedspace
11:09 AM: Quarantining All Traces: savenow - whenusave
11:09 AM: Quarantining All Traces: ezula ilookup
11:09 AM: Quarantining All Traces: java byteverify
11:09 AM: Quarantining All Traces: trojan downloader pops-stop
11:09 AM: Quarantining All Traces: upspiral toolbar
11:09 AM: Quarantining All Traces: navisearch
11:09 AM: Quarantining All Traces: trojan-downloader-mainstreamdollars
11:09 AM: Quarantining All Traces: cashback
11:09 AM: Quarantining All Traces: shopathomeselect
11:09 AM: Quarantining All Traces: bargain buddy
11:09 AM: Quarantining All Traces: begin2search
11:09 AM: Quarantining All Traces: clkoptimizer
11:09 AM: Quarantining All Traces: sexfiles dialers
11:09 AM: Quarantining All Traces: moneytree
11:09 AM: Quarantining All Traces: topconverting downloader
11:09 AM: Quarantining All Traces: downloadul
11:09 AM: Quarantining All Traces: gain-supported software
11:09 AM: Warning: Quarantine could not read registry value for HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\aurorahandler\aut9i1m4eofsfinalad\. Failed to export registry value "WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\aurorahandler\aut9i1m4eofsfinalad". Key/Value does not exist
11:11 AM: Removal process completed. Elapsed time 00:04:48
********

Kaspersky:

10:49 AM: |··· Start of Session, Saturday, August 06, 2005 ···|
10:49 AM: Spy Sweeper started
10:49 AM: Your spyware definitions have been updated.
10:50 AM: |··· End of Session, Saturday, August 06, 2005 ···|
11:16 AM: |··· Start of Session, Saturday, August 06, 2005 ···|
11:16 AM: Spy Sweeper started
11:16 AM: Sweep initiated using definitions version 511
11:17 AM: Starting Memory Sweep
11:17 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\reched20.dll". Cannot open file "C:\WINDOWS\SYSTEM32\reched20.dll". The process cannot access the file because it is being used by another process
11:17 AM: Found Adware: icannnews
11:17 AM: Detected running threat: C:\WINDOWS\SYSTEM32\reched20.dll (ID = 51)
11:17 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\tQpi3.dll". Cannot open file "C:\WINDOWS\SYSTEM32\tQpi3.dll". The process cannot access the file because it is being used by another process
11:17 AM: Detected running threat: C:\WINDOWS\SYSTEM32\tQpi3.dll (ID = 51)
11:18 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\reched20.dll". Cannot open file "C:\WINDOWS\SYSTEM32\reched20.dll". The process cannot access the file because it is being used by another process
11:18 AM: Memory Sweep Complete, Elapsed Time: 00:01:30
11:18 AM: Starting Registry Sweep
11:18 AM: Registry Sweep Complete, Elapsed Time:00:00:12
11:18 AM: Starting Cookie Sweep
11:18 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:18 AM: Starting File Sweep
11:19 AM: Warning: Failed to read file "c:\windows\temp\perflib_perfdata_5cc.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
11:19 AM: Found Adware: upspiral toolbar
11:19 AM: 00004782.exe (ID = 82040)
11:20 AM: Warning: Failed to read file "c:\windows\system32\reched20.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
11:21 AM: Warning: Failed to read file "c:\windows\system32\tqpi3.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
11:22 AM: __delete_on_reboot__sarvdeps.dll (ID = 125214)
11:23 AM: Found Adware: begin2search
11:23 AM: 00004798.ico (ID = 51041)
11:23 AM: Found Trojan Horse: trojan-downloader-pacisoft
11:23 AM: 00004424.ico (ID = 113921)
11:23 AM: 00004422.ico (ID = 125992)
11:23 AM: Found Adware: browseraid
11:23 AM: 00004390.xml (ID = 51947)
11:23 AM: 00004420.ico (ID = 113920)
11:23 AM: Found Trojan Horse: downloadul
11:23 AM: 00004807.inf (ID = 59212)
11:23 AM: File Sweep Complete, Elapsed Time: 00:05:06
11:23 AM: Full Sweep has completed. Elapsed time 00:06:59
11:23 AM: Traces Found: 10
11:25 AM: Removal process initiated
11:25 AM: Quarantining All Traces: icannnews
11:25 AM: Warning: Could not create quarantine file for: C:\WINDOWS\SYSTEM32\reched20.dll File locked exclusively. Restoration will not be possible.
11:25 AM: Warning: Could not create quarantine file for: C:\WINDOWS\SYSTEM32\tQpi3.dll File locked exclusively. Restoration will not be possible.
11:25 AM: icannnews is in use. It will be removed on reboot.
11:25 AM: C:\WINDOWS\SYSTEM32\reched20.dll is in use. It will be removed on reboot.
11:25 AM: C:\WINDOWS\SYSTEM32\tQpi3.dll is in use. It will be removed on reboot.
11:25 AM: Quarantining All Traces: upspiral toolbar
11:25 AM: Quarantining All Traces: begin2search
11:25 AM: Quarantining All Traces: trojan-downloader-pacisoft
11:25 AM: Quarantining All Traces: browseraid
11:25 AM: Quarantining All Traces: downloadul
11:25 AM: Warning: Quarantine process could not restart Explorer.
11:26 AM: Removal process completed. Elapsed time 00:01:18
********
10:50 AM: |··· Start of Session, Saturday, August 06, 2005 ···|
10:50 AM: Spy Sweeper started
10:50 AM: Sweep initiated using definitions version 511
10:50 AM: Starting Memory Sweep
10:51 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\tQpi3.dll". Cannot open file "C:\WINDOWS\SYSTEM32\tQpi3.dll". The process cannot access the file because it is being used by another process
10:51 AM: Found Adware: icannnews
10:51 AM: Detected running threat: C:\WINDOWS\SYSTEM32\tQpi3.dll (ID = 51)
10:51 AM: Warning: Failed to check file "C:\WINDOWS\SYSTEM32\nyobjapi.dll". Cannot open file "C:\WINDOWS\SYSTEM32\nyobjapi.dll". The process cannot access the file because it is being used by another process
10:51 AM: Detected running threat: C:\WINDOWS\SYSTEM32\nyobjapi.dll (ID = 51)
10:52 AM: Memory Sweep Complete, Elapsed Time: 00:01:30
10:52 AM: Starting Registry Sweep
10:52 AM: Found Adware: addestroyer
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\vb and vba program settings\addestroyer\ (3 subtraces) (ID = 102749)
10:52 AM: Found Adware: bookedspace
10:52 AM: HKLM\software\configuration manager\cfgmgr52\ (312 subtraces) (ID = 104873)
10:52 AM: Found Adware: browseraid
10:52 AM: HKU\S-1-5-21-1260153011-1797618588-3831952528-1006\software\a70f6a1d-0195-42a2-934c-d8ac0f7c08eb\ (1 subtraces) (ID = 105078)
10:52 AM: Found Adware: cas
10:52 AM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105366)
10:52 AM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105369)
10:52 AM: Found Adware: clearsearch
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
10:52 AM: Found Adware: elitebar
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1010\software\lq\ (5 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1011\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\lq\ (22 subtraces) (ID = 125741)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {825cf5bd-8862-4430-b771-0c15c5ca8def} (ID = 125745)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {825cf5bd-8862-4430-b771-0c15c5ca8def} (ID = 125745)
