[Trevuren]

1. Please reboot iinto Safe Mode

2. Now rerun SpySweeper

• Click Sweep Now on the left side.
• Click the Start button.
• When it's done scanning, click the Next button.
• Make sure everything has a check next to it, then click the Next button.
• It will remove all of the items found.
• Click Session Log in the upper right corner, copy everything in that window.
• Click the Summary tab and click Finish.
• Paste the contents of the session log you copied into your next reply.

3. Reboot your system

4. Post a fresh HJT log along with the session log from SpySweeper.

Regards,

Trevuren

[Advertisements]

Unfortunately, now I will also need a new startup list and a new screenshot.


Thanks,

Trevuren

[Trevuren]

Unfortunately, now I will also need a new startup list and a new screenshot.


Thanks,

Trevuren

[biggun1234]

StartupList report, 10/17/2005, 5:11:28 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
Registration-Studio 7SE.lnk = ?

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
THGuard = "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
yojjksx = C:\WINDOWS\yojjksx.exe
WinampAgent = F:\Program Files\Winamp\winampa.exe
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
oqseas = C:\WINDOWS\system32\xautvcr.exe r
omvoopq = C:\WINDOWS\system32\qsznvh.exe r
ngclwp = C:\WINDOWS\system32\pfjsiv.exe r
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
iehh.exe = C:\WINDOWS\system32\iehh.exe
dsdxgqqx = C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
DigidesignMMERefresh = F:\Program Files\Digidesign\Drivers\MMERefresh.exe
d3tr32.exe = C:\WINDOWS\system32\d3tr32.exe
d3sq.exe = C:\WINDOWS\system32\d3sq.exe
cxvwaq = C:\WINDOWS\system32\lzoeor.exe r
Creative WebCam Tray = C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
bowgfxgi = C:\WINDOWS\System32\oakuodn.exe
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
696.tmp = C:\DOCUME~1\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001
elitemedia = C:\WINDOWS\elitemediapop.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = "C:\WINDOWS\notepad.exe" "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...86/wmsp9dmo.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[{26098EA2-C95D-48EA-89B4-63C5A63BD42F}]
CODEBASE = http://www.pacimedia...ll/pcs_0002.exe

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[{41564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...01F/wmvadvd.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[elitectl.DemoCtl]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\elite.ocx
CODEBASE = http://cabs.elitemed...s/mediaview.cab

[CRAVOnline Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ravonline.dll
CODEBASE = http://www.ravantivi...n/ravonline.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab

[CSS Web Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cssweb.dll
CODEBASE = http://www.freedom.n...cabs/cssweb.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

61883 Unit Device: System32\DRIVERS\61883.sys (manual start)
Intel® 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adyhxyb: \??\C:\WINDOWS\system32\ikvgip\adyhxyb.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD AGP Bus Filter Driver: System32\DRIVERS\amdagp.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\SYSTEM32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVC Device: System32\DRIVERS\avc.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
C-DillaCdaC11BA: C:\WINDOWS\system32\drivers\CDAC11BA.EXE (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CdaC15BA: \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS (autostart)
cdfouvs: \??\C:\WINDOWS\system32\whecdwm\cdfouvs (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dal service: system32\drivers\dalwdm.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DigiFilter: System32\drivers\DigiFi~1.sys (system)
Digidesign MME Refresh Service: F:\Program Files\Digidesign\Drivers\MMERefresh.exe -s (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dsdxgqqxikvgip: C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (autostart)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
idrmkl: \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\idrmkl.sys (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
ivhjnfc: \??\C:\WINDOWS\system32\qagnjkr\ivhjnfc.sys (manual start)
jvdnncd: \??\C:\WINDOWS\system32\pcox\jvdnncd (manual start)
kafjrfr: \??\C:\WINDOWS\system32\hjnqapd\kafjrfr (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
mchInjDrv: \??\C:\WINDOWS\TEMP\mc21.tmp (disabled)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft DV Camera and VCR: System32\DRIVERS\msdv.sys (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
neeucsn: \??\C:\WINDOWS\system32\ugoyfn\neeucsn (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Creative WebCam Live!: system32\DRIVERS\P0630Vid.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3SavageNB: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SBP-2 Transport/Protocol Bus Driver: System32\DRIVERS\sbp2port.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSI: SYSTEM32\Drivers\SSI.SYS (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Player Recovery Device Control Driver: System32\Drivers\StMp3Rec.sys (manual start)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{629945EB-4822-491D-8085-B2A660303DEE} (manual start)
SymWMI Service: "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" (autostart)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TPkcess: \??\C:\WINDOWS\system32\drivers\viadmio9.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
UnlockerDriver4 Driver: \??\C:\Program Files\Unlocker\UnlockerDriver4.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 37,538 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

[biggun1234]

