multiple problems [RESOLVED]


  • This topic is locked

#16
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Please run the following program:
  • Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As": DelDomains.inf to your Desktop
    http://www.mvps.org/.../DelDomains.inf

  • Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.
  • Then please restart your computer, and post a new HijackThis log.

2. * Please download Fix_Protocol_zones_ranges.reg by Nellie from MWR

* Open the zip file and extract the regfile to your desktop.

* Double click Fix_Protocol_zones_ranges.reg and allow it to merge with the registry.

* REBOOT your system.

* Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#17
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
Here is the log after installing the first program:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:56 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ugoyfn\mnlwmv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [rifqr] C:\WINDOWS\system32\hjnqapd\rifqr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [qekrmujx] C:\WINDOWS\system32\whecdwm\qekrmujx.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [mnlwmv] C:\WINDOWS\system32\ugoyfn\mnlwmv.exe
O4 - HKLM\..\Run: [yojjksx] C:\WINDOWS\yojjksx.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\azndup.exe reg_run
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oqseas] C:\WINDOWS\system32\xautvcr.exe r
O4 - HKLM\..\Run: [omvoopq] C:\WINDOWS\system32\qsznvh.exe r
O4 - HKLM\..\Run: [ngclwp] C:\WINDOWS\system32\pfjsiv.exe r
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [mqjwnm] C:\WINDOWS\system32\pcox\mqjwnm.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] F:\iau.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [iehh.exe] C:\WINDOWS\system32\iehh.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [dsdxgqqx] C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [d3tr32.exe] C:\WINDOWS\system32\d3tr32.exe
O4 - HKLM\..\Run: [d3sq.exe] C:\WINDOWS\system32\d3sq.exe
O4 - HKLM\..\Run: [cxvwaq] C:\WINDOWS\system32\lzoeor.exe r
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [bowgfxgi] C:\WINDOWS\System32\oakuodn.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [696.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c8.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0031.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dsdxgqqxikvgip - Unknown owner - C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mnlwmvugoyfn - Unknown owner - C:\WINDOWS\system32\ugoyfn\mnlwmv.exe
O23 - Service: mqjwnmpcox - Unknown owner - C:\WINDOWS\system32\pcox\mqjwnm.exe
O23 - Service: qekrmujxwhecdwm - Unknown owner - C:\WINDOWS\system32\whecdwm\qekrmujx.exe
O23 - Service: rifqrhjnqapd - Unknown owner - C:\WINDOWS\system32\hjnqapd\rifqr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: uclvfqagnjkr - Unknown owner - C:\WINDOWS\system32\qagnjkr\uclvf.exe
  • 0

#18
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
Here is the log after running the .reg file.

Logfile of HijackThis v1.99.1
Scan saved at 12:12:29 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ugoyfn\mnlwmv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [rifqr] C:\WINDOWS\system32\hjnqapd\rifqr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [qekrmujx] C:\WINDOWS\system32\whecdwm\qekrmujx.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [mnlwmv] C:\WINDOWS\system32\ugoyfn\mnlwmv.exe
O4 - HKLM\..\Run: [yojjksx] C:\WINDOWS\yojjksx.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\azndup.exe reg_run
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oqseas] C:\WINDOWS\system32\xautvcr.exe r
O4 - HKLM\..\Run: [omvoopq] C:\WINDOWS\system32\qsznvh.exe r
O4 - HKLM\..\Run: [ngclwp] C:\WINDOWS\system32\pfjsiv.exe r
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [mqjwnm] C:\WINDOWS\system32\pcox\mqjwnm.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] F:\iau.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [iehh.exe] C:\WINDOWS\system32\iehh.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [dsdxgqqx] C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [d3tr32.exe] C:\WINDOWS\system32\d3tr32.exe
O4 - HKLM\..\Run: [d3sq.exe] C:\WINDOWS\system32\d3sq.exe
O4 - HKLM\..\Run: [cxvwaq] C:\WINDOWS\system32\lzoeor.exe r
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [bowgfxgi] C:\WINDOWS\System32\oakuodn.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [696.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c8.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0031.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dsdxgqqxikvgip - Unknown owner - C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mnlwmvugoyfn - Unknown owner - C:\WINDOWS\system32\ugoyfn\mnlwmv.exe
O23 - Service: mqjwnmpcox - Unknown owner - C:\WINDOWS\system32\pcox\mqjwnm.exe
O23 - Service: qekrmujxwhecdwm - Unknown owner - C:\WINDOWS\system32\whecdwm\qekrmujx.exe
O23 - Service: rifqrhjnqapd - Unknown owner - C:\WINDOWS\system32\hjnqapd\rifqr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: uclvfqagnjkr - Unknown owner - C:\WINDOWS\system32\qagnjkr\uclvf.exe
  • 0

#19
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your system is infected with a very serious and very difficult infection called a "rootkit". It is one of the newest generation of infections out there and our experience in removing these is somewhat limited compared to the others. However we have malware specialists who have dealt with this before and will be working with me on getting rid of this baddie. Don't be surprised if you see another specialist post to your thread on occasion because this is going to be a collaborative effort. I cannot promise that we can cure your system of this infection, but I can promise you that we will do everything in our power to make things right with your system. This could be a lengthy process requiring numerous reports and a lot of the work will be done in Safe Mode.

1. Please update your current SpySweeper definitions and run a full scan while in Safe Mode. Save the report and post it in your next reply.

2. Still in Safe Mode, have HijackThis generate a Startup List and post the results in your next reply.

Open HJT, click Config>>Misc Tools>>place a checkmark in the 2 boxes that can be found beside the button "Generate Startup List" and click on the button. This will open a Notepad file containing the required information. Please save it to your desktop as Startup List and post it in your next reply.


3. Please print this out for reference.

* Go to your desktop and Right-Click on the MyComputer Icon
* Select properties
* Open the Hardware tab
* Select Device Manager
* Click on View
* Select Show Hidden Devices
* Navigate Down the list and expand Non-Plug and Play Devices
* Maximise that window so that all of the entries under Non-Plug and Play Devices are visible, then post a screenshot here for me please.
* If you cannot post a screenshot, then look through the list and make a note of any entries named something like guycrm or jjccfhju or similar random names.
* Do NOT do anything to them, just let me know what you find please.


4. Reboot your system and post all the above reports including a fresh HJT log.


Regards,

Trevuren

  • 0
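The HijackThis logs posted above show a pattern that helps when triaging this kind of infection: each randomly named O23 service with an unknown owner is named after its executable plus the folder it sits in under system32. The following Python is an added example, not part of the original thread; it is a heuristic read off this one log rather than a general rootkit detector, the names `Finding` and `find_suspect_services` are hypothetical, and the sample lines are copied from the log in this thread.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [rifqr] C:\WINDOWS\system32\hjnqapd\rifqr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mnlwmv] C:\WINDOWS\system32\ugoyfn\mnlwmv.exe
O4 - HKLM\..\Run: [dsdxgqqx] C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dsdxgqqxikvgip - Unknown owner - C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (file missing)
O23 - Service: mnlwmvugoyfn - Unknown owner - C:\WINDOWS\system32\ugoyfn\mnlwmv.exe
O23 - Service: rifqrhjnqapd - Unknown owner - C:\WINDOWS\system32\hjnqapd\rifqr.exe
O23 - Service: uclvfqagnjkr - Unknown owner - C:\WINDOWS\system32\qagnjkr\uclvf.exe
"""

# O4 registry Run entries: value name in brackets, then the command line.
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")

# O23 services: display name, owner, image path, optional "(file missing)".
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?\.exe)(?P<missing> \(file missing\))?$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    service: str
    path: str
    file_missing: bool
    run_values: list = field(default_factory=list)  # matching O4 Run values


def name_matches_path(service_name, image_path):
    """True when the service name is <exe stem><folder> and the folder is a
    direct child of system32, as in ...\\system32\\ugoyfn\\mnlwmv.exe."""
    folder_path = ntpath.dirname(image_path)
    folder = ntpath.basename(folder_path).lower()
    parent = ntpath.basename(ntpath.dirname(folder_path)).lower()
    stem = ntpath.splitext(ntpath.basename(image_path))[0].lower()
    return parent == "system32" and service_name.lower() == stem + folder


def find_suspect_services(log_text):
    """Return a Finding for each unknown-owner service whose name is built
    from its own executable and folder, with any Run values that start it."""
    runs, services = [], []
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            runs.append((run.group("value"), run.group("cmd")))
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            services.append(svc)

    findings = []
    for svc in services:
        name, path = svc.group("name"), svc.group("path")
        if svc.group("owner") != "Unknown owner":
            continue
        if not name_matches_path(name, path):
            continue
        # A second persistence point: a Run value launching the same image.
        linked = [v for v, cmd in runs if cmd.lower().startswith(path.lower())]
        findings.append(
            Finding(name, path, svc.group("missing") is not None, linked)
        )
    return findings


if __name__ == "__main__":
    for f in find_suspect_services(SAMPLE_LOG):
        state = "file missing" if f.file_missing else "file present"
        print(f"{f.service}: {f.path} ({state}); Run values: {f.run_values}")
```

Services such as Ati HotKey Poller also report "Unknown owner" but are not flagged, because their names are not derived from the image path.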

#20
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
wow...how did I get something like that??? Does this happen often? What does a rootkit do to your system? Thank you guys all so much for helping, I cannot thank you all enough.
  • 0

#21
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
I have another quick question, how do you print a screenshot? Also, is there software out there like Spy Sweeper, but is freeware? Because I only have the trial version of spysweeper and I don't think I can update definitions without buying the program.
  • 0

#22
ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hi there Biggun

The trial version of spysweeper will let you update it no problem. This tool is vital to cleaning the rootkit up.

To get a screenshot -

The simple way to take a screen shot if you do not have a special screen image tool, such as ScreenHunter, MWSnap, SnagIt....etc....is as follows:

1. Select/Highlight the window you want as your image.
2. Hold down the [Alt] key and Press the [Print Screen] button
- the image is now saved in Windows clipboard
3. Open MS Paint utility (Start > Programs > Accessories > Paint)
4. Select "File" menu > "New"
5. Select "Edit" menu > "Paste"
- image is now visible in MS Paint
6. If needed, edit image. Remove or erase confidential data. etc.
7. Save image by using "File" menu > "Save As..."
8. Select proper file type in "Save as Type" selection.
- .GIF or .JPG images are best for posting
*** Do NOT save as .BMP file (they are too large !!)
9. Remember name and the location of file you just saved.

then add that file as an attachment in your post.
  • 0

#23
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
Ok, I ran spy sweeper in safe mode and created a log. By the way, I noticed the sweeper log had previous scans from previous dates on it. I didn't want to mess with the log so I just left them on there. I also made a startup list in safe mode and created a log. For the screen shots, I had to take 2 because I couldn't fit all of the programs in on one shot (hope it's not too confusing). I took the shots in safe mode and they are attached to this reply. Then for the fresh HJT log, I performed this in normal mode.

Here is the spy sweeper log:

********
7:54 PM: | Start of Session, Sunday, October 16, 2005 |
7:54 PM: Spy Sweeper started
7:54 PM: Sweep initiated using definitions version 555
7:54 PM: Starting Memory Sweep
7:56 PM: Memory Sweep Complete, Elapsed Time: 00:01:10
7:56 PM: Starting Registry Sweep
7:56 PM: Found Adware: apropos
7:56 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
7:56 PM: Found Adware: begin2search
7:56 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 104095)
7:56 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
7:56 PM: Found Adware: hotsearchbar toolbar
7:56 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
7:56 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 104097)
7:56 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
7:56 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
7:56 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 104099)
7:56 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
7:56 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
7:56 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 104101)
7:56 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
7:56 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
7:56 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
7:56 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
7:56 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
7:56 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
7:56 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
7:56 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
7:56 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
7:56 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
7:56 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
7:56 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
7:56 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
7:56 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
7:56 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
7:56 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
7:56 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 104145)
7:56 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
7:56 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
7:56 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 104147)
7:56 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
7:56 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
7:56 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 104149)
7:56 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
7:56 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
7:56 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 104151)
7:56 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
7:56 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
7:56 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
7:56 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
7:56 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
7:56 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
7:56 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
7:56 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
7:56 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
7:56 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
7:56 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
7:56 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
7:56 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
7:56 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
7:56 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
7:56 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
7:56 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
7:56 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
7:56 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
7:56 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
7:56 PM: Found Adware: cws_easy-search.biz hijacker
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117153)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117154)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117155)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117156)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117157)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117158)
7:56 PM: Found Adware: drsnsrch.com hijack
7:56 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 128209)
7:56 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 128210)
7:56 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 128211)
7:56 PM: Found Adware: mirar webband
7:56 PM: HKLM\software\relatedpageinstall\ (6 subtraces) (ID = 135120)
7:56 PM: Found Trojan Horse: trojan-downloader-pacisoft
7:56 PM: HKLM\software\microsoft\code store database\distribution units\{972bb342-14a7-4660-83c1-51ddbee171db}\ (8 subtraces) (ID = 136524)
7:56 PM: Found Adware: purityscan
7:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
7:56 PM: Found Adware: media-motor
7:56 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
7:56 PM: Found Adware: search fast communicator toolbar
7:56 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
7:56 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
7:56 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
7:56 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
7:56 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
7:56 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
7:56 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
7:56 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
7:56 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
7:56 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
7:56 PM: HKU\.default\software\communicator toolbar\ (9 subtraces) (ID = 140696)
7:56 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
7:56 PM: Found Adware: surfsidekick
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143406)
7:56 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
7:56 PM: Found Adware: delfin
7:56 PM: HKLM\software\wincin\ (2 subtraces) (ID = 359317)
7:56 PM: Found Adware: winad
7:56 PM: HKLM\software\media gateway\ (2 subtraces) (ID = 359545)
7:56 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
7:56 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
7:56 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
7:56 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
7:56 PM: Found Adware: drsnsrch hijacker
7:56 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
7:56 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
7:56 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
7:56 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
7:56 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
7:56 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (ID = 513230)
7:56 PM: Found Adware: clkoptimizer
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
7:56 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
7:56 PM: Found Adware: visfx
7:56 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
7:56 PM: Found Adware: abetterinternet
7:56 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm81.ocx\ (2 subtraces) (ID = 762354)
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
7:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
7:56 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
7:56 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
7:56 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
7:56 PM: Found Adware: 180search assistant/zango
7:56 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
7:56 PM: Found Adware: shopathomeselect
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || apd123 (ID = 861469)
7:56 PM: HKLM\software\qstat\ || brr (ID = 877670)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\surfsidekick3\ (3 subtraces) (ID = 143412)
7:56 PM: Found Adware: cws-aboutblank
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\psof1\ (10 subtraces) (ID = 136530)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
7:56 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
7:56 PM: HKU\S-1-5-18\software\communicator toolbar\ (9 subtraces) (ID = 140688)
7:56 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
7:56 PM: HKU\S-1-5-18\software\dsrch\ (7 subtraces) (ID = 509156)
7:56 PM: Registry Sweep Complete, Elapsed Time:00:00:31
7:56 PM: Starting Cookie Sweep
7:56 PM: Found Spy Cookie: 888 cookie
7:56 PM: owner@888[1].txt (ID = 2019)
7:56 PM: Found Spy Cookie: yieldmanager cookie
7:56 PM: [email protected][2].txt (ID = 3751)
7:56 PM: Found Spy Cookie: adknowledge cookie
7:56 PM: owner@adknowledge[1].txt (ID = 2072)
7:56 PM: Found Spy Cookie: adrevolver cookie
7:56 PM: owner@adrevolver[2].txt (ID = 2088)
7:56 PM: owner@adrevolver[3].txt (ID = 2088)
7:56 PM: Found Spy Cookie: adserver cookie
7:56 PM: owner@adserver[2].txt (ID = 2141)
7:56 PM: Found Spy Cookie: advertising cookie
7:56 PM: owner@advertising[1].txt (ID = 2175)
7:56 PM: Found Spy Cookie: ask cookie
7:56 PM: owner@ask[1].txt (ID = 2245)
7:56 PM: Found Spy Cookie: atlas dmt cookie
7:56 PM: owner@atdmt[2].txt (ID = 2253)
7:56 PM: Found Spy Cookie: belnk cookie
7:56 PM: [email protected][2].txt (ID = 2293)
7:56 PM: Found Spy Cookie: banner cookie
7:56 PM: owner@banner[1].txt (ID = 2276)
7:56 PM: owner@belnk[1].txt (ID = 2292)
7:56 PM: Found Spy Cookie: bluestreak cookie
7:56 PM: owner@bluestreak[1].txt (ID = 2314)
7:56 PM: Found Spy Cookie: casalemedia cookie
7:56 PM: owner@casalemedia[2].txt (ID = 2354)
7:56 PM: [email protected][2].txt (ID = 2293)
7:56 PM: Found Spy Cookie: fastclick cookie
7:56 PM: owner@fastclick[1].txt (ID = 2651)
7:56 PM: Found Spy Cookie: overture cookie
7:56 PM: [email protected][1].txt (ID = 3106)
7:56 PM: Found Spy Cookie: questionmarket cookie
7:56 PM: owner@questionmarket[1].txt (ID = 3217)
7:56 PM: Found Spy Cookie: realmedia cookie
7:56 PM: owner@realmedia[1].txt (ID = 3235)
7:56 PM: Found Spy Cookie: adjuggler cookie
7:56 PM: [email protected][1].txt (ID = 2071)
7:56 PM: Found Spy Cookie: servedby advertising cookie
7:56 PM: [email protected][2].txt (ID = 3335)
7:56 PM: Found Spy Cookie: reliablestats cookie
7:56 PM: [email protected][2].txt (ID = 3254)
7:56 PM: Found Spy Cookie: tradedoubler cookie
7:56 PM: owner@tradedoubler[1].txt (ID = 3575)
7:56 PM: Found Spy Cookie: trafficmp cookie
7:56 PM: owner@trafficmp[2].txt (ID = 3581)
7:56 PM: Found Spy Cookie: myaffiliateprogram.com cookie
7:56 PM: [email protected][2].txt (ID = 3032)
7:56 PM: Found Spy Cookie: zedo cookie
7:56 PM: owner@zedo[2].txt (ID = 3762)
7:56 PM: system@casalemedia[1].txt (ID = 2354)
7:56 PM: system@zedo[2].txt (ID = 3762)
7:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
7:56 PM: Starting File Sweep
7:57 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
7:57 PM: Found Adware: cws_ns3
7:57 PM: wmprfptb.prx:ypgwmu (ID = 56287)
7:57 PM: preuninstallcom.exe (ID = 74818)
7:57 PM: Found Adware: coolwebsearch (cws)
7:57 PM: wmprfjpn.prx:foorkk (ID = 54051)
7:57 PM: vmmreg32.dll:jmucx (ID = 56447)
7:57 PM: Found Trojan Horse: lzio
7:57 PM: qekrmujx.exe (ID = 159311)
7:57 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
7:57 PM: blue lace 16.bmp:pyxtq (ID = 56447)
7:58 PM: Found Adware: winantispyware 2005
7:58 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
7:58 PM: wmprfesp.prx:qnkqv (ID = 56447)
7:58 PM: wmprfheb.prx:incwp (ID = 56447)
7:58 PM: wmprfkor.prx:bovbr (ID = 56447)
7:58 PM: uclvf.exe (ID = 159311)
7:58 PM: sskknwrd.dll (ID = 77733)
7:58 PM: msnavpklog.txt:vcelr (ID = 56711)
7:58 PM: mnlwmv.exe (ID = 159311)
7:58 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mnlwmv (ID = 0)
7:58 PM: m67m.inf (ID = 74028)
7:58 PM: ocgen.log:faalko (ID = 56287)
7:59 PM: stb.exe (ID = 94666)
7:59 PM: ssk.exe (ID = 163864)
7:59 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
7:59 PM: mediagatewayx.dll (ID = 156819)
7:59 PM: mediaticketsinstaller.inf (ID = 73158)
8:00 PM: sskknwrd.dll (ID = 77733)
8:00 PM: msxmidi.exe.js:gwqvn (ID = 55098)
8:01 PM: auhccup1.dll:jpxurb (ID = 56287)
8:01 PM: active setup log.txt:rofppq (ID = 54051)
8:01 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
8:01 PM: btnetw3-995329.exe (ID = 155333)
8:01 PM: rifqr.exe (ID = 159311)
8:01 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || rifqr (ID = 0)
8:02 PM: wingenerics.dll (ID = 50187)
8:02 PM: comsetup.log:xdsnj (ID = 53966)
8:02 PM: ocmsn.log:jsouf (ID = 56447)
8:02 PM: orun32.isu:uurmb (ID = 53966)
8:03 PM: wmprfrus.prx:vpdtr (ID = 56447)
8:03 PM: mqjwnm.exe (ID = 159311)
8:03 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mqjwnm (ID = 0)
8:04 PM: sskcwrd.dll (ID = 77712)
8:04 PM: Warning: Failed to access drive F:
8:04 PM: File Sweep Complete, Elapsed Time: 00:08:08
8:04 PM: Full Sweep has completed. Elapsed time 00:09:59
8:04 PM: Traces Found: 844
********
7:36 PM: | Start of Session, Sunday, October 16, 2005 |
7:36 PM: Spy Sweeper started
7:36 PM: Sweep initiated using definitions version 555
7:36 PM: Starting Memory Sweep
7:36 PM: Sweep Canceled
7:36 PM: Memory Sweep Complete, Elapsed Time: 00:00:07
7:36 PM: Traces Found: 0
7:54 PM: Program Version 4.5.3 (Build 560) Using Spyware Definitions 555
7:54 PM: | End of Session, Sunday, October 16, 2005 |
********
9:25 PM: | Start of Session, Friday, October 14, 2005 |
9:25 PM: Spy Sweeper started
9:25 PM: Sweep initiated using definitions version 555
9:25 PM: Starting Memory Sweep
9:27 PM: Sweep Canceled
9:27 PM: Memory Sweep Complete, Elapsed Time: 00:01:36
9:27 PM: Traces Found: 0
9:40 AM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:40 AM: Detected running threat: lzio
11:21 AM: Ignored memory-resident threat: lzio
11:21 AM: The Spy Communication shield has blocked access to: paypopup.com
11:21 AM: The Spy Communication shield has blocked access to: paypopup.com
11:26 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:26 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
4:36 PM: ActiveX Shield: found: Adware: winad, version 1.0.0.0 -- Installation denied
4:37 PM: Spy Installation Shield: found: Adware: winad, version 1.0.0.0 -- Execution Denied
4:37 PM: Processing Startup Alerts
4:37 PM: Removed Startup entry: mnlwmv
5:27 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
5:27 PM: Detected running threat: lzio
5:27 PM: Ignored memory-resident threat: lzio
7:38 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
7:38 PM: Detected running threat: lzio
7:38 PM: Ignored memory-resident threat: lzio
7:50 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
7:50 PM: Detected running threat: lzio
7:50 PM: Ignored memory-resident threat: lzio
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:14 PM: The Spy Communication shield has blocked access to: paypopup.com
9:14 PM: The Spy Communication shield has blocked access to: paypopup.com
9:17 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:17 PM: Detected running threat: lzio
9:17 PM: Ignored memory-resident threat: lzio
9:27 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:27 PM: Detected running threat: lzio
9:27 PM: Ignored memory-resident threat: lzio
12:25 AM: The Spy Communication shield has blocked access to: paypopup.com
12:25 AM: The Spy Communication shield has blocked access to: paypopup.com
2:25 AM: The Spy Communication shield has blocked access to: paypopup.com
2:25 AM: The Spy Communication shield has blocked access to: paypopup.com
5:25 AM: The Spy Communication shield has blocked access to: paypopup.com
5:25 AM: The Spy Communication shield has blocked access to: paypopup.com
9:25 AM: The Spy Communication shield has blocked access to: paypopup.com
9:25 AM: The Spy Communication shield has blocked access to: paypopup.com
11:58 AM: IE Security Shield: found: C:\WINDOWS\SYSTEM32\RUNDLL32.EXE -- IE Security modification allowed at user request
12:10 PM: Error: Access violation at address 0055E852 in module 'WRSSSDK.exe'. Read of address 00000004.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:49 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
3:49 PM: Detected running threat: lzio
3:49 PM: Ignored memory-resident threat: lzio
7:35 PM: Updating spyware definitions
7:35 PM: Your definitions are up to date.
7:35 PM: Updating spyware definitions
7:35 PM: Your definitions are up to date.
7:36 PM: Only Sweep Folders Where Threats Are Known to Reside
7:36 PM: | End of Session, Sunday, October 16, 2005 |
********
9:25 PM: | Start of Session, Friday, October 14, 2005 |
9:25 PM: Spy Sweeper started
9:25 PM: Sweep initiated using definitions version 555
9:25 PM: Starting Memory Sweep
9:25 PM: Sweep Canceled
9:25 PM: Memory Sweep Complete, Elapsed Time: 00:00:19
9:25 PM: Traces Found: 0
9:25 PM: Only Sweep Folders Where Threats Are Known to Reside
9:25 PM: | End of Session, Friday, October 14, 2005 |
********
6:15 PM: | Start of Session, Friday, October 14, 2005 |
6:15 PM: Spy Sweeper started
6:15 PM: Sweep initiated using definitions version 555
6:15 PM: Starting Memory Sweep
6:15 PM: Sweep Canceled
6:15 PM: Memory Sweep Complete, Elapsed Time: 00:00:03
6:15 PM: Traces Found: 0
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:06 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:07 PM: Processing Startup Alerts
9:07 PM: Removed Startup entry: mnlwmv
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:13 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:13 PM: Detected running threat: lzio
9:15 PM: Ignored memory-resident threat: lzio
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:24 PM: Updating spyware definitions
9:24 PM: Your definitions are up to date.
9:25 PM: | End of Session, Friday, October 14, 2005 |
********
4:46 PM: | Start of Session, Friday, October 14, 2005 |
4:46 PM: Spy Sweeper started
4:46 PM: Sweep initiated using definitions version 555
4:46 PM: Starting Memory Sweep
4:46 PM: Found Adware: abetterinternet
4:46 PM: Detected running threat: C:\WINDOWS\SYSTEM32\ypowlt.exe (ID = 158592)
4:48 PM: Found Trojan Horse: lzio
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\whecdwm\qekrmujx.exe (ID = 159311)
4:48 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\uudmzf.exe (ID = 158592)
4:48 PM: Detected running threat: C:\WINDOWS\explorer.exe (ID = 63)
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\fhlyvp.exe (ID = 158592)
4:49 PM: Memory Sweep Complete, Elapsed Time: 00:02:33
4:49 PM: Starting Registry Sweep
4:49 PM: Found Adware: apropos
4:49 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
4:49 PM: Found Adware: begin2search
4:49 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 104095)
4:49 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
4:49 PM: Found Adware: hotsearchbar toolbar
4:49 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
4:49 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 104097)
4:49 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
4:49 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
4:49 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 104099)
4:49 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
4:49 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
4:49 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 104101)
4:49 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
4:49 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
4:49 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
4:49 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
4:49 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
4:49 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
4:49 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
4:49 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
4:49 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
4:49 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
4:49 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
4:49 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
4:49 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
4:49 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
4:49 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
4:49 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
4:49 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 104145)
4:49 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
4:49 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
4:49 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 104147)
4:49 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
4:49 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
4:49 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 104149)
4:49 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
4:49 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
4:49 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 104151)
4:49 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
4:49 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
4:49 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
4:49 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
4:49 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
4:49 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
4:49 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
4:49 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
4:49 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
4:49 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
4:49 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
4:49 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
4:49 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
4:49 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
4:49 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
4:49 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
4:49 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
4:49 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
4:49 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
4:49 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
4:49 PM: Found Adware: coolwebsearch (cws)
4:49 PM: HKCR\clsid\{899a5903-19a8-847c-427c-8f50787644ae}\ (2 subtraces) (ID = 107683)
4:49 PM: HKLM\software\classes\clsid\{899a5903-19a8-847c-427c-8f50787644ae}\ (2 subtraces) (ID = 109067)
4:49 PM: Found Adware: cws_ns3
4:49 PM: HKCR\clsid\{aef3e64a-b4fc-fc2a-5ef9-4fc735f322d9}\ (2 subtraces) (ID = 118827)
4:49 PM: HKCR\clsid\{b26e0da6-7964-2b58-9b4b-94cbaa3aff83}\ (2 subtraces) (ID = 118859)
4:49 PM: HKLM\software\classes\clsid\{aef3e64a-b4fc-fc2a-5ef9-4fc735f322d9}\ (2 subtraces) (ID = 120666)
4:49 PM: HKLM\software\classes\clsid\{b26e0da6-7964-2b58-9b4b-94cbaa3aff83}\ (2 subtraces) (ID = 120698)
4:49 PM: Found Adware: delfin
4:49 PM: HKLM\software\motoin\ (2 subtraces) (ID = 124883)
4:49 PM: Found Adware: elitebar
4:49 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
4:49 PM: Found Adware: drsnsrch.com hijack
4:49 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 128208)
4:49 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 128209)
4:49 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 128210)
4:49 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 128211)
4:49 PM: Found Adware: mirar webband
4:49 PM: HKLM\software\relatedpageinstall\ (6 subtraces) (ID = 135120)
4:49 PM: Found Trojan Horse: trojan-downloader-pacisoft
4:49 PM: HKLM\software\microsoft\code store database\distribution units\{972bb342-14a7-4660-83c1-51ddbee171db}\ (8 subtraces) (ID = 136524)
4:49 PM: Found Adware: purityscan
4:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
4:49 PM: Found Adware: media-motor
4:49 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
4:49 PM: Found Adware: search fast communicator toolbar
4:49 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
4:49 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
4:49 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
4:49 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
4:49 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
4:49 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
4:49 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
4:49 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
4:49 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
4:49 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
4:49 PM: HKU\.default\software\communicator toolbar\ (9 subtraces) (ID = 140696)
4:49 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
4:49 PM: Found Adware: surfsidekick
4:49 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
4:49 PM: HKLM\system\currentcontrolset\services\svcproc\ (12 subtraces) (ID = 146140)
4:49 PM: HKLM\software\wincin\ (2 subtraces) (ID = 359317)
4:49 PM: Found Adware: quicklink search toolbar
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
4:49 PM: HKLM\software\ql\ (2 subtraces) (ID = 359458)
4:49 PM: Found Adware: winad
4:49 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
4:49 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
4:49 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
4:49 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
4:49 PM: Found Adware: drsnsrch hijacker
4:49 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
4:49 PM: HKCR\dsrch.bottomframe\ (5 subtraces) (ID = 509135)
4:49 PM: HKCR\dsrch.leftframe\ (5 subtraces) (ID = 509136)
4:49 PM: HKCR\dsrch.popupbrowser\ (5 subtraces) (ID = 509137)
4:49 PM: HKCR\dsrch.popupwindow\ (5 subtraces) (ID = 509138)
4:49 PM: HKCR\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509139)
4:49 PM: HKCR\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509140)
4:49 PM: HKCR\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509141)
4:49 PM: HKCR\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509142)
4:49 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
4:49 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
4:49 PM: HKLM\software\classes\dsrch.leftframe\ (5 subtraces) (ID = 509179)
4:49 PM: HKLM\software\classes\dsrch.popupbrowser\ (5 subtraces) (ID = 509185)
4:49 PM: HKLM\software\classes\dsrch.popupwindow\ (5 subtraces) (ID = 509191)
4:49 PM: HKLM\software\classes\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509198)
4:49 PM: HKLM\software\classes\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509210)
4:49 PM: HKLM\software\classes\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509224)
4:49 PM: HKLM\software\classes\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509238)
4:49 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
4:49 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
4:49 PM: HKCR\dsrch.bottomframe\clsid\ (1 subtraces) (ID = 509363)
4:49 PM: HKCR\dsrch.bottomframe\curver\ (1 subtraces) (ID = 509364)
4:49 PM: HKCR\dsrch.leftframe\clsid\ (1 subtraces) (ID = 509365)
4:49 PM: HKCR\dsrch.leftframe\curver\ (1 subtraces) (ID = 509366)
4:49 PM: HKCR\dsrch.popupbrowser\clsid\ (1 subtraces) (ID = 509367)
4:49 PM: HKCR\dsrch.popupbrowser\curver\ (1 subtraces) (ID = 509368)
4:49 PM: HKCR\dsrch.popupwindow\clsid\ (1 subtraces) (ID = 509369)
4:49 PM: HKCR\dsrch.popupwindow\curver\ (1 subtraces) (ID = 509370)
4:49 PM: HKCR\dsrch.band.1\ (3 subtraces) (ID = 512692)
4:49 PM: HKCR\dsrch.bottomframe.1\ (3 subtraces) (ID = 512699)
4:49 PM: HKCR\dsrch.leftframe.1\ (3 subtraces) (ID = 512706)
4:49 PM: HKCR\dsrch.popupbrowser.1\ (3 subtraces) (ID = 512713)
4:49 PM: HKCR\dsrch.popupwindow.1\ (3 subtraces) (ID = 512720)
4:49 PM: HKCR\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 512747)
4:49 PM: HKLM\software\classes\dsrch.band.1\ (3 subtraces) (ID = 513072)
4:49 PM: HKLM\software\classes\dsrch.bottomframe.1\ (3 subtraces) (ID = 513076)
4:49 PM: HKLM\software\classes\dsrch.leftframe.1\ (3 subtraces) (ID = 513080)
4:49 PM: HKLM\software\classes\dsrch.popupbrowser.1\ (3 subtraces) (ID = 513084)
4:49 PM: HKLM\software\classes\dsrch.popupwindow.1\ (3 subtraces) (ID = 513088)
4:49 PM: HKLM\software\classes\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 513114)
4:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (ID = 513230)
4:49 PM: HKLM\software\classes\dsrch.bottomframe\ (5 subtraces) (ID = 646382)
4:49 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\related sites toolbar\ (2 subtraces) (ID = 652841)
4:49 PM: Found Adware: bookedspace
4:49 PM: HKLM\software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com\ (3 subtraces) (ID = 662284)
4:49 PM: HKLM\software\microsoft\windows\currentversion\run\ || dinst (ID = 705664)
4:49 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || shell (ID = 711393)
4:49 PM: Found Adware: visfx
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
4:49 PM: HKLM\system\currentcontrolset\services\windows overlay components\ (12 subtraces) (ID = 712954)
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm81.ocx\ (2 subtraces) (ID = 762354)
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
4:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
4:49 PM: Found Adware: clkoptimizer
4:49 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
4:49 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
4:49 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
4:49 PM: Found Adware: 180search assistant/zango
4:49 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
4:49 PM: Found Adware: shopathomeselect
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
4:49 PM: HKLM\software\qstat\ || brr (ID = 877670)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\surfsidekick3\ (3 subtraces) (ID = 143412)
4:49 PM: Found Adware: cws-aboutblank
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\searchurl\ (ID = 128212)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\psof1\ (10 subtraces) (ID = 136530)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\aurora\ (27 subtraces) (ID = 360174)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\dsrch\ (11 subtraces) (ID = 509156)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
4:49 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search page (ID = 128207)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\searchurl\ (ID = 128212)
4:49 PM: HKU\S-1-5-18\software\communicator toolbar\ (9 subtraces) (ID = 140688)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
4:49 PM: HKU\S-1-5-18\software\dsrch\ (7 subtraces) (ID = 509156)
4:49 PM: Registry Sweep Complete, Elapsed Time:00:00:45
4:49 PM: Starting Cookie Sweep
4:49 PM: Found Spy Cookie: 2o7.net cookie
4:49 PM: owner@2o7[2].txt (ID = 1957)
4:49 PM: Found Spy Cookie: 888 cookie
4:49 PM: owner@888[1].txt (ID = 2019)
4:49 PM: Found Spy Cookie: yieldmanager cookie
4:49 PM: [email protected][1].txt (ID = 3751)
4:49 PM: Found Spy Cookie: adknowledge cookie
4:49 PM: owner@adknowledge[2].txt (ID = 2072)
4:49 PM: Found Spy Cookie: hbmediapro cookie
4:49 PM: [email protected][2].txt (ID = 2768)
4:49 PM: Found Spy Cookie: adrevolver cookie
4:49 PM: owner@adrevolver[1].txt (ID = 2088)
4:49 PM: owner@adrevolver[2].txt (ID = 2088)
4:49 PM: Found Spy Cookie: adserver cookie
4:49 PM: owner@adserver[1].txt (ID = 2141)
4:49 PM: Found Spy Cookie: advertising cookie
4:49 PM: owner@advertising[2].txt (ID = 2175)
4:49 PM: Found Spy Cookie: falkag cookie
4:49 PM: [email protected][1].txt (ID = 2650)
4:49 PM: [email protected][2].txt (ID = 2650)
4:49 PM: Found Spy Cookie: ask cookie
4:49 PM: owner@ask[1].txt (ID = 2245)
4:49 PM: Found Spy Cookie: atlas dmt cookie
4:49 PM: owner@atdmt[2].txt (ID = 2253)
4:49 PM: Found Spy Cookie: belnk cookie
4:49 PM: [email protected][1].txt (ID = 2293)
4:49 PM: Found Spy Cookie: atwola cookie
4:49 PM: owner@atwola[2].txt (ID = 2255)
4:49 PM: Found Spy Cookie: a cookie
4:49 PM: owner@a[2].txt (ID = 2027)
4:49 PM: Found Spy Cookie: banner cookie
4:49 PM: owner@banner[1].txt (ID = 2276)
4:49 PM: owner@belnk[2].txt (ID = 2292)
4:49 PM: Found Spy Cookie: btgrab cookie
4:49 PM: [email protected][2].txt (ID = 2333)
4:49 PM: Found Spy Cookie: gostats cookie
4:49 PM: [email protected][2].txt (ID = 2748)
4:49 PM: Found Spy Cookie: cliks cookie
4:49 PM: owner@cliks[1].txt (ID = 2414)
4:49 PM: Found Spy Cookie: sextracker cookie
4:49 PM: [email protected][1].txt (ID = 3362)
4:49 PM: [email protected][1].txt (ID = 2293)
4:49 PM: Found Spy Cookie: ru4 cookie
4:49 PM: [email protected][2].txt (ID = 3269)
4:49 PM: Found Spy Cookie: fastclick cookie
4:49 PM: owner@fastclick[1].txt (ID = 2651)
4:49 PM: owner@fastclick[2].txt (ID = 2651)
4:49 PM: owner@gostats[2].txt (ID = 2747)
4:49 PM: Found Spy Cookie: clickandtrack cookie
4:49 PM: [email protected][2].txt (ID = 2397)
4:49 PM: Found Spy Cookie: kmpads cookie
4:49 PM: owner@kmpads[1].txt (ID = 2909)
4:49 PM: Found Spy Cookie: offeroptimizer cookie
4:49 PM: owner@offeroptimizer[2].txt (ID = 3087)
4:49 PM: Found Spy Cookie: overture cookie
4:49 PM: [email protected][1].txt (ID = 3106)
4:49 PM: Found Spy Cookie: questionmarket cookie
4:49 PM: owner@questionmarket[2].txt (ID = 3217)
4:49 PM: Found Spy Cookie: realmedia cookie
4:49 PM: owner@realmedia[1].txt (ID = 3235)
4:49 PM: Found Spy Cookie: adjuggler cookie
4:49 PM: [email protected][2].txt (ID = 2071)
4:49 PM: Found Spy Cookie: servedby advertising cookie
4:49 PM: [email protected][1].txt (ID = 3335)
4:49 PM: owner@sextracker[2].txt (ID = 3361)
4:49 PM: Found Spy Cookie: reliablestats cookie
4:49 PM: [email protected][2].txt (ID = 3254)
4:49 PM: Found Spy Cookie: targetnet cookie
4:49 PM: owner@targetnet[1].txt (ID = 3489)
4:49 PM: Found Spy Cookie: toplist cookie
4:49 PM: owner@toplist[1].txt (ID = 3557)
4:49 PM: Found Spy Cookie: tradedoubler cookie
4:49 PM: owner@tradedoubler[1].txt (ID = 3575)
4:49 PM: Found Spy Cookie: trafficmp cookie
4:49 PM: owner@trafficmp[1].txt (ID = 3581)
4:49 PM: Found Spy Cookie: tribalfusion cookie
4:49 PM: owner@tribalfusion[2].txt (ID = 3589)
4:49 PM: Found Spy Cookie: myaffiliateprogram.com cookie
4:49 PM: [email protected][1].txt (ID = 3032)
4:49 PM: owner@yieldmanager[1].txt (ID = 3749)
4:49 PM: [email protected][1].txt (ID = 2142)
4:49 PM: Found Spy Cookie: casalemedia cookie
4:49 PM: system@casalemedia[2].txt (ID = 2354)
4:49 PM: [email protected][1].txt (ID = 3269)
4:49 PM: Found Spy Cookie: exitexchange cookie
4:49 PM: system@exitexchange[2].txt (ID = 2633)
4:49 PM: Found Spy Cookie: paypopup cookie
4:49 PM: system@paypopup[2].txt (ID = 3119)
4:49 PM: system@questionmarket[1].txt (ID = 3217)
4:49 PM: Found Spy Cookie: rednova cookie
4:49 PM: system@rednova[2].txt (ID = 3245)
4:49 PM: system@trafficmp[2].txt (ID = 3581)
4:49 PM: [email protected][1].txt (ID = 3246)
4:49 PM: Found Spy Cookie: zedo cookie
4:49 PM: system@zedo[2].txt (ID = 3762)
4:49 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
4:49 PM: Starting File Sweep
4:50 PM: Found Adware: webhancer
4:50 PM: c:\program files\whinstall (5 subtraces) (ID = -2147480064)
4:50 PM: c:\program files\quick links (2 subtraces) (ID = -2147478145)
4:50 PM: Found Adware: virtualbouncer
4:50 PM: c:\program files\vbouncer (2 subtraces) (ID = -2147477376)
4:50 PM: c:\program files\surfsidekick 3 (ID = -2147480186)
4:50 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
4:50 PM: Found Adware: cas
4:50 PM: c:\program files\cmsystem (ID = -2147471610)
4:50 PM: backup-20051004-233143-932.inf (ID = 144896)
4:50 PM: wmprfptb.prx:ypgwmu (ID = 56287)
4:50 PM: backup-20051004-233142-977.dll.tcf (ID = 115632)
4:50 PM: wmprfchs.prx:byvgwy (ID = 56270)
4:50 PM: preuninstallcom.exe (ID = 74818)
4:50 PM: wmprfjpn.prx:foorkk (ID = 54051)
4:50 PM: backup-20050820-024611-298.dll.tcf (ID = 115632)
4:50 PM: vmmreg32.dll:jmucx (ID = 56447)
4:50 PM: backup-20051014-122146-985.dll (ID = 131321)
4:50 PM: wmsetup.log:bqjpah (ID = 54093)
4:51 PM: qekrmujx.exe (ID = 159311)
4:51 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
4:51 PM: fhlyvp.exe (ID = 158592)
4:51 PM: clock.avi:uqanf (ID = 56270)
4:51 PM: pcs_0031.exe (ID = 161706)
4:51 PM: backup-20051004-233142-567.dll (ID = 131321)
4:51 PM: backup-20051004-233143-657.dll (ID = 73425)
4:51 PM: blue lace 16.bmp:pyxtq (ID = 56447)
4:52 PM: 5b490ro6.exe (ID = 157331)
4:52 PM: Found Adware: winantispyware 2005
4:52 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
4:52 PM: wmprfesp.prx:qnkqv (ID = 56447)
4:52 PM: wmprfheb.prx:incwp (ID = 56447)
4:52 PM: wmprfkor.prx:bovbr (ID = 56447)
4:52 PM: uclvf.exe (ID = 159311)
4:53 PM: music store.ico:drvzty (ID = 56270)
4:53 PM: sskknwrd.dll (ID = 77733)
4:53 PM: t30debuglogfile.txt:trhmf (ID = 56194)
4:53 PM: msnavpklog.txt:vcelr (ID = 56711)
4:53 PM: Found Adware: cws_tiny0
4:53 PM: olx98nt.sys:mrqyr (ID = 56968)
4:53 PM: nsw.log:bpfgu (ID = 56968)
4:53 PM: m67m.inf (ID = 74028)
4:53 PM: sskbho.dll (ID = 163865)
4:53 PM: ocgen.log:faalko (ID = 56287)
4:54 PM: patch.exe:fraet (ID = 55707)
4:54 PM: ntq5e7dn.dll (ID = 157332)
4:54 PM: uudmzf.exe (ID = 158592)
4:54 PM: stb.exe (ID = 94666)
4:54 PM: ssk.exe (ID = 163864)
4:54 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
4:55 PM: 30r8imok.exe (ID = 157330)
4:55 PM: Found Adware: ist yoursitebar
4:55 PM: backup-20050820-024612-156.dll.tcf (ID = 133888)
4:55 PM: apd123.exe.tcf (ID = 161622)
4:55 PM: uninst.exe (ID = 73428)
4:55 PM: mon2007.dbd (ID = 57693)
4:55 PM: qldf.bin (ID = 131688)
4:55 PM: Found Adware: isearch toolbar
4:55 PM: mte2odm6odoxng.exe.tcf (ID = 145831)
4:55 PM: mediaticketsinstaller.inf (ID = 73158)
4:55 PM: qlink32.dll (ID = 73425)
4:55 PM: ypowlt.exe (ID = 158592)
4:56 PM: preuninstallql.exe (ID = 131326)
4:56 PM: uninst.exe (ID = 73428)
4:56 PM: sskknwrd.dll (ID = 77733)
4:56 PM: Found Trojan Horse: trojan_downloader_tibser
4:56 PM: odbc.ini:jrtka (ID = 81471)
4:57 PM: msxmidi.exe.js:gwqvn (ID = 55098)
4:57 PM: {2cea2f29-8fb4-4414-bc3b-fe8205b3cee1}.dat:yjzri (ID = 56711)
4:58 PM: dsr.exe.tcf (ID = 121121)
4:59 PM: installt.exe (ID = 82806)
4:59 PM: whinstaller.ini (ID = 83848)
4:59 PM: whagent.inf (ID = 83822)
5:00 PM: _default.pif:nmjryt (ID = 81471)
5:00 PM: auhccup1.dll:jpxurb (ID = 56287)
5:00 PM: {3ad02412-f082-4583-b4a2-5888e7e64911}.dat:gnbwse (ID = 56270)
5:00 PM: active setup log.txt:rofppq (ID = 54051)
5:00 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
5:00 PM: btnetw3-995329.exe (ID = 155333)
5:00 PM: rifqr.exe (ID = 159311)
5:00 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || rifqr (ID = 0)
5:01 PM: msnsetuplog.bak:lrcmzn (ID = 81471)
5:01 PM: notepad.exe.bak:uqcuj (ID = 56711)
5:01 PM: 9b7psqu9.exe.tcf (ID = 130510)
5:01 PM: mon1920.dbd (ID = 57692)
5:01 PM: wingenerics.dll (ID = 50187)
5:02 PM: patch.exe:qtlwgb (ID = 54093)
5:02 PM: dsr.dll.tcf (ID = 115632)
5:02 PM: comsetup.log:xdsnj (ID = 53966)
5:02 PM: ocmsn.log:jsouf (ID = 56447)
5:03 PM: mm81.ocx (ID = 144897)
5:03 PM: orun32.isu:uurmb (ID = 53966)
5:03 PM: wmprfrus.prx:vpdtr (ID = 56447)
5:03 PM: clock.avi:uqanfo (ID = 54093)
5:04 PM: mqjwnm.exe (ID = 159311)
5:05 PM: vminst.log:dpczx (ID = 56966)
5:05 PM: kb885836.log:ilbgrd (ID = 81471)
5:05 PM: kb887822.log:bltlln (ID = 56270)
5:06 PM: mediaticketsinstaller.ocx.tcf (ID = 73164)
5:08 PM: sskcwrd.dll (ID = 77712)
5:08 PM: whagent.ini (ID = 83825)
5:08 PM: mon0204.ddx (ID = 57681)
5:08 PM: mon1125.ddx (ID = 57685)
5:08 PM: mon1909.ddx (ID = 57691)
5:08 PM: mon0504.ddx (ID = 57681)
5:08 PM: mon0904.ddx (ID = 57691)
5:08 PM: mon0412.ddx (ID = 57681)
5:08 PM: mon0106.ddx (ID = 57679)
5:08 PM: mon0315.ddx (ID = 57681)
5:08 PM: mon1204.ddx (ID = 57681)
5:08 PM: Found System Monitor: potentially rootkit-masked files


#24
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
Hmmmm, doesn't look like the reply got much of anything from the scans on here. I am going to attach the text files of the Spy Sweeper log and the HJT startup log in this reply.

Here is the fresh HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:33:40 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [yojjksx] C:\WINDOWS\yojjksx.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oqseas] C:\WINDOWS\system32\xautvcr.exe r
O4 - HKLM\..\Run: [omvoopq] C:\WINDOWS\system32\qsznvh.exe r
O4 - HKLM\..\Run: [ngclwp] C:\WINDOWS\system32\pfjsiv.exe r
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [iehh.exe] C:\WINDOWS\system32\iehh.exe
O4 - HKLM\..\Run: [dsdxgqqx] C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [d3tr32.exe] C:\WINDOWS\system32\d3tr32.exe
O4 - HKLM\..\Run: [d3sq.exe] C:\WINDOWS\system32\d3sq.exe
O4 - HKLM\..\Run: [cxvwaq] C:\WINDOWS\system32\lzoeor.exe r
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [bowgfxgi] C:\WINDOWS\System32\oakuodn.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [696.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dsdxgqqxikvgip - Unknown owner - C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Attached File  Spy_Sweeper_Session_Log.txt   73.39KB   99 downloads
Attached File  startuplist.txt   35.74KB   102 downloads

#25
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please copy/paste those 2 attachments into a reply, for they are practically illegible and we need all the help that we can get. I would use the system as little as possible until this is resolved.

Regards and well done

Trevuren


#26
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
OK, I'll do that.

Edited by biggun1234, 17 October 2005 - 12:16 AM.


#27
biggun1234

    Member

  • Topic Starter
  • Member
  • 49 posts
StartupList report, 10/16/2005, 8:21:15 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
Registration-Studio 7SE.lnk = ?

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
THGuard = "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
yojjksx = C:\WINDOWS\yojjksx.exe
WinampAgent = F:\Program Files\Winamp\winampa.exe
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
oqseas = C:\WINDOWS\system32\xautvcr.exe r
omvoopq = C:\WINDOWS\system32\qsznvh.exe r
ngclwp = C:\WINDOWS\system32\pfjsiv.exe r
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
iehh.exe = C:\WINDOWS\system32\iehh.exe
dsdxgqqx = C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
DigidesignMMERefresh = F:\Program Files\Digidesign\Drivers\MMERefresh.exe
d3tr32.exe = C:\WINDOWS\system32\d3tr32.exe
d3sq.exe = C:\WINDOWS\system32\d3sq.exe
cxvwaq = C:\WINDOWS\system32\lzoeor.exe r
Creative WebCam Tray = C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
bowgfxgi = C:\WINDOWS\System32\oakuodn.exe
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
696.tmp = C:\DOCUME~1\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = "C:\WINDOWS\notepad.exe" "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...86/wmsp9dmo.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[{26098EA2-C95D-48EA-89B4-63C5A63BD42F}]
CODEBASE = http://www.pacimedia...ll/pcs_0002.exe

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[{41564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...01F/wmvadvd.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[CRAVOnline Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ravonline.dll
CODEBASE = http://www.ravantivi...n/ravonline.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab

[CSS Web Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cssweb.dll
CODEBASE = http://www.freedom.n...cabs/cssweb.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

61883 Unit Device: System32\DRIVERS\61883.sys (manual start)
Intel® 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adyhxyb: \??\C:\WINDOWS\system32\ikvgip\adyhxyb.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD AGP Bus Filter Driver: System32\DRIVERS\amdagp.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\SYSTEM32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVC Device: System32\DRIVERS\avc.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
C-DillaCdaC11BA: C:\WINDOWS\system32\drivers\CDAC11BA.EXE (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CdaC15BA: \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS (autostart)
cdfouvs: \??\C:\WINDOWS\system32\whecdwm\cdfouvs (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dal service: system32\drivers\dalwdm.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DigiFilter: System32\drivers\DigiFi~1.sys (system)
Digidesign MME Refresh Service: F:\Program Files\Digidesign\Drivers\MMERefresh.exe -s (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dsdxgqqxikvgip: C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (autostart)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
idrmkl: \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\idrmkl.sys (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
ivhjnfc: \??\C:\WINDOWS\system32\qagnjkr\ivhjnfc.sys (manual start)
jvdnncd: \??\C:\WINDOWS\system32\pcox\jvdnncd (manual start)
kafjrfr: \??\C:\WINDOWS\system32\hjnqapd\kafjrfr (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
mchInjDrv: \??\C:\WINDOWS\TEMP\mc21.tmp (disabled)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft DV Camera and VCR: System32\DRIVERS\msdv.sys (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
neeucsn: \??\C:\WINDOWS\system32\ugoyfn\neeucsn (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Creative WebCam Live!: system32\DRIVERS\P0630Vid.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3SavageNB: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SBP-2 Transport/Protocol Bus Driver: System32\DRIVERS\sbp2port.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSI: SYSTEM32\Drivers\SSI.SYS (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Player Recovery Device Control Driver: System32\Drivers\StMp3Rec.sys (manual start)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{629945EB-4822-491D-8085-B2A660303DEE} (manual start)
SymWMI Service: "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" (autostart)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TPkcess: \??\C:\WINDOWS\system32\drivers\viadmio9.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
UnlockerDriver4 Driver: \??\C:\Program Files\Unlocker\UnlockerDriver4.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 37,326 bytes
Report generated in 0.204 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#28
biggun1234

  • Topic Starter
  • Member
  • 49 posts
********
7:54 PM: | Start of Session, Sunday, October 16, 2005 |
7:54 PM: Spy Sweeper started
7:54 PM: Sweep initiated using definitions version 555
7:54 PM: Starting Memory Sweep
7:56 PM: Memory Sweep Complete, Elapsed Time: 00:01:10
7:56 PM: Starting Registry Sweep
7:56 PM: Found Adware: apropos
7:56 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
7:56 PM: Found Adware: begin2search
7:56 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 104095)
7:56 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
7:56 PM: Found Adware: hotsearchbar toolbar
7:56 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
7:56 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 104097)
7:56 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
7:56 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
7:56 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 104099)
7:56 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
7:56 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
7:56 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 104101)
7:56 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
7:56 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
7:56 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
7:56 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
7:56 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
7:56 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
7:56 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
7:56 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
7:56 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
7:56 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
7:56 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
7:56 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
7:56 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
7:56 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
7:56 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
7:56 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
7:56 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 104145)
7:56 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
7:56 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
7:56 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 104147)
7:56 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
7:56 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
7:56 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 104149)
7:56 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
7:56 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
7:56 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 104151)
7:56 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
7:56 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
7:56 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
7:56 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
7:56 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
7:56 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
7:56 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
7:56 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
7:56 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
7:56 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
7:56 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
7:56 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
7:56 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
7:56 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
7:56 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
7:56 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
7:56 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
7:56 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
7:56 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
7:56 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
7:56 PM: Found Adware: cws_easy-search.biz hijacker
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117153)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117154)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117155)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117156)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117157)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117158)
7:56 PM: Found Adware: drsnsrch.com hijack
7:56 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 128209)
7:56 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 128210)
7:56 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 128211)
7:56 PM: Found Adware: mirar webband
7:56 PM: HKLM\software\relatedpageinstall\ (6 subtraces) (ID = 135120)
7:56 PM: Found Trojan Horse: trojan-downloader-pacisoft
7:56 PM: HKLM\software\microsoft\code store database\distribution units\{972bb342-14a7-4660-83c1-51ddbee171db}\ (8 subtraces) (ID = 136524)
7:56 PM: Found Adware: purityscan
7:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
7:56 PM: Found Adware: media-motor
7:56 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
7:56 PM: Found Adware: search fast communicator toolbar
7:56 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
7:56 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
7:56 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
7:56 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
7:56 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
7:56 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
7:56 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
7:56 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
7:56 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
7:56 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
7:56 PM: HKU\.default\software\communicator toolbar\ (9 subtraces) (ID = 140696)
7:56 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
7:56 PM: Found Adware: surfsidekick
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143406)
7:56 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
7:56 PM: Found Adware: delfin
7:56 PM: HKLM\software\wincin\ (2 subtraces) (ID = 359317)
7:56 PM: Found Adware: winad
7:56 PM: HKLM\software\media gateway\ (2 subtraces) (ID = 359545)
7:56 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
7:56 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
7:56 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
7:56 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
7:56 PM: Found Adware: drsnsrch hijacker
7:56 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
7:56 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
7:56 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
7:56 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
7:56 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
7:56 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (ID = 513230)
7:56 PM: Found Adware: clkoptimizer
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
7:56 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
7:56 PM: Found Adware: visfx
7:56 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
7:56 PM: Found Adware: abetterinternet
7:56 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm81.ocx\ (2 subtraces) (ID = 762354)
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
7:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
7:56 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
7:56 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
7:56 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
7:56 PM: Found Adware: 180search assistant/zango
7:56 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
7:56 PM: Found Adware: shopathomeselect
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || apd123 (ID = 861469)
7:56 PM: HKLM\software\qstat\ || brr (ID = 877670)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\surfsidekick3\ (3 subtraces) (ID = 143412)
7:56 PM: Found Adware: cws-aboutblank
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\psof1\ (10 subtraces) (ID = 136530)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
7:56 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
7:56 PM: HKU\S-1-5-18\software\communicator toolbar\ (9 subtraces) (ID = 140688)
7:56 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
7:56 PM: HKU\S-1-5-18\software\dsrch\ (7 subtraces) (ID = 509156)
7:56 PM: Registry Sweep Complete, Elapsed Time:00:00:31
7:56 PM: Starting Cookie Sweep
7:56 PM: Found Spy Cookie: 888 cookie
7:56 PM: owner@888[1].txt (ID = 2019)
7:56 PM: Found Spy Cookie: yieldmanager cookie
7:56 PM: [email protected][2].txt (ID = 3751)
7:56 PM: Found Spy Cookie: adknowledge cookie
7:56 PM: owner@adknowledge[1].txt (ID = 2072)
7:56 PM: Found Spy Cookie: adrevolver cookie
7:56 PM: owner@adrevolver[2].txt (ID = 2088)
7:56 PM: owner@adrevolver[3].txt (ID = 2088)
7:56 PM: Found Spy Cookie: adserver cookie
7:56 PM: owner@adserver[2].txt (ID = 2141)
7:56 PM: Found Spy Cookie: advertising cookie
7:56 PM: owner@advertising[1].txt (ID = 2175)
7:56 PM: Found Spy Cookie: ask cookie
7:56 PM: owner@ask[1].txt (ID = 2245)
7:56 PM: Found Spy Cookie: atlas dmt cookie
7:56 PM: owner@atdmt[2].txt (ID = 2253)
7:56 PM: Found Spy Cookie: belnk cookie
7:56 PM: [email protected][2].txt (ID = 2293)
7:56 PM: Found Spy Cookie: banner cookie
7:56 PM: owner@banner[1].txt (ID = 2276)
7:56 PM: owner@belnk[1].txt (ID = 2292)
7:56 PM: Found Spy Cookie: bluestreak cookie
7:56 PM: owner@bluestreak[1].txt (ID = 2314)
7:56 PM: Found Spy Cookie: casalemedia cookie
7:56 PM: owner@casalemedia[2].txt (ID = 2354)
7:56 PM: [email protected][2].txt (ID = 2293)
7:56 PM: Found Spy Cookie: fastclick cookie
7:56 PM: owner@fastclick[1].txt (ID = 2651)
7:56 PM: Found Spy Cookie: overture cookie
7:56 PM: [email protected][1].txt (ID = 3106)
7:56 PM: Found Spy Cookie: questionmarket cookie
7:56 PM: owner@questionmarket[1].txt (ID = 3217)
7:56 PM: Found Spy Cookie: realmedia cookie
7:56 PM: owner@realmedia[1].txt (ID = 3235)
7:56 PM: Found Spy Cookie: adjuggler cookie
7:56 PM: [email protected][1].txt (ID = 2071)
7:56 PM: Found Spy Cookie: servedby advertising cookie
7:56 PM: [email protected][2].txt (ID = 3335)
7:56 PM: Found Spy Cookie: reliablestats cookie
7:56 PM: [email protected][2].txt (ID = 3254)
7:56 PM: Found Spy Cookie: tradedoubler cookie
7:56 PM: owner@tradedoubler[1].txt (ID = 3575)
7:56 PM: Found Spy Cookie: trafficmp cookie
7:56 PM: owner@trafficmp[2].txt (ID = 3581)
7:56 PM: Found Spy Cookie: myaffiliateprogram.com cookie
7:56 PM: [email protected][2].txt (ID = 3032)
7:56 PM: Found Spy Cookie: zedo cookie
7:56 PM: owner@zedo[2].txt (ID = 3762)
7:56 PM: system@casalemedia[1].txt (ID = 2354)
7:56 PM: system@zedo[2].txt (ID = 3762)
7:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
7:56 PM: Starting File Sweep
7:57 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
7:57 PM: Found Adware: cws_ns3
7:57 PM: wmprfptb.prx:ypgwmu (ID = 56287)
7:57 PM: preuninstallcom.exe (ID = 74818)
7:57 PM: Found Adware: coolwebsearch (cws)
7:57 PM: wmprfjpn.prx:foorkk (ID = 54051)
7:57 PM: vmmreg32.dll:jmucx (ID = 56447)
7:57 PM: Found Trojan Horse: lzio
7:57 PM: qekrmujx.exe (ID = 159311)
7:57 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
7:57 PM: blue lace 16.bmp:pyxtq (ID = 56447)
7:58 PM: Found Adware: winantispyware 2005
7:58 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
7:58 PM: wmprfesp.prx:qnkqv (ID = 56447)
7:58 PM: wmprfheb.prx:incwp (ID = 56447)
7:58 PM: wmprfkor.prx:bovbr (ID = 56447)
7:58 PM: uclvf.exe (ID = 159311)
7:58 PM: sskknwrd.dll (ID = 77733)
7:58 PM: msnavpklog.txt:vcelr (ID = 56711)
7:58 PM: mnlwmv.exe (ID = 159311)
7:58 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mnlwmv (ID = 0)
7:58 PM: m67m.inf (ID = 74028)
7:58 PM: ocgen.log:faalko (ID = 56287)
7:59 PM: stb.exe (ID = 94666)
7:59 PM: ssk.exe (ID = 163864)
7:59 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
7:59 PM: mediagatewayx.dll (ID = 156819)
7:59 PM: mediaticketsinstaller.inf (ID = 73158)
8:00 PM: sskknwrd.dll (ID = 77733)
8:00 PM: msxmidi.exe.js:gwqvn (ID = 55098)
8:01 PM: auhccup1.dll:jpxurb (ID = 56287)
8:01 PM: active setup log.txt:rofppq (ID = 54051)
8:01 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
8:01 PM: btnetw3-995329.exe (ID = 155333)
8:01 PM: rifqr.exe (ID = 159311)
8:01 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || rifqr (ID = 0)
8:02 PM: wingenerics.dll (ID = 50187)
8:02 PM: comsetup.log:xdsnj (ID = 53966)
8:02 PM: ocmsn.log:jsouf (ID = 56447)
8:02 PM: orun32.isu:uurmb (ID = 53966)
8:03 PM: wmprfrus.prx:vpdtr (ID = 56447)
8:03 PM: mqjwnm.exe (ID = 159311)
8:03 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mqjwnm (ID = 0)
8:04 PM: sskcwrd.dll (ID = 77712)
8:04 PM: Warning: Failed to access drive F:
8:04 PM: File Sweep Complete, Elapsed Time: 00:08:08
8:04 PM: Full Sweep has completed. Elapsed time 00:09:59
8:04 PM: Traces Found: 844
********
7:36 PM: | Start of Session, Sunday, October 16, 2005 |
7:36 PM: Spy Sweeper started
7:36 PM: Sweep initiated using definitions version 555
7:36 PM: Starting Memory Sweep
7:36 PM: Sweep Canceled
7:36 PM: Memory Sweep Complete, Elapsed Time: 00:00:07
7:36 PM: Traces Found: 0
7:54 PM: Program Version 4.5.3 (Build 560) Using Spyware Definitions 555
7:54 PM: | End of Session, Sunday, October 16, 2005 |
********
9:25 PM: | Start of Session, Friday, October 14, 2005 |
9:25 PM: Spy Sweeper started
9:25 PM: Sweep initiated using definitions version 555
9:25 PM: Starting Memory Sweep
9:27 PM: Sweep Canceled
9:27 PM: Memory Sweep Complete, Elapsed Time: 00:01:36
9:27 PM: Traces Found: 0
9:40 AM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:40 AM: Detected running threat: lzio
11:21 AM: Ignored memory-resident threat: lzio
11:21 AM: The Spy Communication shield has blocked access to: paypopup.com
11:21 AM: The Spy Communication shield has blocked access to: paypopup.com
11:26 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:26 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
4:36 PM: ActiveX Shield: found: Adware: winad, version 1.0.0.0 -- Installation denied
4:37 PM: Spy Installation Shield: found: Adware: winad, version 1.0.0.0 -- Execution Denied
4:37 PM: Processing Startup Alerts
4:37 PM: Removed Startup entry: mnlwmv
5:27 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
5:27 PM: Detected running threat: lzio
5:27 PM: Ignored memory-resident threat: lzio
7:38 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
7:38 PM: Detected running threat: lzio
7:38 PM: Ignored memory-resident threat: lzio
7:50 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
7:50 PM: Detected running threat: lzio
7:50 PM: Ignored memory-resident threat: lzio
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:14 PM: The Spy Communication shield has blocked access to: paypopup.com
9:14 PM: The Spy Communication shield has blocked access to: paypopup.com
9:17 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:17 PM: Detected running threat: lzio
9:17 PM: Ignored memory-resident threat: lzio
9:27 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:27 PM: Detected running threat: lzio
9:27 PM: Ignored memory-resident threat: lzio
12:25 AM: The Spy Communication shield has blocked access to: paypopup.com
12:25 AM: The Spy Communication shield has blocked access to: paypopup.com
2:25 AM: The Spy Communication shield has blocked access to: paypopup.com
2:25 AM: The Spy Communication shield has blocked access to: paypopup.com
5:25 AM: The Spy Communication shield has blocked access to: paypopup.com
5:25 AM: The Spy Communication shield has blocked access to: paypopup.com
9:25 AM: The Spy Communication shield has blocked access to: paypopup.com
9:25 AM: The Spy Communication shield has blocked access to: paypopup.com
11:58 AM: IE Security Shield: found: C:\WINDOWS\SYSTEM32\RUNDLL32.EXE -- IE Security modification allowed at user request
12:10 PM: Error: Access violation at address 0055E852 in module 'WRSSSDK.exe'. Read of address 00000004.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:49 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
3:49 PM: Detected running threat: lzio
3:49 PM: Ignored memory-resident threat: lzio
7:35 PM: Updating spyware definitions
7:35 PM: Your definitions are up to date.
7:35 PM: Updating spyware definitions
7:35 PM: Your definitions are up to date.
7:36 PM: Only Sweep Folders Where Threats Are Known to Reside
7:36 PM: | End of Session, Sunday, October 16, 2005 |
********
9:25 PM: | Start of Session, Friday, October 14, 2005 |
9:25 PM: Spy Sweeper started
9:25 PM: Sweep initiated using definitions version 555
9:25 PM: Starting Memory Sweep
9:25 PM: Sweep Canceled
9:25 PM: Memory Sweep Complete, Elapsed Time: 00:00:19
9:25 PM: Traces Found: 0
9:25 PM: Only Sweep Folders Where Threats Are Known to Reside
9:25 PM: | End of Session, Friday, October 14, 2005 |
********
6:15 PM: | Start of Session, Friday, October 14, 2005 |
6:15 PM: Spy Sweeper started
6:15 PM: Sweep initiated using definitions version 555
6:15 PM: Starting Memory Sweep
6:15 PM: Sweep Canceled
6:15 PM: Memory Sweep Complete, Elapsed Time: 00:00:03
6:15 PM: Traces Found: 0
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:06 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:07 PM: Processing Startup Alerts
9:07 PM: Removed Startup entry: mnlwmv
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:13 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:13 PM: Detected running threat: lzio
9:15 PM: Ignored memory-resident threat: lzio
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:24 PM: Updating spyware definitions
9:24 PM: Your definitions are up to date.
9:25 PM: | End of Session, Friday, October 14, 2005 |
********
4:46 PM: | Start of Session, Friday, October 14, 2005 |
4:46 PM: Spy Sweeper started
4:46 PM: Sweep initiated using definitions version 555
4:46 PM: Starting Memory Sweep
4:46 PM: Found Adware: abetterinternet
4:46 PM: Detected running threat: C:\WINDOWS\SYSTEM32\ypowlt.exe (ID = 158592)
4:48 PM: Found Trojan Horse: lzio
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\whecdwm\qekrmujx.exe (ID = 159311)
4:48 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\uudmzf.exe (ID = 158592)
4:48 PM: Detected running threat: C:\WINDOWS\explorer.exe (ID = 63)
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\fhlyvp.exe (ID = 158592)
4:49 PM: Memory Sweep Complete, Elapsed Time: 00:02:33
4:49 PM: Starting Registry Sweep
4:49 PM: Found Adware: apropos
4:49 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
4:49 PM: Found Adware: begin2search
4:49 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 104095)
4:49 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
4:49 PM: Found Adware: hotsearchbar toolbar
4:49 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
4:49 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 104097)
4:49 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
4:49 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
4:49 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 104099)
4:49 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
4:49 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
4:49 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 104101)
4:49 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
4:49 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
4:49 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
4:49 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
4:49 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
4:49 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
4:49 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
4:49 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
4:49 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
4:49 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
4:49 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
4:49 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
4:49 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
4:49 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
4:49 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
4:49 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
4:49 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 104145)
4:49 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
4:49 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
4:49 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 104147)
4:49 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
4:49 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
4:49 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 104149)
4:49 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
4:49 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
4:49 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 104151)
4:49 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
4:49 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
4:49 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
4:49 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
4:49 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
4:49 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
4:49 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
4:49 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
4:49 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
4:49 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
4:49 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
4:49 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
4:49 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
4:49 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
4:49 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
4:49 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
4:49 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
4:49 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
4:49 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
4:49 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
4:49 PM: Found Adware: coolwebsearch (cws)
4:49 PM: HKCR\clsid\{899a5903-19a8-847c-427c-8f50787644ae}\ (2 subtraces) (ID = 107683)
4:49 PM: HKLM\software\classes\clsid\{899a5903-19a8-847c-427c-8f50787644ae}\ (2 subtraces) (ID = 109067)
4:49 PM: Found Adware: cws_ns3
4:49 PM: HKCR\clsid\{aef3e64a-b4fc-fc2a-5ef9-4fc735f322d9}\ (2 subtraces) (ID = 118827)
4:49 PM: HKCR\clsid\{b26e0da6-7964-2b58-9b4b-94cbaa3aff83}\ (2 subtraces) (ID = 118859)
4:49 PM: HKLM\software\classes\clsid\{aef3e64a-b4fc-fc2a-5ef9-4fc735f322d9}\ (2 subtraces) (ID = 120666)
4:49 PM: HKLM\software\classes\clsid\{b26e0da6-7964-2b58-9b4b-94cbaa3aff83}\ (2 subtraces) (ID = 120698)
4:49 PM: Found Adware: delfin
4:49 PM: HKLM\software\motoin\ (2 subtraces) (ID = 124883)
4:49 PM: Found Adware: elitebar
4:49 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
4:49 PM: Found Adware: drsnsrch.com hijack
4:49 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 128208)
4:49 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 128209)
4:49 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 128210)
4:49 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 128211)
4:49 PM: Found Adware: mirar webband
4:49 PM: HKLM\software\relatedpageinstall\ (6 subtraces) (ID = 135120)
4:49 PM: Found Trojan Horse: trojan-downloader-pacisoft
4:49 PM: HKLM\software\microsoft\code store database\distribution units\{972bb342-14a7-4660-83c1-51ddbee171db}\ (8 subtraces) (ID = 136524)
4:49 PM: Found Adware: purityscan
4:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
4:49 PM: Found Adware: media-motor
4:49 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
4:49 PM: Found Adware: search fast communicator toolbar
4:49 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
4:49 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
4:49 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
4:49 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
4:49 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
4:49 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
4:49 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
4:49 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
4:49 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
4:49 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
4:49 PM: HKU\.default\software\communicator toolbar\ (9 subtraces) (ID = 140696)
4:49 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
4:49 PM: Found Adware: surfsidekick
4:49 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
4:49 PM: HKLM\system\currentcontrolset\services\svcproc\ (12 subtraces) (ID = 146140)
4:49 PM: HKLM\software\wincin\ (2 subtraces) (ID = 359317)
4:49 PM: Found Adware: quicklink search toolbar
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
4:49 PM: HKLM\software\ql\ (2 subtraces) (ID = 359458)
4:49 PM: Found Adware: winad
4:49 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
4:49 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
4:49 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
4:49 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
4:49 PM: Found Adware: drsnsrch hijacker
4:49 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
4:49 PM: HKCR\dsrch.bottomframe\ (5 subtraces) (ID = 509135)
4:49 PM: HKCR\dsrch.leftframe\ (5 subtraces) (ID = 509136)
4:49 PM: HKCR\dsrch.popupbrowser\ (5 subtraces) (ID = 509137)
4:49 PM: HKCR\dsrch.popupwindow\ (5 subtraces) (ID = 509138)
4:49 PM: HKCR\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509139)
4:49 PM: HKCR\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509140)
4:49 PM: HKCR\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509141)
4:49 PM: HKCR\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509142)
4:49 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
4:49 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
4:49 PM: HKLM\software\classes\dsrch.leftframe\ (5 subtraces) (ID = 509179)
4:49 PM: HKLM\software\classes\dsrch.popupbrowser\ (5 subtraces) (ID = 509185)
4:49 PM: HKLM\software\classes\dsrch.popupwindow\ (5 subtraces) (ID = 509191)
4:49 PM: HKLM\software\classes\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509198)
4:49 PM: HKLM\software\classes\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509210)
4:49 PM: HKLM\software\classes\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509224)
4:49 PM: HKLM\software\classes\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509238)
4:49 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
4:49 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
4:49 PM: HKCR\dsrch.bottomframe\clsid\ (1 subtraces) (ID = 509363)
4:49 PM: HKCR\dsrch.bottomframe\curver\ (1 subtraces) (ID = 509364)
4:49 PM: HKCR\dsrch.leftframe\clsid\ (1 subtraces) (ID = 509365)
4:49 PM: HKCR\dsrch.leftframe\curver\ (1 subtraces) (ID = 509366)
4:49 PM: HKCR\dsrch.popupbrowser\clsid\ (1 subtraces) (ID = 509367)
4:49 PM: HKCR\dsrch.popupbrowser\curver\ (1 subtraces) (ID = 509368)
4:49 PM: HKCR\dsrch.popupwindow\clsid\ (1 subtraces) (ID = 509369)
4:49 PM: HKCR\dsrch.popupwindow\curver\ (1 subtraces) (ID = 509370)
4:49 PM: HKCR\dsrch.band.1\ (3 subtraces) (ID = 512692)
4:49 PM: HKCR\dsrch.bottomframe.1\ (3 subtraces) (ID = 512699)
4:49 PM: HKCR\dsrch.leftframe.1\ (3 subtraces) (ID = 512706)
4:49 PM: HKCR\dsrch.popupbrowser.1\ (3 subtraces) (ID = 512713)
4:49 PM: HKCR\dsrch.popupwindow.1\ (3 subtraces) (ID = 512720)
4:49 PM: HKCR\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 512747)
4:49 PM: HKLM\software\classes\dsrch.band.1\ (3 subtraces) (ID = 513072)
4:49 PM: HKLM\software\classes\dsrch.bottomframe.1\ (3 subtraces) (ID = 513076)
4:49 PM: HKLM\software\classes\dsrch.leftframe.1\ (3 subtraces) (ID = 513080)
4:49 PM: HKLM\software\classes\dsrch.popupbrowser.1\ (3 subtraces) (ID = 513084)
4:49 PM: HKLM\software\classes\dsrch.popupwindow.1\ (3 subtraces) (ID = 513088)
4:49 PM: HKLM\software\classes\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 513114)
4:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (ID = 513230)
4:49 PM: HKLM\software\classes\dsrch.bottomframe\ (5 subtraces) (ID = 646382)
4:49 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\related sites toolbar\ (2 subtraces) (ID = 652841)
4:49 PM: Found Adware: bookedspace
4:49 PM: HKLM\software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com\ (3 subtraces) (ID = 662284)
4:49 PM: HKLM\software\microsoft\windows\currentversion\run\ || dinst (ID = 705664)
4:49 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || shell (ID = 711393)
4:49 PM: Found Adware: visfx
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
4:49 PM: HKLM\system\currentcontrolset\services\windows overlay components\ (12 subtraces) (ID = 712954)
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm81.ocx\ (2 subtraces) (ID = 762354)
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
4:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
4:49 PM: Found Adware: clkoptimizer
4:49 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
4:49 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
4:49 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
4:49 PM: Found Adware: 180search assistant/zango
4:49 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
4:49 PM: Found Adware: shopathomeselect
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
4:49 PM: HKLM\software\qstat\ || brr (ID = 877670)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\surfsidekick3\ (3 subtraces) (ID = 143412)
4:49 PM: Found Adware: cws-aboutblank
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\searchurl\ (ID = 128212)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\psof1\ (10 subtraces) (ID = 136530)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\aurora\ (27 subtraces) (ID = 360174)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\dsrch\ (11 subtraces) (ID = 509156)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
4:49 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search page (ID = 128207)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\searchurl\ (ID = 128212)
4:49 PM: HKU\S-1-5-18\software\communicator toolbar\ (9 subtraces) (ID = 140688)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
4:49 PM: HKU\S-1-5-18\software\dsrch\ (7 subtraces) (ID = 509156)
4:49 PM: Registry Sweep Complete, Elapsed Time:00:00:45
4:49 PM: Starting Cookie Sweep
4:49 PM: Found Spy Cookie: 2o7.net cookie
4:49 PM: owner@2o7[2].txt (ID = 1957)
4:49 PM: Found Spy Cookie: 888 cookie
4:49 PM: owner@888[1].txt (ID = 2019)
4:49 PM: Found Spy Cookie: yieldmanager cookie
4:49 PM: [email protected][1].txt (ID = 3751)
4:49 PM: Found Spy Cookie: adknowledge cookie
4:49 PM: owner@adknowledge[2].txt (ID = 2072)
4:49 PM: Found Spy Cookie: hbmediapro cookie
4:49 PM: [email protected][2].txt (ID = 2768)
4:49 PM: Found Spy Cookie: adrevolver cookie
4:49 PM: owner@adrevolver[1].txt (ID = 2088)
4:49 PM: owner@adrevolver[2].txt (ID = 2088)
4:49 PM: Found Spy Cookie: adserver cookie
4:49 PM: owner@adserver[1].txt (ID = 2141)
4:49 PM: Found Spy Cookie: advertising cookie
4:49 PM: owner@advertising[2].txt (ID = 2175)
4:49 PM: Found Spy Cookie: falkag cookie
4:49 PM: [email protected][1].txt (ID = 2650)
4:49 PM: [email protected][2].txt (ID = 2650)
4:49 PM: Found Spy Cookie: ask cookie
4:49 PM: owner@ask[1].txt (ID = 2245)
4:49 PM: Found Spy Cookie: atlas dmt cookie
4:49 PM: owner@atdmt[2].txt (ID = 2253)
4:49 PM: Found Spy Cookie: belnk cookie
4:49 PM: [email protected][1].txt (ID = 2293)
4:49 PM: Found Spy Cookie: atwola cookie
4:49 PM: owner@atwola[2].txt (ID = 2255)
4:49 PM: Found Spy Cookie: a cookie
4:49 PM: owner@a[2].txt (ID = 2027)
4:49 PM: Found Spy Cookie: banner cookie
4:49 PM: owner@banner[1].txt (ID = 2276)
4:49 PM: owner@belnk[2].txt (ID = 2292)
4:49 PM: Found Spy Cookie: btgrab cookie
4:49 PM: [email protected][2].txt (ID = 2333)
4:49 PM: Found Spy Cookie: gostats cookie
4:49 PM: [email protected][2].txt (ID = 2748)
4:49 PM: Found Spy Cookie: cliks cookie
4:49 PM: owner@cliks[1].txt (ID = 2414)
4:49 PM: Found Spy Cookie: sextracker cookie
4:49 PM: [email protected][1].txt (ID = 3362)
4:49 PM: [email protected][1].txt (ID = 2293)
4:49 PM: Found Spy Cookie: ru4 cookie
4:49 PM: [email protected][2].txt (ID = 3269)
4:49 PM: Found Spy Cookie: fastclick cookie
4:49 PM: owner@fastclick[1].txt (ID = 2651)
4:49 PM: owner@fastclick[2].txt (ID = 2651)
4:49 PM: owner@gostats[2].txt (ID = 2747)
4:49 PM: Found Spy Cookie: clickandtrack cookie
4:49 PM: [email protected][2].txt (ID = 2397)
4:49 PM: Found Spy Cookie: kmpads cookie
4:49 PM: owner@kmpads[1].txt (ID = 2909)
4:49 PM: Found Spy Cookie: offeroptimizer cookie
4:49 PM: owner@offeroptimizer[2].txt (ID = 3087)
4:49 PM: Found Spy Cookie: overture cookie
4:49 PM: [email protected][1].txt (ID = 3106)
4:49 PM: Found Spy Cookie: questionmarket cookie
4:49 PM: owner@questionmarket[2].txt (ID = 3217)
4:49 PM: Found Spy Cookie: realmedia cookie
4:49 PM: owner@realmedia[1].txt (ID = 3235)
4:49 PM: Found Spy Cookie: adjuggler cookie
4:49 PM: [email protected][2].txt (ID = 2071)
4:49 PM: Found Spy Cookie: servedby advertising cookie
4:49 PM: [email protected][1].txt (ID = 3335)
4:49 PM: owner@sextracker[2].txt (ID = 3361)
4:49 PM: Found Spy Cookie: reliablestats cookie
4:49 PM: [email protected][2].txt (ID = 3254)
4:49 PM: Found Spy Cookie: targetnet cookie
4:49 PM: owner@targetnet[1].txt (ID = 3489)
4:49 PM: Found Spy Cookie: toplist cookie
4:49 PM: owner@toplist[1].txt (ID = 3557)
4:49 PM: Found Spy Cookie: tradedoubler cookie
4:49 PM: owner@tradedoubler[1].txt (ID = 3575)
4:49 PM: Found Spy Cookie: trafficmp cookie
4:49 PM: owner@trafficmp[1].txt (ID = 3581)
4:49 PM: Found Spy Cookie: tribalfusion cookie
4:49 PM: owner@tribalfusion[2].txt (ID = 3589)
4:49 PM: Found Spy Cookie: myaffiliateprogram.com cookie
4:49 PM: [email protected][1].txt (ID = 3032)
4:49 PM: owner@yieldmanager[1].txt (ID = 3749)
4:49 PM: [email protected][1].txt (ID = 2142)
4:49 PM: Found Spy Cookie: casalemedia cookie
4:49 PM: system@casalemedia[2].txt (ID = 2354)
4:49 PM: [email protected][1].txt (ID = 3269)
4:49 PM: Found Spy Cookie: exitexchange cookie
4:49 PM: system@exitexchange[2].txt (ID = 2633)
4:49 PM: Found Spy Cookie: paypopup cookie
4:49 PM: system@paypopup[2].txt (ID = 3119)
4:49 PM: system@questionmarket[1].txt (ID = 3217)
4:49 PM: Found Spy Cookie: rednova cookie
4:49 PM: system@rednova[2].txt (ID = 3245)
4:49 PM: system@trafficmp[2].txt (ID = 3581)
4:49 PM: [email protected][1].txt (ID = 3246)
4:49 PM: Found Spy Cookie: zedo cookie
4:49 PM: system@zedo[2].txt (ID = 3762)
4:49 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
4:49 PM: Starting File Sweep
4:50 PM: Found Adware: webhancer
4:50 PM: c:\program files\whinstall (5 subtraces) (ID = -2147480064)
4:50 PM: c:\program files\quick links (2 subtraces) (ID = -2147478145)
4:50 PM: Found Adware: virtualbouncer
4:50 PM: c:\program files\vbouncer (2 subtraces) (ID = -2147477376)
4:50 PM: c:\program files\surfsidekick 3 (ID = -2147480186)
4:50 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
4:50 PM: Found Adware: cas
4:50 PM: c:\program files\cmsystem (ID = -2147471610)
4:50 PM: backup-20051004-233143-932.inf (ID = 144896)
4:50 PM: wmprfptb.prx:ypgwmu (ID = 56287)
4:50 PM: backup-20051004-233142-977.dll.tcf (ID = 115632)
4:50 PM: wmprfchs.prx:byvgwy (ID = 56270)
4:50 PM: preuninstallcom.exe (ID = 74818)
4:50 PM: wmprfjpn.prx:foorkk (ID = 54051)
4:50 PM: backup-20050820-024611-298.dll.tcf (ID = 115632)
4:50 PM: vmmreg32.dll:jmucx (ID = 56447)
4:50 PM: backup-20051014-122146-985.dll (ID = 131321)
4:50 PM: wmsetup.log:bqjpah (ID = 54093)
4:51 PM: qekrmujx.exe (ID = 159311)
4:51 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
4:51 PM: fhlyvp.exe (ID = 158592)
4:51 PM: clock.avi:uqanf (ID = 56270)
4:51 PM: pcs_0031.exe (ID = 161706)
4:51 PM: backup-20051004-233142-567.dll (ID = 131321)
4:51 PM: backup-20051004-233143-657.dll (ID = 73425)
4:51 PM: blue lace 16.bmp:pyxtq (ID = 56447)
4:52 PM: 5b490ro6.exe (ID = 157331)
4:52 PM: Found Adware: winantispyware 2005
4:52 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
4:52 PM: wmprfesp.prx:qnkqv (ID = 56447)
4:52 PM: wmprfheb.prx:incwp (ID = 56447)
4:52 PM: wmprfkor.prx:bovbr (ID = 56447)
4:52 PM: uclvf.exe (ID = 159311)
4:53 PM: music store.ico:drvzty (ID = 56270)
4:53 PM: sskknwrd.dll (ID = 77733)
4:53 PM: t30debuglogfile.txt:trhmf (ID = 56194)
4:53 PM: msnavpklog.txt:vcelr (ID = 56711)
4:53 PM: Found Adware: cws_tiny0
4:53 PM: olx98nt.sys:mrqyr (ID = 56968)
4:53 PM: nsw.log:bpfgu (ID = 56968)
4:53 PM: m67m.inf (ID = 74028)
4:53 PM: sskbho.dll (ID = 163865)
4:53 PM: ocgen.log:faalko (ID = 56287)
4:54 PM: patch.exe:fraet (ID = 55707)
4:54 PM: ntq5e7dn.dll (ID = 157332)
4:54 PM: uudmzf.exe (ID = 158592)
4:54 PM: stb.exe (ID = 94666)
4:54 PM: ssk.exe (ID = 163864)
4:54 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
4:55 PM: 30r8imok.exe (ID = 157330)
4:55 PM: Found Adware: ist yoursitebar
4:55 PM: backup-20050820-024612-156.dll.tcf (ID = 133888)
4:55 PM: apd123.exe.tcf (ID = 161622)
4:55 PM: uninst.exe (ID = 73428)
4:55 PM: mon2007.dbd (ID = 57693)
4:55 PM: qldf.bin (ID = 131688)
4:55 PM: Found Adware: isearch toolbar
4:55 PM: mte2odm6odoxng.exe.tcf (ID = 145831)
4:55 PM: mediaticketsinstaller.inf (ID = 73158)
4:55 PM: qlink32.dll (ID = 73425)
4:55 PM: ypowlt.exe (ID = 158592)
4:56 PM: preuninstallql.exe (ID = 131326)
4:56 PM: uninst.exe (ID = 73428)
4:56 PM: sskknwrd.dll (ID = 77733)
4:56 PM: Found Trojan Horse: trojan_downloader_tibser
4:56 PM: odbc.ini:jrtka (ID = 81471)
4:57 PM: msxmidi.exe.js:gwqvn (ID = 55098)
4:57 PM: {2cea2f29-8fb4-4414-bc3b-fe8205b3cee1}.dat:yjzri (ID = 56711)
4:58 PM: dsr.exe.tcf (ID = 121121)
4:59 PM: installt.exe (ID = 82806)
4:59 PM: whinstaller.ini (ID = 83848)
4:59 PM: whagent.inf (ID = 83822)
5:00 PM: _default.pif:nmjryt (ID = 81471)
5:00 PM: auhccup1.dll:jpxurb (ID = 56287)
5:00 PM: {3ad02412-f082-4583-b4a2-5888e7e64911}.dat:gnbwse (ID = 56270)
5:00 PM: active setup log.txt:rofppq (ID = 54051)
5:00 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
5:00 PM: btnetw3-995329.exe (ID = 155333)
5:00 PM: rifqr.exe (ID = 159311)
5:00 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || rifqr (ID = 0)
5:01 PM: msnsetuplog.bak:lrcmzn (ID = 81471)
5:01 PM: notepad.exe.bak:uqcuj (ID = 56711)
5:01 PM: 9b7psqu9.exe.tcf (ID = 130510)
5:01 PM: mon1920.dbd (ID = 57692)
5:01 PM: wingenerics.dll (ID = 50187)
5:02 PM: patch.exe:qtlwgb (ID = 54093)
5:02 PM: dsr.dll.tcf (ID = 115632)
5:02 PM: comsetup.log:xdsnj (ID = 53966)
5:02 PM: ocmsn.log:jsouf (ID = 56447)
5:03 PM: mm81.ocx (ID = 144897)
5:03 PM: orun32.isu:uurmb (ID = 53966)
5:03 PM: wmprfrus.prx:vpdtr (ID = 56447)
5:03 PM: clock.avi:uqanfo (ID = 54093)
5:04 PM: mqjwnm.exe (ID = 159311)
5:05 PM: vminst.log:dpczx (ID = 56966)
5:05 PM: kb885836.log:ilbgrd (ID = 81471)
5:05 PM: kb887822.log:bltlln (ID = 56270)
5:06 PM: mediaticketsinstaller.ocx.tcf (ID = 73164)
5:08 PM: sskcwrd.dll (ID = 77712)
5:08 PM: whagent.ini (ID = 83825)
5:08 PM: mon0204.ddx (ID = 57681)
5:08 PM: mon1125.ddx (ID = 57685)
5:08 PM: mon1909.ddx (ID = 57691)
5:08 PM: mon0504.ddx (ID = 57681)
5:08 PM: mon0904.ddx (ID = 57691)
5:08 PM: mon0412.ddx (ID = 57681)
5:08 PM: mon0106.ddx (ID = 57679)
5:08 PM: mon0315.ddx (ID = 57681)
5:08 PM: mon1204.ddx (ID = 57681)
5:08 PM: Found System Monitor: potentially rootkit-masked files
#29
biggun1234

    Member

  • Topic Starter
  • 49 posts
Here is the rest of the last post

5:56 PM: Sweep Canceled
6:10 PM: Spy Installation Shield: found: Adware: abetterinternet, version 1.1.1.1 -- Execution Denied
6:11 PM: The Spy Communication shield has blocked access to: paypopup.com
6:11 PM: The Spy Communication shield has blocked access to: paypopup.com
6:15 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
6:15 PM: Detected running threat: lzio
6:15 PM: | End of Session, Friday, October 14, 2005 |
********
4:34 PM: | Start of Session, Friday, October 14, 2005 |
4:34 PM: Spy Sweeper started
4:35 PM: Your spyware definitions have been updated.
4:40 PM: Memory Shield: Found: Memory-resident threat abetterinternet, version 1.1.1.1
4:40 PM: Detected running threat: abetterinternet
4:46 PM: | End of Session, Friday, October 14, 2005 |
#30
biggun1234

    Member

  • Topic Starter
  • 49 posts
:tazz: Hi Trevuren, I have some bad news. My friend used this computer today to get some of his schoolwork done. He told me he came across a site that put more d*** spyware on my computer!! I am so angry! I won't let this happen again. When I sat down to check this site, Spy Sweeper said programs such as ELITEMEDIA and shopathome, etc., were installing onto my comp. I immediately restarted into safe mode and ran Spy Sweeper. It caught some stuff and I let it take care of it. However, I don't think it really did take care of it. Now, every once in a while a window keeps coming up saying Internet Explorer needs to shut down, but when I click OK nothing happens and the PC is running funny. I am so, so sorry about this. People are used to just coming in and using my computer, but I am letting everyone know to stay off!! I am putting a password on my user name so nobody but me will be on here. Here is the HJT log after the incident:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:25 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [yojjksx] C:\WINDOWS\yojjksx.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oqseas] C:\WINDOWS\system32\xautvcr.exe r
O4 - HKLM\..\Run: [omvoopq] C:\WINDOWS\system32\qsznvh.exe r
O4 - HKLM\..\Run: [ngclwp] C:\WINDOWS\system32\pfjsiv.exe r
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [iehh.exe] C:\WINDOWS\system32\iehh.exe
O4 - HKLM\..\Run: [dsdxgqqx] C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [d3tr32.exe] C:\WINDOWS\system32\d3tr32.exe
O4 - HKLM\..\Run: [d3sq.exe] C:\WINDOWS\system32\d3sq.exe
O4 - HKLM\..\Run: [cxvwaq] C:\WINDOWS\system32\lzoeor.exe r
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [bowgfxgi] C:\WINDOWS\System32\oakuodn.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [696.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dsdxgqqxikvgip - Unknown owner - C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe