Scan saved at 1:52:39 AM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
F:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe
F:\Program Files\HijackThis!\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.go.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - F:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - F:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - F:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - F:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - F:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "F:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.turnerta...ient/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126415121325
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128043069328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE0C6F35-A439-418E-BC8D-FEA2BA761F46}: NameServer = 207.69.188.186 207.69.188.185
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
********
1:17 AM: | Start of Session, Saturday, October 22, 2005 |
1:17 AM: Spy Sweeper started
1:17 AM: Sweep initiated using definitions version 560
1:17 AM: Starting Memory Sweep
1:20 AM: Memory Sweep Complete, Elapsed Time: 00:02:49
1:20 AM: Starting Registry Sweep
1:20 AM: Found Adware: purityscan
1:20 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (ID = 137986)
1:20 AM: Found Adware: media-motor
1:20 AM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
1:20 AM: Found Adware: maxifiles
1:20 AM: HKCR\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829231)
1:20 AM: HKCR\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829237)
1:20 AM: HKCR\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829253)
1:20 AM: HKLM\software\classes\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829282)
1:20 AM: HKLM\software\classes\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829292)
1:20 AM: HKLM\software\classes\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829298)
1:20 AM: Found Adware: directrevenue-abetterinternet
1:20 AM: HKU\WRSS_Profile_S-1-5-21-682003330-1614895754-839522115-500\software\aurora\ (18 subtraces) (ID = 360174)
1:21 AM: Registry Sweep Complete, Elapsed Time:00:00:36
1:21 AM: Starting Cookie Sweep
1:21 AM: Found Spy Cookie: 2o7.net cookie
1:21 AM: heidi@2o7[2].txt (ID = 1957)
1:21 AM: Found Spy Cookie: coremetrics cookie
1:21 AM: [email protected][1].txt (ID = 2472)
1:21 AM: Found Spy Cookie: go.com cookie
1:21 AM: [email protected][2].txt (ID = 2729)
1:21 AM: gary@go[2].txt (ID = 2728)
1:21 AM: [email protected][1].txt (ID = 2729)
1:21 AM: [email protected][1].txt (ID = 2729)
1:21 AM: [email protected][2].txt (ID = 2729)
1:21 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:21 AM: Starting File Sweep
1:21 AM: Found Adware: ist sidefind
1:21 AM: c:\program files\sidefind (ID = -2147480325)
1:21 AM: x.bmp (ID = 69314)
1:22 AM: cwebpage.dll (ID = 69301)
1:25 AM: Found Trojan Horse: trojan downloader matcash
1:25 AM: autoit3.exe (ID = 119348)
1:29 AM: backup-20051015-223302-100.dll (ID = 156267)
1:44 AM: File Sweep Complete, Elapsed Time: 00:23:22
1:44 AM: Full Sweep has completed. Elapsed time 00:26:52
1:44 AM: Traces Found: 74
1:47 AM: Removal process initiated
1:47 AM: Quarantining All Traces: directrevenue-abetterinternet
1:47 AM: Quarantining All Traces: purityscan
1:47 AM: Quarantining All Traces: trojan downloader matcash
1:47 AM: Quarantining All Traces: ist sidefind
1:47 AM: Quarantining All Traces: maxifiles
1:47 AM: Quarantining All Traces: media-motor
1:47 AM: Quarantining All Traces: 2o7.net cookie
1:47 AM: Quarantining All Traces: coremetrics cookie
1:47 AM: Quarantining All Traces: go.com cookie
1:47 AM: Removal process completed. Elapsed time 00:00:21
********
1:14 AM: | Start of Session, Saturday, October 22, 2005 |
1:14 AM: Spy Sweeper started
1:15 AM: Your spyware definitions have been updated.
1:16 AM: The Spy Communication shield has blocked access to: ad.trafficmp.com
1:16 AM: The Spy Communication shield has blocked access to: ad.trafficmp.com
1:17 AM: | End of Session, Saturday, October 22, 2005 |