********
3:13 PM: | Start of Session, Monday, October 17, 2005 |
3:13 PM: Spy Sweeper started
3:13 PM: Sweep initiated using definitions version 555
3:13 PM: Starting Memory Sweep
3:14 PM: Memory Sweep Complete, Elapsed Time: 00:01:18
3:14 PM: Starting Registry Sweep
3:14 PM: Registry Sweep Complete, Elapsed Time:00:00:27
3:14 PM: Starting Cookie Sweep
3:14 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:15 PM: Starting File Sweep
3:29 PM: Warning: Failed to access drive F:
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Found Adware: exact cashback/bargain buddy
3:29 PM: exactadvertisingbargainsbuddy12.zip (ID = 50547)
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Found Adware: webhancer
3:29 PM: webhancer1.zip (ID = 83822)
3:29 PM: webhancer2.zip (ID = 83813)
3:29 PM: Found Adware: powerscan
3:29 PM: isearchtechpowerscan9.zip (ID = 72676)
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:29 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: powerscan.zip (ID = 72676)
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Warning: Invalid file - not a PKZip file
3:30 PM: Found Adware: twain-tech
3:30 PM: vxf2.zip (ID = 81841)
3:30 PM: Found Adware: sexfiles dialers
3:30 PM: isearchtechsidefind23.zip (ID = 75396)
3:31 PM: exactadvertisingbargainsbuddy13.zip (ID = 50877)
3:31 PM: Found Adware: ist istbar
3:31 PM: isearchtechistsvc.zip (ID = 64660)
3:31 PM: isearchtechpowerscan.zip (ID = 72676)
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: isearchtechpowerscan1.zip (ID = 72678)
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: Warning: Invalid file - not a PKZip file
3:31 PM: File Sweep Complete, Elapsed Time: 00:16:44
3:31 PM: Full Sweep has completed. Elapsed time 00:18:38
3:31 PM: Traces Found: 11
5:09 PM: Removal process initiated
5:09 PM: Quarantining All Traces: ist istbar
5:09 PM: Quarantining All Traces: exact cashback/bargain buddy
5:09 PM: Quarantining All Traces: powerscan
5:09 PM: Quarantining All Traces: sexfiles dialers
5:09 PM: Quarantining All Traces: twain-tech
5:09 PM: Quarantining All Traces: webhancer
5:09 PM: Removal process completed. Elapsed time 00:00:13
********
10:50 PM: | Start of Session, Sunday, October 16, 2005 |
10:50 PM: Spy Sweeper started
10:50 PM: Sweep initiated using definitions version 555
10:50 PM: Starting Memory Sweep
10:51 PM: Memory Sweep Complete, Elapsed Time: 00:01:11
10:51 PM: Starting Registry Sweep
10:51 PM: Found Adware: mirar webband
10:51 PM: HKCR\clsid\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (10 subtraces) (ID = 135064)
10:51 PM: HKCR\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}\ (9 subtraces) (ID = 135065)
10:51 PM: HKCR\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135066)
10:51 PM: HKCR\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135069)
10:51 PM: HKCR\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135070)
10:51 PM: HKCR\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135071)
10:51 PM: HKCR\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135072)
10:51 PM: HKCR\nn_bar_dummy.nn_bardummy.1\ (3 subtraces) (ID = 135075)
10:51 PM: HKCR\nn_bar_dummy.nn_bardummy\ (5 subtraces) (ID = 135076)
10:51 PM: HKLM\software\classes\clsid\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (10 subtraces) (ID = 135077)
10:51 PM: HKLM\software\classes\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}\ (9 subtraces) (ID = 135078)
10:51 PM: HKLM\software\classes\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135079)
10:51 PM: HKLM\software\classes\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135082)
10:51 PM: HKLM\software\classes\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135083)
10:51 PM: HKLM\software\classes\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135084)
10:51 PM: HKLM\software\classes\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135085)
10:51 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy.1\ (3 subtraces) (ID = 135088)
10:51 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\ (5 subtraces) (ID = 135089)
10:51 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\clsid\ (1 subtraces) (ID = 135090)
10:51 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\curver\ (1 subtraces) (ID = 135091)
10:51 PM: HKLM\software\classes\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135092)
10:51 PM: HKLM\software\classes\typelib\{f8310e7d-4c4d-46a4-a068-b5bb99411cc7}\ (9 subtraces) (ID = 135093)
10:51 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (2 subtraces) (ID = 135119)
10:51 PM: HKCR\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135121)
10:51 PM: HKCR\typelib\{f8310e7d-4c4d-46a4-a068-b5bb99411cc7}\ (9 subtraces) (ID = 135122)
10:51 PM: Found Adware: shopathomeselect
10:51 PM: HKLM\software\microsoft\windows\currentversion\run\ || sahbundle (ID = 141704)
10:51 PM: HKLM\software\vgroup\ (22 subtraces) (ID = 141734)
10:51 PM: HKLM\software\vgroup\sahagent\ (19 subtraces) (ID = 396143)
10:51 PM: Found Adware: bookedspace
10:51 PM: HKLM\software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com\ (1 subtraces) (ID = 662284)
10:51 PM: Found Adware: clkoptimizer
10:51 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
10:51 PM: HKLM\software\qstat\ || brr (ID = 877670)
10:51 PM: Registry Sweep Complete, Elapsed Time:00:00:27
10:51 PM: Starting Cookie Sweep
10:51 PM: Found Spy Cookie: yieldmanager cookie
10:51 PM: [email protected][1].txt (ID = 3751)
10:51 PM: Found Spy Cookie: adknowledge cookie
10:51 PM: owner@adknowledge[2].txt (ID = 2072)
10:51 PM: Found Spy Cookie: adrevolver cookie
10:51 PM: owner@adrevolver[1].txt (ID = 2088)
10:51 PM: owner@adrevolver[3].txt (ID = 2088)
10:51 PM: Found Spy Cookie: cc214142 cookie
10:51 PM: [email protected][2].txt (ID = 2367)
10:51 PM: Found Spy Cookie: pointroll cookie
10:51 PM: [email protected][2].txt (ID = 3148)
10:51 PM: Found Spy Cookie: adserver cookie
10:51 PM: owner@adserver[2].txt (ID = 2141)
10:51 PM: Found Spy Cookie: ask cookie
10:51 PM: owner@ask[1].txt (ID = 2245)
10:51 PM: Found Spy Cookie: belnk cookie
10:51 PM: [email protected][2].txt (ID = 2293)
10:51 PM: Found Spy Cookie: banner cookie
10:51 PM: owner@banner[1].txt (ID = 2276)
10:51 PM: owner@belnk[1].txt (ID = 2292)
10:51 PM: Found Spy Cookie: bluestreak cookie
10:51 PM: owner@bluestreak[1].txt (ID = 2314)
10:51 PM: Found Spy Cookie: casalemedia cookie
10:51 PM: owner@casalemedia[1].txt (ID = 2354)
10:51 PM: [email protected][2].txt (ID = 2293)
10:51 PM: Found Spy Cookie: military cookie
10:51 PM: owner@military[1].txt (ID = 2996)
10:51 PM: Found Spy Cookie: nextag cookie
10:51 PM: owner@nextag[2].txt (ID = 5014)
10:51 PM: Found Spy Cookie: questionmarket cookie
10:51 PM: owner@questionmarket[1].txt (ID = 3217)
10:51 PM: Found Spy Cookie: realmedia cookie
10:51 PM: owner@realmedia[1].txt (ID = 3235)
10:51 PM: Found Spy Cookie: statcounter cookie
10:51 PM: owner@statcounter[2].txt (ID = 3447)
10:51 PM: Found Spy Cookie: tradedoubler cookie
10:51 PM: owner@tradedoubler[1].txt (ID = 3575)
10:51 PM: Found Spy Cookie: tribalfusion cookie
10:51 PM: owner@tribalfusion[1].txt (ID = 3589)
10:51 PM: Found Spy Cookie: burstbeacon cookie
10:51 PM: [email protected][1].txt (ID = 2335)
10:51 PM: [email protected][1].txt (ID = 2142)
10:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
10:52 PM: Starting File Sweep
10:57 PM: dc23.dll (ID = 150833)
10:58 PM: dc24.cpl (ID = 150831)
10:58 PM: dc25.dll (ID = 70014)
10:59 PM: f4540171.exe (ID = 146393)
10:59 PM: Warning: Failed to access drive F:
10:59 PM: File Sweep Complete, Elapsed Time: 00:07:48
10:59 PM: Full Sweep has completed. Elapsed time 00:09:35
10:59 PM: Traces Found: 275
11:04 PM: Removal process initiated
11:04 PM: Quarantining All Traces: mirar webband
11:04 PM: Quarantining All Traces: shopathomeselect
11:04 PM: Quarantining All Traces: bookedspace
11:04 PM: Quarantining All Traces: clkoptimizer
11:04 PM: Quarantining All Traces: yieldmanager cookie
11:04 PM: Quarantining All Traces: adknowledge cookie
11:04 PM: Quarantining All Traces: adrevolver cookie
11:04 PM: Quarantining All Traces: cc214142 cookie
11:04 PM: Quarantining All Traces: pointroll cookie
11:04 PM: Quarantining All Traces: adserver cookie
11:04 PM: Quarantining All Traces: ask cookie
11:04 PM: Quarantining All Traces: belnk cookie
11:04 PM: Quarantining All Traces: banner cookie
11:04 PM: Quarantining All Traces: bluestreak cookie
11:04 PM: Quarantining All Traces: casalemedia cookie
11:04 PM: Quarantining All Traces: military cookie
11:04 PM: Quarantining All Traces: nextag cookie
11:04 PM: Quarantining All Traces: questionmarket cookie
11:04 PM: Quarantining All Traces: realmedia cookie
11:04 PM: Quarantining All Traces: statcounter cookie
11:04 PM: Quarantining All Traces: tradedoubler cookie
11:04 PM: Quarantining All Traces: tribalfusion cookie
11:04 PM: Quarantining All Traces: burstbeacon cookie
11:04 PM: Removal process completed. Elapsed time 00:00:35
3:10 PM: Program Version 4.5.3 (Build 560) Using Spyware Definitions 555
3:12 PM: Updating spyware definitions
3:12 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:13 PM: | End of Session, Monday, October 17, 2005 |
********
9:49 PM: | Start of Session, Sunday, October 16, 2005 |
9:49 PM: Spy Sweeper started
9:49 PM: Sweep initiated using definitions version 555
9:49 PM: Starting Memory Sweep
9:50 PM: Found Adware: shopathomeselect
9:50 PM: Detected running threat: C:\Documents and Settings\Owner\Local Settings\Temp\3THSLATV.dll (ID = 125428)
9:50 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
9:50 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
9:55 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
9:55 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
9:55 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
9:55 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
9:57 PM: Memory Sweep Complete, Elapsed Time: 00:08:38
9:57 PM: Starting Registry Sweep
9:58 PM: Found Adware: mirar webband
9:58 PM: HKCR\clsid\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (10 subtraces) (ID = 135064)
9:58 PM: HKCR\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}\ (9 subtraces) (ID = 135065)
9:58 PM: HKCR\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135066)
9:58 PM: HKCR\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135069)
9:58 PM: HKCR\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135070)
9:58 PM: HKCR\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135071)
9:58 PM: HKCR\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135072)
9:58 PM: HKCR\nn_bar_dummy.nn_bardummy.1\ (3 subtraces) (ID = 135075)
9:58 PM: HKCR\nn_bar_dummy.nn_bardummy\ (5 subtraces) (ID = 135076)
9:58 PM: HKLM\software\classes\clsid\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (10 subtraces) (ID = 135077)
9:58 PM: HKLM\software\classes\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}\ (9 subtraces) (ID = 135078)
9:58 PM: HKLM\software\classes\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135079)
9:58 PM: HKLM\software\classes\interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f}\ (8 subtraces) (ID = 135082)
9:58 PM: HKLM\software\classes\interface\{54b287f9-fd90-4457-b65e-cb91560c021d}\ (8 subtraces) (ID = 135083)
9:58 PM: HKLM\software\classes\interface\{1037b06c-84b7-4240-8d80-485810a0497d}\ (8 subtraces) (ID = 135084)
9:58 PM: HKLM\software\classes\interface\{224302b0-94e9-45c2-9e5b-ba989ee556e1}\ (8 subtraces) (ID = 135085)
9:58 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy.1\ (3 subtraces) (ID = 135088)
9:58 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\ (5 subtraces) (ID = 135089)
9:58 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\clsid\ (1 subtraces) (ID = 135090)
9:58 PM: HKLM\software\classes\nn_bar_dummy.nn_bardummy\curver\ (1 subtraces) (ID = 135091)
9:58 PM: HKLM\software\classes\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135092)
9:58 PM: HKLM\software\classes\typelib\{f8310e7d-4c4d-46a4-a068-b5bb99411cc7}\ (9 subtraces) (ID = 135093)
9:58 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}\ (2 subtraces) (ID = 135119)
9:58 PM: HKCR\typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49}\ (9 subtraces) (ID = 135121)
9:58 PM: HKCR\typelib\{f8310e7d-4c4d-46a4-a068-b5bb99411cc7}\ (9 subtraces) (ID = 135122)
9:58 PM: HKLM\software\microsoft\windows\currentversion\run\ || sahbundle (ID = 141704)
9:58 PM: HKLM\software\vgroup\ (21 subtraces) (ID = 141734)
9:58 PM: HKLM\software\vgroup\sahagent\ (18 subtraces) (ID = 396143)
9:58 PM: Found Adware: bookedspace
9:58 PM: HKLM\software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com\ (1 subtraces) (ID = 662284)
9:58 PM: Found Adware: clkoptimizer
9:58 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
9:58 PM: HKLM\software\qstat\ || brr (ID = 877670)
9:59 PM: Registry Sweep Complete, Elapsed Time:00:01:32
9:59 PM: Starting Cookie Sweep
9:59 PM: Found Spy Cookie: yieldmanager cookie
9:59 PM: [email protected][2].txt (ID = 3751)
9:59 PM: Found Spy Cookie: adknowledge cookie
9:59 PM: owner@adknowledge[1].txt (ID = 2072)
9:59 PM: Found Spy Cookie: adrevolver cookie
9:59 PM: owner@adrevolver[1].txt (ID = 2088)
9:59 PM: owner@adrevolver[3].txt (ID = 2088)
9:59 PM: Found Spy Cookie: cc214142 cookie
9:59 PM: [email protected][2].txt (ID = 2367)
9:59 PM: Found Spy Cookie: adserver cookie
9:59 PM: owner@adserver[1].txt (ID = 2141)
9:59 PM: Found Spy Cookie: ask cookie
9:59 PM: owner@ask[1].txt (ID = 2245)
9:59 PM: Found Spy Cookie: belnk cookie
9:59 PM: [email protected][2].txt (ID = 2293)
9:59 PM: Found Spy Cookie: banner cookie
9:59 PM: owner@banner[1].txt (ID = 2276)
9:59 PM: owner@belnk[1].txt (ID = 2292)
9:59 PM: Found Spy Cookie: bluestreak cookie
9:59 PM: owner@bluestreak[1].txt (ID = 2314)
9:59 PM: [email protected][2].txt (ID = 2293)
9:59 PM: Found Spy Cookie: military cookie
9:59 PM: owner@military[1].txt (ID = 2996)
9:59 PM: Found Spy Cookie: nextag cookie
9:59 PM: owner@nextag[2].txt (ID = 5014)
9:59 PM: Found Spy Cookie: questionmarket cookie
9:59 PM: owner@questionmarket[1].txt (ID = 3217)
9:59 PM: Found Spy Cookie: realmedia cookie
9:59 PM: owner@realmedia[2].txt (ID = 3235)
9:59 PM: Found Spy Cookie: statcounter cookie
9:59 PM: owner@statcounter[2].txt (ID = 3447)
9:59 PM: Found Spy Cookie: tradedoubler cookie
9:59 PM: owner@tradedoubler[1].txt (ID = 3575)
9:59 PM: Found Spy Cookie: tribalfusion cookie
9:59 PM: owner@tribalfusion[1].txt (ID = 3589)
9:59 PM: Found Spy Cookie: burstbeacon cookie
9:59 PM: [email protected][1].txt (ID = 2335)
9:59 PM: [email protected][1].txt (ID = 2142)
9:59 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
9:59 PM: Starting File Sweep
10:00 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:00 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:00 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:00 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:05 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:05 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:05 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:05 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:10 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:10 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:10 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:10 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:12 PM: wuauclt.dll (ID = 150833)
10:13 PM: vgactl.cpl (ID = 150831)
10:14 PM: windmy.dll (ID = 70014)
10:14 PM: 3thslatv.dll (ID = 125428)
10:15 PM: f4540171.exe (ID = 146393)
10:15 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:15 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:15 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:15 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:20 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:20 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:20 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:20 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:25 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:25 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:25 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:25 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:30 PM: Found System Monitor: potentially rootkit-masked files
10:30 PM: 0000409d_4344abe5_0001ab3f (ID = 0)
10:30 PM: 00004dc8_434e0977_0004c4b4 (ID = 0)
10:30 PM: 000039ce_43496744_000ec82e (ID = 0)
10:30 PM: 000022ee_43464335_000a7d8c (ID = 0)
10:30 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:30 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:30 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:30 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
10:30 PM: 00005772_4348e5c1_00066ff3 (ID = 0)
10:31 PM: 000032c1_43462903_000a4083 (ID = 0)
10:31 PM: 00004e45_43461657_00000000 (ID = 0)
10:31 PM: 00000035_4346180f_0001ab3f (ID = 0)
10:32 PM: 0000261e_4343906f_0005f5e1 (ID = 0)
10:32 PM: 00001a49_43438fa8_000d59f8 (ID = 0)
10:32 PM: 00000732_43464221_0006ea05 (ID = 0)
10:32 PM: 00003ef6_434715dd_000a7d8c (ID = 0)
10:32 PM: 00003c61_434da2ea_000c65d4 (ID = 0)
10:32 PM: 00005cfd_4344ab9b_00081b32 (ID = 0)
10:33 PM: 0000441d_4348eeba_0002dc6c (ID = 0)
10:33 PM: 0000691d_434c1e17_000b71b0 (ID = 0)
10:33 PM: 00000f3e_43471514_00090f56 (ID = 0)
10:33 PM: 000072ae_434b3f14_000b71b0 (ID = 0)
10:33 PM: 00007eb7_4351d986_000ca2dd (ID = 0)
10:33 PM: 000022ee_4343f490_00090f56 (ID = 0)
10:34 PM: 00003bf6_434616c7_00066ff3 (ID = 0)
10:34 PM: 00006e5d_4344aada_0001ab3f (ID = 0)
10:34 PM: 0000409d_43507baf_00094c5f (ID = 0)
10:34 PM: 0000798b_43461714_0001e848 (ID = 0)
10:34 PM: 00005dd5_4345d2e2_000501bd (ID = 0)
10:35 PM: 00005064_43463d5b_00053ec6 (ID = 0)
10:35 PM: 0000567e_43462a5d_000e1113 (ID = 0)
10:35 PM: 0000074d_4351c09c_0006acfc (ID = 0)
10:35 PM: 00006df1_4350835b_000a4083 (ID = 0)
10:36 PM: 0000409d_43445185_00090f56 (ID = 0)
10:36 PM: 00002b0f_43446c4e_000d59f8 (ID = 0)
10:36 PM: 00005ea5_434b1ebd_0002dc6c (ID = 0)
10:36 PM: 00004ae1_43519ad5_0007de29 (ID = 0)
10:37 PM: 00002c49_4351d9da_000e8b25 (ID = 0)
10:37 PM: Sweep Canceled
10:37 PM: 000050bf_434e1280_0005b8d8 (ID = 0)
10:37 PM: 000050bf_4351918e_000d9701 (ID = 0)
10:37 PM: 0000759a_434815af_000f0537 (ID = 0)
10:37 PM: 00005d03_434640db_000d59f8 (ID = 0)
10:37 PM: 00006586_43481f1e_0007270e (ID = 0)
10:37 PM: 00000029_434612aa_00007a12 (ID = 0)
10:38 PM: 00007a74_4344ce4e_0009c671 (ID = 0)
10:38 PM: 000039b3_43458b18_00089544 (ID = 0)
10:38 PM: 00001db5_4346ed41_0006acfc (ID = 0)
10:38 PM: 0000030a_434c3eb2_000a037a (ID = 0)
10:38 PM: 00005422_434616ef_000501bd (ID = 0)
10:38 PM: 000072b1_43481d88_00031975 (ID = 0)
10:38 PM: 00005e14_434c40df_0005f5e1 (ID = 0)
10:39 PM: 00004e45_434ec185_0004c4b4 (ID = 0)
10:39 PM: 00005579_434b1329_000487ab (ID = 0)
10:39 PM: 00006443_43481576_000bebc2 (ID = 0)
10:39 PM: 00003a8d_434af688_00053ec6 (ID = 0)
10:39 PM: 00003d6c_434a7a20_000ca2dd (ID = 0)
10:40 PM: 00000d66_434c42b4_00076417 (ID = 0)
10:40 PM: 00005753_43507c04_000cdfe6 (ID = 0)
10:40 PM: 00003d6c_4343aa27_000ca2dd (ID = 0)
10:40 PM: 000012c2_434b7e91_000a7d8c (ID = 0)
10:40 PM: 00005878_43438f92_00007a12 (ID = 0)
10:40 PM: 00005789_4349ac02_0007de29 (ID = 0)
10:41 PM: 00006b72_434af4c9_0001e848 (ID = 0)
10:41 PM: 00001350_4349ad59_00031975 (ID = 0)
10:41 PM: 00003f0e_43483b8e_0004c4b4 (ID = 0)
10:41 PM: 00000b31_4349aba9_00098968 (ID = 0)
10:41 PM: 00000fbf_434c41d2_0002dc6c (ID = 0)
10:41 PM: 00000677_4348176a_000d59f8 (ID = 0)
10:42 PM: 0000030a_434a078d_00016e36 (ID = 0)
10:42 PM: 0000513e_4348ea2e_0006ea05 (ID = 0)
10:42 PM: 000001eb_434a1384_00022551 (ID = 0)
10:42 PM: 0000798b_4343f539_000c65d4 (ID = 0)
10:42 PM: 00004d06_43438f32_0007de29 (ID = 0)
10:42 PM: 000023c9_434451a1_000f0537 (ID = 0)
10:43 PM: 00004db7_43438f32_0008d24d (ID = 0)
10:43 PM: 00005d03_434a0727_00053ec6 (ID = 0)
10:43 PM: 00002350_4347158f_00040d99 (ID = 0)
10:43 PM: 000054de_4349b2b3_0001ab3f (ID = 0)
10:43 PM: 000019da_434c046c_0005b8d8 (ID = 0)
10:43 PM: 00000fbf_4348319e_0007a120 (ID = 0)
10:43 PM: 00006014_43481cb6_000af79e (ID = 0)
10:44 PM: 00003cd5_43518c18_000e8b25 (ID = 0)
10:44 PM: 00003d6c_4351d45f_000b71b0 (ID = 0)
10:44 PM: 00006ad4_434617ec_0001ab3f (ID = 0)
10:45 PM: 00005f49_43507b6c_000a4083 (ID = 0)
10:45 PM: 00000bdb_4344615a_000cdfe6 (ID = 0)
10:45 PM: 00007e87_43438f28_000b71b0 (ID = 0)
10:45 PM: 000015d5_43483f8e_0002dc6c (ID = 0)
10:45 PM: 0000759a_43438f88_00076417 (ID = 0)
10:45 PM: 00005e73_43463f9f_00090f56 (ID = 0)
10:45 PM: 000075ec_434b7f6e_0003567e (ID = 0)
10:46 PM: 00002277_43484d51_0007de29 (ID = 0)
10:46 PM: 000026e9_434eb5a7_000a037a (ID = 0)
10:46 PM: 00005d03_435149d7_00022551 (ID = 0)
10:46 PM: 0000773b_43458faf_00040d99 (ID = 0)
10:47 PM: 00004f2b_4344bf1b_000b34a7 (ID = 0)
10:47 PM: 00004d8e_4344c0c0_000aba95 (ID = 0)
10:47 PM: 00005968_434c05e7_000a4083 (ID = 0)
10:47 PM: 00006952_43454626_00000000 (ID = 0)
10:49 PM: Program Version 4.5.3 (Build 560) Using Spyware Definitions 555
10:50 PM: | End of Session, Sunday, October 16, 2005 |
********
7:54 PM: | Start of Session, Sunday, October 16, 2005 |
7:54 PM: Spy Sweeper started
7:54 PM: Sweep initiated using definitions version 555
7:54 PM: Starting Memory Sweep
7:56 PM: Memory Sweep Complete, Elapsed Time: 00:01:10
7:56 PM: Starting Registry Sweep
7:56 PM: Found Adware: apropos
7:56 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
7:56 PM: Found Adware: begin2search
7:56 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 104095)
7:56 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
7:56 PM: Found Adware: hotsearchbar toolbar
7:56 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
7:56 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 104097)
7:56 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
7:56 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
7:56 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 104099)
7:56 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
7:56 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
7:56 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 104101)
7:56 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
7:56 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
7:56 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
7:56 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
7:56 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
7:56 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
7:56 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
7:56 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
7:56 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
7:56 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
7:56 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
7:56 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
7:56 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
7:56 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
7:56 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
7:56 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
7:56 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 104145)
7:56 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
7:56 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
7:56 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 104147)
7:56 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
7:56 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
7:56 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 104149)
7:56 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
7:56 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
7:56 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 104151)
7:56 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
7:56 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
7:56 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
7:56 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
7:56 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
7:56 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
7:56 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
7:56 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
7:56 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
7:56 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
7:56 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
7:56 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
7:56 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
7:56 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
7:56 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
7:56 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
7:56 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
7:56 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
7:56 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
7:56 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
7:56 PM: Found Adware: cws_easy-search.biz hijacker
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || games acceleration (ID = 117153)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet connection wizard (ID = 117154)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet mail and news (ID = 117155)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft internet acceleration utility (ID = 117156)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft management console (ID = 117157)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || multimedia extensions (ID = 117158)
7:56 PM: Found Adware: drsnsrch.com hijack
7:56 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 128209)
7:56 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 128210)
7:56 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 128211)
7:56 PM: Found Adware: mirar webband
7:56 PM: HKLM\software\relatedpageinstall\ (6 subtraces) (ID = 135120)
7:56 PM: Found Trojan Horse: trojan-downloader-pacisoft
7:56 PM: HKLM\software\microsoft\code store database\distribution units\{972bb342-14a7-4660-83c1-51ddbee171db}\ (8 subtraces) (ID = 136524)
7:56 PM: Found Adware: purityscan
7:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
7:56 PM: Found Adware: media-motor
7:56 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
7:56 PM: Found Adware: search fast communicator toolbar
7:56 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
7:56 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
7:56 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
7:56 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
7:56 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
7:56 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
7:56 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
7:56 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
7:56 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
7:56 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
7:56 PM: HKU\.default\software\communicator toolbar\ (9 subtraces) (ID = 140696)
7:56 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
7:56 PM: Found Adware: surfsidekick
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143406)
7:56 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
7:56 PM: Found Adware: delfin
7:56 PM: HKLM\software\wincin\ (2 subtraces) (ID = 359317)
7:56 PM: Found Adware: winad
7:56 PM: HKLM\software\media gateway\ (2 subtraces) (ID = 359545)
7:56 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
7:56 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
7:56 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
7:56 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
7:56 PM: Found Adware: drsnsrch hijacker
7:56 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
7:56 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
7:56 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
7:56 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
7:56 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
7:56 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (ID = 513230)
7:56 PM: Found Adware: clkoptimizer
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
7:56 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
7:56 PM: Found Adware: visfx
7:56 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
7:56 PM: Found Adware: abetterinternet
7:56 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm81.ocx\ (2 subtraces) (ID = 762354)
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
7:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
7:56 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
7:56 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
7:56 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
7:56 PM: Found Adware: 180search assistant/zango
7:56 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
7:56 PM: Found Adware: shopathomeselect
7:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || apd123 (ID = 861469)
7:56 PM: HKLM\software\qstat\ || brr (ID = 877670)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\surfsidekick3\ (3 subtraces) (ID = 143412)
7:56 PM: Found Adware: cws-aboutblank
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\psof1\ (10 subtraces) (ID = 136530)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
7:56 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
7:56 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
7:56 PM: HKU\S-1-5-18\software\communicator toolbar\ (9 subtraces) (ID = 140688)
7:56 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
7:56 PM: HKU\S-1-5-18\software\dsrch\ (7 subtraces) (ID = 509156)
7:56 PM: Registry Sweep Complete, Elapsed Time:00:00:31
7:56 PM: Starting Cookie Sweep
7:56 PM: Found Spy Cookie: 888 cookie
7:56 PM: owner@888[1].txt (ID = 2019)
7:56 PM: Found Spy Cookie: yieldmanager cookie
7:56 PM: [email protected][2].txt (ID = 3751)
7:56 PM: Found Spy Cookie: adknowledge cookie
7:56 PM: owner@adknowledge[1].txt (ID = 2072)
7:56 PM: Found Spy Cookie: adrevolver cookie
7:56 PM: owner@adrevolver[2].txt (ID = 2088)
7:56 PM: owner@adrevolver[3].txt (ID = 2088)
7:56 PM: Found Spy Cookie: adserver cookie
7:56 PM: owner@adserver[2].txt (ID = 2141)
7:56 PM: Found Spy Cookie: advertising cookie
7:56 PM: owner@advertising[1].txt (ID = 2175)
7:56 PM: Found Spy Cookie: ask cookie
7:56 PM: owner@ask[1].txt (ID = 2245)
7:56 PM: Found Spy Cookie: atlas dmt cookie
7:56 PM: owner@atdmt[2].txt (ID = 2253)
7:56 PM: Found Spy Cookie: belnk cookie
7:56 PM: [email protected][2].txt (ID = 2293)
7:56 PM: Found Spy Cookie: banner cookie
7:56 PM: owner@banner[1].txt (ID = 2276)
7:56 PM: owner@belnk[1].txt (ID = 2292)
7:56 PM: Found Spy Cookie: bluestreak cookie
7:56 PM: owner@bluestreak[1].txt (ID = 2314)
7:56 PM: Found Spy Cookie: casalemedia cookie
7:56 PM: owner@casalemedia[2].txt (ID = 2354)
7:56 PM: [email protected][2].txt (ID = 2293)
7:56 PM: Found Spy Cookie: fastclick cookie
7:56 PM: owner@fastclick[1].txt (ID = 2651)
7:56 PM: Found Spy Cookie: overture cookie
7:56 PM: [email protected][1].txt (ID = 3106)
7:56 PM: Found Spy Cookie: questionmarket cookie
7:56 PM: owner@questionmarket[1].txt (ID = 3217)
7:56 PM: Found Spy Cookie: realmedia cookie
7:56 PM: owner@realmedia[1].txt (ID = 3235)
7:56 PM: Found Spy Cookie: adjuggler cookie
7:56 PM: [email protected][1].txt (ID = 2071)
7:56 PM: Found Spy Cookie: servedby advertising cookie
7:56 PM: [email protected][2].txt (ID = 3335)
7:56 PM: Found Spy Cookie: reliablestats cookie
7:56 PM: [email protected][2].txt (ID = 3254)
7:56 PM: Found Spy Cookie: tradedoubler cookie
7:56 PM: owner@tradedoubler[1].txt (ID = 3575)
7:56 PM: Found Spy Cookie: trafficmp cookie
7:56 PM: owner@trafficmp[2].txt (ID = 3581)
7:56 PM: Found Spy Cookie: myaffiliateprogram.com cookie
7:56 PM: [email protected][2].txt (ID = 3032)
7:56 PM: Found Spy Cookie: zedo cookie
7:56 PM: owner@zedo[2].txt (ID = 3762)
7:56 PM: system@casalemedia[1].txt (ID = 2354)
7:56 PM: system@zedo[2].txt (ID = 3762)
7:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
7:56 PM: Starting File Sweep
7:57 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
7:57 PM: Found Adware: cws_ns3
7:57 PM: wmprfptb.prx:ypgwmu (ID = 56287)
7:57 PM: preuninstallcom.exe (ID = 74818)
7:57 PM: Found Adware: coolwebsearch (cws)
7:57 PM: wmprfjpn.prx:foorkk (ID = 54051)
7:57 PM: vmmreg32.dll:jmucx (ID = 56447)
7:57 PM: Found Trojan Horse: lzio
7:57 PM: qekrmujx.exe (ID = 159311)
7:57 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
7:57 PM: blue lace 16.bmp:pyxtq (ID = 56447)
7:58 PM: Found Adware: winantispyware 2005
7:58 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
7:58 PM: wmprfesp.prx:qnkqv (ID = 56447)
7:58 PM: wmprfheb.prx:incwp (ID = 56447)
7:58 PM: wmprfkor.prx:bovbr (ID = 56447)
7:58 PM: uclvf.exe (ID = 159311)
7:58 PM: sskknwrd.dll (ID = 77733)
7:58 PM: msnavpklog.txt:vcelr (ID = 56711)
7:58 PM: mnlwmv.exe (ID = 159311)
7:58 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mnlwmv (ID = 0)
7:58 PM: m67m.inf (ID = 74028)
7:58 PM: ocgen.log:faalko (ID = 56287)
7:59 PM: stb.exe (ID = 94666)
7:59 PM: ssk.exe (ID = 163864)
7:59 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
7:59 PM: mediagatewayx.dll (ID = 156819)
7:59 PM: mediaticketsinstaller.inf (ID = 73158)
8:00 PM: sskknwrd.dll (ID = 77733)
8:00 PM: msxmidi.exe.js:gwqvn (ID = 55098)
8:01 PM: auhccup1.dll:jpxurb (ID = 56287)
8:01 PM: active setup log.txt:rofppq (ID = 54051)
8:01 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
8:01 PM: btnetw3-995329.exe (ID = 155333)
8:01 PM: rifqr.exe (ID = 159311)
8:01 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || rifqr (ID = 0)
8:02 PM: wingenerics.dll (ID = 50187)
8:02 PM: comsetup.log:xdsnj (ID = 53966)
8:02 PM: ocmsn.log:jsouf (ID = 56447)
8:02 PM: orun32.isu:uurmb (ID = 53966)
8:03 PM: wmprfrus.prx:vpdtr (ID = 56447)
8:03 PM: mqjwnm.exe (ID = 159311)
8:03 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mqjwnm (ID = 0)
8:04 PM: sskcwrd.dll (ID = 77712)
8:04 PM: Warning: Failed to access drive F:
8:04 PM: File Sweep Complete, Elapsed Time: 00:08:08
8:04 PM: Full Sweep has completed. Elapsed time 00:09:59
8:04 PM: Traces Found: 844
8:15 PM: Removal process initiated
8:15 PM: Quarantining All Traces: apropos
8:15 PM: Quarantining All Traces: begin2search
8:15 PM: Quarantining All Traces: hotsearchbar toolbar
8:16 PM: Quarantining All Traces: cws_easy-search.biz hijacker
8:16 PM: Quarantining All Traces: drsnsrch.com hijack
8:16 PM: Quarantining All Traces: mirar webband
8:16 PM: Quarantining All Traces: trojan-downloader-pacisoft
8:16 PM: Quarantining All Traces: purityscan
8:16 PM: Quarantining All Traces: media-motor
8:16 PM: Quarantining All Traces: search fast communicator toolbar
8:16 PM: Warning: Quarantine could not read registry value for HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\. Failed to export registry value ".default\software\microsoft\internet explorer\toolbar\webbrowser\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}". Key/Value does not exist
8:16 PM: Quarantining All Traces: surfsidekick
8:17 PM: Quarantining All Traces: delfin
8:17 PM: Quarantining All Traces: winad
8:17 PM: Quarantining All Traces: drsnsrch hijacker
8:17 PM: Quarantining All Traces: clkoptimizer
8:17 PM: Quarantining All Traces: visfx
8:17 PM: Quarantining All Traces: abetterinternet
8:17 PM: Quarantining All Traces: 180search assistant/zango
8:17 PM: Quarantining All Traces: shopathomeselect
8:17 PM: Quarantining All Traces: cws-aboutblank
8:17 PM: Warning: Quarantine could not read registry value for HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\search page_bak\. Failed to export registry value "S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\search page_bak". Key/Value does not exist
8:17 PM: Quarantining All Traces: 888 cookie
8:17 PM: Quarantining All Traces: yieldmanager cookie
8:17 PM: Quarantining All Traces: adknowledge cookie
8:17 PM: Quarantining All Traces: adrevolver cookie
8:17 PM: Quarantining All Traces: adserver cookie
8:17 PM: Quarantining All Traces: advertising cookie
8:17 PM: Quarantining All Traces: ask cookie
8:17 PM: Quarantining All Traces: atlas dmt cookie
8:17 PM: Quarantining All Traces: belnk cookie
8:17 PM: Quarantining All Traces: banner cookie
8:17 PM: Quarantining All Traces: bluestreak cookie
8:17 PM: Quarantining All Traces: casalemedia cookie
8:17 PM: Quarantining All Traces: fastclick cookie
8:17 PM: Quarantining All Traces: overture cookie
8:17 PM: Quarantining All Traces: questionmarket cookie
8:17 PM: Quarantining All Traces: realmedia cookie
8:17 PM: Quarantining All Traces: adjuggler cookie
8:17 PM: Quarantining All Traces: servedby advertising cookie
8:17 PM: Quarantining All Traces: reliablestats cookie
8:17 PM: Quarantining All Traces: tradedoubler cookie
8:17 PM: Quarantining All Traces: trafficmp cookie
8:17 PM: Quarantining All Traces: myaffiliateprogram.com cookie
8:17 PM: Quarantining All Traces: zedo cookie
8:17 PM: Quarantining All Traces: cws_ns3
8:18 PM: Quarantining All Traces: coolwebsearch (cws)
8:18 PM: Quarantining All Traces: lzio
8:18 PM: Quarantining All Traces: winantispyware 2005
8:18 PM: Quarantining All Traces: trojan-downloader-mainstreamdollars
8:18 PM: Removal process completed. Elapsed time 00:03:14
8:19 PM: Program Version 4.5.3 (Build 560) Using Spyware Definitions 555
9:44 PM: IE Security Shield: found: C:\WINDOWS\ELITEMEDIAPOP.EXE -- IE Security modification denied
9:45 PM: IE Security Shield: found: C:\WINDOWS\ELITEMEDIAPOP.EXE -- IE Security modification denied
9:45 PM: ActiveX Shield: found: Adware: mirar webband, version 1.0.0.0 -- Installation denied
9:45 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
9:45 PM: The Spy Communication shield has blocked access to: downloads.shopathomeselect.com
9:45 PM: BHO Shield: found: WinNB57.dll-- BHO installation denied at user request
9:45 PM: BHO Shield: found: WinNB57.dll-- BHO installation denied at user request
9:45 PM: IE Security Shield: found: C:\WINDOWS\ELITEMEDIAPOP.EXE -- IE Security modification denied
9:49 PM: Memory Shield: Found: Memory-resident threat shopathomeselect, version 1.0.0.0
9:49 PM: Detected running threat: shopathomeselect
9:49 PM: | End of Session, Sunday, October 16, 2005 |
********
7:36 PM: | Start of Session, Sunday, October 16, 2005 |
7:36 PM: Spy Sweeper started
7:36 PM: Sweep initiated using definitions version 555
7:36 PM: Starting Memory Sweep
7:36 PM: Sweep Canceled
7:36 PM: Memory Sweep Complete, Elapsed Time: 00:00:07
7:36 PM: Traces Found: 0
7:54 PM: Program Version 4.5.3 (Build 560) Using Spyware Definitions 555
7:54 PM: | End of Session, Sunday, October 16, 2005 |
********
9:25 PM: | Start of Session, Friday, October 14, 2005 |
9:25 PM: Spy Sweeper started
9:25 PM: Sweep initiated using definitions version 555
9:25 PM: Starting Memory Sweep
9:27 PM: Sweep Canceled
9:27 PM: Memory Sweep Complete, Elapsed Time: 00:01:36
9:27 PM: Traces Found: 0
9:40 AM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:40 AM: Detected running threat: lzio
11:21 AM: Ignored memory-resident threat: lzio
11:21 AM: The Spy Communication shield has blocked access to: paypopup.com
11:21 AM: The Spy Communication shield has blocked access to: paypopup.com
11:26 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
11:26 AM: The Spy Communication shield has blocked access to: focusin.ads.targetnet.com
4:36 PM: ActiveX Shield: found: Adware: winad, version 1.0.0.0 -- Installation denied
4:37 PM: Spy Installation Shield: found: Adware: winad, version 1.0.0.0 -- Execution Denied
4:37 PM: Processing Startup Alerts
4:37 PM: Removed Startup entry: mnlwmv
5:27 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
5:27 PM: Detected running threat: lzio
5:27 PM: Ignored memory-resident threat: lzio
7:38 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
7:38 PM: Detected running threat: lzio
7:38 PM: Ignored memory-resident threat: lzio
7:50 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
7:50 PM: Detected running threat: lzio
7:50 PM: Ignored memory-resident threat: lzio
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:14 PM: The Spy Communication shield has blocked access to: paypopup.com
9:14 PM: The Spy Communication shield has blocked access to: paypopup.com
9:17 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:17 PM: Detected running threat: lzio
9:17 PM: Ignored memory-resident threat: lzio
9:27 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:27 PM: Detected running threat: lzio
9:27 PM: Ignored memory-resident threat: lzio
12:25 AM: The Spy Communication shield has blocked access to: paypopup.com
12:25 AM: The Spy Communication shield has blocked access to: paypopup.com
2:25 AM: The Spy Communication shield has blocked access to: paypopup.com
2:25 AM: The Spy Communication shield has blocked access to: paypopup.com
5:25 AM: The Spy Communication shield has blocked access to: paypopup.com
5:25 AM: The Spy Communication shield has blocked access to: paypopup.com
9:25 AM: The Spy Communication shield has blocked access to: paypopup.com
9:25 AM: The Spy Communication shield has blocked access to: paypopup.com
11:58 AM: IE Security Shield: found: C:\WINDOWS\SYSTEM32\RUNDLL32.EXE -- IE Security modification allowed at user request
12:10 PM: Error: Access violation at address 0055E852 in module 'WRSSSDK.exe'. Read of address 00000004.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:45 PM: Updating spyware definitions
3:45 PM: Your definitions are up to date.
3:49 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
3:49 PM: Detected running threat: lzio
3:49 PM: Ignored memory-resident threat: lzio
7:35 PM: Updating spyware definitions
7:35 PM: Your definitions are up to date.
7:35 PM: Updating spyware definitions
7:35 PM: Your definitions are up to date.
7:36 PM: Only Sweep Folders Where Threats Are Known to Reside
7:36 PM: | End of Session, Sunday, October 16, 2005 |
********
9:25 PM: | Start of Session, Friday, October 14, 2005 |
9:25 PM: Spy Sweeper started
9:25 PM: Sweep initiated using definitions version 555
9:25 PM: Starting Memory Sweep
9:25 PM: Sweep Canceled
9:25 PM: Memory Sweep Complete, Elapsed Time: 00:00:19
9:25 PM: Traces Found: 0
9:25 PM: Only Sweep Folders Where Threats Are Known to Reside
9:25 PM: | End of Session, Friday, October 14, 2005 |
********
6:15 PM: | Start of Session, Friday, October 14, 2005 |
6:15 PM: Spy Sweeper started
6:15 PM: Sweep initiated using definitions version 555
6:15 PM: Starting Memory Sweep
6:15 PM: Sweep Canceled
6:15 PM: Memory Sweep Complete, Elapsed Time: 00:00:03
6:15 PM: Traces Found: 0
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: updates.lzio.com
9:06 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:06 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:07 PM: Processing Startup Alerts
9:07 PM: Removed Startup entry: mnlwmv
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:08 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:12 PM: The Spy Communication shi

[biggun1234]

________________________________________________________________Here is the rest of that log:
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:13 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
9:13 PM: Detected running threat: lzio
9:15 PM: Ignored memory-resident threat: lzio
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:15 PM: The Spy Communication shield has blocked access to: st.bestoffersnetworks.com
9:24 PM: Updating spyware definitions
9:24 PM: Your definitions are up to date.
9:25 PM: | End of Session, Friday, October 14, 2005 |
********
4:46 PM: | Start of Session, Friday, October 14, 2005 |
4:46 PM: Spy Sweeper started
4:46 PM: Sweep initiated using definitions version 555
4:46 PM: Starting Memory Sweep
4:46 PM: Found Adware: abetterinternet
4:46 PM: Detected running threat: C:\WINDOWS\SYSTEM32\ypowlt.exe (ID = 158592)
4:48 PM: Found Trojan Horse: lzio
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\whecdwm\qekrmujx.exe (ID = 159311)
4:48 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\uudmzf.exe (ID = 158592)
4:48 PM: Detected running threat: C:\WINDOWS\explorer.exe (ID = 63)
4:48 PM: Detected running threat: C:\WINDOWS\SYSTEM32\fhlyvp.exe (ID = 158592)
4:49 PM: Memory Sweep Complete, Elapsed Time: 00:02:33
4:49 PM: Starting Registry Sweep
4:49 PM: Found Adware: apropos
4:49 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
4:49 PM: Found Adware: begin2search
4:49 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 104095)
4:49 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
4:49 PM: Found Adware: hotsearchbar toolbar
4:49 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
4:49 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 104097)
4:49 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
4:49 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
4:49 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 104099)
4:49 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
4:49 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
4:49 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 104101)
4:49 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
4:49 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
4:49 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
4:49 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
4:49 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
4:49 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
4:49 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
4:49 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
4:49 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
4:49 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
4:49 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
4:49 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
4:49 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
4:49 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
4:49 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
4:49 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
4:49 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 104145)
4:49 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
4:49 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
4:49 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 104147)
4:49 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
4:49 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
4:49 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 104149)
4:49 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
4:49 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
4:49 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 104151)
4:49 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
4:49 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
4:49 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
4:49 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
4:49 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
4:49 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
4:49 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
4:49 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
4:49 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
4:49 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
4:49 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
4:49 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
4:49 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
4:49 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
4:49 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
4:49 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
4:49 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
4:49 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
4:49 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
4:49 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
4:49 PM: Found Adware: coolwebsearch (cws)
4:49 PM: HKCR\clsid\{899a5903-19a8-847c-427c-8f50787644ae}\ (2 subtraces) (ID = 107683)
4:49 PM: HKLM\software\classes\clsid\{899a5903-19a8-847c-427c-8f50787644ae}\ (2 subtraces) (ID = 109067)
4:49 PM: Found Adware: cws_ns3
4:49 PM: HKCR\clsid\{aef3e64a-b4fc-fc2a-5ef9-4fc735f322d9}\ (2 subtraces) (ID = 118827)
4:49 PM: HKCR\clsid\{b26e0da6-7964-2b58-9b4b-94cbaa3aff83}\ (2 subtraces) (ID = 118859)
4:49 PM: HKLM\software\classes\clsid\{aef3e64a-b4fc-fc2a-5ef9-4fc735f322d9}\ (2 subtraces) (ID = 120666)
4:49 PM: HKLM\software\classes\clsid\{b26e0da6-7964-2b58-9b4b-94cbaa3aff83}\ (2 subtraces) (ID = 120698)
4:49 PM: Found Adware: delfin
4:49 PM: HKLM\software\motoin\ (2 subtraces) (ID = 124883)
4:49 PM: Found Adware: elitebar
4:49 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
4:49 PM: Found Adware: drsnsrch.com hijack
4:49 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 128208)
4:49 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 128209)
4:49 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 128210)
4:49 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 128211)
4:49 PM: Found Adware: mirar webband
4:49 PM: HKLM\software\relatedpageinstall\ (6 subtraces) (ID = 135120)
4:49 PM: Found Trojan Horse: trojan-downloader-pacisoft
4:49 PM: HKLM\software\microsoft\code store database\distribution units\{972bb342-14a7-4660-83c1-51ddbee171db}\ (8 subtraces) (ID = 136524)
4:49 PM: Found Adware: purityscan
4:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
4:49 PM: Found Adware: media-motor
4:49 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
4:49 PM: Found Adware: search fast communicator toolbar
4:49 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
4:49 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
4:49 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
4:49 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
4:49 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
4:49 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
4:49 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
4:49 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
4:49 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
4:49 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
4:49 PM: HKU\.default\software\communicator toolbar\ (9 subtraces) (ID = 140696)
4:49 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
4:49 PM: Found Adware: surfsidekick
4:49 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
4:49 PM: HKLM\system\currentcontrolset\services\svcproc\ (12 subtraces) (ID = 146140)
4:49 PM: HKLM\software\wincin\ (2 subtraces) (ID = 359317)
4:49 PM: Found Adware: quicklink search toolbar
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
4:49 PM: HKLM\software\ql\ (2 subtraces) (ID = 359458)
4:49 PM: Found Adware: winad
4:49 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
4:49 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
4:49 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
4:49 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
4:49 PM: Found Adware: drsnsrch hijacker
4:49 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
4:49 PM: HKCR\dsrch.bottomframe\ (5 subtraces) (ID = 509135)
4:49 PM: HKCR\dsrch.leftframe\ (5 subtraces) (ID = 509136)
4:49 PM: HKCR\dsrch.popupbrowser\ (5 subtraces) (ID = 509137)
4:49 PM: HKCR\dsrch.popupwindow\ (5 subtraces) (ID = 509138)
4:49 PM: HKCR\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509139)
4:49 PM: HKCR\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509140)
4:49 PM: HKCR\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509141)
4:49 PM: HKCR\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509142)
4:49 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
4:49 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
4:49 PM: HKLM\software\classes\dsrch.leftframe\ (5 subtraces) (ID = 509179)
4:49 PM: HKLM\software\classes\dsrch.popupbrowser\ (5 subtraces) (ID = 509185)
4:49 PM: HKLM\software\classes\dsrch.popupwindow\ (5 subtraces) (ID = 509191)
4:49 PM: HKLM\software\classes\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509198)
4:49 PM: HKLM\software\classes\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509210)
4:49 PM: HKLM\software\classes\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509224)
4:49 PM: HKLM\software\classes\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509238)
4:49 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
4:49 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
4:49 PM: HKCR\dsrch.bottomframe\clsid\ (1 subtraces) (ID = 509363)
4:49 PM: HKCR\dsrch.bottomframe\curver\ (1 subtraces) (ID = 509364)
4:49 PM: HKCR\dsrch.leftframe\clsid\ (1 subtraces) (ID = 509365)
4:49 PM: HKCR\dsrch.leftframe\curver\ (1 subtraces) (ID = 509366)
4:49 PM: HKCR\dsrch.popupbrowser\clsid\ (1 subtraces) (ID = 509367)
4:49 PM: HKCR\dsrch.popupbrowser\curver\ (1 subtraces) (ID = 509368)
4:49 PM: HKCR\dsrch.popupwindow\clsid\ (1 subtraces) (ID = 509369)
4:49 PM: HKCR\dsrch.popupwindow\curver\ (1 subtraces) (ID = 509370)
4:49 PM: HKCR\dsrch.band.1\ (3 subtraces) (ID = 512692)
4:49 PM: HKCR\dsrch.bottomframe.1\ (3 subtraces) (ID = 512699)
4:49 PM: HKCR\dsrch.leftframe.1\ (3 subtraces) (ID = 512706)
4:49 PM: HKCR\dsrch.popupbrowser.1\ (3 subtraces) (ID = 512713)
4:49 PM: HKCR\dsrch.popupwindow.1\ (3 subtraces) (ID = 512720)
4:49 PM: HKCR\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 512747)
4:49 PM: HKLM\software\classes\dsrch.band.1\ (3 subtraces) (ID = 513072)
4:49 PM: HKLM\software\classes\dsrch.bottomframe.1\ (3 subtraces) (ID = 513076)
4:49 PM: HKLM\software\classes\dsrch.leftframe.1\ (3 subtraces) (ID = 513080)
4:49 PM: HKLM\software\classes\dsrch.popupbrowser.1\ (3 subtraces) (ID = 513084)
4:49 PM: HKLM\software\classes\dsrch.popupwindow.1\ (3 subtraces) (ID = 513088)
4:49 PM: HKLM\software\classes\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 513114)
4:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (ID = 513230)
4:49 PM: HKLM\software\classes\dsrch.bottomframe\ (5 subtraces) (ID = 646382)
4:49 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\related sites toolbar\ (2 subtraces) (ID = 652841)
4:49 PM: Found Adware: bookedspace
4:49 PM: HKLM\software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com\ (3 subtraces) (ID = 662284)
4:49 PM: HKLM\software\microsoft\windows\currentversion\run\ || dinst (ID = 705664)
4:49 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || shell (ID = 711393)
4:49 PM: Found Adware: visfx
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
4:49 PM: HKLM\system\currentcontrolset\services\windows overlay components\ (12 subtraces) (ID = 712954)
4:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm81.ocx\ (2 subtraces) (ID = 762354)
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
4:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
4:49 PM: Found Adware: clkoptimizer
4:49 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
4:49 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
4:49 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
4:49 PM: Found Adware: 180search assistant/zango
4:49 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
4:49 PM: Found Adware: shopathomeselect
4:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
4:49 PM: HKLM\software\qstat\ || brr (ID = 877670)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
4:49 PM: HKU\WRSS_Profile_S-1-5-21-2801439982-3646181656-3495054330-500\software\surfsidekick3\ (3 subtraces) (ID = 143412)
4:49 PM: Found Adware: cws-aboutblank
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page (ID = 128207)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\searchurl\ (ID = 128212)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\psof1\ (10 subtraces) (ID = 136530)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\aurora\ (27 subtraces) (ID = 360174)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\dsrch\ (11 subtraces) (ID = 509156)
4:49 PM: HKU\S-1-5-21-2801439982-3646181656-3495054330-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
4:49 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 128206)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search page (ID = 128207)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\searchurl\ (ID = 128212)
4:49 PM: HKU\S-1-5-18\software\communicator toolbar\ (9 subtraces) (ID = 140688)
4:49 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
4:49 PM: HKU\S-1-5-18\software\dsrch\ (7 subtraces) (ID = 509156)
4:49 PM: Registry Sweep Complete, Elapsed Time:00:00:45
4:49 PM: Starting Cookie Sweep
4:49 PM: Found Spy Cookie: 2o7.net cookie
4:49 PM: owner@2o7[2].txt (ID = 1957)
4:49 PM: Found Spy Cookie: 888 cookie
4:49 PM: owner@888[1].txt (ID = 2019)
4:49 PM: Found Spy Cookie: yieldmanager cookie
4:49 PM: [email protected][1].txt (ID = 3751)
4:49 PM: Found Spy Cookie: adknowledge cookie
4:49 PM: owner@adknowledge[2].txt (ID = 2072)
4:49 PM: Found Spy Cookie: hbmediapro cookie
4:49 PM: [email protected][2].txt (ID = 2768)
4:49 PM: Found Spy Cookie: adrevolver cookie
4:49 PM: owner@adrevolver[1].txt (ID = 2088)
4:49 PM: owner@adrevolver[2].txt (ID = 2088)
4:49 PM: Found Spy Cookie: adserver cookie
4:49 PM: owner@adserver[1].txt (ID = 2141)
4:49 PM: Found Spy Cookie: advertising cookie
4:49 PM: owner@advertising[2].txt (ID = 2175)
4:49 PM: Found Spy Cookie: falkag cookie
4:49 PM: [email protected][1].txt (ID = 2650)
4:49 PM: [email protected][2].txt (ID = 2650)
4:49 PM: Found Spy Cookie: ask cookie
4:49 PM: owner@ask[1].txt (ID = 2245)
4:49 PM: Found Spy Cookie: atlas dmt cookie
4:49 PM: owner@atdmt[2].txt (ID = 2253)
4:49 PM: Found Spy Cookie: belnk cookie
4:49 PM: [email protected][1].txt (ID = 2293)
4:49 PM: Found Spy Cookie: atwola cookie
4:49 PM: owner@atwola[2].txt (ID = 2255)
4:49 PM: Found Spy Cookie: a cookie
4:49 PM: owner@a[2].txt (ID = 2027)
4:49 PM: Found Spy Cookie: banner cookie
4:49 PM: owner@banner[1].txt (ID = 2276)
4:49 PM: owner@belnk[2].txt (ID = 2292)
4:49 PM: Found Spy Cookie: btgrab cookie
4:49 PM: [email protected][2].txt (ID = 2333)
4:49 PM: Found Spy Cookie: gostats cookie
4:49 PM: [email protected][2].txt (ID = 2748)
4:49 PM: Found Spy Cookie: cliks cookie
4:49 PM: owner@cliks[1].txt (ID = 2414)
4:49 PM: Found Spy Cookie: sextracker cookie
4:49 PM: [email protected][1].txt (ID = 3362)
4:49 PM: [email protected][1].txt (ID = 2293)
4:49 PM: Found Spy Cookie: ru4 cookie
4:49 PM: [email protected][2].txt (ID = 3269)
4:49 PM: Found Spy Cookie: fastclick cookie
4:49 PM: owner@fastclick[1].txt (ID = 2651)
4:49 PM: owner@fastclick[2].txt (ID = 2651)
4:49 PM: owner@gostats[2].txt (ID = 2747)
4:49 PM: Found Spy Cookie: clickandtrack cookie
4:49 PM: [email protected][2].txt (ID = 2397)
4:49 PM: Found Spy Cookie: kmpads cookie
4:49 PM: owner@kmpads[1].txt (ID = 2909)
4:49 PM: Found Spy Cookie: offeroptimizer cookie
4:49 PM: owner@offeroptimizer[2].txt (ID = 3087)
4:49 PM: Found Spy Cookie: overture cookie
4:49 PM: [email protected][1].txt (ID = 3106)
4:49 PM: Found Spy Cookie: questionmarket cookie
4:49 PM: owner@questionmarket[2].txt (ID = 3217)
4:49 PM: Found Spy Cookie: realmedia cookie
4:49 PM: owner@realmedia[1].txt (ID = 3235)
4:49 PM: Found Spy Cookie: adjuggler cookie
4:49 PM: [email protected][2].txt (ID = 2071)
4:49 PM: Found Spy Cookie: servedby advertising cookie
4:49 PM: [email protected][1].txt (ID = 3335)
4:49 PM: owner@sextracker[2].txt (ID = 3361)
4:49 PM: Found Spy Cookie: reliablestats cookie
4:49 PM: [email protected][2].txt (ID = 3254)
4:49 PM: Found Spy Cookie: targetnet cookie
4:49 PM: owner@targetnet[1].txt (ID = 3489)
4:49 PM: Found Spy Cookie: toplist cookie
4:49 PM: owner@toplist[1].txt (ID = 3557)
4:49 PM: Found Spy Cookie: tradedoubler cookie
4:49 PM: owner@tradedoubler[1].txt (ID = 3575)
4:49 PM: Found Spy Cookie: trafficmp cookie
4:49 PM: owner@trafficmp[1].txt (ID = 3581)
4:49 PM: Found Spy Cookie: tribalfusion cookie
4:49 PM: owner@tribalfusion[2].txt (ID = 3589)
4:49 PM: Found Spy Cookie: myaffiliateprogram.com cookie
4:49 PM: [email protected][1].txt (ID = 3032)
4:49 PM: owner@yieldmanager[1].txt (ID = 3749)
4:49 PM: [email protected][1].txt (ID = 2142)
4:49 PM: Found Spy Cookie: casalemedia cookie
4:49 PM: system@casalemedia[2].txt (ID = 2354)
4:49 PM: [email protected][1].txt (ID = 3269)
4:49 PM: Found Spy Cookie: exitexchange cookie
4:49 PM: system@exitexchange[2].txt (ID = 2633)
4:49 PM: Found Spy Cookie: paypopup cookie
4:49 PM: system@paypopup[2].txt (ID = 3119)
4:49 PM: system@questionmarket[1].txt (ID = 3217)
4:49 PM: Found Spy Cookie: rednova cookie
4:49 PM: system@rednova[2].txt (ID = 3245)
4:49 PM: system@trafficmp[2].txt (ID = 3581)
4:49 PM: [email protected][1].txt (ID = 3246)
4:49 PM: Found Spy Cookie: zedo cookie
4:49 PM: system@zedo[2].txt (ID = 3762)
4:49 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
4:49 PM: Starting File Sweep
4:50 PM: Found Adware: webhancer
4:50 PM: c:\program files\whinstall (5 subtraces) (ID = -2147480064)
4:50 PM: c:\program files\quick links (2 subtraces) (ID = -2147478145)
4:50 PM: Found Adware: virtualbouncer
4:50 PM: c:\program files\vbouncer (2 subtraces) (ID = -2147477376)
4:50 PM: c:\program files\surfsidekick 3 (ID = -2147480186)
4:50 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
4:50 PM: Found Adware: cas
4:50 PM: c:\program files\cmsystem (ID = -2147471610)
4:50 PM: backup-20051004-233143-932.inf (ID = 144896)
4:50 PM: wmprfptb.prx:ypgwmu (ID = 56287)
4:50 PM: backup-20051004-233142-977.dll.tcf (ID = 115632)
4:50 PM: wmprfchs.prx:byvgwy (ID = 56270)
4:50 PM: preuninstallcom.exe (ID = 74818)
4:50 PM: wmprfjpn.prx:foorkk (ID = 54051)
4:50 PM: backup-20050820-024611-298.dll.tcf (ID = 115632)
4:50 PM: vmmreg32.dll:jmucx (ID = 56447)
4:50 PM: backup-20051014-122146-985.dll (ID = 131321)
4:50 PM: wmsetup.log:bqjpah (ID = 54093)
4:51 PM: qekrmujx.exe (ID = 159311)
4:51 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || qekrmujx (ID = 0)
4:51 PM: fhlyvp.exe (ID = 158592)
4:51 PM: clock.avi:uqanf (ID = 56270)
4:51 PM: pcs_0031.exe (ID = 161706)
4:51 PM: backup-20051004-233142-567.dll (ID = 131321)
4:51 PM: backup-20051004-233143-657.dll (ID = 73425)
4:51 PM: blue lace 16.bmp:pyxtq (ID = 56447)
4:52 PM: 5b490ro6.exe (ID = 157331)
4:52 PM: Found Adware: winantispyware 2005
4:52 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
4:52 PM: wmprfesp.prx:qnkqv (ID = 56447)
4:52 PM: wmprfheb.prx:incwp (ID = 56447)
4:52 PM: wmprfkor.prx:bovbr (ID = 56447)
4:52 PM: uclvf.exe (ID = 159311)
4:53 PM: music store.ico:drvzty (ID = 56270)
4:53 PM: sskknwrd.dll (ID = 77733)
4:53 PM: t30debuglogfile.txt:trhmf (ID = 56194)
4:53 PM: msnavpklog.txt:vcelr (ID = 56711)
4:53 PM: Found Adware: cws_tiny0
4:53 PM: olx98nt.sys:mrqyr (ID = 56968)
4:53 PM: nsw.log:bpfgu (ID = 56968)
4:53 PM: m67m.inf (ID = 74028)
4:53 PM: sskbho.dll (ID = 163865)
4:53 PM: ocgen.log:faalko (ID = 56287)
4:54 PM: patch.exe:fraet (ID = 55707)
4:54 PM: ntq5e7dn.dll (ID = 157332)
4:54 PM: uudmzf.exe (ID = 158592)
4:54 PM: stb.exe (ID = 94666)
4:54 PM: ssk.exe (ID = 163864)
4:54 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
4:55 PM: 30r8imok.exe (ID = 157330)
4:55 PM: Found Adware: ist yoursitebar
4:55 PM: backup-20050820-024612-156.dll.tcf (ID = 133888)
4:55 PM: apd123.exe.tcf (ID = 161622)
4:55 PM: uninst.exe (ID = 73428)
4:55 PM: mon2007.dbd (ID = 57693)
4:55 PM: qldf.bin (ID = 131688)
4:55 PM: Found Adware: isearch toolbar
4:55 PM: mte2odm6odoxng.exe.tcf (ID = 145831)
4:55 PM: mediaticketsinstaller.inf (ID = 73158)
4:55 PM: qlink32.dll (ID = 73425)
4:55 PM: ypowlt.exe (ID = 158592)
4:56 PM: preuninstallql.exe (ID = 131326)
4:56 PM: uninst.exe (ID = 73428)
4:56 PM: sskknwrd.dll (ID = 77733)
4:56 PM: Found Trojan Horse: trojan_downloader_tibser
4:56 PM: odbc.ini:jrtka (ID = 81471)
4:57 PM: msxmidi.exe.js:gwqvn (ID = 55098)
4:57 PM: {2cea2f29-8fb4-4414-bc3b-fe8205b3cee1}.dat:yjzri (ID = 56711)
4:58 PM: dsr.exe.tcf (ID = 121121)
4:59 PM: installt.exe (ID = 82806)
4:59 PM: whinstaller.ini (ID = 83848)
4:59 PM: whagent.inf (ID = 83822)
5:00 PM: _default.pif:nmjryt (ID = 81471)
5:00 PM: auhccup1.dll:jpxurb (ID = 56287)
5:00 PM: {3ad02412-f082-4583-b4a2-5888e7e64911}.dat:gnbwse (ID = 56270)
5:00 PM: active setup log.txt:rofppq (ID = 54051)
5:00 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
5:00 PM: btnetw3-995329.exe (ID = 155333)
5:00 PM: rifqr.exe (ID = 159311)
5:00 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || rifqr (ID = 0)
5:01 PM: msnsetuplog.bak:lrcmzn (ID = 81471)
5:01 PM: notepad.exe.bak:uqcuj (ID = 56711)
5:01 PM: 9b7psqu9.exe.tcf (ID = 130510)
5:01 PM: mon1920.dbd (ID = 57692)
5:01 PM: wingenerics.dll (ID = 50187)
5:02 PM: patch.exe:qtlwgb (ID = 54093)
5:02 PM: dsr.dll.tcf (ID = 115632)
5:02 PM: comsetup.log:xdsnj (ID = 53966)
5:02 PM: ocmsn.log:jsouf (ID = 56447)
5:03 PM: mm81.ocx (ID = 144897)
5:03 PM: orun32.isu:uurmb (ID = 53966)
5:03 PM: wmprfrus.prx:vpdtr (ID = 56447)
5:03 PM: clock.avi:uqanfo (ID = 54093)
5:04 PM: mqjwnm.exe (ID = 159311)
5:05 PM: vminst.log:dpczx (ID = 56966)
5:05 PM: kb885836.log:ilbgrd (ID = 81471)
5:05 PM: kb887822.log:bltlln (ID = 56270)
5:06 PM: mediaticketsinstaller.ocx.tcf (ID = 73164)
5:08 PM: sskcwrd.dll (ID = 77712)
5:08 PM: whagent.ini (ID = 83825)
5:08 PM: mon0204.ddx (ID = 57681)
5:08 PM: mon1125.ddx (ID = 57685)
5:08 PM: mon1909.ddx (ID = 57691)
5:08 PM: mon0504.ddx (ID = 57681)
5:08 PM: mon0904.ddx (ID = 57691)
5:08 PM: mon0412.ddx (ID = 57681)
5:08 PM: mon0106.ddx (ID = 57679)
5:08 PM: mon0315.ddx (ID = 57681)
5:08 PM: mon1204.ddx (ID = 57681)
5:08 PM: Found System Monitor: potentially rootkit-masked files
5:08 PM: 0000409d_4344abe5_0001ab3f (ID = 0)
5:08 PM: 00004dc8_434e0977_0004c4b4 (ID = 0)
5:08 PM: 000039ce_43496744_000ec82e (ID = 0)
5:08 PM: 000022ee_43464335_000a7d8c (ID = 0)
5:08 PM: 00005772_4348e5c1_00066ff3 (ID = 0)
5:08 PM: 000032c1_43462903_000a4083 (ID = 0)
5:08 PM: 00004e45_43461657_00000000 (ID = 0)
5:08 PM: 00000035_4346180f_0001ab3f (ID = 0)
5:09 PM: 0000261e_4343906f_0005f5e1 (ID = 0)
5:09 PM: 00001a49_43438fa8_000d59f8 (ID = 0)
5:09 PM: 00000732_43464221_0006ea05 (ID = 0)
5:09 PM: 00003ef6_434715dd_000a7d8c (ID = 0)
5:09 PM: 00003c61_434da2ea_000c65d4 (ID = 0)
5:09 PM: 00005cfd_4344ab9b_00081b32 (ID = 0)
5:09 PM: 0000441d_4348eeba_0002dc6c (ID = 0)
5:10 PM: 0000691d_434c1e17_000b71b0 (ID = 0)
5:10 PM: 00000f3e_43471514_00090f56 (ID = 0)
5:10 PM: 000072ae_434b3f14_000b71b0 (ID = 0)
5:10 PM: 000022ee_4343f490_00090f56 (ID = 0)
5:10 PM: 00003bf6_434616c7_00066ff3 (ID = 0)
5:10 PM: 00006e5d_4344aada_0001ab3f (ID = 0)
5:10 PM: 0000798b_43461714_0001e848 (ID = 0)
5:10 PM: 00005dd5_4345d2e2_000501bd (ID = 0)
5:10 PM: 00005064_43463d5b_00053ec6 (ID = 0)
5:10 PM: 0000567e_43462a5d_000e1113 (ID = 0)
5:10 PM: 0000409d_43445185_00090f56 (ID = 0)
5:11 PM: 00002b0f_43446c4e_000d59f8 (ID = 0)
5:11 PM: 00005ea5_434b1ebd_0002dc6c (ID = 0)
5:11 PM: 000050bf_434e1280_0005b8d8 (ID = 0)
5:11 PM: 0000759a_434815af_000f0537 (ID = 0)
5:11 PM: 00005d03_434640db_000d59f8 (ID = 0)
5:11 PM: 00006586_43481f1e_0007270e (ID = 0)
5:11 PM: 00000029_434612aa_00007a12 (ID = 0)
5:11 PM: 00007a74_4344ce4e_0009c671 (ID = 0)
5:11 PM: 000039b3_43458b18_00089544 (ID = 0)
5:11 PM: 00001db5_4346ed41_0006acfc (ID = 0)
5:12 PM: 0000030a_434c3eb2_000a037a (ID = 0)
5:12 PM: 00005422_434616ef_000501bd (ID = 0)
5:12 PM: 000072b1_43481d88_00031975 (ID = 0)
5:12 PM: 00005e14_434c40df_0005f5e1 (ID = 0)
5:12 PM: 00004e45_434ec185_0004c4b4 (ID = 0)
5:12 PM: 00005579_434b1329_000487ab (ID = 0)
5:12 PM: 00006443_43481576_000bebc2 (ID = 0)
5:12 PM: 00003a8d_434af688_00053ec6 (ID = 0)
5:13 PM: 00003d6c_434a7a20_000ca2dd (ID = 0)
5:13 PM: 00000d66_434c42b4_00076417 (ID = 0)
5:13 PM: 00003d6c_4343aa27_000ca2dd (ID = 0)
5:13 PM: 000012c2_434b7e91_000a7d8c (ID = 0)
5:13 PM: 00005878_43438f92_00007a12 (ID = 0)
5:13 PM: 00005789_4349ac02_0007de29 (ID = 0)
5:13 PM: 00006b72_434af4c9_0001e848 (ID = 0)
5:14 PM: 00001350_4349ad59_00031975 (ID = 0)
5:14 PM: 00003f0e_43483b8e_0004c4b4 (ID = 0)
5:14 PM: 00000b31_4349aba9_00098968 (ID = 0)
5:14 PM: 00000fbf_434c41d2_0002dc6c (ID = 0)
5:14 PM: 00000677_4348176a_000d59f8 (ID = 0)
5:14 PM: 0000030a_434a078d_00016e36 (ID = 0)
5:14 PM: 0000513e_4348ea2e_0006ea05 (ID = 0)
5:14 PM: 000001eb_434a1384_00022551 (ID = 0)
5:15 PM: 0000798b_4343f539_000c65d4 (ID = 0)
5:15 PM: 00004d06_43438f32_0007de29 (ID = 0)
5:15 PM: 000023c9_434451a1_000f0537 (ID = 0)
5:15 PM: 00004db7_43438f32_0008d24d (ID = 0)
5:15 PM: 00005d03_434a0727_00053ec6 (ID = 0)
5:15 PM: 00002350_4347158f_00040d99 (ID = 0)
5:15 PM: 000054de_4349b2b3_0001ab3f (ID = 0)
5:15 PM: 000019da_434c046c_0005b8d8 (ID = 0)
5:15 PM: 00000fbf_4348319e_0007a120 (ID = 0)
5:15 PM: 00006014_43481cb6_000af79e (ID = 0)
5:15 PM: 00006ad4_434617ec_0001ab3f (ID = 0)
5:15 PM: 00000bdb_4344615a_000cdfe6 (ID = 0)
5:16 PM: 00007e87_43438f28_000b71b0 (ID = 0)
5:16 PM: 000015d5_43483f8e_0002dc6c (ID = 0)
5:16 PM: 0000759a_43438f88_00076417 (ID = 0)
5:16 PM: 00005e73_43463f9f_00090f56 (ID = 0)
5:16 PM: 000075ec_434b7f6e_0003567e (ID = 0)
5:16 PM: 00002277_43484d51_0007de29 (ID = 0)
5:16 PM: 000026e9_434eb5a7_000a037a (ID = 0)
5:17 PM: 0000773b_43458faf_00040d99 (ID = 0)
5:17 PM: 00004f2b_4344bf1b_000b34a7 (ID = 0)
5:17 PM: 00004d8e_4344c0c0_000aba95 (ID = 0)
5:17 PM: 00005968_434c05e7_000a4083 (ID = 0)
5:17 PM: 00006952_43454626_00000000 (ID = 0)
5:17 PM: 0000123b_4348fcf2_000e4e1c (ID = 0)
5:17 PM: 00007e87_43464075_000487ab (ID = 0)
5:17 PM: 000016d4_434e0f03_00098968 (ID = 0)
5:18 PM: 00003bb1_434c0528_000c65d4 (ID = 0)
5:18 PM: 00000029_43445dec_0001ab3f (ID = 0)
5:18 PM: 000078d4_43446a1d_0008d24d (ID = 0)
5:18 PM: 0000366b_43481628_00066ff3 (ID = 0)
5:18 PM: 00007a61_43472263_0007270e (ID = 0)
5:18 PM: 0000249e_4348320f_000b34a7 (ID = 0)
5:18 PM: 00007613_434627c2_0003d090 (ID = 0)
5:18 PM: 00003d6c_434da0e0_000632ea (ID = 0)
5:19 PM: 0000422d_434b4d42_0009c671 (ID = 0)
5:19 PM: 00000bdb_4346167b_00016e36 (ID = 0)
5:19 PM: 0000441d_434c0697_00031975 (ID = 0)
5:19 PM: 0000798b_43463448_00076417 (ID = 0)
5:19 PM: 0000153c_43461966_00040d99 (ID = 0)
5:19 PM: 00006c69_4348e67a_0007270e (ID = 0)
5:19 PM: 00007dd1_4346c0d4_000c28cb (ID = 0)
5:19 PM: 0000368e_4344622d_00022551 (ID = 0)
5:19 PM: 00000de5_434469d4_0006acfc (ID = 0)
5:20 PM: 0000428b_434f021a_0007270e (ID = 0)
5:20 PM: 0000054b_4349b090_00029f63 (ID = 0)
5:20 PM: 00001916_4349b468_0004c4b4 (ID = 0)
5:20 PM: 00000029_434a637c_0005b8d8 (ID = 0)
5:20 PM: 000015a1_4344619c_0009c671 (ID = 0)
5:20 PM: 00005af1_4344a3b4_000632ea (ID = 0)
5:20 PM: 000056ae_4344615b_0003d090 (ID = 0)
5:21 PM: 00001649_434a127f_0001ab3f (ID = 0)
5:21 PM: 00003a9e_434815d8_000c28cb (ID = 0)
5:21 PM: 00001edc_434726dd_0001e848 (ID = 0)
5:21 PM: 00006611_43483936_0003567e (ID = 0)
5:21 PM: 00006032_434616ee_0002625a (ID = 0)
5:21 PM: 00004823_43445dec_0005f5e1 (ID = 0)
5:21 PM: 00003908_4344baf1_000a7d8c (ID = 0)
5:21 PM: 00006b36_4350091e_000dd40a (ID = 0)
5:21 PM: 00004a80_4343f555_000baeb9 (ID = 0)
5:22 PM: 00006469_434c0bd1_00022551 (ID = 0)
5:22 PM: 00000902_43500b0e_000501bd (ID = 0)
5:22 PM: 00006df1_434ec609_00076417 (ID = 0)
5:22 PM: 0000422d_4349619e_00031975 (ID = 0)
5:22 PM: 000032de_4347ab8f_000d59f8 (ID = 0)
5:22 PM: 0000658c_434a015a_0007a120 (ID = 0)
5:23 PM: 0000123b_4347a8be_000baeb9 (ID = 0)
5:23 PM: 00000607_4347a809_000a037a (ID = 0)
5:23 PM: 000019da_4349b633_000bebc2 (ID = 0)
5:23 PM: 0000169a_434819da_000b71b0 (ID = 0)
5:23 PM: 00001366_4344516f_00044aa2 (ID = 0)
5:23 PM: 000041bb_434460f2_0007a120 (ID = 0)
5:23 PM: 00004531_4344adf1_0001e848 (ID = 0)
5:24 PM: 00005991_43501437_000f0537 (ID = 0)
5:24 PM: 00001316_4346257f_0000b71b (ID = 0)
5:24 PM: 000018d7_4344523c_00000000 (ID = 0)
5:24 PM: 00003419_43484af2_000d9701 (ID = 0)
5:24 PM: 00006ea1_434779a1_000e8b25 (ID = 0)
5:24 PM: 00005878_4349b31b_00076417 (ID = 0)
5:24 PM: 000004f0_4349766b_000ca2dd (ID = 0)
5:24 PM: 00003bf6_4350304c_0007270e (ID = 0)
5:24 PM: 000022da_4344c3a1_000cdfe6 (ID = 0)
5:24 PM: 000072ae_4343fec7_00007a12 (ID = 0)
5:24 PM: 0000242d_4344c3e0_000a037a (ID = 0)
5:24 PM: 00007b44_4346c373_00003d09 (ID = 0)
5:25 PM: 00006bfc_43464110_00007a12 (ID = 0)
5:25 PM: 00007ff4_4344bfd6_0006acfc (ID = 0)
5:25 PM: 00000029_434a0688_00089544 (ID = 0)
5:25 PM: 00007f0d_434b7f4e_000c65d4 (ID = 0)
5:25 PM: 00001a31_4347aec7_00053ec6 (ID = 0)
5:25 PM: 00000ddc_434389b9_0001ab3f (ID = 0)
5:25 PM: 00005e41_434c0aeb_000ca2dd (ID = 0)
5:26 PM: 0000199f_434c0aed_00044aa2 (ID = 0)
5:26 PM: 00002c49_434c430b_0001ab3f (ID = 0)
5:26 PM: 00000bb3_434a1384_000e4e1c (ID = 0)
5:26 PM: 00007fbe_434af688_000d9701 (ID = 0)
5:26 PM: 00007ac2_434b15b4_00029f63 (ID = 0)
5:26 PM: 000008ff_434c0a6e_000d1cef (ID = 0)
5:26 PM: 00002213_434c3ea4_000baeb9 (ID = 0)
5:26 PM: 00004d06_434b3fd3_00090f56 (ID = 0)
5:27 PM: 00006d22_43437daf_000dd40a (ID = 0)
5:27 PM: 0000513e_4348184e_00057bcf (ID = 0)
5:27 PM: 000073cb_4344b6cb_00089544 (ID = 0)
5:27 PM: 000008d2_43484d8b_0003d090 (ID = 0)
5:27 PM: 00006479_434c5604_000d9701 (ID = 0)
5:27 PM: 000026e9_4349b201_000ca2dd (ID = 0)
5:27 PM: 00004962_434756bb_000e1113 (ID = 0)
5:27 PM: 00002c3b_434616ee_00044aa2 (ID = 0)
5:27 PM: 00002784_43484806_0007270e (ID = 0)
5:27 PM: 00004efe_434c06df_000b71b0 (ID = 0)
5:28 PM: 00004402_434b4d8f_000a4083 (ID = 0)
5:28 PM: 00005f90_434ff5c2_0007de29 (ID = 0)
5:28 PM: 000049d0_434b7ede_000e1113 (ID = 0)
5:28 PM: 00000c7b_434b5555_000e4e1c (ID = 0)
5:28 PM: 00002e39_434c07eb_00098968 (ID = 0)
5:28 PM: 00003765_4346ca14_0000b71b (ID = 0)
5:29 PM: 00002725_4348ed2b_000d9701 (ID = 0)
5:29 PM: 00004d06_43502db0_0003567e (ID = 0)
5:29 PM: 000049d0_4346ca74_00057bcf (ID = 0)
5:29 PM: 00006732_43437dae_0007270e (ID = 0)
5:29 PM: 00007a54_4346c8a5_000f0537 (ID = 0)
5:29 PM: 00005fa4_4344ac73_0001ab3f (ID = 0)
5:29 PM: 00005a9c_4346c8ed_000af79e (ID = 0)
5:30 PM: 00005039_43458eed_00066ff3 (ID = 0)
5:30 PM: 00003960_43502bd5_0002dc6c (ID = 0)
5:30 PM: 00001238_4344a473_0002dc6c (ID = 0)
5:31 PM: 000066bb_434830d9_00066ff3 (ID = 0)
5:31 PM: 000032c1_434a05df_000a4083 (ID = 0)
5:31 PM: 00001eca_4344ad8e_00029f63 (ID = 0)
5:31 PM: 00003751_434c22d2_0008583b (ID = 0)
5:31 PM: 00000fc9_43446275_000e4e1c (ID = 0)
5:31 PM: 000073da_4349616f_0002dc6c (ID = 0)
5:32 PM: 00000029_4345892e_000af79e (ID = 0)
5:32 PM: 00004823_43458931_000af79e (ID = 0)
5:32 PM: 00003ef6_43458c62_00022551 (ID = 0)
5:32 PM: 00002db5_434833a2_0003d090 (ID = 0)
5:33 PM: 00005acb_4344c02d_00039387 (ID = 0)
5:33 PM: 00000029_4343845b_0008583b (ID = 0)
5:33 PM: 00006b36_434c3fef_000632ea (ID = 0)
5:33 PM: 000046cf_434c03ea_000f0537 (ID = 0)
5:33 PM: 00002959_434e10ba_000e1113 (ID = 0)
5:34 PM: 00005064_434c5486_0001312d (ID = 0)
5:34 PM: 00003a9e_4350304c_000dd40a (ID = 0)
5:35 PM: 000006e3_4348347d_00039387 (ID = 0)
5:35 PM: 00000c7b_434af689_0003567e (ID = 0)
5:35 PM: 00001739_4344bd2e_00094c5f (ID = 0)
5:35 PM: 000073da_4350144f_000a037a (ID = 0)
5:36 PM: 00004db7_43471518_000d9701 (ID = 0)
5:36 PM: 0000121f_4343f540_000dd40a (ID = 0)
5:36 PM: 00001e1f_4343e24c_0001ab3f (ID = 0)
5:36 PM: 00006443_434a6521_0008d24d (ID = 0)
5:36 PM: 00006d69_4348184e_0008d24d (ID = 0)
5:36 PM: 00004ae1_43501287_0006ea05 (ID = 0)
5:36 PM: 00002f14_434716aa_0003d090 (ID = 0)
5:36 PM: 00006b72_434bfdef_00089544 (ID = 0)
5:36 PM: 00005039_434831fd_0009c671 (ID = 0)
5:37 PM: 0000424c_434629df_000a4083 (ID = 0)
5:37 PM: 00004087_4345e7aa_0000f424 (ID = 0)
5:37 PM: 00006df1_43437ba3_0000b71b (ID = 0)
5:37 PM: 000072a6_43462946_0002625a (ID = 0)
5:37 PM: 000026e9_434460f3_0001312d (ID = 0)
5:37 PM: 0000759a_434ff9ec_0007270e (ID = 0)
5:37 PM: 00007bb9_43500b49_000bebc2 (ID = 0)
5:37 PM: 000058d5_4344aecc_00003d09 (ID = 0)
5:38 PM: 0000127e_434b4de5_000dd40a (ID = 0)
5:38 PM: 00000029_434a0d3f_000501bd (ID = 0)
5:38 PM: 0000409d_434461a7_000d59f8 (ID = 0)
5:38 PM: 00005e14_43483159_000baeb9 (ID = 0)
5:38 PM: 00006ea1_43481a51_0002625a (ID = 0)
5:38 PM: 0000249e_43471900_000b34a7 (ID = 0)
5:38 PM: 000022cd_43446249_0005b8d8 (ID = 0)
5:39 PM: 00000120_4349b30a_0003567e (ID = 0)
5:39 PM: 00003d6c_434eb593_000a4083 (ID = 0)
5:39 PM: 000074ad_434469a2_000a4083 (ID = 0)
5:39 PM: 00000bdb_434c3f47_00044aa2 (ID = 0)
5:39 PM: 00006d22_434af606_000c65d4 (ID = 0)
5:39 PM: 0000153c_43454d46_0007de29 (ID = 0)
5:39 PM: 00000dc3_4344c365_000dd40a (ID = 0)
5:39 PM: 00004cef_4344bcc0_000e4e1c (ID = 0)
5:40 PM: 00004eae_43496812_000501bd (ID = 0)
5:40 PM: 00002abc_4344bb3d_000501bd (ID = 0)
5:40 PM: 0000363a_434c21b5_00076417 (ID = 0)
5:40 PM: 0000440d_434bf276_000b71b0 (ID = 0)
5:40 PM: 00003f9a_434c06a4_0007a120 (ID = 0)
5:40 PM: 00006f07_4344ba20_0007270e (ID = 0)
5:40 PM: 00007eb7_43464406_0005b8d8 (ID = 0)
5:40 PM: 000045a1_43472b76_0006acfc (ID = 0)
5:40 PM: 0000759a_434642d1_00081b32 (ID = 0)
5:41 PM: 00004df2_43464376_000c28cb (ID = 0)
5:41 PM: 00000822_4345d239_00089544 (ID = 0)
5:41 PM: 000043db_4346ca95_000501bd (ID = 0)
5:41 PM: 00002bb8_434c13f2_0005f5e1 (ID = 0)
5:41 PM: 00007d4b_43484ddc_00039387 (ID = 0)
5:41 PM: 00005887_434839a9_000af79e (ID = 0)
5:41 PM: 0000293b_434e1117_0009c671 (ID = 0)
5:41 PM: 0000328d_43484792_0000b71b (ID = 0)
5:42 PM: 00000029_434bf31f_000baeb9 (ID = 0)
5:42 PM: 00005078_4349b5b8_00003d09 (ID = 0)
5:42 PM: 00003cd5_4343900a_000c28cb (ID = 0)
5:42 PM: 00002d12_434963f5_00057bcf (ID = 0)
5:42 PM: 000015bd_4344b281_000632ea (ID = 0)
5:42 PM: 00002ea6_434a06c3_0001ab3f (ID = 0)
5:43 PM: 00001953_43445249_0003567e (ID = 0)
5:43 PM: 000013e9_4343900a_000cdfe6 (ID = 0)
5:43 PM: 00006df1_434a63df_0002dc6c (ID = 0)
5:43 PM: 0000138a_43472244_0006ea05 (ID = 0)
5:43 PM: 00003cd6_43439031_00044aa2 (ID = 0)
5:43 PM: 00003699_43481672_00094c5f (ID = 0)
5:43 PM: 00005d03_43438f45_00057bcf (ID = 0)
5:43 PM: 00000bdb_43438f80_000ca2dd (ID = 0)
5:43 PM: 00000822_43438fd7_000487ab (ID = 0)
5:44 PM: 00001796_4346251b_0007a120 (ID = 0)
5:44 PM: 000063d9_434c1439_00057bcf (ID = 0)
5:44 PM: 00006f3c_434818a6_000af79e (ID = 0)
5:44 PM: 000032e6_4348175e_00031975 (ID = 0)
5:44 PM: 00001dd4_43484aac_000d59f8 (ID = 0)
5:44 PM: 000043db_434c0991_0003567e (ID = 0)
5:44 PM: 0000424c_4347abd6_000b34a7 (ID = 0)
5:44 PM: 000026a6_434830db_000d1cef (ID = 0)
5:45 PM: 00006f57_4347ac98_000aba95 (ID = 0)
5:45 PM: 00000822_434e0c03_0007de29 (ID = 0)
5:45 PM: 00004944_434a706f_0000f424 (ID = 0)
5:45 PM: 00001b0b_4344b6de_00066ff3 (ID = 0)
5:45 PM: 000067a6_4344aee4_00090f56 (ID = 0)
5:45 PM: 00006ad4_4349b4db_00040d99 (ID = 0)
5:45 PM: 00004dfc_4344b972_0001312d (ID = 0)
5:45 PM: 00002b0f_434c0849_000f0537 (ID = 0)
5:46 PM: 00007049_434bf501_000d59f8 (ID = 0)
5:46 PM: 00004987_4344ae5a_0009c671 (ID = 0)
5:46 PM: 00002c3b_4347731a_000a7d8c (ID = 0)
5:46 PM: 000009b3_43462a27_00003d09 (ID = 0)
5:46 PM: 00006db2_434840c0_00066ff3 (ID = 0)
5:46 PM: 000049f7_43437e50_00016e36 (ID = 0)
5:46 PM: 000020a8_4344ad38_0005b8d8 (ID = 0)
5:46 PM: 00007049_43439000_000d9701 (ID = 0)
5:46 PM: 00001ff1_43461125_00094c5f (ID = 0)
5:47 PM: 00003106_434611bc_00007a12 (ID = 0)
5:47 PM: 0000759a_4344615b_000e1113 (ID = 0)
5:47 PM: 0000440d_43438f31_000ca2dd (ID = 0)
5:47 PM: 00005f49_4344513f_0005f5e1 (ID = 0)
5:47 PM: 0000249e_4344525e_000af79e (ID = 0)
5:47 PM: 0000701f_434619a5_00094c5f (ID = 0)
5:47 PM: 00007f96_43438f72_0000f424 (ID = 0)
5:47 PM: 0000047e_434634ce_00053ec6 (ID = 0)
5:48 PM: 00003bf6_434bf400_0002dc6c (ID = 0)
5:48 PM: 00005772_4346bfe4_00044aa2 (ID = 0)
5:48 PM: 000018be_434a637e_00076417 (ID = 0)
5:48 PM: 00000860_4344c3af_00029f63 (ID = 0)
5:48 PM: 000000aa_4344ccd0_0001e848 (ID = 0)
5:48 PM: 00006d69_4344acb2_000dd40a (ID = 0)
5:48 PM: 000074ad_4349b928_00031975 (ID = 0)
5:49 PM: 00005f90_434b3f40_00039387 (ID = 0)
5:49 PM: 00004cd4_43463a77_000baeb9 (ID = 0)
5:49 PM: 0000798b_43437c6b_0006ea05 (ID = 0)
5:49 PM: 00006778_43481f0e_00029f63 (ID = 0)
5:49 PM: 0000491c_434b3fbb_0001e848 (ID = 0)
5:49 PM: 00001bd9_43472408_0000f424 (ID = 0)
5:49 PM: 0000489c_434c4374_00090f56 (ID = 0)
5:49 PM: 00004dc8_4346beba_00094c5f (ID = 0)
5:49 PM: 00001649_434b3f40_00066ff3 (ID = 0)
5:49 PM: 00005f32_4345d220_000baeb9 (ID = 0)
5:49 PM: 000071f0_434718bf_00081b32 (ID = 0)
5:50 PM: 00001cdf_4348f6c9_000c65d4 (ID = 0)
5:50 PM: 00000a76_4344c371_0007a120 (ID = 0)
5:50 PM: 0000138a_4348ed98_00016e36 (ID = 0)
5:50 PM: 00006df1_434a1287_00066ff3 (ID = 0)
5:50 PM: 00006da6_43481b1b_00057bcf (ID = 0)
5:50 PM: 000012e1_43500aad_0003567e (ID = 0)
5:50 PM: 000037e6_4348325f_00039387 (ID = 0)
5:50 PM: 00001dc0_4345e7a4_00000000 (ID = 0)
5:51 PM: 0000542c_434831fd_000b71b0 (ID = 0)
5:51 PM: 00000ddc_4343f502_0001312d (ID = 0)
5:51 PM: 00005af1_434a1287_00094c5f (ID = 0)
5:51 PM: 00003a9e_434bf400_0007270e (ID = 0)
5:51 PM: 00003e12_4343857d_00066ff3 (ID = 0)
5:51 PM: 00001243_43462a3d_000f0537 (ID = 0)
5:52 PM: 000027da_4346c9c7_0003567e (ID = 0)
5:52 PM: 0000074d_43463326_0007de29 (ID = 0)
5:52 PM: 000065c4_4344c3c2_000a4083 (ID = 0)
5:52 PM: 0000767d_434a0728_0006acfc (ID = 0)
5:52 PM: 00005f67_4344aeae_0003d090 (ID = 0)
5:52 PM: 00001366_43438fc0_0001e848 (ID = 0)
5:52 PM: 000048d3_4344ddc4_0000f424 (ID = 0)
5:53 PM: 00000e29_4346271e_000d59f8 (ID = 0)
5:53 PM: 0000590e_434775e8_000d9701 (ID = 0)
5:53 PM: 00002332_4344b036_000c28cb (ID = 0)
5:53 PM: 000041bb_434a1287_000e4e1c (ID = 0)
5:53 PM: 0000323b_434ec186_00003d09 (ID = 0)
5:53 PM: 00004640_434c30dc_000d59f8 (ID = 0)
5:53 PM: 000066bb_4346beba_000d9701 (ID = 0)
5:54 PM: 00003895_4346294d_0003567e (ID = 0)
5:54 PM: 00007cfe_4346c74a_000d1cef (ID = 0)
5:54 PM: 00000029_434b3ebc_0001312d (ID = 0)
5:54 PM: 00002350_4344615c_0008d24d (ID = 0)
5:54 PM: 00004ae1_434bf258_000e1113 (ID = 0)
5:54 PM: 0000773b_434c5477_000487ab (ID = 0)
5:55 PM: 00005cfd_434bf3cb_000bebc2 (ID = 0)
5:55 PM: 00006c6c_434833c8_00029f63 (ID = 0)
5:55 PM: 00003b97_4346259e_0007270e (ID = 0)
5:55 PM: 0000047e_4346c09d_00007a12 (ID = 0)
5:55 PM: 00005804_4346e279_0002dc6c (ID = 0)
5:55 PM: 00002528_4344ad01_000dd40a (ID = 0)
5:55 PM: 000001eb_434460f4_0009c671 (ID = 0)
5:55 PM: 00005422_4346bfa8_00081b32 (ID = 0)
5:55 PM: 00001f16_4344acc4_000632ea (ID = 0)
5:55 PM: 00002ea6_434eb705_000487ab (ID = 0)
5:56 PM: 00000de9_4349b10f_0009c671 (ID = 0)
5:56 PM: 00006ade_434c23d6_000a7d8c (ID = 0)
5:56 PM: 00004944_434e0bbe_000a037a (ID = 0)
5:56 PM: 00002738_43446f6d_0005f5e1 (ID = 0)
5:56 PM: 000077e7_4348ff0c_000a7d8c (ID = 0)
5:56 PM: Sweep Canceled
5:56 PM: 000018be_43458992_000dd40a (ID = 0)
5:56 PM: 00006bc9_4347a832_0007a120 (ID = 0)
5:56 PM: 00002784_4344b95e_00016e36 (ID = 0)
5:57 PM: 00005953_4344b939_0003567e (ID = 0)
5:57 PM: 000028e2_4348f66f_00007a12 (ID = 0)
5:57 PM: 00006795_4344c3b0_000a4083 (ID = 0)
5:58 PM: 00005d03_434b4046_00090f56 (ID = 0)
5:58 PM: 000071f6_43481f9b_0006ea05 (ID = 0)
5:58 PM: 000026a6_4346bebb_0003d090 (ID = 0)
5:58 PM: 00000fbf_434ffd3b_000501bd (ID = 0)
5:58 PM: 00003742_4349ac3b_000ca2dd (ID = 0)
5:58 PM: 000022ee_4344615d_00000000 (ID = 0)
5:58 PM: 00000bb3_434460f4_000af79e (ID = 0)
5:59 PM: 0000424c_4346e230_000e8b25 (ID = 0)
5:59 PM: 00007f0d_4344adb4_00003d09 (ID = 0)
5:59 PM: 00003d6c_434460d3_000632ea (ID = 0)
5:59 PM: 00002332_4344ad72_0007de29 (ID = 0)
5:59 PM: 00000e00_4346e1b7_000a7d8c (ID = 0)
5:59 PM: 000026e9_434a1289_000dd40a (ID = 0)
6:00 PM: 0000314f_434b4ccd_0004c4b4 (ID = 0)
6:00 PM: 00001a49_434e0baa_000632ea (ID = 0)
6:00 PM: 0000139d_434af411_0003d090 (ID = 0)
6:01 PM: 00005e41_4346e14f_0005f5e1 (ID = 0)
6:01 PM: 00001af4_434af607_0003567e (ID = 0)
6:01 PM: 00004e45_434e0a85_00039387 (ID = 0)
6:01 PM: 00003602_43484f08_00066ff3 (ID = 0)
6:01 PM: 00001f0d_4344b378_00090f56 (ID = 0)
6:01 PM: 00001e58_434c31d9_000b71b0 (ID = 0)
6:02 PM: 0000486c_434757f4_0008d24d (ID = 0)
6:02 PM: 00002cd6_434460d4_00029f63 (ID = 0)
6:02 PM: 00001d18_4344687e_0007de29 (ID = 0)
6:02 PM: 00007dd1_4345d2b1_0001e848 (ID = 0)
6:02 PM: 00004efe_4346c8f4_000cdfe6 (ID = 0)
6:02 PM: 00007874_4346c126_00040d99 (ID = 0)
6:02 PM: 00003ef6_4344619d_0005b8d8 (ID = 0)
6:02 PM: 00007983_434c42bd_00003d09 (ID = 0)
6:02 PM: 0000014a_4344bb9f_000bebc2 (ID = 0)
6:03 PM: 00000732_434c3f4b_000bebc2 (ID = 0)
6:03 PM: 0000194d_4344c253_0003d090 (ID = 0)
6:03 PM: 00005b8f_4344bd1e_00003d09 (ID = 0)
6:03 PM: 00004d06_4348e3f4_000632ea (ID = 0)
6:03 PM: 000072ae_434460d4_000a037a (ID = 0)
6:03 PM: 00003f0b_4346263d_000632ea (ID = 0)
6:03 PM: 0000390c_4346beb3_000b71b0 (ID = 0)
6:04 PM: 000030dc_4344b875_000ec82e (ID = 0)
6:04 PM: 0000139d_4344518f_00022551 (ID = 0)
6:04 PM: 000072ae_434381bf_000c28cb (ID = 0)
6:04 PM: 0000767d_4343853d_00016e36 (ID = 0)
6:04 PM: 00002db5_43446ad2_00000000 (ID = 0)
6:04 PM: 00005039_434af4d1_0004c4b4 (ID = 0)
6:05 PM: 0000065a_4348364d_00040d99 (ID = 0)
6:05 PM: 000062b0_4346ed7b_0007a120 (ID = 0)
6:05 PM: 00005f90_4343aa35_000e8b25 (ID = 0)
6:05 PM: 0000030a_4343854e_000d1cef (ID = 0)
6:06 PM: 000007c9_4349a654_000b34a7 (ID = 0)
6:06 PM: 00005cfd_434da128_00098968 (ID = 0)
6:06 PM: 0000176a_4349b04f_00098968 (ID = 0)
6:10 PM: Spy Installation Shield: found: Adware: abetterinternet, version 1.1.1.1 -- Execution Denied
6:11 PM: The Spy Communication shield has blocked access to: paypopup.com
6:11 PM: The Spy Communication shield has blocked access to: paypopup.com
6:15 PM: Memory Shield: Found: Memory-resident threat lzio, version 1.0.0.0
6:15 PM: Detected running threat: lzio
6:15 PM: | End of Session, Friday, October 14, 2005 |
********
4:34 PM: | Start of Session, Friday, October 14, 2005 |
4:34 PM: Spy Sweeper started
4:35 PM: Your spyware definitions have been updated.
4:40 PM: Memory Shield: Found: Memory-resident threat abetterinternet, version 1.1.1.1
4:40 PM: Detected running threat: abetterinternet
4:46 PM: | End of Session, Friday, October 14, 2005 |

[biggun1234]

I made this screenshot in normal mode instead of safe mode and was able to fit all the processes in one shot because of the resolution change from normal to safe mode. I also made the HJT log in normal mode. here ya go.

Logfile of HijackThis v1.99.1
Scan saved at 5:17:59 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [yojjksx] C:\WINDOWS\yojjksx.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oqseas] C:\WINDOWS\system32\xautvcr.exe r
O4 - HKLM\..\Run: [omvoopq] C:\WINDOWS\system32\qsznvh.exe r
O4 - HKLM\..\Run: [ngclwp] C:\WINDOWS\system32\pfjsiv.exe r
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [iehh.exe] C:\WINDOWS\system32\iehh.exe
O4 - HKLM\..\Run: [dsdxgqqx] C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [d3tr32.exe] C:\WINDOWS\system32\d3tr32.exe
O4 - HKLM\..\Run: [d3sq.exe] C:\WINDOWS\system32\d3sq.exe
O4 - HKLM\..\Run: [cxvwaq] C:\WINDOWS\system32\lzoeor.exe r
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [bowgfxgi] C:\WINDOWS\System32\oakuodn.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [696.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - F:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: dsdxgqqxikvgip - Unknown owner - C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Trevuren]

How many user accounts are there on your machine?

Trevuren

[biggun1234]

Just one user. I did notice under safe mode that there is 2 though. THere is Administartor and Owner. Is this normal?

[Trevuren]

Yes it is


Trevuren

[Trevuren]

Next for a big cleanup:

A. Please disable EwidoGuard as it could easily interfere with our fix.

B. We must disable Spy Sweeper for it may interfere with our fix

To disable SpySweeper:

• Open SpySweeper, click >Options over to the left then >program options >Uncheck "load at windows startup".
• Over to the left, click "shields" and uncheck all there.
• Uncheck "home page shield".
• Uncheck 'automaticly restore default without notifiction

C. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

• First we need to make all files and folders VISIBLE:
  
  • Go to start>control panel>folder options>view (tab)
  • Choose to "show hidden files and folders,"
  • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
  • Close the window with ok
• Please RUN HijackThis.
  . Click the SCAN button to produce a log.
  
  
• Place a check mark beside each one of the following items:
  
  O4 - HKLM\..\Run: [yojjksx] C:\WINDOWS\yojjksx.exe
  O4 - HKLM\..\Run: [oqseas] C:\WINDOWS\system32\xautvcr.exe r
  O4 - HKLM\..\Run: [omvoopq] C:\WINDOWS\system32\qsznvh.exe r
  O4 - HKLM\..\Run: [ngclwp] C:\WINDOWS\system32\pfjsiv.exe r
  O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
  O4 - HKLM\..\Run: [iehh.exe] C:\WINDOWS\system32\iehh.exe
  O4 - HKLM\..\Run: [dsdxgqqx] C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe
  O4 - HKLM\..\Run: [d3tr32.exe] C:\WINDOWS\system32\d3tr32.exe
  O4 - HKLM\..\Run: [d3sq.exe] C:\WINDOWS\system32\d3sq.exe
  O4 - HKLM\..\Run: [cxvwaq] C:\WINDOWS\system32\lzoeor.exe r
  O4 - HKLM\..\Run: [bowgfxgi] C:\WINDOWS\System32\oakuodn.exe
  O4 - HKLM\..\Run: [696.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001
  O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
  O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
  O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
  O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
  O23 - Service: dsdxgqqxikvgip - Unknown owner - C:\WINDOWS\system32\ikvgip\dsdxgqqx.exe (file missing)
  
  
• Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
  
  
• Reboot Your System in Safe Mode
  
  How to use the F8 method to Start Your Computer in Safe Mode
  
  
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
• Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):
  
  C:\WINDOWS\yojjksx.exe
  C:\WINDOWS\system32\xautvcr.exe
  C:\WINDOWS\system32\qsznvh.exe
  C:\WINDOWS\system32\pfjsiv.exe
  C:\PROGRAM FILES\NEWDOTNET<==Folder
  C:\WINDOWS\system32\iehh.exe
  C:\WINDOWS\system32\ikvgip<==Folder
  C:\WINDOWS\system32\d3tr32.exe
  C:\WINDOWS\system32\d3sq.exe
  C:\WINDOWS\system32\lzoeor.exe
  C:\WINDOWS\System32\oakuodn.exe
  C:\DOCUMENTS AND SETTINGS\Owner\LOCALS~1\Temp\696.tmp.exe 1 10001
  C:\WINDOWS\elitemediapop.exe
  C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
  
  
  
• Exit Explorer, and REBOOT BACK INTO NORMAL MODE
  
  
• Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

[biggun1234]

Hi Trevuren. I fixed all that you said in HJT, but I couldnt find any of the files that you mentioned above in safe mode. here is the newest HJT log. Also I was wondering, why do you think there are so many svchost.exe files running. Is that where rootkits tend to hide?

Logfile of HijackThis v1.99.1
Scan saved at 8:46:18 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Registration-Studio 7SE.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - F:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[biggun1234]

hey there again Trevuren! I forgot to ask you something in the last post. I had my F: drive (which is external) unplugged for the last cleaning process and for the spy sweeper cleaning. THe F: drive also doesnt load in Safe mode, so it doesn't scan it then either. Is this ok?

[Trevuren]

No, not really. SVCHOSTS are an accumulation of services often. You don't mes with them.

So far, so good.

A. I would like you to run 2 different searches with the same tool.

1. Download "Registry Search Tool" (RegSrch.vbs) from HERE

2. Start it and paste in dsdxggx.

3. Wait for it to complete the search, click ok at the prompt.

4. Then when wordpad opens, copy the text as a reply into this thread.

5. Then repeat the search using the following word " lzoeor"

6. I need both results to formulate a regfix, if required.


7. Please post a fresh HJT log with all comments pertaining to still suspect malware activity on your machine.

Regards,

Trevuren

[Trevuren]

Won't Spy Sweeper scan external drives?

Trevuren

[Trevuren]

I would like you to run another Staup List using HJT but make sure it is in Safe Mode. That is the only way of finding the re-infector.


Thanks,

Trevuren