10:52 AM: Found Adware: elitebar searchmiracle hijacker
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\ || searchurl (ID = 125775)
10:52 AM: Found Adware: ieplugin
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\intexp\ (7 subtraces) (ID = 128173)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\intexp\ (2 subtraces) (ID = 128173)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\intexp\ (2 subtraces) (ID = 128173)
10:52 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} (ID = 128178)
10:52 AM: Found Adware: drsnsrch.com hijack
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\main\ || search page (ID = 128207)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\main\ || search page (ID = 128207)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 128212)
10:52 AM: Found Adware: internetoptimizer
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\avenue media\ (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\avenue media\ (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\avenue media\ (7 subtraces) (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1011\software\avenue media\ (6 subtraces) (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\avenue media\ (11 subtraces) (ID = 128887)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\policies\avenue media\ (ID = 128928)
10:52 AM: Found Adware: istbar
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\ist\ (1 subtraces) (ID = 129108)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\ist\ (5 subtraces) (ID = 129108)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\ist\ (1 subtraces) (ID = 129108)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\ist\ (1 subtraces) (ID = 129108)
10:52 AM: Found Adware: lopdotcom
10:52 AM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || aida (ID = 130496)
10:52 AM: Found Adware: 180search assistant/zango
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\sais\ (11 subtraces) (ID = 135790)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\sais\ (14 subtraces) (ID = 135790)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\sais\ (22 subtraces) (ID = 135790)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\sais\ (19 subtraces) (ID = 135790)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\salm\ (11 subtraces) (ID = 135792)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1011\software\salm\ (19 subtraces) (ID = 135792)
10:52 AM: Found Trojan Horse: trojan-downloader-pacisoft
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\psof1\ (15 subtraces) (ID = 136530)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\psof1\ (16 subtraces) (ID = 136530)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\psof1\ (2 subtraces) (ID = 136530)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\psof1\ (2 subtraces) (ID = 136530)
10:52 AM: Found Adware: powerscan
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\powerscan\ (ID = 136823)
10:52 AM: Found Adware: redzip toolbar
10:52 AM: HKU\S-1-5-21-1260153011-1797618588-3831952528-1006\software\microsoft\windows\currentversion\explorer\ || insid (ID = 139328)
10:52 AM: Found System Monitor: sc-keylog
10:52 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\explorer\ (6 subtraces) (ID = 140468)
10:52 AM: Found Adware: searchtoolbar
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\ (3 subtraces) (ID = 141347)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1010\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\ (3 subtraces) (ID = 141347)
10:52 AM: Found Adware: bho_sidefind
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
10:52 AM: HKU\S-1-5-21-1260153011-1797618588-3831952528-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:52 AM: Found Adware: surfsidekick
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\surfsidekick3\ (3 subtraces) (ID = 143412)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\surfsidekick3\ (3 subtraces) (ID = 143412)
10:52 AM: Found Trojan Horse: trojan-backdoor-soundcheck
10:52 AM: HKLM\system\currentcontrolset\services\msdirectx\ (7 subtraces) (ID = 144200)
10:52 AM: Found Adware: virtualbouncer
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1007\software\vb and vba program settings\vbouncer\ (8 subtraces) (ID = 145564)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\vb and vba program settings\vbouncer\ (8 subtraces) (ID = 145564)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1009\software\vb and vba program settings\vbouncer\ (7 subtraces) (ID = 145564)
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-501\software\vb and vba program settings\vbouncer\ (7 subtraces) (ID = 145564)
10:52 AM: Found Adware: winad
10:52 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
10:52 AM: Found Adware: yoursitebar
10:52 AM: HKU\WRSS_Profile_S-1-5-21-1260153011-1797618588-3831952528-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {86227d9c-0efe-4f8a-aa55-30386a3f5686} (ID = 147853)
10:52 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
10:52 AM: HKLM\software\yoursitebar\ (6 subtraces) (ID = 147860)
10:52 AM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
10:52 AM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
10:52 AM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
10:52 AM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
10:52 AM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
10:52 AM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
10:52 AM: H

#6
Rawe

Posted 06 August 2005 - 12:26 PM

Visiting Staff

Member
4,746 posts

Ok, that was your SpySweeper log :tazz:

Now I need the Kaspersky & Panda log.. Oh yea, and rest of your SpySweeper log too.

#7
971821

Posted 06 August 2005 - 12:33 PM

Member

Topic Starter
Member
10 posts

Last post was too long, here is Kaspersky:

KASPERSKY ON-LINE SCANNER REPORT
Saturday, August 06, 2005 13:12:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/08/2005
Kaspersky Anti-Virus database records: 134083
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\

Scan Statistics:
Total number of scanned objects: 116745
Number of viruses found: 23
Number of infected objects: 152
Number of suspicious objects: 0
Duration of the scan process: 5418 sec

Infected Object Name - Virus Name
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\00027229.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\008561F6.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\00E86F69.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\012F0316.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\015E5B11.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\02360EB6.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\032A536C.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\086F65F8.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D837DB4.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E2D658B.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0F035FC4.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0F7905CD.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0FC67D7F.exe Infected: Trojan-PSW.Win32.PWSteal.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\11A61465.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\11CC386A.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\130A45AC.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\131226BA.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13AF1DC3.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\167C319B.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18B01FF1.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1A83351B.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1AD856B9.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1B564E34.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1CE95073.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1D2C2769.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\21A96027.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\24233F4F.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\25D362E4.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\267437F7.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27407D18.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28EF303E.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2A0201C5.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2A1C412B.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B102653.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B1B3D36.com Infected: Backdoor.Win32.Agent.jn
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2CC5282A.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2E450A3A.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\31FB4BDC.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\320E408D.pif Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\32AC2995.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\32B1595B.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33926B88.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3565704D.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\35B32727.exe Infected: Trojan.Win32.Registrator.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\36D343BD.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\380D33BE.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\389233BE.exe Infected: Backdoor.Win32.IRCBot.dh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\38A55918.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\395A30DB.exe Infected: Trojan.Win32.Registrator.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\398D0A75.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\399E68B7.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3A22112C.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3A5551C6.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3A597BC3.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3C572F6F.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3CC36FD0.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3EE64DEC.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3EEC21E5.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3FB13A32.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3FF2627D.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41126A5D.exe Infected: Trojan.Win32.Registrator.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41B95E9C.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45A74D23.exe Infected: Trojan-PSW.Win32.PWSteal.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\465B2FB9.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\490606AD.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A1A0706.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A1F4259.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A204349.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B241869.exe Infected: Trojan.Win32.Registrator.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4DFC6EA9.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4FA9300D.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\50DE4C70.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\510F34F2.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5117610F.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\51520386.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\51FB28EC.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\526C5671.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\554B54FE.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\55A108AA.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\56114626.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\56352BB4.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57171471.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57C65FB2.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58FE7C7B.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B25745B.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5BBF3739.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C1E2400.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C681FBC.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5CEE30BB.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5CFD1B1A.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D1E6A87.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5DB44BA0.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5DDF3B13.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E7B6686.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E802726.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\60973B60.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\60CE3736.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\621A2A7D.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6257245A.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\638B6682.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\65FD198C.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66271F3A.exe Infected: Trojan.Win32.Registrator.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\673F3A05.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67BE558C.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\681B4ECA.exe Infected: Trojan.Win32.Registrator.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68804CA5.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\691E13C0.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A244A56.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6AB61BB7.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F29182E.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F5431C5.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6FE425FB.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\70037D06.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\70885315.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\717F5173.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71C90035.exe Infected: Trojan-Downloader.Win32.IstBar.jm
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71CC2A32.dat Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71CC2A32.exe Infected: Trojan-Downloader.Win32.IstBar.gi
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71D0542E.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71D0542E.exe Infected: Trojan-Downloader.Win32.IstBar.ja
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\72DF5196.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\739C1DA3.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\757E2A22.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75D67854.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\76FB6236.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7729144E.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\78117A22.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\791B4D96.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\791F7793.exe Infected: IM-Worm.Win32.Kelvir.cw
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\799B4758.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79E5439A.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A976BAB.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7C0A25C9.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7CCE3BCC.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7CD165C9.exe Infected: IM-Worm.Win32.Kelvir.cv
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7DCB1B3F.exe Infected: IM-Worm.Win32.Kelvir.dg
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP495\A0075790.exe Infected: Trojan.Win32.Registrator.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP496\A0076063.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP496\A0076063.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP496\A0076063.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP496\A0076147.exe Infected: Trojan.Win32.Registrator.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP505\A0079659.EXE/data0002 Infected: Trojan.Win32.Registrator.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP505\A0079659.EXE/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP505\A0079659.EXE Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP505\A0079661.EXE Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080172.exe Infected: Trojan-Clicker.Win32.Agent.ei
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080181.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080185.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080187.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0080212.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP508\A0080415.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP508\A0080416.dll Infected: Trojan-Downloader.Win32.Apropo.ag

Scan process completed.

New panda in next post.

#8
971821

Posted 06 August 2005 - 12:34 PM

Member

Topic Starter
Member
10 posts

Panda results:

Incident Status Location

Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/popmonster No disinfected C:\DOCUMENTS AND SETTINGS\RR\FAVORITES\SHOPPING\Best Buy.url
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/elitebar No disinfected C:\WINDOWS\etb
Adware:adware/wupd No disinfected Windows Registry

#9
Rawe

Posted 06 August 2005 - 12:55 PM

Visiting Staff

Member
4,746 posts

Ok..

Please print these instructions out, or write them down, as you can't read them during the fix.

Download
CleanUp

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Using Windows Explorer, locate the following file and delete if present;

C:\DOCUMENTS AND SETTINGS\RR\FAVORITES\SHOPPING\Best Buy.url

Then, browse in to this folder;
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\

And delete ALL it's content.

Launch your Norton Anti-virus application, empty it's virus vault if there is anything.

Now, run CleanUp! and reboot into normal mode.

Post a fresh HiJackThis log along with a new Panda log here.

- Rawe :tazz:

#10
971821

Posted 06 August 2005 - 01:54 PM

Member

Topic Starter
Member
10 posts

Here is the new hijack and Panda:

Logfile of HijackThis v1.99.1
Scan saved at 3:19:30 PM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\UlIA\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
I:\Ewido security suite\ewidoctrl.exe
I:\Ewido security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\HijackThis\hijackthis_199\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\imapi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PeoplePC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.peoplepc.com/home
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {F77D9241-5122-46D3-9016-C5AAF07BDE23} (HTMLEdit Class) - http://www.ldsd.org/...THTMLEditor.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\reched20.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UlIA\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - I:\Ewido security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - I:\Ewido security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Panda:

Incident Status Location

Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/consumeralertsystemNo disinfected Windows Registry

#11
Rawe

Posted 06 August 2005 - 02:05 PM

Visiting Staff

Member
4,746 posts

Hi again!

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
- C:\WINDOWS\system32\reched20.dll
Click on the submit button
Please post the results in your next reply.

- Rawe

#12
971821

Posted 06 August 2005 - 02:13 PM

Member

Topic Starter
Member
10 posts

This is what it said:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

#13
Rawe

Posted 06 August 2005 - 02:17 PM

Visiting Staff

Member
4,746 posts

Ok, please run HiJackThis and check the following objects for removal;

R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://home.peoplepc.com/home
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\reched20.dll (file missing)

Make sure their checked, close any other open window and/or open browser - hit "Fix Checked".

Reboot and post a fresh log.

- Rawe :tazz:

#14
971821

Posted 06 August 2005 - 02:34 PM

Member

Topic Starter
Member
10 posts

Removed the 4 items and they did not reappear on this next log:

Logfile of HijackThis v1.99.1
Scan saved at 4:31:27 PM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\UlIA\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
I:\Ewido security suite\ewidoctrl.exe
I:\Ewido security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PeoplePC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {F77D9241-5122-46D3-9016-C5AAF07BDE23} (HTMLEdit Class) - http://www.ldsd.org/...THTMLEditor.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UlIA\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - I:\Ewido security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - I:\Ewido security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe