Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

trojan.elitebar

Started by maxweber , Oct 30 2005 10:56 PM

Please log in to reply

#1
maxweber

Posted 30 October 2005 - 10:56 PM

Member

Member
12 posts

Hi! My wife's computer seems to be infected by trojan.elitebar. After searching through the forums, I have tried everything listed to remove this virus. I have run spybot, symantec antivirus and followed all of the instructions, ewido, trojanhunter, and the lqfix utility and nothing seems to work to get rid of it. I continue to get pop-ups, ie crashes occasionally, etc. I have pasted the Hijackthis log below. I would appreciate any help with this problem, I have spent the better part of two days trying to work through it and I just can't seem to fix it. Thanks!!!

Logfile of HijackThis v1.99.1
Scan saved at 10:43:29 PM, on 10/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\fhsjqlvr.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\System Files\System.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Scott Eliason\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O5 "LPT1:" /M "Stylus Photo 2200"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [fhsjqlvr] C:\WINDOWS\System32\fhsjqlvr.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream...er/tdserver.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0018.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109646613954
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.sho...Install4110.cab
O18 - Filter: text/plain - {BDB1A383-E5D8-49E3-B4C6-C88388612680} - C:\WINDOWS\System32\lcafl.dll
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\ksdsp.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#2
Matt

Posted 03 November 2005 - 12:18 PM

Infected with AwesomeWare

Member
606 posts

Hi maxweber, I am currently working on a fix for you and will have it posted shortly.

Matt

#3
Matt

Posted 03 November 2005 - 12:41 PM

Infected with AwesomeWare

Member
606 posts

Hi maxweber
Welcome to GeeksToGo! I will be helping you in cleaning up your computer!

Please print out these directions for use of/when you cannot access this page.

One thing I need you to do first is to place HiJackThis into a permanent folder, not the desktop. The reason for this is so that when HJT makes backups, they will be stored in a safe place.
*Go to Start > My Computer > and double click on C:.
* Now right click an open area and click New > folder and change the folder name to HJT.
* Extract HijackThis from the zipped file into this new folder.

You have a CoolWebSearch infection.

Download CWShredder Here to its own folder, but do NOT run it yet.

Download the Hoster Here

Unzip Hoster to your desktop

Open up the Hoster program.

Make sure that the "make hosts writable?" button in the upper right corner is enabled.
Click back up Host files
then click Restore orginal host files
close program

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

Then, rescan with HJT, and post a new log.

#4
maxweber

Posted 03 November 2005 - 07:05 PM

Member

Topic Starter
Member
12 posts

Matt,

Thanks for your help! I am out of town right now, but I will try your fix when I get back (Sunday or Monday) and post a new log.

#5
Matt

Posted 08 November 2005 - 08:01 AM

Infected with AwesomeWare

Member
606 posts

Hi maxweber. Please post a fresh HJT log. For some reason, you post from last night is no longer here. Sorry for any inconvenience.

Matt

#6
maxweber

Posted 11 November 2005 - 09:44 PM

Member

Topic Starter
Member
12 posts

Matt, here it is again.

Logfile of HijackThis v1.99.1
Scan saved at 10:03:17 PM, on 11/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\fhsjqlvr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\System Files\System.exe
C:\program files\internet explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O5 "LPT1:" /M "Stylus Photo 2200"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [fhsjqlvr] C:\WINDOWS\System32\fhsjqlvr.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream...er/tdserver.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0018.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109646613954
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.sho...Install4110.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\ksdsp.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#7
Matt

Posted 13 November 2005 - 05:39 PM

Infected with AwesomeWare

Member
606 posts

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

#8
maxweber

Posted 13 November 2005 - 06:26 PM

Member

Topic Starter
Member
12 posts

Matt, here is the l2mfix log file. Thanks for all of your help.

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ksdsp.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BFCD5488-ACB6-E3E8-0FF1-46EFE3B1DA67}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{2F25CF20-C569-11D1-B94C-00608CB45480}"="TextPad"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{06533E1A-D210-4C55-9D6F-961B50EE47FD}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{DB1267CA-89BE-408A-84FF-3EAFE60845D6}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{06533E1A-D210-4C55-9D6F-961B50EE47FD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06533E1A-D210-4C55-9D6F-961B50EE47FD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06533E1A-D210-4C55-9D6F-961B50EE47FD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06533E1A-D210-4C55-9D6F-961B50EE47FD}\InprocServer32]
@="C:\\WINDOWS\\system32\\IPETWH32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DB1267CA-89BE-408A-84FF-3EAFE60845D6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB1267CA-89BE-408A-84FF-3EAFE60845D6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB1267CA-89BE-408A-84FF-3EAFE60845D6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB1267CA-89BE-408A-84FF-3EAFE60845D6}\InprocServer32]
@="C:\\WINDOWS\\system32\\smnceng.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Thu Oct 20 2005 8:46:18p A.... 687,592 671.48 K
btowseui.dll Thu Oct 20 2005 7:04:06p ..S.R 417,792 408.00 K
dsdparse.dll Thu Oct 20 2005 8:40:06p A.... 45,056 44.00 K
ipetwh32.dll Sun Oct 30 2005 8:06:06p ..S.R 417,792 408.00 K
ksdsp.dll Sat Oct 22 2005 2:25:52p ..S.R 417,792 408.00 K
mvports.dll Sat Oct 22 2005 2:46:14p ..S.R 417,792 408.00 K
nsmb.dll Thu Oct 20 2005 6:53:16p A.... 67,584 66.00 K
pvlstore.dll Sun Oct 23 2005 5:23:12p ..S.R 417,792 408.00 K
rbsser.dll Mon Nov 7 2005 9:59:04p ..S.R 417,792 408.00 K
rpoc3260.dll Mon Nov 7 2005 9:46:08p ..S.R 417,792 408.00 K
smnceng.dll Sun Nov 13 2005 5:28:18p ..S.R 417,792 408.00 K
sqimeng.dll Thu Oct 20 2005 7:02:06p ..S.R 417,792 408.00 K
sslwid.dll Thu Oct 20 2005 7:02:20p ..S.R 417,792 408.00 K
wgsdmod.dll Thu Oct 20 2005 7:03:26p ..S.R 417,792 408.00 K
wwsdmod.dll Mon Nov 7 2005 9:28:02p ..S.R 417,792 408.00 K
wwsdmoe2.dll Thu Oct 20 2005 7:03:20p ..S.R 417,792 408.00 K

16 items found: 16 files (13 H/S), 0 directories.
Total of file sizes: 6,231,528 bytes 5.94 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Thu Oct 20 2005 10:51:46p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 441B-3106

Directory of C:\WINDOWS\System32

11/13/2005 05:28 PM 417,792 smnceng.dll
11/07/2005 09:59 PM 417,792 rBsser.dll
11/07/2005 09:46 PM 417,792 rpoc3260.dll
11/07/2005 09:28 PM 417,792 wwsdmod.dll
10/30/2005 08:06 PM 417,792 IPETWH32.dll
10/23/2005 05:23 PM 417,792 pvlstore.dll
10/22/2005 02:46 PM 417,792 mvports.dll
10/22/2005 02:25 PM 417,792 ksdsp.dll
10/20/2005 10:51 PM 417,792 guard.tmp
10/20/2005 07:04 PM 417,792 BTOWSEUI.DLL
10/20/2005 07:03 PM 417,792 wgsdmod.dll
10/20/2005 07:03 PM 417,792 wwsdmoe2.dll
10/20/2005 07:02 PM 417,792 sslwid.dll
10/20/2005 07:02 PM 417,792 sqimeng.dll
07/08/2005 08:26 PM <DIR> dllcache
07/18/2003 03:03 PM <DIR> Microsoft
14 File(s) 5,849,088 bytes
2 Dir(s) 4,807,266,304 bytes free

#9
Matt

Posted 13 November 2005 - 06:47 PM

Infected with AwesomeWare

Member
606 posts

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons dont dissappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.

#10
maxweber

Posted 13 November 2005 - 07:35 PM

Member

Topic Starter
Member
12 posts

Matt, below are the requested logs. I am still getting a lot of pop-ups, etc.

L2Mfix 1.04a

Running From:
C:\Documents and Settings\Scott Eliason\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(IO) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- changing existing entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

Setting up for Reboot

Starting Reboot!

Setting Directory
C:\Documents and Settings\Scott Eliason\Desktop\l2mfix

Running From:
C:\Documents and Settings\Scott Eliason\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 392 'smss.exe'
Error 0x6 : The handle is invalid.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 472 'winlogon.exe'
Error 0x6 : The handle is invalid.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1820 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\BTOWSEUI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\BTOWSEUI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IPETWH32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IPETWH32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mkxml3.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mkxml3.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvports.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvports.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pvlstore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pvlstore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rBsser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rBsser.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rpoc3260.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rpoc3260.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smnceng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smnceng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sqimeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sqimeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sslwid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sslwid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wgsdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wgsdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwsdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwsdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwsdmoe2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwsdmoe2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\BTOWSEUI.DLL
Successfully Deleted: C:\WINDOWS\system32\BTOWSEUI.DLL
deleting: C:\WINDOWS\system32\BTOWSEUI.DLL
Successfully Deleted: C:\WINDOWS\system32\BTOWSEUI.DLL
deleting: C:\WINDOWS\system32\IPETWH32.dll
Successfully Deleted: C:\WINDOWS\system32\IPETWH32.dll
deleting: C:\WINDOWS\system32\IPETWH32.dll
Successfully Deleted: C:\WINDOWS\system32\IPETWH32.dll
deleting: C:\WINDOWS\system32\mkxml3.dll
Successfully Deleted: C:\WINDOWS\system32\mkxml3.dll
deleting: C:\WINDOWS\system32\mkxml3.dll
Successfully Deleted: C:\WINDOWS\system32\mkxml3.dll
deleting: C:\WINDOWS\system32\mvports.dll
Successfully Deleted: C:\WINDOWS\system32\mvports.dll
deleting: C:\WINDOWS\system32\mvports.dll
Successfully Deleted: C:\WINDOWS\system32\mvports.dll
deleting: C:\WINDOWS\system32\pvlstore.dll
Successfully Deleted: C:\WINDOWS\system32\pvlstore.dll
deleting: C:\WINDOWS\system32\pvlstore.dll
Successfully Deleted: C:\WINDOWS\system32\pvlstore.dll
deleting: C:\WINDOWS\system32\rBsser.dll
Successfully Deleted: C:\WINDOWS\system32\rBsser.dll
deleting: C:\WINDOWS\system32\rBsser.dll
Successfully Deleted: C:\WINDOWS\system32\rBsser.dll
deleting: C:\WINDOWS\system32\rpoc3260.dll
Successfully Deleted: C:\WINDOWS\system32\rpoc3260.dll
deleting: C:\WINDOWS\system32\rpoc3260.dll
Successfully Deleted: C:\WINDOWS\system32\rpoc3260.dll
deleting: C:\WINDOWS\system32\smnceng.dll
Successfully Deleted: C:\WINDOWS\system32\smnceng.dll
deleting: C:\WINDOWS\system32\smnceng.dll
Successfully Deleted: C:\WINDOWS\system32\smnceng.dll
deleting: C:\WINDOWS\system32\sqimeng.dll
Successfully Deleted: C:\WINDOWS\system32\sqimeng.dll
deleting: C:\WINDOWS\system32\sqimeng.dll
Successfully Deleted: C:\WINDOWS\system32\sqimeng.dll
deleting: C:\WINDOWS\system32\sslwid.dll
Successfully Deleted: C:\WINDOWS\system32\sslwid.dll
deleting: C:\WINDOWS\system32\sslwid.dll
Successfully Deleted: C:\WINDOWS\system32\sslwid.dll
deleting: C:\WINDOWS\system32\wgsdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wgsdmod.dll
deleting: C:\WINDOWS\system32\wgsdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wgsdmod.dll
deleting: C:\WINDOWS\system32\wwsdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wwsdmod.dll
deleting: C:\WINDOWS\system32\wwsdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wwsdmod.dll
deleting: C:\WINDOWS\system32\wwsdmoe2.dll
Successfully Deleted: C:\WINDOWS\system32\wwsdmoe2.dll
deleting: C:\WINDOWS\system32\wwsdmoe2.dll
Successfully Deleted: C:\WINDOWS\system32\wwsdmoe2.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
adding: BTOWSEUI.DLL (164 bytes security) (deflated 48%)
adding: IPETWH32.dll (164 bytes security) (deflated 48%)
adding: mkxml3.dll (164 bytes security) (deflated 48%)
adding: mvports.dll (164 bytes security) (deflated 48%)
adding: pvlstore.dll (164 bytes security) (deflated 48%)
adding: rBsser.dll (164 bytes security) (deflated 48%)
adding: rpoc3260.dll (164 bytes security) (deflated 48%)
adding: smnceng.dll (164 bytes security) (deflated 48%)
adding: sqimeng.dll (164 bytes security) (deflated 48%)
adding: sslwid.dll (164 bytes security) (deflated 48%)
adding: wgsdmod.dll (164 bytes security) (deflated 48%)
adding: wwsdmod.dll (164 bytes security) (deflated 48%)
adding: wwsdmoe2.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 36%)
adding: echo.reg (164 bytes security) (deflated 12%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: -s.txt (164 bytes security) (stored 0%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 86%)
adding: readme.txt (164 bytes security) (deflated 52%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 88%)
adding: test2.txt (164 bytes security) (deflated 16%)
adding: test3.txt (164 bytes security) (deflated 16%)
adding: test5.txt (164 bytes security) (deflated 16%)
adding: xfind.txt (164 bytes security) (deflated 84%)
adding: backregs/06533E1A-D210-4C55-9D6F-961B50EE47FD.reg (164 bytes security) (deflated 70%)
adding: backregs/DB1267CA-89BE-408A-84FF-3EAFE60845D6.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW Full access BUILTIN\Administrators

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: BTOWSEUI.DLL
deleting local copy: BTOWSEUI.DLL
deleting local copy: IPETWH32.dll
deleting local copy: IPETWH32.dll
deleting local copy: mkxml3.dll
deleting local copy: mkxml3.dll
deleting local copy: mvports.dll
deleting local copy: mvports.dll
deleting local copy: pvlstore.dll
deleting local copy: pvlstore.dll
deleting local copy: rBsser.dll
deleting local copy: rBsser.dll
deleting local copy: rpoc3260.dll
deleting local copy: rpoc3260.dll
deleting local copy: smnceng.dll
deleting local copy: smnceng.dll
deleting local copy: sqimeng.dll
deleting local copy: sqimeng.dll
deleting local copy: sslwid.dll
deleting local copy: sslwid.dll
deleting local copy: wgsdmod.dll
deleting local copy: wgsdmod.dll
deleting local copy: wwsdmod.dll
deleting local copy: wwsdmod.dll
deleting local copy: wwsdmoe2.dll
deleting local copy: wwsdmoe2.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ksdsp.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\BTOWSEUI.DLL
C:\WINDOWS\system32\BTOWSEUI.DLL
C:\WINDOWS\system32\IPETWH32.dll
C:\WINDOWS\system32\IPETWH32.dll
C:\WINDOWS\system32\mkxml3.dll
C:\WINDOWS\system32\mkxml3.dll
C:\WINDOWS\system32\mvports.dll
C:\WINDOWS\system32\mvports.dll
C:\WINDOWS\system32\pvlstore.dll
C:\WINDOWS\system32\pvlstore.dll
C:\WINDOWS\system32\rBsser.dll
C:\WINDOWS\system32\rBsser.dll
C:\WINDOWS\system32\rpoc3260.dll
C:\WINDOWS\system32\rpoc3260.dll
C:\WINDOWS\system32\smnceng.dll
C:\WINDOWS\system32\smnceng.dll
C:\WINDOWS\system32\sqimeng.dll
C:\WINDOWS\system32\sqimeng.dll
C:\WINDOWS\system32\sslwid.dll
C:\WINDOWS\system32\sslwid.dll
C:\WINDOWS\system32\wgsdmod.dll
C:\WINDOWS\system32\wgsdmod.dll
C:\WINDOWS\system32\wwsdmod.dll
C:\WINDOWS\system32\wwsdmod.dll
C:\WINDOWS\system32\wwsdmoe2.dll
C:\WINDOWS\system32\wwsdmoe2.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{06533E1A-D210-4C55-9D6F-961B50EE47FD}"=-
"{DB1267CA-89BE-408A-84FF-3EAFE60845D6}"=-
[-HKEY_CLASSES_ROOT\CLSID\{06533E1A-D210-4C55-9D6F-961B50EE47FD}]
[-HKEY_CLASSES_ROOT\CLSID\{DB1267CA-89BE-408A-84FF-3EAFE60845D6}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 7:28:56 PM, on 11/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\fhsjqlvr.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\System Files\System.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/old
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O5 "LPT1:" /M "Stylus Photo 2200"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [fhsjqlvr] C:\WINDOWS\System32\fhsjqlvr.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream...er/tdserver.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0018.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109646613954
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.sho...Install4110.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\ksdsp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#11
Matt

Posted 13 November 2005 - 08:29 PM

Infected with AwesomeWare

Member
606 posts

Alright, looks like we're going to have to try something else. This should get it.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directory as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

Now, Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

So, please reply with:

1. SpySweeper Log
2. L2MFix Log
3. A new HijackThis Log

#12
maxweber

Posted 14 November 2005 - 02:52 PM

Member

Topic Starter
Member
12 posts

Matt,

The logs you requested are pasted below, things seem to be running a lot better now, so I think this might have got it.

********
12:39 PM: | Start of Session, Monday, November 14, 2005 |
12:39 PM: Spy Sweeper started
12:39 PM: Sweep initiated using definitions version 572
12:39 PM: Starting Memory Sweep
12:44 PM: Found Adware: shopathomeselect
12:44 PM: Detected running threat: C:\WINDOWS\system32\fhsjqlvr.exe (ID = 157330)
12:44 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || fhsjqlvr (ID = 0)
12:45 PM: Memory Sweep Complete, Elapsed Time: 00:05:40
12:45 PM: Starting Registry Sweep
12:45 PM: Found Adware: cas
12:45 PM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105366)
12:45 PM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105369)
12:45 PM: Found Adware: cws_ns3
12:45 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 117588)
12:45 PM: Found Adware: iwantsearch
12:45 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 125908)
12:45 PM: Found Adware: start4search toolbar
12:45 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 125908)
12:45 PM: Found Adware: ez-finder toolbar
12:45 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 125908)
12:46 PM: Found Adware: purityscan
12:46 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (ID = 137986)
12:46 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
12:46 PM: Found Adware: search fast communicator toolbar
12:46 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
12:46 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\ (6 subtraces) (ID = 140681)
12:46 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
12:46 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
12:46 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
12:46 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
12:46 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
12:46 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
12:46 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
12:46 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\ (6 subtraces) (ID = 140692)
12:46 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
12:46 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
12:46 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
12:46 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140698)
12:46 PM: Found Adware: virtualbouncer
12:46 PM: HKLM\software\microsoft\windows\currentversion\run\ || vbouncer (ID = 145560)
12:46 PM: HKLM\software\microsoft\windows\currentversion\run\ || stb (ID = 201920)
12:46 PM: Found Adware: quicklink search toolbar
12:46 PM: HKCR\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359437)
12:46 PM: HKLM\software\classes\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359440)
12:46 PM: HKLM\software\classes\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359443)
12:46 PM: HKCR\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359446)
12:46 PM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 359448)
12:46 PM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 359449)
12:46 PM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359450)
12:46 PM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359451)
12:46 PM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 359452)
12:46 PM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 359453)
12:46 PM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359454)
12:46 PM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359455)
12:46 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
12:46 PM: HKLM\software\ql\ (2 subtraces) (ID = 359458)
12:46 PM: HKCR\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609381)
12:46 PM: HKLM\software\classes\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609547)
12:46 PM: HKLM\software\microsoft\windows\currentversion\uninstall\related sites toolbar\ (2 subtraces) (ID = 652841)
12:46 PM: Found Adware: visfx
12:46 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
12:46 PM: Found Adware: ezula ilookup
12:46 PM: HKCR\bho.adware\ (5 subtraces) (ID = 819079)
12:46 PM: HKCR\bho.adware.1\ (3 subtraces) (ID = 819085)
12:46 PM: HKCR\bho.hider\ (5 subtraces) (ID = 819089)
12:46 PM: HKCR\bho.hider.1\ (3 subtraces) (ID = 819095)
12:46 PM: HKLM\software\classes\bho.adware\ (5 subtraces) (ID = 819212)
12:46 PM: HKLM\software\classes\bho.adware.1\ (3 subtraces) (ID = 819218)
12:46 PM: HKLM\software\classes\bho.hider\ (5 subtraces) (ID = 819222)
12:46 PM: HKLM\software\classes\bho.hider.1\ (3 subtraces) (ID = 819228)
12:46 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
12:46 PM: HKCR\clsid\{e9670165-86fe-4c34-8c4b-d3158ddc5d92}\ (4 subtraces) (ID = 860940)
12:46 PM: HKLM\software\classes\clsid\{e9670165-86fe-4c34-8c4b-d3158ddc5d92}\ (4 subtraces) (ID = 860969)
12:46 PM: HKCR\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862263)
12:46 PM: HKLM\software\classes\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862304)
12:46 PM: Found Adware: fatpickle toolbar
12:46 PM: HKLM\software\classes\typelib\{13090792-d4c2-433e-91ba-5ac36aa33fcb}\ (9 subtraces) (ID = 885885)
12:46 PM: HKCR\appid\main.dll\ || appid (ID = 889946)
12:46 PM: HKLM\software\classes\appid\main.dll\ || appid (ID = 889947)
12:46 PM: Found Adware: command
12:46 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
12:46 PM: HKCR\clsid\{09d98db3-217f-4a37-950f-7fa1b08ce2b6}\ (11 subtraces) (ID = 926729)
12:46 PM: HKCR\clsid\{55be9f0d-6caf-4c3e-b125-5a13a8c9d0ec}\ (11 subtraces) (ID = 926741)
12:46 PM: HKCR\typelib\{4dfd0b10-93db-4d7e-9b34-3d92ca493be4}\ (9 subtraces) (ID = 926753)
12:46 PM: HKLM\software\classes\clsid\{09d98db3-217f-4a37-950f-7fa1b08ce2b6}\ (11 subtraces) (ID = 926763)
12:46 PM: HKLM\software\classes\clsid\{55be9f0d-6caf-4c3e-b125-5a13a8c9d0ec}\ (11 subtraces) (ID = 926775)
12:46 PM: HKLM\software\classes\typelib\{4dfd0b10-93db-4d7e-9b34-3d92ca493be4}\ (9 subtraces) (ID = 926787)
12:46 PM: Found Adware: cws-aboutblank
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121296)
12:46 PM: Found Adware: ie driver searchx.htm hijack
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\main\ || search bar (ID = 127908)
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\cmsystem\ (1 subtraces) (ID = 820421)
12:46 PM: Found Trojan Horse: trojan-downloader-pacisoft
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\apd123\ (10 subtraces) (ID = 861435)
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\cas2\ (12 subtraces) (ID = 862278)
12:46 PM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\windows\currentversion\run\ || cas2 (ID = 871018)
12:47 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
12:47 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121296)
12:47 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 127908)
12:47 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
12:47 PM: Registry Sweep Complete, Elapsed Time:00:01:49
12:47 PM: Starting Cookie Sweep
12:47 PM: Found Spy Cookie: adrevolver cookie
12:47 PM: guest@adrevolver[1].txt (ID = 2088)
12:47 PM: guest@adrevolver[2].txt (ID = 2088)
12:47 PM: Found Spy Cookie: atwola cookie
12:47 PM: guest@atwola[1].txt (ID = 2255)
12:47 PM: Found Spy Cookie: go.com cookie
12:47 PM: [email protected][1].txt (ID = 2729)
12:47 PM: guest@go[2].txt (ID = 2728)
12:47 PM: [email protected][1].txt (ID = 2729)
12:47 PM: [email protected][1].txt (ID = 2729)
12:47 PM: Found Spy Cookie: 888 cookie
12:47 PM: scott eliason@888[1].txt (ID = 2019)
12:47 PM: Found Spy Cookie: websponsors cookie
12:47 PM: scott [email protected][2].txt (ID = 3665)
12:47 PM: Found Spy Cookie: abcsearch cookie
12:47 PM: scott eliason@abcsearch[1].txt (ID = 2033)
12:47 PM: Found Spy Cookie: yieldmanager cookie
12:47 PM: scott [email protected][1].txt (ID = 3751)
12:47 PM: Found Spy Cookie: adknowledge cookie
12:47 PM: scott eliason@adknowledge[1].txt (ID = 2072)
12:47 PM: Found Spy Cookie: hbmediapro cookie
12:47 PM: scott [email protected][2].txt (ID = 2768)
12:47 PM: Found Spy Cookie: specificclick.com cookie
12:47 PM: scott [email protected][2].txt (ID = 3400)
12:47 PM: Found Spy Cookie: cc214142 cookie
12:47 PM: scott [email protected][2].txt (ID = 2367)
12:47 PM: Found Spy Cookie: advertising cookie
12:47 PM: scott eliason@advertising[1].txt (ID = 2175)
12:47 PM: Found Spy Cookie: apmebf cookie
12:47 PM: scott eliason@apmebf[1].txt (ID = 2229)
12:47 PM: Found Spy Cookie: atlas dmt cookie
12:47 PM: scott eliason@atdmt[2].txt (ID = 2253)
12:47 PM: scott eliason@atwola[1].txt (ID = 2255)
12:47 PM: Found Spy Cookie: azjmp cookie
12:47 PM: scott eliason@azjmp[2].txt (ID = 2270)
12:47 PM: Found Spy Cookie: bizrate cookie
12:47 PM: scott eliason@bizrate[1].txt (ID = 2308)
12:47 PM: Found Spy Cookie: goclick cookie
12:47 PM: scott [email protected][2].txt (ID = 2733)
12:47 PM: Found Spy Cookie: zedo cookie
12:47 PM: scott [email protected][2].txt (ID = 3763)
12:47 PM: Found Spy Cookie: centrport net cookie
12:47 PM: scott eliason@centrport[1].txt (ID = 2374)
12:47 PM: scott [email protected][1].txt (ID = 2729)
12:47 PM: Found Spy Cookie: exitexchange cookie
12:47 PM: scott eliason@exitexchange[1].txt (ID = 2633)
12:47 PM: Found Spy Cookie: fastclick cookie
12:47 PM: scott eliason@fastclick[1].txt (ID = 2651)
12:47 PM: scott eliason@go[1].txt (ID = 2728)
12:47 PM: Found Spy Cookie: starware.com cookie
12:47 PM: scott [email protected][2].txt (ID = 3442)
12:47 PM: Found Spy Cookie: clickandtrack cookie
12:47 PM: scott [email protected][1].txt (ID = 2397)
12:47 PM: Found Spy Cookie: maxserving cookie
12:47 PM: scott eliason@maxserving[1].txt (ID = 2966)
12:47 PM: Found Spy Cookie: nextag cookie
12:47 PM: scott eliason@nextag[2].txt (ID = 5014)
12:47 PM: Found Spy Cookie: partypoker cookie
12:47 PM: scott eliason@partypoker[1].txt (ID = 3111)
12:47 PM: Found Spy Cookie: overture cookie
12:47 PM: scott [email protected][1].txt (ID = 3106)
12:47 PM: Found Spy Cookie: qksrv cookie
12:47 PM: scott eliason@qksrv[1].txt (ID = 3213)
12:47 PM: Found Spy Cookie: questionmarket cookie
12:47 PM: scott eliason@questionmarket[1].txt (ID = 3217)
12:47 PM: Found Spy Cookie: realmedia cookie
12:47 PM: scott eliason@realmedia[2].txt (ID = 3235)
12:47 PM: Found Spy Cookie: rn11 cookie
12:47 PM: scott eliason@rn11[2].txt (ID = 3261)
12:47 PM: scott [email protected][1].txt (ID = 2729)
12:47 PM: Found Spy Cookie: servedby advertising cookie
12:47 PM: scott [email protected][1].txt (ID = 3335)
12:47 PM: scott [email protected][1].txt (ID = 2729)
12:47 PM: Found Spy Cookie: reliablestats cookie
12:47 PM: scott [email protected][2].txt (ID = 3254)
12:47 PM: Found Spy Cookie: tradedoubler cookie
12:47 PM: scott eliason@tradedoubler[2].txt (ID = 3575)
12:47 PM: Found Spy Cookie: trafficmp cookie
12:47 PM: scott eliason@trafficmp[1].txt (ID = 3581)
12:47 PM: Found Spy Cookie: tribalfusion cookie
12:47 PM: scott eliason@tribalfusion[1].txt (ID = 3589)
12:47 PM: Found Spy Cookie: epilot cookie
12:47 PM: scott [email protected][1].txt (ID = 2622)
12:47 PM: Found Spy Cookie: clickxchange adware cookie
12:47 PM: scott [email protected][1].txt (ID = 2409)
12:47 PM: scott [email protected][1].txt (ID = 3442)
12:47 PM: scott eliason@zedo[1].txt (ID = 3762)
12:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:26
12:47 PM: Starting File Sweep
12:47 PM: c:\documents and settings\scott eliason\application data\sbsoft (22 subtraces) (ID = -2147480797)
12:47 PM: c:\program files\quick links (2 subtraces) (ID = -2147478145)
12:47 PM: c:\program files\communicator toolbar (186 subtraces) (ID = -2147480362)
12:47 PM: c:\program files\related sites toolbar (2 subtraces) (ID = -2147475069)
12:48 PM: Warning: Failed to open file "c:\gsoep\fpluecke.dta". Access is denied
12:48 PM: Warning: Failed to open file "c:\gsoep\jpausl.dta". Access is denied
12:49 PM: 6pt6tkeg.exe (ID = 157331)
12:50 PM: uninst.exe (ID = 73428)
12:50 PM: fran-hot.exe (ID = 180418)
12:50 PM: uninst.exe (ID = 73428)
12:50 PM: Warning: Failed to open file "c:\gsoep\bhgen.dta". Access is denied
12:50 PM: Warning: Failed to open file "c:\gsoep\apbio.dta". Access is denied
12:50 PM: Warning: Failed to open file "c:\gsoep\hpkalost.dta". Access is denied
12:50 PM: preuninstallcom.exe (ID = 74818)
12:50 PM: Found Adware: isearch toolbar
12:50 PM: cmdinst.exe (ID = 154747)
12:51 PM: Warning: Failed to open file "c:\gsoep\dpluecke.dta". Access is denied
12:51 PM: cassetup.exe (ID = 133272)
12:51 PM: vb2.exe (ID = 164842)
12:51 PM: Found Adware: surfsidekick
12:51 PM: bk.exe (ID = 166386)
12:52 PM: Found Adware: apropos
12:52 PM: wingenerics.dll (ID = 50187)
12:52 PM: Warning: Failed to open file "c:\gsoep\ghbrutto.dta". Access is denied
12:52 PM: cas2setup.exe (ID = 162721)
12:52 PM: Warning: Failed to open file "c:\gsoep\hbrutt00.dta". Access is denied
12:52 PM: Warning: Failed to open file "c:\gsoep\cirdef.dta". Access is denied
12:52 PM: Warning: Failed to open file "c:\gsoep\ipausl.dta". Access is denied
12:52 PM: Warning: Failed to open file "c:\gsoep\opluecke.dta". Access is denied
12:52 PM: Warning: Failed to open file "c:\gsoep\sozkalen.dta". Access is denied
12:53 PM: Warning: Failed to open file "c:\gsoep\pflege.dta". Access is denied
12:54 PM: Warning: Failed to open file "c:\gsoep\rpluecke.dta". Access is denied
12:54 PM: Warning: Failed to open file "c:\gsoep\biobirth.dta". Access is denied
12:54 PM: Warning: Failed to open file "c:\gsoep\biomarsm.dta". Access is denied
12:54 PM: Warning: Failed to open file "c:\gsoep\cpluecke.dta". Access is denied
12:54 PM: Warning: Failed to open file "c:\gsoep\ihgen.dta". Access is denied
12:55 PM: Warning: Failed to open file "c:\gsoep\ppequiv.dta". Access is denied
12:55 PM: Warning: Failed to open file "c:\gsoep\lpluecke.dta". Access is denied
12:55 PM: Warning: Failed to open file "c:\gsoep\biomarsy.dta". Access is denied
12:55 PM: Warning: Failed to open file "c:\gsoep\hbrutt84.dta". Access is denied
12:55 PM: Warning: Failed to open file "c:\gsoep\rhgen.dta". Access is denied
12:55 PM: Warning: Failed to open file "c:\gsoep\npluecke.dta". Access is denied
12:56 PM: Warning: Failed to open file "c:\gsoep\gpluecke.dta". Access is denied
12:56 PM: Warning: Failed to open file "c:\gsoep\ipluecke.dta". Access is denied
12:56 PM: Warning: Failed to open file "c:\gsoep\ohbrutto.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\jpequiv.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\jpluecke.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\ahbrutto.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\ehgen.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\hbrutt02.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\ohgen.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\lpausl.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\spbrutto.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\pbiospe.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\shbrutto.dta". Access is denied
12:57 PM: Warning: Failed to open file "c:\gsoep\bioparen.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\qpluecke.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\gpkalost.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\fpequiv.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\bioyouth.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\rpbrutto.dta". Access is denied
12:58 PM: mediaticketsinstaller.ocx.tcf (ID = 73162)
12:58 PM: Warning: Failed to open file "c:\gsoep\apequiv.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\hpost.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\cpequiv.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\opbrutto.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\chgen.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\ppbrutto.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\biosoc.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\qpbrutto.dta". Access is denied
12:58 PM: Warning: Failed to open file "c:\gsoep\lpbrutto.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\jpbrutto.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\ypbrutto.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\phgen.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\opequiv.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\bpausl.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\ipbrutto.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\dhgen.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\hhrf.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\mhbrutto.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\bpequiv.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\bpbrutto.dta". Access is denied
12:59 PM: Warning: Failed to open file "c:\gsoep\mpequiv.dta". Access is denied
1:00 PM: Warning: Failed to open file "c:\gsoep\hhgen.dta". Access is denied
1:00 PM: Warning: Failed to open file "c:\gsoep\lhbrutto.dta". Access is denied
1:00 PM: Warning: Failed to open file "c:\gsoep\hhbrutto.dta". Access is denied
1:00 PM: Found Adware: desktop hijacker
1:00 PM: ssico.ico (ID = 57990)
1:01 PM: desktop.html (ID = 57900)
1:01 PM: stb.exe (ID = 94666)
1:01 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || stb (ID = 0)
1:02 PM: Found Trojan Horse: trojan_downloader_favadd
1:02 PM: myin.hta (ID = 81266)
1:03 PM: mediaticketsinstaller.inf (ID = 73158)
1:03 PM: fhsjqlvr.exe (ID = 157330)
1:03 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || fhsjqlvr (ID = 0)
1:05 PM: preuninstallql.exe (ID = 131326)
1:05 PM: nsmb.dll (ID = 180419)
1:06 PM: toolbar_installer.exe (ID = 164824)
1:06 PM: ur62l2y07_.exe (ID = 157331)
1:06 PM: Warning: Failed to open file "c:\gsoep\epequiv.dta". Access is denied
1:07 PM: Found Trojan Horse: trojan-downloader-psyme
1:07 PM: track26[1].chm (ID = 111347)
1:07 PM: pcs_0026[1].exe (ID = 161706)
1:07 PM: qlink32.dll (ID = 73425)
1:08 PM: fatpickle.exe (ID = 166140)
1:08 PM: pf78.exe (ID = 156523)
1:09 PM: communicator.dll (ID = 131321)
1:09 PM: qldf.bin (ID = 131688)
1:09 PM: atmtd.dll (ID = 166754)
1:10 PM: toolbar.exe (ID = 132006)
1:12 PM: Warning: Failed to open file "c:\gsoep\epluecke.dta". Access is denied
1:12 PM: Warning: Failed to open file "c:\gsoep\fhbrutto.dta". Access is denied
1:12 PM: Warning: Failed to open file "c:\gsoep\hbrutt98.dta". Access is denied
1:13 PM: Warning: Failed to open file "c:\gsoep\spequiv.dta". Access is denied
1:13 PM: Warning: Failed to open file "c:\gsoep\fhgen.dta". Access is denied
1:13 PM: Warning: Failed to open file "c:\gsoep\bpluecke.dta". Access is denied
1:13 PM: Warning: Failed to open file "c:\gsoep\shgen.dta". Access is denied
1:14 PM: Warning: Failed to open file "c:\gsoep\ahgen.dta". Access is denied
1:14 PM: Warning: Failed to open file "c:\gsoep\cpbrutto.dta". Access is denied
1:14 PM: Warning: Failed to open file "c:\gsoep\cpausl.dta". Access is denied
1:14 PM: Warning: Failed to open file "c:\gsoep\khgen.dta". Access is denied
1:14 PM: Warning: Failed to open file "c:\gsoep\hpbrutto.dta". Access is denied
1:14 PM: Warning: Failed to open file "c:\gsoep\npbrutto.dta". Access is denied
1:14 PM: Warning: Failed to open file "c:\gsoep\dpbrutto.dta". Access is denied
1:14 PM: Warning: Failed to open file "c:\gsoep\jhbrutto.dta". Access is denied
1:15 PM: Warning: Failed to open file "c:\gsoep\ghost.dta". Access is denied
1:15 PM: Warning: Failed to open file "c:\gsoep\dpequiv.dta". Access is denied
1:15 PM: Warning: Failed to open file "c:\gsoep\qpequiv.dta". Access is denied
1:15 PM: Warning: Failed to open file "c:\gsoep\epbrutto.dta". Access is denied
1:15 PM: Warning: Failed to open file "c:\gsoep\fpausl.dta". Access is denied
1:15 PM: Warning: Failed to open file "c:\gsoep\lhgen.dta". Access is denied
1:15 PM: Warning: Failed to open file "c:\gsoep\nhbrutto.dta". Access is denied
1:15 PM: Warning: Failed to open file "c:\gsoep\gpausl.dta". Access is denied
1:15 PM: a5b47.tmp (ID = 131317)
1:15 PM: Warning: Failed to open file "c:\gsoep\rpequiv.dta". Access is denied
1:16 PM: Warning: Failed to open file "c:\gsoep\lpequiv.dta". Access is denied
1:16 PM: Warning: Failed to open file "c:\gsoep\npequiv.dta". Access is denied
1:17 PM: Warning: Failed to open file "c:\gsoep\rhbrutto.dta". Access is denied
1:17 PM: Warning: Failed to open file "c:\gsoep\hpausl.dta". Access is denied
1:17 PM: Warning: Failed to open file "c:\gsoep\bioimmig.dta". Access is denied
1:17 PM: Warning: Failed to open file "c:\gsoep\gpbrutto.dta". Access is denied
1:18 PM: Warning: Failed to open file "c:\gsoep\kpausl.dta". Access is denied
1:18 PM: Warning: Failed to open file "c:\gsoep\hpfad.dta". Access is denied
1:18 PM: Warning: Failed to open file "c:\gsoep\kpluecke.dta". Access is denied
1:18 PM: Warning: Failed to open file "c:\gsoep\dhbrutto.dta". Access is denied
1:18 PM: Warning: Failed to open file "c:\gsoep\kpbrutto.dta". Access is denied
1:18 PM: Warning: Failed to open file "c:\gsoep\fpbrutto.dta". Access is denied
1:18 PM: Warning: Failed to open file "c:\gsoep\gpequiv.dta". Access is denied
1:19 PM: Warning: Failed to open file "c:\gsoep\kpequiv.dta". Access is denied
1:19 PM: Warning: Failed to open file "c:\gsoep\ipequiv.dta". Access is denied
1:19 PM: Warning: Failed to open file "c:\gsoep\einkalen.dta". Access is denied
1:19 PM: Warning: Failed to open file "c:\gsoep\khbrutto.dta". Access is denied
1:21 PM: Warning: Failed to open file "c:\gsoep\artkalen.dta". Access is denied
1:21 PM: atmtd.dll._ (ID = 166754)
1:22 PM: Warning: Failed to open file "c:\gsoep\ghgen.dta". Access is denied
1:22 PM: Warning: Failed to open file "c:\gsoep\apausl.dta". Access is denied
1:23 PM: Warning: Failed to open file "c:\gsoep\nhgen.dta". Access is denied
1:23 PM: Warning: Failed to open file "c:\gsoep\ap.dta". Access is denied
1:24 PM: Warning: Failed to open file "c:\gsoep\apbrutto.dta". Access is denied
1:24 PM: Warning: Failed to open file "c:\gsoep\hpluecke.dta". Access is denied
1:24 PM: Warning: Failed to open file "c:\gsoep\hpequiv.dta". Access is denied
1:24 PM: Warning: Failed to open file "c:\gsoep\gpost.dta". Access is denied
1:24 PM: Warning: Failed to open file "c:\gsoep\epausl.dta". Access is denied
1:24 PM: Warning: Failed to open file "c:\gsoep\ppluecke.dta". Access is denied
1:25 PM: Warning: Failed to open file "c:\gsoep\mhgen.dta". Access is denied
1:25 PM: rsini[1].cab (ID = 131317)
1:25 PM: Warning: Failed to open file "c:\gsoep\chbrutto.dta". Access is denied
1:25 PM: Warning: Failed to open file "c:\gsoep\qhbrutto.dta". Access is denied
1:25 PM: Warning: Failed to open file "c:\gsoep\qhgen.dta". Access is denied
1:25 PM: Warning: Failed to open file "c:\gsoep\bhbrutto.dta". Access is denied
1:25 PM: Warning: Failed to open file "c:\gsoep\mpbrutto.dta". Access is denied
1:25 PM: Warning: Failed to open file "c:\gsoep\ehbrutto.dta". Access is denied
1:26 PM: Warning: Failed to open file "c:\gsoep\jhgen.dta". Access is denied
1:26 PM: Warning: Failed to open file "c:\gsoep\ihbrutto.dta". Access is denied
1:26 PM: Warning: Failed to open file "c:\gsoep\mpluecke.dta". Access is denied
1:26 PM: Warning: Failed to open file "c:\gsoep\phbrutto.dta". Access is denied
1:26 PM: Warning: Failed to open file "c:\gsoep\dpausl.dta". Access is denied
1:28 PM: webdlg32.inf (ID = 60327)
1:28 PM: install.inf (ID = 161519)
1:28 PM: fgomcrapqnb4jl.vbs (ID = 185675)
1:28 PM: Found System Monitor: potentially rootkit-masked files
1:28 PM: 00004ae1_435a8de9_00095ac9 (ID = 0)
1:28 PM: 00001e1f_4365a210_000a47d3 (ID = 0)
1:28 PM: 0000491c_4365a0bd_0008a376 (ID = 0)
1:28 PM: 00006b89_4377e9c9_000b746c (ID = 0)
1:28 PM: ptivd_2k.sys (ID = 0)
1:28 PM: 00000029_43657c66_0003b828 (ID = 0)
1:28 PM: 00005af1_4377d74c_0000ff68 (ID = 0)
1:28 PM: 0000390c_435859fc_000da3f3 (ID = 0)
1:28 PM: 0000701f_4365856a_000316c1 (ID = 0)
1:28 PM: 00003b25_4365a1e1_000ebfb9 (ID = 0)
1:28 PM: 00004d06_4365a0c6_000700a9 (ID = 0)
1:28 PM: 00006784_43702440_0008018e (ID = 0)
1:28 PM: 00003b25_4377e9b7_00076453 (ID = 0)
1:28 PM: 00000f3e_4377d76e_0007db68 (ID = 0)
1:28 PM: 00005d03_4377e9a6_000dbdec (ID = 0)
1:28 PM: 00002ea6_4377e8e9_000d1a88 (ID = 0)
1:28 PM: 0000260d_4377e9c9_00011059 (ID = 0)
1:28 PM: eseertrm.exe (ID = 0)
1:28 PM: 00003bf6_4377e9f7_000e9ad6 (ID = 0)
1:28 PM: 000039b3_43585c53_000df759 (ID = 0)
1:28 PM: 00001547_43702ae9_0008f2cc (ID = 0)
1:28 PM: 00000bb3_437024ea_00024471 (ID = 0)
1:28 PM: 00001649_4377d743_000710a6 (ID = 0)
1:28 PM: 000056ae_4377d98e_0003eb0e (ID = 0)
1:28 PM: 00002ea6_437024eb_000ad8b8 (ID = 0)
1:28 PM: powkbdfi.exe (ID = 0)
1:28 PM: sisrtmgr.exe (ID = 0)
1:28 PM: ace.dll (ID = 0)
1:28 PM: 00000029_43659f61_00043374 (ID = 0)
1:28 PM: 00002ea6_4365a049_00018166 (ID = 0)
1:28 PM: 00004db7_4365a0c8_0002c496 (ID = 0)
1:28 PM: 00000ddc_4377ea04_000f0b14 (ID = 0)
1:28 PM: 00001238_4377d974_0008d914 (ID = 0)
1:28 PM: 00000ddc_4377d9c6_000e2a10 (ID = 0)
1:28 PM: 000026e9_43659fae_0002129c (ID = 0)
1:28 PM: 0000074d_43585ebe_00089e80 (ID = 0)
1:28 PM: 00000902_43585f36_0006d30e (ID = 0)
1:28 PM: 0000440d_43585b5b_0001a401 (ID = 0)
1:28 PM: 0000491c_43585b5b_000a59c6 (ID = 0)
1:28 PM: 00001af4_4358602c_000224f8 (ID = 0)
1:28 PM: 00005f90_4377e8a2_00076af3 (ID = 0)
1:28 PM: 00002350_4365a4b3_000f06dc (ID = 0)
1:28 PM: 0000260d_4377d98c_0002a6db (ID = 0)
1:28 PM: 00007f96_4377d985_000406ab (ID = 0)
1:28 PM: 00001cd0_43585f12_000172fe (ID = 0)
1:28 PM: data.bin (ID = 0)
1:28 PM: 00001238_4365a156_000014d3 (ID = 0)
1:28 PM: 00005f1e_43585ff9_0003ed59 (ID = 0)
1:28 PM: 00003cd6_43585f8b_0009c303 (ID = 0)
1:28 PM: 00006df1_4377d746_0006fa68 (ID = 0)
1:28 PM: 00005af1_437020e4_000f3891 (ID = 0)
1:28 PM: 00005e14_4377d9cf_0007f1b3 (ID = 0)
1:28 PM: 00007ff5_4377d988_0007e983 (ID = 0)
1:28 PM: 00006c69_43585fab_000f33b1 (ID = 0)
1:28 PM: 00007ff5_43585ee7_000936e3 (ID = 0)
1:28 PM: 000013e9_43585f72_000bcf68 (ID = 0)
1:28 PM: 00001e1f_4377e9b9_00076f93 (ID = 0)
1:28 PM: 00000d66_43585fa1_000c3b4e (ID = 0)
1:28 PM: 000001eb_437024e9_0006ad43 (ID = 0)
1:28 PM: 00007f4f_43585fd2_000078f4 (ID = 0)
1:28 PM: 00000fc9_43585ff0_0001e54c (ID = 0)
1:28 PM: 000001d3_43586036_000e96b8 (ID = 0)
1:28 PM: 000001eb_4377e8e0_0003204e (ID = 0)
1:28 PM: 00000099_4377e8f9_000d4d69 (ID = 0)
1:28 PM: 00006e5d_4377e9b9_000e28cc (ID = 0)
1:28 PM: 00005cfd_4365a4c5_000380d9 (ID = 0)
1:28 PM: 000063cb_4377d983_000337d3 (ID = 0)
1:28 PM: 00000029_4366b55c_000c25f3 (ID = 0)
1:28 PM: 00004db7_43585b60_000b1260 (ID = 0)
1:28 PM: 00007049_43585f43_000e4ac3 (ID = 0)
1:28 PM: 00002d12_4377e99b_0004a329 (ID = 0)
1:28 PM: 00004944_4377d9d0_0007d034 (ID = 0)
1:29 PM: 00005e9d_43585fc1_000b681e (ID = 0)
1:29 PM: 000023c9_43585f7b_000c7763 (ID = 0)
1:29 PM: 0000305e_4377e93f_00075a58 (ID = 0)
1:29 PM: 00000bb3_43657f38_00018d64 (ID = 0)
1:29 PM: 0000153c_4377e8ee_00091673 (ID = 0)
1:29 PM: 00005f90_437024b7_0004f789 (ID = 0)
1:29 PM: 00005f49_4377d9c4_000653c1 (ID = 0)
1:29 PM: dns (ID = 0)
1:29 PM: 00002ea6_43657f38_00031494 (ID = 0)
1:29 PM: index (ID = 0)
1:29 PM: 00004823_43702430_00044af1 (ID = 0)
1:29 PM: 0000759a_43585ef8_0006fd7e (ID = 0)
1:29 PM: 00005f90_4377d73c_0000f3a4 (ID = 0)
1:29 PM: 000001eb_4377d74f_0004bb21 (ID = 0)
1:29 PM: 00000099_4365a08b_00060306 (ID = 0)
1:29 PM: 0000390c_4377e8f3_0005125e (ID = 0)
1:29 PM: 00004823_4366b569_0007b264 (ID = 0)
1:29 PM: 00004e45_436585ac_00085bf9 (ID = 0)
1:29 PM: 000054de_43585b9c_000311a1 (ID = 0)
1:29 PM: 00005af1_4377e8ba_0003d1be (ID = 0)
1:29 PM: 0000074d_4365a13f_000e8d16 (ID = 0)
1:29 PM: 00004cad_4377ea05_00015004 (ID = 0)
1:29 PM: 00000120_4377e9cd_0005e388 (ID = 0)
1:29 PM: 00002350_4377e9d3_000ce5a0 (ID = 0)
1:29 PM: 00006443_4377e99e_0008d43e (ID = 0)
1:29 PM: 00003a9e_4377e9f9_00044203 (ID = 0)
1:29 PM: 000039b3_4377e99a_000eb360 (ID = 0)
1:29 PM: 00006b36_4377e9e7_000e19b8 (ID = 0)
1:29 PM: 00007ff5_4377e9c5_0002f664 (ID = 0)
1:29 PM: 00005cfd_4377e9e9_000520f6 (ID = 0)
1:29 PM: 00004dc8_4365a140_000eb9d4 (ID = 0)
1:29 PM: 00001649_43657d12_000deaa4 (ID = 0)
1:29 PM: 00002cd6_4377e89a_0001bdac (ID = 0)
1:29 PM: 0000074d_4377e99b_0008c35e (ID = 0)
1:29 PM: 00006e5d_4365a211_00028264 (ID = 0)
1:29 PM: 000026e9_43657f2c_0003bbcb (ID = 0)
1:29 PM: 00001ad4_4365a211_000daa10 (ID = 0)
1:29 PM: 00006443_4365a146_0002a214 (ID = 0)
1:29 PM: 000018be_4366b583_000eafa1 (ID = 0)
1:29 PM: 00005af1_43659fa5_000c1cf1 (ID = 0)
1:29 PM: 00001547_4365a0c9_0005d896 (ID = 0)
1:29 PM: 0000390c_43657f3a_00060716 (ID = 0)
1:29 PM: 00006784_435a8ba2_000232ce (ID = 0)
1:29 PM: 00004d06_43657f55_000c465b (ID = 0)
1:29 PM: 0000153c_435857a1_0004d284 (ID = 0)
1:29 PM: 00000124_4365a0a6_0002f00c (ID = 0)
1:29 PM: 00004db7_43657f56_0000fd31 (ID = 0)
1:29 PM: 00006952_43659f86_00006e04 (ID = 0)
1:29 PM: 0000260d_4365a32f_0004f92c (ID = 0)
1:29 PM: 00001649_43659f8a_000a733c (ID = 0)
1:29 PM: 000041bb_43657e17_000177a3 (ID = 0)
1:29 PM: 00006784_435aa5a0_00059541 (ID = 0)
1:29 PM: 00003e12_4377e9e9_000a7a1e (ID = 0)
1:29 PM: 00000975_43586aa1_0003f7cc (ID = 0)
1:29 PM: 0000759a_4377d996_000922f9 (ID = 0)
1:29 PM: 00000029_437020c7_000f0acc (ID = 0)
1:29 PM: 0000701f_4377d972_000262d8 (ID = 0)
1:29 PM: 000011f4_4358600a_000697c1 (ID = 0)
1:29 PM: 000063cb_43658597_0006378b (ID = 0)
1:29 PM: 0000030a_4365a41d_00099773 (ID = 0)
1:29 PM: 00004dc8_4377d966_00021f58 (ID = 0)
1:29 PM: 00000732_43658ccb_00083a1e (ID = 0)
1:29 PM: 00000bdb_436587fb_00085b41 (ID = 0)
1:29 PM: 0000440d_4377d77b_0000ced4 (ID = 0)
1:29 PM: 0000260d_436585fd_0004f190 (ID = 0)
1:29 PM: 00003d6c_43657cb2_000563a8 (ID = 0)
1:29 PM: 00002cd6_43657cf8_000390cb (ID = 0)
1:29 PM: 00006952_43657cfd_000cff29 (ID = 0)
1:29 PM: 00002d12_4365831e_00094519 (ID = 0)
1:29 PM: 00007a5a_43658582_00023db0 (ID = 0)
1:29 PM: 00001238_4365858a_000ea430 (ID = 0)
1:29 PM: 0000323b_436585ca_00072f4c (ID = 0)
1:29 PM: 00004dc8_4365840d_000a6544 (ID = 0)
1:29 PM: 00000120_43658cd5_000d7d49 (ID = 0)
1:29 PM: 000022ee_4377d9aa_00001a1c (ID = 0)
1:29 PM: 0000153c_4365a05a_000b3344 (ID = 0)
1:29 PM: 0000440d_4365a0a8_000d5f60 (ID = 0)
1:29 PM: 00004e45_4377d988_000a8288 (ID = 0)
1:29 PM: 00007f96_43658599_0001ad3b (ID = 0)
1:29 PM: 000066bb_4377d96e_000adafe (ID = 0)
1:29 PM: 000001eb_43657f30_00027239 (ID = 0)
1:29 PM: 00005f90_43657d08_00012aa8 (ID = 0)
1:29 PM: 000072ae_4377e89a_00058fa4 (ID = 0)
1:29 PM: 00004dc8_4377e99c_0001e8a6 (ID = 0)
1:29 PM: 00004823_437020c8_0007bab9 (ID = 0)
1:29 PM: 00006443_4377d969_000f0631 (ID = 0)
1:29 PM: 0000366b_4377d9d5_0007c536 (ID = 0)
1:29 PM: 00007f96_4365a26c_000cc2ae (ID = 0)
1:29 PM: 0000314f_4377ea05_000a5406 (ID = 0)
1:29 PM: 00002cd6_4359a880_000c1893 (ID = 0)
1:29 PM: 0000139d_43585f43_0006f510 (ID = 0)
1:29 PM: 00006be8_43585fd6_000ca1d6 (ID = 0)
1:29 PM: 000022ee_4377e9d4_000c75e4 (ID = 0)
1:29 PM: 0000261e_43585fbc_000ecfb9 (ID = 0)
1:29 PM: 00004dc8_43585eca_0003d714 (ID = 0)
1:29 PM: 00002833_43585ffc_000cdb1c (ID = 0)
1:29 PM: 0000127e_4358601b_000a2ce0 (ID = 0)
1:29 PM: 00007b44_435872a0_000873b4 (ID = 0)
1:29 PM: 00006e5d_43658591_0002b92e (ID = 0)
1:29 PM: 00004db7_4377e996_000af206 (ID = 0)
1:29 PM: 00005e14_4377ea07_000d4688 (ID = 0)
1:29 PM: 00007e87_4370258a_0007c4fc (ID = 0)
1:29 PM: 000018be_437020c9_00006aa6 (ID = 0)
1:29 PM: 0000030a_4377d98d_0000aff0 (ID = 0)
1:29 PM: 00002213_4377d98b_000edabb (ID = 0)
1:30 PM: 0000458f_43586849_000637cb (ID = 0)
1:30 PM: 000041bb_4377e8d9_000f0b50 (ID = 0)
1:30 PM: 00001547_4377d795_0003abdc (ID = 0)
1:30 PM: 00003d6c_4377d735_0006256c (ID = 0)
1:30 PM: 00002350_4377d99e_000d21f1 (ID = 0)
1:30 PM: 00005cfd_4377d9af_00091320 (ID = 0)
1:30 PM: 000041bb_437020ec_000b6c7b (ID = 0)
1:30 PM: 000066c4_4377d9d6_00009c41 (ID = 0)
1:30 PM: 0000440d_43702aaf_00051388 (ID = 0)
1:30 PM: 000066bb_43658411_00045f04 (ID = 0)
1:30 PM: 00005af1_437024dd_0007a2b6 (ID = 0)
1:30 PM: 0000153c_4377d757_0004c103 (ID = 0)
1:30 PM: 00003a9e_4377d9ba_00075474 (ID = 0)
1:30 PM: 00000bb3_4377e8e6_000081eb (ID = 0)
1:30 PM: 00001ad4_4377d97f_000d3729 (ID = 0)
1:30 PM: 0000797d_4377e9f9_0009e968 (ID = 0)
1:30 PM: 0000301c_4377d98d_0002ac7b (ID = 0)
1:30 PM: 00001a49_4365a4c5_000c0f80 (ID = 0)
1:30 PM: 00000099_43585b41_00042021 (ID = 0)
1:30 PM: 00004230_4377d9d7_00090969 (ID = 0)
1:30 PM: 00001cd0_4377d9d4_0008d16b (ID = 0)
1:30 PM: 00007dd1_43585fbb_000550bc (ID = 0)
1:30 PM: 00006ad6_43585f98_00079a3c (ID = 0)
1:30 PM: 00001953_43585fe1_000c1c1e (ID = 0)
1:30 PM: 00004080_43585f77_0009c7de (ID = 0)
1:30 PM: 00007874_43585ffe_0001beb1 (ID = 0)
1:30 PM: 00006d22_43586022_0003e943 (ID = 0)
1:30 PM: 00000822_43585f21_000263d8 (ID = 0)
1:30 PM: 00006bcb_43585fe9_000ebb04 (ID = 0)
1:30 PM: 00006784_437020c9_0004d918 (ID = 0)
1:30 PM: 00006784_4377e896_000d4433 (ID = 0)
1:30 PM: 00007ff5_4365a27b_000c2c58 (ID = 0)
1:30 PM: 0000489c_43585fc3_000099f0 (ID = 0)
1:30 PM: 00001547_43585b6e_00067d53 (ID = 0)
1:30 PM: 0000409d_43585f22_0009e649 (ID = 0)
1:30 PM: 00004a80_43585f58_00068079 (ID = 0)
1:30 PM: 00006443_43585eca_000e6246 (ID = 0)
1:30 PM: 00004df2_4377ea08_00042108 (ID = 0)
1:30 PM: 00007a5a_4377e9ac_00043f31 (ID = 0)
1:30 PM: 00001e1f_4377d97f_0003e4eb (ID = 0)
1:30 PM: 000073da_43585f2b_000b51dc (ID = 0)
1:30 PM: 000026ca_43585f30_0001a663 (ID = 0)
1:30 PM: 0000121f_43585f28_0002d974 (ID = 0)
1:30 PM: 00007e87_4365a05b_00003858 (ID = 0)
1:30 PM: 00003b25_4377d97e_000baa59 (ID = 0)
1:30 PM: 0000305e_437025fa_0003f71e (ID = 0)
1:30 PM: 0000249e_43585fff_000100b9 (ID = 0)
1:30 PM: 0000288f_43585fac_0003c369 (ID = 0)
1:30 PM: 00006784_43659f74_0005890b (ID = 0)
1:30 PM: 00006784_4377d722_000ac578 (ID = 0)
1:30 PM: 00001547_4377e996_000eeb1c (ID = 0)
1:30 PM: 0000305e_4365a0a8_000bb111 (ID = 0)
1:30 PM: 00004ae1_4377d723_00008e23 (ID = 0)
1:30 PM: 00005f32_4377d9b3_00027066 (ID = 0)
1:30 PM: 000057d3_435865f1_00047eb3 (ID = 0)
1:30 PM: 00003699_43585f35_00006271 (ID = 0)
1:30 PM: 00005f32_43585f06_000d68fe (ID = 0)
1:30 PM: 00004230_43585f13_00074721 (ID = 0)
1:30 PM: 000060bf_43585f88_000a277e (ID = 0)
1:30 PM: 00005dd5_4358600c_000dd196 (ID = 0)
1:30 PM: 00000099_43657f3c_000d6809 (ID = 0)
1:30 PM: 00002d12_4377d959_000d733e (ID = 0)
1:30 PM: 0000767d_4365a14b_0008b3d6 (ID = 0)
1:30 PM: 00004b40_4377e9da_00019718 (ID = 0)
1:30 PM: 000054de_4377e99a_0008bdbe (ID = 0)
1:30 PM: 0000323b_4377e9c6_0007dfd1 (ID = 0)
1:30 PM: 00005878_4377e9db_0001eaf4 (ID = 0)
1:30 PM: 00000124_4377e8ff_000c0f18 (ID = 0)
1:30 PM: 000066bb_4377e99f_0008d9de (ID = 0)
1:30 PM: 00001916_43585fc4_000a18ec (ID = 0)
1:30 PM: 00003a2d_43586047_0005f256 (ID = 0)
1:30 PM: 000012db_4377d754_000cc96e (ID = 0)
1:30 PM: 00004944_43585f0e_000bc091 (ID = 0)
1:30 PM: 000075ef_43585fa6_0008101b (ID = 0)
1:30 PM: 000037e5_4358727e_000e94cc (ID = 0)
1:30 PM: 000071f0_43585fcd_000ac0e8 (ID = 0)
1:30 PM: 00000035_4358601d_000b9831 (ID = 0)
1:30 PM: 00003cd5_43585f6b_00038ebc (ID = 0)
1:30 PM: 00007eb7_43585f13_000af1fb (ID = 0)
1:30 PM: 00005c67_43585f89_00076cfb (ID = 0)
1:30 PM: 00005f49_43585f0a_000f06ae (ID = 0)
1:30 PM: 00003bf6_4377d9b7_000c759e (ID = 0)
1:30 PM: 00006172_43585fc5_000b5780 (ID = 0)
1:30 PM: 0000692c_43585f57_00089e83 (ID = 0)
1:30 PM: 0000047e_43585f9b_0004c3db (ID = 0)
1:30 PM: 0000428b_4377d96f_00070ea6 (ID = 0)
1:30 PM: 00004e45_4377e9c5_000ce51c (ID = 0)
1:30 PM: 00004402_43585fd5_0006f4d1 (ID = 0)
1:30 PM: 0000187e_43585f62_00024a48 (ID = 0)
1:30 PM: 00005991_43585f21_000e9d58 (ID = 0)
1:30 PM: 0000759a_4365a4b1_000890a0 (ID = 0)
1:30 PM: 00000f3e_43585b39_00074fbe (ID = 0)
1:30 PM: 000012db_43585721_000b7be1 (ID = 0)
1:30 PM: 00006ad4_43586010_00081993 (ID = 0)
1:30 PM: 00007ff5_436585a6_000504bb (ID = 0)
1:30 PM: 00005753_43585f88_00023551 (ID = 0)
1:30 PM: 00001ad4_43585ee6_000c66c1 (ID = 0)
1:30 PM: 000063cb_43585ee7_00022f6c (ID = 0)
1:30 PM: 000066bb_43585ed4_0005bda3 (ID = 0)
1:30 PM: 00003a61_43585fad_00043e64 (ID = 0)
1:30 PM: 000054dc_43585f9e_000af17b (ID = 0)
1:30 PM: 00005a9f_43586012_000b0c14 (ID = 0)
1:30 PM: 000016c5_43585f68_00055349 (ID = 0)
1:30 PM: 000018d7_43585fd5_000a516e (ID = 0)
1:30 PM: 00006899_43585f68_000776f3 (ID = 0)
1:30 PM: 00000029_43655333_000ef068 (ID = 0)
1:30 PM: 000054de_4377d796_00090aa4 (ID = 0)
1:31 PM: 00007e87_4377d758_000a6e08 (ID = 0)
1:31 PM: 00007a5a_4377d972_00091c11 (ID = 0)
1:31 PM: 0000767d_4377d973_000156a3 (ID = 0)
1:31 PM: 00004509_4365a14b_000ef7b4 (ID = 0)
1:31 PM: 0000390c_4365a05b_00031f99 (ID = 0)
1:31 PM: 00000bdb_4377d98e_000263de (ID = 0)
1:31 PM: 000012db_4370250a_0000ada9 (ID = 0)
1:31 PM: 00001a49_4377e9ea_0001c9f9 (ID = 0)
1:31 PM: 00005d03_4377d972_00071f86 (ID = 0)
1:31 PM: 000026e9_4377d74e_00097230 (ID = 0)
1:31 PM: 00005e14_43585f0d_0007e8f9 (ID = 0)
1:31 PM: 000066c4_43585f13_00045fe0 (ID = 0)
1:31 PM: 000056ae_43585ef4_000a6ab9 (ID = 0)
1:31 PM: 0000368e_43585f9f_00080fd9 (ID = 0)
1:31 PM: 00006e5d_4377d97f_00093e13 (ID = 0)
1:31 PM: 00002213_43585eef_000a9cd6 (ID = 0)
1:31 PM: 00000124_43585b58_00034170 (ID = 0)
1:31 PM: 00005f49_4377e9fa_000b27fb (ID = 0)
1:31 PM: 00002c3b_43585f17_0005fd90 (ID = 0)
1:31 PM: 00002d12_43585d17_000cc593 (ID = 0)
1:31 PM: 00004944_4377ea09_0002edb4 (ID = 0)
1:31 PM: 000032e6_43585fc7_0000b070 (ID = 0)
1:31 PM: 0000542c_43585fe1_00007f18 (ID = 0)
1:31 PM: 00001e1f_43585ee6_0000f0d9 (ID = 0)
1:31 PM: 00004df2_43585f0d_00097029 (ID = 0)
1:31 PM: 00003c61_43585faa_0006c689 (ID = 0)
1:31 PM: 000049f7_4358728f_00033048 (ID = 0)
1:31 PM: 00002f14_43585f97_00037468 (ID = 0)
1:31 PM: 00000bdb_4365a457_00062104 (ID = 0)
1:31 PM: 00000732_4377e9cc_000ac1b4 (ID = 0)
1:31 PM: 000018be_43659f70_000067a0 (ID = 0)
1:31 PM: 0000701f_4377e9a5_000ea303 (ID = 0)
1:31 PM: 000041bb_437024df_000ba70c (ID = 0)
1:31 PM: 000041bb_4377d74c_000e4abc (ID = 0)
1:31 PM: 000026e9_437020ef_0003b24c (ID = 0)
1:31 PM: 000026e9_43585638_000859cc (ID = 0)
1:31 PM: 00004cad_4377d9cd_00012d39 (ID = 0)
1:31 PM: 000001eb_437020f2_00023bfc (ID = 0)
1:31 PM: 0000314f_4377d9cd_000350e3 (ID = 0)
1:31 PM: 00006df1_437024cc_0009b4fc (ID = 0)
1:31 PM: 00000029_4377d717_000491f6 (ID = 0)
1:31 PM: 00005f32_4377e9ec_0005ce50 (ID = 0)
1:31 PM: 00000099_43702595_00028296 (ID = 0)
1:31 PM: 000072ae_4377d739_0008d4f1 (ID = 0)
1:31 PM: 0000153c_43702514_00013426 (ID = 0)
1:31 PM: 00006b36_4377d9ae_0006e9d6 (ID = 0)
1:31 PM: 00004d06_4377e993_000ba4be (ID = 0)
1:31 PM: 0000030a_4377e9ca_000add93 (ID = 0)
1:31 PM: 00001a49_4377d9b0_0003bf98 (ID = 0)
1:31 PM: 00000029_4377e893_000ac16c (ID = 0)
1:31 PM: 00005078_43587296_000ad479 (ID = 0)
1:31 PM: 00006952_437024b6_000e9264 (ID = 0)
1:31 PM: 000026a6_4377d971_000a2846 (ID = 0)
1:31 PM: 00001481_43587298_0003ff61 (ID = 0)
1:31 PM: 000001eb_43659faf_000e9ff9 (ID = 0)
1:31 PM: 00005d03_4365a14a_000be3b4 (ID = 0)
1:31 PM: 0000301c_4377e9cb_0004ed91 (ID = 0)
1:31 PM: 0000305e_4377d778_0001a8ab (ID = 0)
1:31 PM: 0000491c_4377e992_0004bec6 (ID = 0)
1:31 PM: 0000759a_4377e9d2_000d071e (ID = 0)
1:31 PM: 00003bf6_43585f07_000a3920 (ID = 0)
1:31 PM: 00006032_43585f17_0002c811 (ID = 0)
1:31 PM: 00004ae1_43657cac_0009fe96 (ID = 0)
1:31 PM: 00004823_435a8370_000a7fd4 (ID = 0)
1:31 PM: 000018be_435a8371_00015a54 (ID = 0)
1:31 PM: 00000029_435a8324_0006d7c9 (ID = 0)
1:31 PM: 00001366_43585f11_00042d81 (ID = 0)
1:31 PM: ai_14-11-2005.log (ID = 0)
1:31 PM: 00003d6c_435a92a6_0008cec6 (ID = 0)
1:31 PM: 00004823_435a997a_000081e8 (ID = 0)
1:31 PM: 00002cd6_4359b300_0009f5f3 (ID = 0)
1:31 PM: 00004ae1_4365546e_000709c3 (ID = 0)
1:31 PM: 0000440d_4377e98c_0001dce3 (ID = 0)
1:31 PM: 00004823_43655334_00094ea3 (ID = 0)
1:31 PM: 000018be_43655344_000a451c (ID = 0)
1:31 PM: 00006784_43655459_000a659b (ID = 0)
1:31 PM: 00003d6c_4365546f_0006c126 (ID = 0)
1:31 PM: 00002cd6_43655470_0006ede4 (ID = 0)
1:31 PM: 000072ae_43655472_0001ee39 (ID = 0)
1:31 PM: 00006952_43655472_000a7ce0 (ID = 0)
1:31 PM: 00006784_43657c89_00039251 (ID = 0)
1:31 PM: 00005af1_43657e15_000ce24b (ID = 0)
1:31 PM: 0000153c_43657f38_000b54fe (ID = 0)
1:31 PM: 00000f3e_43657f3b_00048586 (ID = 0)
1:31 PM: 0000305e_43657f45_000a652b (ID = 0)
1:31 PM: 00001e1f_43658590_00088211 (ID = 0)
1:31 PM: 00003b25_43658590_00026551 (ID = 0)
1:31 PM: 00001ad4_43658594_000e6714 (ID = 0)
1:31 PM: 00006bfc_43658597_000ddb7b (ID = 0)
1:31 PM: 00005f90_43659f89_00033f08 (ID = 0)
1:31 PM: 000072ae_43659f7f_0009e720 (ID = 0)
1:31 PM: 00006b89_436585fe_0003e55b (ID = 0)
1:31 PM: 0000301c_436587e9_0009a450 (ID = 0)
1:31 PM: 00002cd6_4377d738_0005c0f1 (ID = 0)
1:31 PM: 000056ae_43658cbb_000f0eb3 (ID = 0)
1:31 PM: 0000759a_43658cd7_0004d2c4 (ID = 0)
1:31 PM: 00000bb3_43659fb0_00074fe6 (ID = 0)
1:31 PM: ai_11-11-2005.log (ID = 0)
1:31 PM: 000066bb_4365a147_0003926b (ID = 0)
1:31 PM: 0000701f_4365a149_000eec74 (ID = 0)
1:31 PM: 00007a5a_4365a14b_0001ac60 (ID = 0)
1:31 PM: 000063cb_4365a238_000496b8 (ID = 0)
1:31 PM: 00006b36_4365a4c4_0008ad43 (ID = 0)
1:31 PM: 00003e12_4365a4c5_0006681b (ID = 0)
1:31 PM: 00004ae1_437020cb_0000c423 (ID = 0)
1:31 PM: 00003d6c_437020cb_0006b9c4 (ID = 0)
1:31 PM: 000072ae_437020cd_00058c11 (ID = 0)
1:31 PM: 00002cd6_437020cc_000ba331 (ID = 0)
1:31 PM: 00006952_437020cd_000e68f4 (ID = 0)
1:31 PM: ai_13-11-2005.log (ID = 0)
1:32 PM: 00006df1_437020e3_0003bd09 (ID = 0)
1:32 PM: 00000bb3_43702104_0007d346 (ID = 0)
1:32 PM: 000018be_4370243e_0000a09b (ID = 0)
1:32 PM: 00004ae1_43702477_000df39c (ID = 0)
1:32 PM: 00001649_437024be_000e22eb (ID = 0)
1:32 PM: 00000124_437025f9_000046a4 (ID = 0)
1:32 PM: 0000591d_43587279_000329e3 (ID = 0)
1:32 PM: 00004db7_43702ae4_00032f48 (ID = 0)
1:32 PM: 00000120_4377d994_00019ae8 (ID = 0)
1:32 PM: 00002ea6_4377d751_000a46a8 (ID = 0)
1:32 PM: 00006952_4377d73b_000c63ec (ID = 0)
1:32 PM: 00000bb3_4377d751_0000cd4b (ID = 0)
1:32 PM: 0000390c_4377d75a_00019c64 (ID = 0)
1:32 PM: 00004db7_4377d78a_000d3596 (ID = 0)
1:32 PM: 000018be_4377e896_0005ee80 (ID = 0)
1:32 PM: 00004823_4377e895_00077010 (ID = 0)
1:32 PM: 00004ae1_4377e897_00027064 (ID = 0)
1:32 PM: 000039b3_4377d829_000b0c91 (ID = 0)
1:32 PM: 00004509_4377d973_000c3011 (ID = 0)
1:32 PM: 00006b89_4377d98c_0007154c (ID = 0)
1:32 PM: 00006bfc_4377d984_000bf338 (ID = 0)
1:32 PM: 0000323b_4377d98a_000d7509 (ID = 0)
1:32 PM: 00000732_4377d993_000875a0 (ID = 0)
1:32 PM: 00004b40_4377d9ab_00088744 (ID = 0)
1:32 PM: 00005878_4377d9ac_000ea9a4 (ID = 0)
1:32 PM: 00003e12_4377d9b0_0002d4e1 (ID = 0)
1:32 PM: 00002e40_4377d9d1_0006eb1e (ID = 0)
1:32 PM: 0000797d_4377d9c3_000e8e8b (ID = 0)
1:32 PM: 00003d6c_4377e897_0006697b (ID = 0)
1:32 PM: 00004df2_4377d9d0_00055e4e (ID = 0)
1:32 PM: 00001366_4377d9d2_00062d26 (ID = 0)
1:32 PM: 00001649_4377e8ad_0005d366 (ID = 0)
1:32 PM: 00006df1_4377e8b3_000c3904 (ID = 0)
1:32 PM: 0000252a_4358727a_0006da5c (ID = 0)
1:32 PM: 000012db_4377e8ea_000134e4 (ID = 0)
1:32 PM: 00000f3e_4377e8f8_0005f216 (ID = 0)
1:32 PM: 0000428b_4377e9a1_000b7e23 (ID = 0)
1:32 PM: 000026a6_4377e9a2_0004ca89 (ID = 0)
1:32 PM: 0000767d_4377e9ad_0005cc01 (ID = 0)
1:32 PM: 00004509_4377e9af_000f0261 (ID = 0)
1:32 PM: 00001238_4377e9b0_00014751 (ID = 0)
1:32 PM: 00001ad4_4377e9c0_000376be (ID = 0)
1:32 PM: 000063cb_4377e9c0_00072198 (ID = 0)
1:32 PM: 00006bfc_4377e9c0_0007e530 (ID = 0)
1:32 PM: 00007f96_4377e9c0_000d8c94 (ID = 0)
1:32 PM: 00002213_4377e9c6_000dfc91 (ID = 0)
1:32 PM: 00000bdb_4377e9cc_00003683 (ID = 0)
1:32 PM: 000056ae_4377e9cc_0006efbc (ID = 0)
1:32 PM: 00000bdb_43585ef4_0006bfe0 (ID = 0)
1:32 PM: 00006048_43586223_000a23f8 (ID = 0)
1:32 PM: 00004823_43585566_0008793b (ID = 0)
1:32 PM: 000018be_4358556c_00069e70 (ID = 0)
1:32 PM: 00006784_4358558c_000dbd6c (ID = 0)
1:32 PM: 00004ae1_435855a7_000f4003 (ID = 0)
1:32 PM: 00003d6c_435855b0_00078076 (ID = 0)
1:32 PM: 00000bb3_4358566f_00063290 (ID = 0)
1:32 PM: 00002ea6_43585670_000302b1 (ID = 0)
1:32 PM: 00002cd6_435855eb_00019dc1 (ID = 0)
1:32 PM: 000072ae_435855ed_0008623b (ID = 0)
1:32 PM: 00006952_435855fb_0001a984 (ID = 0)
1:32 PM: 00005f90_43585600_00080983 (ID = 0)
1:32 PM: 00001649_43585600_000c0299 (ID = 0)
1:32 PM: 00006df1_43585603_00092c38 (ID = 0)
1:32 PM: 00005af1_43585633_0007a133 (ID = 0)
1:32 PM: 000041bb_43585636_00031c83 (ID = 0)
1:32 PM: 000001eb_43585639_00081130 (ID = 0)
1:32 PM: 00007e87_435857b5_000a9c2c (ID = 0)
1:32 PM: 0000305e_43585b58_0005da74 (ID = 0)
1:32 PM: 0000301c_43585ef4_0002788c (ID = 0)
1:32 PM: 00006e5d_43585ee6_00055f4b (ID = 0)
1:32 PM: 00004cad_43585f0b_000dac3c (ID = 0)
1:32 PM: 00003e12_43585f05_000dffd8 (ID = 0)
1:32 PM: 00001a49_43585f06_0004da58 (ID = 0)
1:32 PM: 0000366b_43585f12_000d1004 (ID = 0)
1:32 PM: 00002e40_43585f0f_000cb0e8 (ID = 0)
1:32 PM: 0000314f_43585f0c_0007e359 (ID = 0)
1:32 PM: 000015a1_43585f1b_000885f6 (ID = 0)
1:32 PM: 00003ef6_43585f1f_000b83b8 (ID = 0)
1:32 PM: 00005422_43585f1f_0000aa49 (ID = 0)
1:32 PM: 00007bb9_43585f36_000c7a73 (ID = 0)
1:32 PM: 000012e1_43585f25_00016883 (ID = 0)
1:32 PM: 0000798b_43585f27_000bfef4 (ID = 0)
1:32 PM: 000058b0_43585f2e_000d3829 (ID = 0)
1:32 PM: 000048cc_43585f7d_0008d7c9 (ID = 0)
1:32 PM: 00005772_43585f37_000354f3 (ID = 0)
1:32 PM: 000022cd_43585fb0_00056119 (ID = 0)
1:32 PM: 000033ea_43585f79_0004ef51 (ID = 0)
1:32 PM: 00005db2_43585f78_000782b6 (ID = 0)
1:32 PM: 00000677_43585fd4_000147cc (ID = 0)
1:32 PM: 00002b0c_43586000_000b1c30 (ID = 0)
1:32 PM: 00000fbf_43585f8d_000ed92e (ID = 0)
1:32 PM: 0000422d_43585f9b_0005fcce (ID = 0)
1:32 PM: 00007983_43585fa3_0000342c (ID = 0)
1:32 PM: 00004657_43585fa9_000d04c8 (ID = 0)
1:32 PM: 00002c49_43585faa_00056678 (ID = 0)
1:32 PM: 00002fff_43585fab_00067dec (ID = 0)
1:32 PM: 0000401d_43585fc8_000460e9 (ID = 0)
1:32 PM: 0000494a_43585fd3_0008befe (ID = 0)
1:32 PM: 00006b72_43585fc6_0006c790 (ID = 0)
1:32 PM: 00000384_43585fd0_0008d53c (ID = 0)
1:32 PM: 00005039_43585fd8_0001856b (ID = 0)
1:32 PM: 000007cf_43586020_00087393 (ID = 0)
1:32 PM: 00000e12_43585ff3_0002e0e3 (ID = 0)
1:32 PM: 00004cd4_43586019_000676c6 (ID = 0)
1:32 PM: 000046cf_43586036_0002ab74 (ID = 0)
1:33 PM: 00005fa4_4358601a_00028350 (ID = 0)
1:33 PM: 00006732_43586021_00082af6 (ID = 0)
1:33 PM: 00002059_4358601a_00078e3b (ID = 0)
1:33 PM: 00000ecc_43586034_000f27f1 (ID = 0)
1:33 PM: 00000e90_43586044_000baff9 (ID = 0)
1:33 PM: 00001dc0_43587283_00029e8b (ID = 0)
1:33 PM: 000037e6_43587032_000ea664 (ID = 0)
1:33 PM: 0000442b_43587294_000c022c (ID = 0)
1:33 PM: 00004087_4358729a_00056ab3 (ID = 0)
1:33 PM: 00000029_43587445_000ab7b0 (ID = 0)
1:33 PM: 00003d6c_43587483_0007a5fe (ID = 0)
1:33 PM: 00006784_4358747c_0009540b (ID = 0)
1:33 PM: 000072ae_435875ab_000374ae (ID = 0)
1:33 PM: 00003d6c_4359a7b0_00045114 (ID = 0)
1:33 PM: 00000029_4359a68e_000ee803 (ID = 0)
1:33 PM: 00004823_4359a694_000605c1 (ID = 0)
1:33 PM: 00000029_4359b03d_000c4df8 (ID = 0)
1:35 PM: File Sweep Complete, Elapsed Time: 00:47:51
1:35 PM: Full Sweep has completed. Elapsed time 00:56:00
1:35 PM: Traces Found: 1200
1:52 PM: Removal process initiated
1:52 PM: Quarantining All Traces: cws_ns3
1:52 PM: Quarantining All Traces: cws-aboutblank
1:52 PM: Quarantining All Traces: potentially rootkit-masked files
2:16 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
2:16 PM: 00004ae1_435a8de9_00095ac9 is in use. It will be removed on reboot.
2:16 PM: 00001e1f_4365a210_000a47d3 is in use. It will be removed on reboot.
2:16 PM: 0000491c_4365a0bd_0008a376 is in use. It will be removed on reboot.
2:16 PM: 00006b89_4377e9c9_000b746c is in use. It will be removed on reboot.
2:16 PM: ptivd_2k.sys is in use. It will be removed on reboot.
2:16 PM: 00000029_43657c66_0003b828 is in use. It will be removed on reboot.
2:16 PM: 00005af1_4377d74c_0000ff68 is in use. It will be removed on reboot.
2:16 PM: 0000390c_435859fc_000da3f3 is in use. It will be removed on reboot.
2:16 PM: 0000701f_4365856a_000316c1 is in use. It will be removed on reboot.
2:16 PM: 00003b25_4365a1e1_000ebfb9 is in use. It will be removed on reboot.
2:16 PM: 00004d06_4365a0c6_000700a9 is in use. It will be removed on reboot.
2:16 PM: 00006784_43702440_0008018e is in use. It will be removed on reboot.
2:16 PM: 00003b25_4377e9b7_00076453 is in use. It will be removed on reboot.
2:16 PM: 00000f3e_4377d76e_0007db68 is in use. It will be removed on reboot.
2:16 PM: 00005d03_4377e9a6_000dbdec is in use. It will be removed on reboot.
2:16 PM: 00002ea6_4377e8e9_000d1a88 is in use. It will be removed on reboot.
2:16 PM: 0000260d_4377e9c9_00011059 is in use. It will be removed on reboot.
2:16 PM: eseertrm.exe is in use. It will be removed on reboot.
2:16 PM: 00003bf6_4377e9f7_000e9ad6 is in use. It will be removed on reboot.
2:16 PM: 000039b3_43585c53_000df759 is in use. It will be removed on reboot.
2:16 PM: 00001547_43702ae9_0008f2cc is in use. It will be removed on reboot.
2:16 PM: 00000bb3_437024ea_00024471 is in use. It will be removed on reboot.
2:16 PM: 00001649_4377d743_000710a6 is in use. It will be removed on reboot.
2:16 PM: 000056ae_4377d98e_0003eb0e is in use. It will be removed on reboot.
2:16 PM: 00002ea6_437024eb_000ad8b8 is in use. It will be removed on reboot.
2:16 PM: powkbdfi.exe is in use. It will be removed on reboot.
2:16 PM: sisrtmgr.exe is in use. It will be removed on reboot.
2:16 PM: ace.dll is in use. It will be removed on reboot.
2:16 PM: 00000029_43659f61_00043374 is in use. It will be removed on reboot.
2:16 PM: 00002ea6_4365a049_00018166 is in use. It will be removed on reboot.
2:16 PM: 00004db7_4365a0c8_0002c496 is in use. It will be removed on reboot.
2:16 PM: 00000ddc_4377ea04_000f0b14 is in use. It will be removed on reboot.
2:16 PM: 00001238_4377d974_0008d914 is in use. It will be removed on reboot.
2:16 PM: 00000ddc_4377d9c6_000e2a10 is in use. It will be removed on reboot.
2:16 PM: 000026e9_43659fae_0002129c is in use. It will be removed on reboot.
2:16 PM: 0000074d_43585ebe_00089e80 is in use. It will be removed on reboot.
2:16 PM: 00000902_43585f36_0006d30e is in use. It will be removed on reboot.
2:16 PM: 0000440d_43585b5b_0001a401 is in use. It will be removed on reboot.
2:16 PM: 0000491c_43585b5b_000a59c6 is in use. It will be removed on reboot.
2:16 PM: 00001af4_4358602c_000224f8 is in use. It will be removed on reboot.
2:16 PM: 00005f90_4377e8a2_00076af3 is in use. It will be removed on reboot.
2:16 PM: 00002350_4365a4b3_000f06dc is in use. It will be removed on reboot.
2:16 PM: 0000260d_4377d98c_0002a6db is in use. It will be removed on reboot.
2:16 PM: 00007f96_4377d985_000406ab is in use. It will be removed on reboot.
2:16 PM: 00001cd0_43585f12_000172fe is in use. It will be removed on reboot.
2:16 PM: data.bin is in use. It will be removed on reboot.
2:16 PM: 00001238_4365a156_000014d3 is in use. It will be removed on reboot.
2:16 PM: 00005f1e_43585ff9_0003ed59 is in use. It will be removed on reboot.
2:16 PM: 00003cd6_43585f8b_0009c303 is in use. It will be removed on reboot.
2:16 PM: 00006df1_4377d746_0006fa68 is in use. It will be removed on reboot.
2:16 PM: 00005af1_437020e4_000f3891 is in use. It will be removed on reboot.
2:16 PM: 00005e14_4377d9cf_0007f1b3 is in use. It will be removed on reboot.
2:16 PM: 00007ff5_4377d988_0007e983 is in use. It will be removed on reboot.
2:16 PM: 00006c69_43585fab_000f33b1 is in use. It will be removed on reboot.
2:16 PM: 00007ff5_43585ee7_000936e3 is in use. It will be removed on reboot.
2:16 PM: 000013e9_43585f72_000bcf68 is in use. It will be removed on reboot.
2:16 PM: 00001e1f_4377e9b9_00076f93 is in use. It will be removed on reboot.
2:16 PM: 00000d66_43585fa1_000c3b4e is in use. It will be removed on reboot.
2:16 PM:

#13
Matt

Posted 14 November 2005 - 02:56 PM

Infected with AwesomeWare

Member
606 posts

Hey maxweber! Great that things seem to be running better! Can you also please post the L2MFix Log and a new HijackThis Log. You may not have pasted the entire SpySweeper log, so please check that too.

Thanks,
Matt

#14
maxweber

Posted 14 November 2005 - 03:15 PM

Member

Topic Starter
Member
12 posts

Matt, Sorry, I think the Spy Sweeper long may just have been too long, so I will get the three logs into a couple of posts.

2:16 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
2:16 PM: 00004ae1_435a8de9_00095ac9 is in use. It will be removed on reboot.
2:16 PM: 00001e1f_4365a210_000a47d3 is in use. It will be removed on reboot.
2:16 PM: 0000491c_4365a0bd_0008a376 is in use. It will be removed on reboot.
2:16 PM: 00006b89_4377e9c9_000b746c is in use. It will be removed on reboot.
2:16 PM: ptivd_2k.sys is in use. It will be removed on reboot.
2:16 PM: 00000029_43657c66_0003b828 is in use. It will be removed on reboot.
2:16 PM: 00005af1_4377d74c_0000ff68 is in use. It will be removed on reboot.
2:16 PM: 0000390c_435859fc_000da3f3 is in use. It will be removed on reboot.
2:16 PM: 0000701f_4365856a_000316c1 is in use. It will be removed on reboot.
2:16 PM: 00003b25_4365a1e1_000ebfb9 is in use. It will be removed on reboot.
2:16 PM: 00004d06_4365a0c6_000700a9 is in use. It will be removed on reboot.
2:16 PM: 00006784_43702440_0008018e is in use. It will be removed on reboot.
2:16 PM: 00003b25_4377e9b7_00076453 is in use. It will be removed on reboot.
2:16 PM: 00000f3e_4377d76e_0007db68 is in use. It will be removed on reboot.
2:16 PM: 00005d03_4377e9a6_000dbdec is in use. It will be removed on reboot.
2:16 PM: 00002ea6_4377e8e9_000d1a88 is in use. It will be removed on reboot.
2:16 PM: 0000260d_4377e9c9_00011059 is in use. It will be removed on reboot.
2:16 PM: eseertrm.exe is in use. It will be removed on reboot.
2:16 PM: 00003bf6_4377e9f7_000e9ad6 is in use. It will be removed on reboot.
2:16 PM: 000039b3_43585c53_000df759 is in use. It will be removed on reboot.
2:16 PM: 00001547_43702ae9_0008f2cc is in use. It will be removed on reboot.
2:16 PM: 00000bb3_437024ea_00024471 is in use. It will be removed on reboot.
2:16 PM: 00001649_4377d743_000710a6 is in use. It will be removed on reboot.
2:16 PM: 000056ae_4377d98e_0003eb0e is in use. It will be removed on reboot.
2:16 PM: 00002ea6_437024eb_000ad8b8 is in use. It will be removed on reboot.
2:16 PM: powkbdfi.exe is in use. It will be removed on reboot.
2:16 PM: sisrtmgr.exe is in use. It will be removed on reboot.
2:16 PM: ace.dll is in use. It will be removed on reboot.
2:16 PM: 00000029_43659f61_00043374 is in use. It will be removed on reboot.
2:16 PM: 00002ea6_4365a049_00018166 is in use. It will be removed on reboot.
2:16 PM: 00004db7_4365a0c8_0002c496 is in use. It will be removed on reboot.
2:16 PM: 00000ddc_4377ea04_000f0b14 is in use. It will be removed on reboot.
2:16 PM: 00001238_4377d974_0008d914 is in use. It will be removed on reboot.
2:16 PM: 00000ddc_4377d9c6_000e2a10 is in use. It will be removed on reboot.
2:16 PM: 000026e9_43659fae_0002129c is in use. It will be removed on reboot.
2:16 PM: 0000074d_43585ebe_00089e80 is in use. It will be removed on reboot.
2:16 PM: 00000902_43585f36_0006d30e is in use. It will be removed on reboot.
2:16 PM: 0000440d_43585b5b_0001a401 is in use. It will be removed on reboot.
2:16 PM: 0000491c_43585b5b_000a59c6 is in use. It will be removed on reboot.
2:16 PM: 00001af4_4358602c_000224f8 is in use. It will be removed on reboot.
2:16 PM: 00005f90_4377e8a2_00076af3 is in use. It will be removed on reboot.
2:16 PM: 00002350_4365a4b3_000f06dc is in use. It will be removed on reboot.
2:16 PM: 0000260d_4377d98c_0002a6db is in use. It will be removed on reboot.
2:16 PM: 00007f96_4377d985_000406ab is in use. It will be removed on reboot.
2:16 PM: 00001cd0_43585f12_000172fe is in use. It will be removed on reboot.
2:16 PM: data.bin is in use. It will be removed on reboot.
2:16 PM: 00001238_4365a156_000014d3 is in use. It will be removed on reboot.
2:16 PM: 00005f1e_43585ff9_0003ed59 is in use. It will be removed on reboot.
2:16 PM: 00003cd6_43585f8b_0009c303 is in use. It will be removed on reboot.
2:16 PM: 00006df1_4377d746_0006fa68 is in use. It will be removed on reboot.
2:16 PM: 00005af1_437020e4_000f3891 is in use. It will be removed on reboot.
2:16 PM: 00005e14_4377d9cf_0007f1b3 is in use. It will be removed on reboot.
2:16 PM: 00007ff5_4377d988_0007e983 is in use. It will be removed on reboot.
2:16 PM: 00006c69_43585fab_000f33b1 is in use. It will be removed on reboot.
2:16 PM: 00007ff5_43585ee7_000936e3 is in use. It will be removed on reboot.
2:16 PM: 000013e9_43585f72_000bcf68 is in use. It will be removed on reboot.
2:16 PM: 00001e1f_4377e9b9_00076f93 is in use. It will be removed on reboot.
2:16 PM: 00000d66_43585fa1_000c3b4e is in use. It will be removed on reboot.
2:16 PM: 000001eb_437024e9_0006ad43 is in use. It will be removed on reboot.
2:16 PM: 00007f4f_43585fd2_000078f4 is in use. It will be removed on reboot.
2:16 PM: 00000fc9_43585ff0_0001e54c is in use. It will be removed on reboot.
2:16 PM: 000001d3_43586036_000e96b8 is in use. It will be removed on reboot.
2:16 PM: 000001eb_4377e8e0_0003204e is in use. It will be removed on reboot.
2:16 PM: 00000099_4377e8f9_000d4d69 is in use. It will be removed on reboot.
2:16 PM: 00006e5d_4377e9b9_000e28cc is in use. It will be removed on reboot.
2:16 PM: 00005cfd_4365a4c5_000380d9 is in use. It will be removed on reboot.
2:16 PM: 000063cb_4377d983_000337d3 is in use. It will be removed on reboot.
2:16 PM: 00000029_4366b55c_000c25f3 is in use. It will be removed on reboot.
2:16 PM: 00004db7_43585b60_000b1260 is in use. It will be removed on reboot.
2:16 PM: 00007049_43585f43_000e4ac3 is in use. It will be removed on reboot.
2:16 PM: 00002d12_4377e99b_0004a329 is in use. It will be removed on reboot.
2:16 PM: 00004944_4377d9d0_0007d034 is in use. It will be removed on reboot.
2:16 PM: 00005e9d_43585fc1_000b681e is in use. It will be removed on reboot.
2:16 PM: 000023c9_43585f7b_000c7763 is in use. It will be removed on reboot.
2:16 PM: 0000305e_4377e93f_00075a58 is in use. It will be removed on reboot.
2:16 PM: 00000bb3_43657f38_00018d64 is in use. It will be removed on reboot.
2:16 PM: 0000153c_4377e8ee_00091673 is in use. It will be removed on reboot.
2:16 PM: 00005f90_437024b7_0004f789 is in use. It will be removed on reboot.
2:16 PM: 00005f49_4377d9c4_000653c1 is in use. It will be removed on reboot.
2:16 PM: dns is in use. It will be removed on reboot.
2:16 PM: 00002ea6_43657f38_00031494 is in use. It will be removed on reboot.
2:16 PM: index is in use. It will be removed on reboot.
2:16 PM: 00004823_43702430_00044af1 is in use. It will be removed on reboot.
2:16 PM: 0000759a_43585ef8_0006fd7e is in use. It will be removed on reboot.
2:16 PM: 00005f90_4377d73c_0000f3a4 is in use. It will be removed on reboot.
2:16 PM: 000001eb_4377d74f_0004bb21 is in use. It will be removed on reboot.
2:16 PM: 00000099_4365a08b_00060306 is in use. It will be removed on reboot.
2:16 PM: 0000390c_4377e8f3_0005125e is in use. It will be removed on reboot.
2:16 PM: 00004823_4366b569_0007b264 is in use. It will be removed on reboot.
2:16 PM: 00004e45_436585ac_00085bf9 is in use. It will be removed on reboot.
2:16 PM: 000054de_43585b9c_000311a1 is in use. It will be removed on reboot.
2:16 PM: 00005af1_4377e8ba_0003d1be is in use. It will be removed on reboot.
2:16 PM: 0000074d_4365a13f_000e8d16 is in use. It will be removed on reboot.
2:16 PM: 00004cad_4377ea05_00015004 is in use. It will be removed on reboot.
2:16 PM: 00000120_4377e9cd_0005e388 is in use. It will be removed on reboot.
2:16 PM: 00002350_4377e9d3_000ce5a0 is in use. It will be removed on reboot.
2:16 PM: 00006443_4377e99e_0008d43e is in use. It will be removed on reboot.
2:16 PM: 00003a9e_4377e9f9_00044203 is in use. It will be removed on reboot.
2:16 PM: 000039b3_4377e99a_000eb360 is in use. It will be removed on reboot.
2:16 PM: 00006b36_4377e9e7_000e19b8 is in use. It will be removed on reboot.
2:16 PM: 00007ff5_4377e9c5_0002f664 is in use. It will be removed on reboot.
2:16 PM: 00005cfd_4377e9e9_000520f6 is in use. It will be removed on reboot.
2:16 PM: 00004dc8_4365a140_000eb9d4 is in use. It will be removed on reboot.
2:16 PM: 00001649_43657d12_000deaa4 is in use. It will be removed on reboot.
2:16 PM: 00002cd6_4377e89a_0001bdac is in use. It will be removed on reboot.
2:16 PM: 0000074d_4377e99b_0008c35e is in use. It will be removed on reboot.
2:16 PM: 00006e5d_4365a211_00028264 is in use. It will be removed on reboot.
2:16 PM: 000026e9_43657f2c_0003bbcb is in use. It will be removed on reboot.
2:16 PM: 00001ad4_4365a211_000daa10 is in use. It will be removed on reboot.
2:16 PM: 00006443_4365a146_0002a214 is in use. It will be removed on reboot.
2:16 PM: 000018be_4366b583_000eafa1 is in use. It will be removed on reboot.
2:16 PM: 00005af1_43659fa5_000c1cf1 is in use. It will be removed on reboot.
2:16 PM: 00001547_4365a0c9_0005d896 is in use. It will be removed on reboot.
2:16 PM: 0000390c_43657f3a_00060716 is in use. It will be removed on reboot.
2:16 PM: 00006784_435a8ba2_000232ce is in use. It will be removed on reboot.
2:16 PM: 00004d06_43657f55_000c465b is in use. It will be removed on reboot.
2:16 PM: 0000153c_435857a1_0004d284 is in use. It will be removed on reboot.
2:16 PM: 00000124_4365a0a6_0002f00c is in use. It will be removed on reboot.
2:16 PM: 00004db7_43657f56_0000fd31 is in use. It will be removed on reboot.
2:16 PM: 00006952_43659f86_00006e04 is in use. It will be removed on reboot.
2:16 PM: 0000260d_4365a32f_0004f92c is in use. It will be removed on reboot.
2:16 PM: 00001649_43659f8a_000a733c is in use. It will be removed on reboot.
2:16 PM: 000041bb_43657e17_000177a3 is in use. It will be removed on reboot.
2:16 PM: 00006784_435aa5a0_00059541 is in use. It will be removed on reboot.
2:16 PM: 00003e12_4377e9e9_000a7a1e is in use. It will be removed on reboot.
2:16 PM: 00000975_43586aa1_0003f7cc is in use. It will be removed on reboot.
2:16 PM: 0000759a_4377d996_000922f9 is in use. It will be removed on reboot.
2:16 PM: 00000029_437020c7_000f0acc is in use. It will be removed on reboot.
2:16 PM: 0000701f_4377d972_000262d8 is in use. It will be removed on reboot.
2:16 PM: 000011f4_4358600a_000697c1 is in use. It will be removed on reboot.
2:16 PM: 000063cb_43658597_0006378b is in use. It will be removed on reboot.
2:16 PM: 0000030a_4365a41d_00099773 is in use. It will be removed on reboot.
2:16 PM: 00004dc8_4377d966_00021f58 is in use. It will be removed on reboot.
2:16 PM: 00000732_43658ccb_00083a1e is in use. It will be removed on reboot.
2:16 PM: 00000bdb_436587fb_00085b41 is in use. It will be removed on reboot.
2:16 PM: 0000440d_4377d77b_0000ced4 is in use. It will be removed on reboot.
2:16 PM: 0000260d_436585fd_0004f190 is in use. It will be removed on reboot.
2:16 PM: 00003d6c_43657cb2_000563a8 is in use. It will be removed on reboot.
2:16 PM: 00002cd6_43657cf8_000390cb is in use. It will be removed on reboot.
2:16 PM: 00006952_43657cfd_000cff29 is in use. It will be removed on reboot.
2:16 PM: 00002d12_4365831e_00094519 is in use. It will be removed on reboot.
2:16 PM: 00007a5a_43658582_00023db0 is in use. It will be removed on reboot.
2:16 PM: 00001238_4365858a_000ea430 is in use. It will be removed on reboot.
2:16 PM: 0000323b_436585ca_00072f4c is in use. It will be removed on reboot.
2:16 PM: 00004dc8_4365840d_000a6544 is in use. It will be removed on reboot.
2:16 PM: 00000120_43658cd5_000d7d49 is in use. It will be removed on reboot.
2:16 PM: 000022ee_4377d9aa_00001a1c is in use. It will be removed on reboot.
2:16 PM: 0000153c_4365a05a_000b3344 is in use. It will be removed on reboot.
2:16 PM: 0000440d_4365a0a8_000d5f60 is in use. It will be removed on reboot.
2:16 PM: 00004e45_4377d988_000a8288 is in use. It will be removed on reboot.
2:16 PM: 00007f96_43658599_0001ad3b is in use. It will be removed on reboot.
2:16 PM: 000066bb_4377d96e_000adafe is in use. It will be removed on reboot.
2:16 PM: 000001eb_43657f30_00027239 is in use. It will be removed on reboot.
2:16 PM: 00005f90_43657d08_00012aa8 is in use. It will be removed on reboot.
2:16 PM: 000072ae_4377e89a_00058fa4 is in use. It will be removed on reboot.
2:16 PM: 00004dc8_4377e99c_0001e8a6 is in use. It will be removed on reboot.
2:16 PM: 00004823_437020c8_0007bab9 is in use. It will be removed on reboot.
2:16 PM: 00006443_4377d969_000f0631 is in use. It will be removed on reboot.
2:16 PM: 0000366b_4377d9d5_0007c536 is in use. It will be removed on reboot.
2:16 PM: 00007f96_4365a26c_000cc2ae is in use. It will be removed on reboot.
2:16 PM: 0000314f_4377ea05_000a5406 is in use. It will be removed on reboot.
2:16 PM: 00002cd6_4359a880_000c1893 is in use. It will be removed on reboot.
2:16 PM: 0000139d_43585f43_0006f510 is in use. It will be removed on reboot.
2:16 PM: 00006be8_43585fd6_000ca1d6 is in use. It will be removed on reboot.
2:16 PM: 000022ee_4377e9d4_000c75e4 is in use. It will be removed on reboot.
2:16 PM: 0000261e_43585fbc_000ecfb9 is in use. It will be removed on reboot.
2:16 PM: 00004dc8_43585eca_0003d714 is in use. It will be removed on reboot.
2:16 PM: 00002833_43585ffc_000cdb1c is in use. It will be removed on reboot.
2:16 PM: 0000127e_4358601b_000a2ce0 is in use. It will be removed on reboot.
2:16 PM: 00007b44_435872a0_000873b4 is in use. It will be removed on reboot.
2:16 PM: 00006e5d_43658591_0002b92e is in use. It will be removed on reboot.
2:16 PM: 00004db7_4377e996_000af206 is in use. It will be removed on reboot.
2:16 PM: 00005e14_4377ea07_000d4688 is in use. It will be removed on reboot.
2:16 PM: 00007e87_4370258a_0007c4fc is in use. It will be removed on reboot.
2:16 PM: 000018be_437020c9_00006aa6 is in use. It will be removed on reboot.
2:16 PM: 0000030a_4377d98d_0000aff0 is in use. It will be removed on reboot.
2:16 PM: 00002213_4377d98b_000edabb is in use. It will be removed on reboot.
2:16 PM: 0000458f_43586849_000637cb is in use. It will be removed on reboot.
2:16 PM: 000041bb_4377e8d9_000f0b50 is in use. It will be removed on reboot.
2:16 PM: 00001547_4377d795_0003abdc is in use. It will be removed on reboot.
2:16 PM: 00003d6c_4377d735_0006256c is in use. It will be removed on reboot.
2:16 PM: 00002350_4377d99e_000d21f1 is in use. It will be removed on reboot.
2:16 PM: 00005cfd_4377d9af_00091320 is in use. It will be removed on reboot.
2:16 PM: 000041bb_437020ec_000b6c7b is in use. It will be removed on reboot.
2:16 PM: 000066c4_4377d9d6_00009c41 is in use. It will be removed on reboot.
2:16 PM: 0000440d_43702aaf_00051388 is in use. It will be removed on reboot.
2:16 PM: 000066bb_43658411_00045f04 is in use. It will be removed on reboot.
2:16 PM: 00005af1_437024dd_0007a2b6 is in use. It will be removed on reboot.
2:16 PM: 0000153c_4377d757_0004c103 is in use. It will be removed on reboot.
2:16 PM: 00003a9e_4377d9ba_00075474 is in use. It will be removed on reboot.
2:16 PM: 00000bb3_4377e8e6_000081eb is in use. It will be removed on reboot.
2:16 PM: 00001ad4_4377d97f_000d3729 is in use. It will be removed on reboot.
2:16 PM: 0000797d_4377e9f9_0009e968 is in use. It will be removed on reboot.
2:16 PM: 0000301c_4377d98d_0002ac7b is in use. It will be removed on reboot.
2:16 PM: 00001a49_4365a4c5_000c0f80 is in use. It will be removed on reboot.
2:16 PM: 00000099_43585b41_00042021 is in use. It will be removed on reboot.
2:16 PM: 00004230_4377d9d7_00090969 is in use. It will be removed on reboot.
2:16 PM: 00001cd0_4377d9d4_0008d16b is in use. It will be removed on reboot.
2:16 PM: 00007dd1_43585fbb_000550bc is in use. It will be removed on reboot.
2:16 PM: 00006ad6_43585f98_00079a3c is in use. It will be removed on reboot.
2:16 PM: 00001953_43585fe1_000c1c1e is in use. It will be removed on reboot.
2:16 PM: 00004080_43585f77_0009c7de is in use. It will be removed on reboot.
2:16 PM: 00007874_43585ffe_0001beb1 is in use. It will be removed on reboot.
2:16 PM: 00006d22_43586022_0003e943 is in use. It will be removed on reboot.
2:16 PM: 00000822_43585f21_000263d8 is in use. It will be removed on reboot.
2:16 PM: 00006bcb_43585fe9_000ebb04 is in use. It will be removed on reboot.
2:16 PM: 00006784_437020c9_0004d918 is in use. It will be removed on reboot.
2:16 PM: 00006784_4377e896_000d4433 is in use. It will be removed on reboot.
2:16 PM: 00007ff5_4365a27b_000c2c58 is in use. It will be removed on reboot.
2:16 PM: 0000489c_43585fc3_000099f0 is in use. It will be removed on reboot.
2:16 PM: 00001547_43585b6e_00067d53 is in use. It will be removed on reboot.
2:16 PM: 0000409d_43585f22_0009e649 is in use. It will be removed on reboot.
2:16 PM: 00004a80_43585f58_00068079 is in use. It will be removed on reboot.
2:16 PM: 00006443_43585eca_000e6246 is in use. It will be removed on reboot.
2:16 PM: 00004df2_4377ea08_00042108 is in use. It will be removed on reboot.
2:16 PM: 00007a5a_4377e9ac_00043f31 is in use. It will be removed on reboot.
2:16 PM: 00001e1f_4377d97f_0003e4eb is in use. It will be removed on reboot.
2:16 PM: 000073da_43585f2b_000b51dc is in use. It will be removed on reboot.
2:16 PM: 000026ca_43585f30_0001a663 is in use. It will be removed on reboot.
2:16 PM: 0000121f_43585f28_0002d974 is in use. It will be removed on reboot.
2:16 PM: 00007e87_4365a05b_00003858 is in use. It will be removed on reboot.
2:16 PM: 00003b25_4377d97e_000baa59 is in use. It will be removed on reboot.
2:16 PM: 0000305e_437025fa_0003f71e is in use. It will be removed on reboot.
2:16 PM: 0000249e_43585fff_000100b9 is in use. It will be removed on reboot.
2:16 PM: 0000288f_43585fac_0003c369 is in use. It will be removed on reboot.
2:16 PM: 00006784_43659f74_0005890b is in use. It will be removed on reboot.
2:16 PM: 00006784_4377d722_000ac578 is in use. It will be removed on reboot.
2:16 PM: 00001547_4377e996_000eeb1c is in use. It will be removed on reboot.
2:16 PM: 0000305e_4365a0a8_000bb111 is in use. It will be removed on reboot.
2:16 PM: 00004ae1_4377d723_00008e23 is in use. It will be removed on reboot.
2:16 PM: 00005f32_4377d9b3_00027066 is in use. It will be removed on reboot.
2:16 PM: 000057d3_435865f1_00047eb3 is in use. It will be removed on reboot.
2:16 PM: 00003699_43585f35_00006271 is in use. It will be removed on reboot.
2:16 PM: 00005f32_43585f06_000d68fe is in use. It will be removed on reboot.
2:16 PM: 00004230_43585f13_00074721 is in use. It will be removed on reboot.
2:16 PM: 000060bf_43585f88_000a277e is in use. It will be removed on reboot.
2:16 PM: 00005dd5_4358600c_000dd196 is in use. It will be removed on reboot.
2:16 PM: 00000099_43657f3c_000d6809 is in use. It will be removed on reboot.
2:16 PM: 00002d12_4377d959_000d733e is in use. It will be removed on reboot.
2:16 PM: 0000767d_4365a14b_0008b3d6 is in use. It will be removed on reboot.
2:16 PM: 00004b40_4377e9da_00019718 is in use. It will be removed on reboot.
2:16 PM: 000054de_4377e99a_0008bdbe is in use. It will be removed on reboot.
2:16 PM: 0000323b_4377e9c6_0007dfd1 is in use. It will be removed on reboot.
2:16 PM: 00005878_4377e9db_0001eaf4 is in use. It will be removed on reboot.
2:16 PM: 00000124_4377e8ff_000c0f18 is in use. It will be removed on reboot.
2:16 PM: 000066bb_4377e99f_0008d9de is in use. It will be removed on reboot.
2:16 PM: 00001916_43585fc4_000a18ec is in use. It will be removed on reboot.
2:16 PM: 00003a2d_43586047_0005f256 is in use. It will be removed on reboot.
2:16 PM: 000012db_4377d754_000cc96e is in use. It will be removed on reboot.
2:16 PM: 00004944_43585f0e_000bc091 is in use. It will be removed on reboot.
2:16 PM: 000075ef_43585fa6_0008101b is in use. It will be removed on reboot.
2:16 PM: 000037e5_4358727e_000e94cc is in use. It will be removed on reboot.
2:16 PM: 000071f0_43585fcd_000ac0e8 is in use. It will be removed on reboot.
2:16 PM: 00000035_4358601d_000b9831 is in use. It will be removed on reboot.
2:16 PM: 00003cd5_43585f6b_00038ebc is in use. It will be removed on reboot.
2:16 PM: 00007eb7_43585f13_000af1fb is in use. It will be removed on reboot.
2:16 PM: 00005c67_43585f89_00076cfb is in use. It will be removed on reboot.
2:16 PM: 00005f49_43585f0a_000f06ae is in use. It will be removed on reboot.
2:16 PM: 00003bf6_4377d9b7_000c759e is in use. It will be removed on reboot.
2:16 PM: 00006172_43585fc5_000b5780 is in use. It will be removed on reboot.
2:16 PM: 0000692c_43585f57_00089e83 is in use. It will be removed on reboot.
2:16 PM: 0000047e_43585f9b_0004c3db is in use. It will be removed on reboot.
2:16 PM: 0000428b_4377d96f_00070ea6 is in use. It will be removed on reboot.
2:16 PM: 00004e45_4377e9c5_000ce51c is in use. It will be removed on reboot.
2:16 PM: 00004402_43585fd5_0006f4d1 is in use. It will be removed on reboot.
2:16 PM: 0000187e_43585f62_00024a48 is in use. It will be removed on reboot.
2:16 PM: 00005991_43585f21_000e9d58 is in use. It will be removed on reboot.
2:16 PM: 0000759a_4365a4b1_000890a0 is in use. It will be removed on reboot.
2:16 PM: 00000f3e_43585b39_00074fbe is in use. It will be removed on reboot.
2:16 PM: 000012db_43585721_000b7be1 is in use. It will be removed on reboot.
2:16 PM: 00006ad4_43586010_00081993 is in use. It will be removed on reboot.
2:16 PM: 00007ff5_436585a6_000504bb is in use. It will be removed on reboot.
2:16 PM: 00005753_43585f88_00023551 is in use. It will be removed on reboot.
2:16 PM: 00001ad4_43585ee6_000c66c1 is in use. It will be removed on reboot.
2:16 PM: 000063cb_43585ee7_00022f6c is in use. It will be removed on reboot.
2:16 PM: 000066bb_43585ed4_0005bda3 is in use. It will be removed on reboot.
2:16 PM: 00003a61_43585fad_00043e64 is in use. It will be removed on reboot.
2:16 PM: 000054dc_43585f9e_000af17b is in use. It will be removed on reboot.
2:16 PM: 00005a9f_43586012_000b0c14 is in use. It will be removed on reboot.
2:16 PM: 000016c5_43585f68_00055349 is in use. It will be removed on reboot.
2:16 PM: 000018d7_43585fd5_000a516e is in use. It will be removed on reboot.
2:16 PM: 00006899_43585f68_000776f3 is in use. It will be removed on reboot.
2:16 PM: 00000029_43655333_000ef068 is in use. It will be removed on reboot.
2:16 PM: 000054de_4377d796_00090aa4 is in use. It will be removed on reboot.
2:16 PM: 00007e87_4377d758_000a6e08 is in use. It will be removed on reboot.
2:16 PM: 00007a5a_4377d972_00091c11 is in use. It will be removed on reboot.
2:16 PM: 0000767d_4377d973_000156a3 is in use. It will be removed on reboot.
2:16 PM: 00004509_4365a14b_000ef7b4 is in use. It will be removed on reboot.
2:16 PM: 0000390c_4365a05b_00031f99 is in use. It will be removed on reboot.
2:16 PM: 00000bdb_4377d98e_000263de is in use. It will be removed on reboot.
2:16 PM: 000012db_4370250a_0000ada9 is in use. It will be removed on reboot.
2:16 PM: 00001a49_4377e9ea_0001c9f9 is in use. It will be removed on reboot.
2:16 PM: 00005d03_4377d972_00071f86 is in use. It will be removed on reboot.
2:16 PM: 000026e9_4377d74e_00097230 is in use. It will be removed on reboot.
2:16 PM: 00005e14_43585f0d_0007e8f9 is in use. It will be removed on reboot.
2:16 PM: 000066c4_43585f13_00045fe0 is in use. It will be removed on reboot.
2:16 PM: 000056ae_43585ef4_000a6ab9 is in use. It will be removed on reboot.
2:16 PM: 0000368e_43585f9f_00080fd9 is in use. It will be removed on reboot.
2:16 PM: 00006e5d_4377d97f_00093e13 is in use. It will be removed on reboot.
2:16 PM: 00002213_43585eef_000a9cd6 is in use. It will be removed on reboot.
2:16 PM: 00000124_43585b58_00034170 is in use. It will be removed on reboot.
2:16 PM: 00005f49_4377e9fa_000b27fb is in use. It will be removed on reboot.
2:16 PM: 00002c3b_43585f17_0005fd90 is in use. It will be removed on reboot.
2:16 PM: 00002d12_43585d17_000cc593 is in use. It will be removed on reboot.
2:16 PM: 00004944_4377ea09_0002edb4 is in use. It will be removed on reboot.
2:16 PM: 000032e6_43585fc7_0000b070 is in use. It will be removed on reboot.
2:16 PM: 0000542c_43585fe1_00007f18 is in use. It will be removed on reboot.
2:16 PM: 00001e1f_43585ee6_0000f0d9 is in use. It will be removed on reboot.
2:16 PM: 00004df2_43585f0d_00097029 is in use. It will be removed on reboot.
2:16 PM: 00003c61_43585faa_0006c689 is in use. It will be removed on reboot.
2:16 PM: 000049f7_4358728f_00033048 is in use. It will be removed on reboot.
2:16 PM: 00002f14_43585f97_00037468 is in use. It will be removed on reboot.
2:16 PM: 00000bdb_4365a457_00062104 is in use. It will be removed on reboot.
2:16 PM: 00000732_4377e9cc_000ac1b4 is in use. It will be removed on reboot.
2:16 PM: 000018be_43659f70_000067a0 is in use. It will be removed on reboot.
2:16 PM: 0000701f_4377e9a5_000ea303 is in use. It will be removed on reboot.
2:16 PM: 000041bb_437024df_000ba70c is in use. It will be removed on reboot.
2:16 PM: 000041bb_4377d74c_000e4abc is in use. It will be removed on reboot.
2:16 PM: 000026e9_437020ef_0003b24c is in use. It will be removed on reboot.
2:16 PM: 000026e9_43585638_000859cc is in use. It will be removed on reboot.
2:16 PM: 00004cad_4377d9cd_00012d39 is in use. It will be removed on reboot.
2:16 PM: 000001eb_437020f2_00023bfc is in use. It will be removed on reboot.
2:16 PM: 0000314f_4377d9cd_000350e3 is in use. It will be removed on reboot.
2:16 PM: 00006df1_437024cc_0009b4fc is in use. It will be removed on reboot.
2:16 PM: 00000029_4377d717_000491f6 is in use. It will be removed on reboot.
2:16 PM: 00005f32_4377e9ec_0005ce50 is in use. It will be removed on reboot.
2:16 PM: 00000099_43702595_00028296 is in use. It will be removed on reboot.
2:16 PM: 000072ae_4377d739_0008d4f1 is in use. It will be removed on reboot.
2:16 PM: 0000153c_43702514_00013426 is in use. It will be removed on reboot.
2:16 PM: 00006b36_4377d9ae_0006e9d6 is in use. It will be removed on reboot.
2:16 PM: 00004d06_4377e993_000ba4be is in use. It will be removed on reboot.
2:16 PM: 0000030a_4377e9ca_000add93 is in use. It will be removed on reboot.
2:16 PM: 00001a49_4377d9b0_0003bf98 is in use. It will be removed on reboot.
2:16 PM: 00000029_4377e893_000ac16c is in use. It will be removed on reboot.
2:16 PM: 00005078_43587296_000ad479 is in use. It will be removed on reboot.
2:16 PM: 00006952_437024b6_000e9264 is in use. It will be removed on reboot.
2:16 PM: 000026a6_4377d971_000a2846 is in use. It will be removed on reboot.
2:16 PM: 00001481_43587298_0003ff61 is in use. It will be removed on reboot.
2:16 PM: 000001eb_43659faf_000e9ff9 is in use. It will be removed on reboot.
2:16 PM: 00005d03_4365a14a_000be3b4 is in use. It will be removed on reboot.
2:16 PM: 0000301c_4377e9cb_0004ed91 is in use. It will be removed on reboot.
2:16 PM: 0000305e_4377d778_0001a8ab is in use. It will be removed on reboot.
2:16 PM: 0000491c_4377e992_0004bec6 is in use. It will be removed on reboot.
2:16 PM: 0000759a_4377e9d2_000d071e is in use. It will be removed on reboot.
2:16 PM: 00003bf6_43585f07_000a3920 is in use. It will be removed on reboot.
2:16 PM: 00006032_43585f17_0002c811 is in use. It will be removed on reboot.
2:16 PM: 00004ae1_43657cac_0009fe96 is in use. It will be removed on reboot.
2:16 PM: 00004823_435a8370_000a7fd4 is in use. It will be removed on reboot.
2:16 PM: 000018be_435a8371_00015a54 is in use. It will be removed on reboot.
2:16 PM: 00000029_435a8324_0006d7c9 is in use. It will be removed on reboot.
2:16 PM: 00001366_43585f11_00042d81 is in use. It will be removed on reboot.
2:16 PM: ai_14-11-2005.log is in use. It will be removed on reboot.
2:16 PM: 00003d6c_435a92a6_0008cec6 is in use. It will be removed on reboot.
2:16 PM: 00004823_435a997a_000081e8 is in use. It will be removed on reboot.
2:16 PM: 00002cd6_4359b300_0009f5f3 is in use. It will be removed on reboot.
2:16 PM: 00004ae1_4365546e_000709c3 is in use. It will be removed on reboot.
2:16 PM: 0000440d_4377e98c_0001dce3 is in use. It will be removed on reboot.
2:16 PM: 00004823_43655334_00094ea3 is in use. It will be removed on reboot.
2:16 PM: 000018be_43655344_000a451c is in use. It will be removed on reboot.
2:16 PM: 00006784_43655459_000a659b is in use. It will be removed on reboot.
2:16 PM: 00003d6c_4365546f_0006c126 is in use. It will be removed on reboot.
2:16 PM: 00002cd6_43655470_0006ede4 is in use. It will be removed on reboot.
2:16 PM: 000072ae_43655472_0001ee39 is in use. It will be removed on reboot.
2:16 PM: 00006952_43655472_000a7ce0 is in use. It will be removed on reboot.
2:16 PM: 00006784_43657c89_00039251 is in use. It will be removed on reboot.
2:16 PM: 00005af1_43657e15_000ce24b is in use. It will be removed on reboot.
2:16 PM: 0000153c_43657f38_000b54fe is in use. It will be removed on reboot.
2:16 PM: 00000f3e_43657f3b_00048586 is in use. It will be removed on reboot.
2:16 PM: 0000305e_43657f45_000a652b is in use. It will be removed on reboot.
2:16 PM: 00001e1f_43658590_00088211 is in use. It will be removed on reboot.
2:16 PM: 00003b25_43658590_00026551 is in use. It will be removed on reboot.
2:16 PM: 00001ad4_43658594_000e6714 is in use. It will be removed on reboot.
2:16 PM: 00006bfc_43658597_000ddb7b is in use. It will be removed on reboot.
2:16 PM: 00005f90_43659f89_00033f08 is in use. It will be removed on reboot.
2:16 PM: 000072ae_43659f7f_0009e720 is in use. It will be removed on reboot.
2:16 PM: 00006b89_436585fe_0003e55b is in use. It will be removed on reboot.
2:16 PM: 0000301c_436587e9_0009a450 is in use. It will be removed on reboot.
2:16 PM: 00002cd6_4377d738_0005c0f1 is in use. It will be removed on reboot.
2:16 PM: 000056ae_43658cbb_000f0eb3 is in use. It will be removed on reboot.
2:16 PM: 0000759a_43658cd7_0004d2c4 is in use. It will be removed on reboot.
2:16 PM: 00000bb3_43659fb0_00074fe6 is in use. It will be removed on reboot.
2:16 PM: ai_11-11-2005.log is in use. It will be removed on reboot.
2:16 PM: 000066bb_4365a147_0003926b is in use. It will be removed on reboot.
2:16 PM: 0000701f_4365a149_000eec74 is in use. It will be removed on reboot.
2:16 PM: 00007a5a_4365a14b_0001ac60 is in use. It will be removed on reboot.
2:16 PM: 000063cb_4365a238_000496b8 is in use. It will be removed on reboot.
2:16 PM: 00006b36_4365a4c4_0008ad43 is in use. It will be removed on reboot.
2:16 PM: 00003e12_4365a4c5_0006681b is in use. It will be removed on reboot.
2:16 PM: 00004ae1_437020cb_0000c423 is in use. It will be removed on reboot.
2:16 PM: 00003d6c_437020cb_0006b9c4 is in use. It will be removed on reboot.
2:16 PM: 000072ae_437020cd_00058c11 is in use. It will be removed on reboot.
2:16 PM: 00002cd6_437020cc_000ba331 is in use. It will be removed on reboot.
2:16 PM: 00006952_437020cd_000e68f4 is in use. It will be removed on reboot.
2:16 PM: ai_13-11-2005.log is in use. It will be removed on reboot.
2:16 PM: 00006df1_437020e3_0003bd09 is in use. It will be removed on reboot.
2:16 PM: 00000bb3_43702104_0007d346 is in use. It will be removed on reboot.
2:16 PM: 000018be_4370243e_0000a09b is in use. It will be removed on reboot.
2:16 PM: 00004ae1_43702477_000df39c is in use. It will be removed on reboot.
2:16 PM: 00001649_437024be_000e22eb is in use. It will be removed on reboot.
2:16 PM: 00000124_437025f9_000046a4 is in use. It will be removed on reboot.
2:16 PM: 0000591d_43587279_000329e3 is in use. It will be removed on reboot.
2:16 PM: 00004db7_43702ae4_00032f48 is in use. It will be removed on reboot.
2:16 PM: 00000120_4377d994_00019ae8 is in use. It will be removed on reboot.
2:16 PM: 00002ea6_4377d751_000a46a8 is in use. It will be removed on reboot.
2:16 PM: 00006952_4377d73b_000c63ec is in use. It will be removed on reboot.
2:16 PM: 00000bb3_4377d751_0000cd4b is in use. It will be removed on reboot.
2:16 PM: 0000390c_4377d75a_00019c64 is in use. It will be removed on reboot.
2:16 PM: 00004db7_4377d78a_000d3596 is in use. It will be removed on reboot.
2:16 PM: 000018be_4377e896_0005ee80 is in use. It will be removed on reboot.
2:16 PM: 00004823_4377e895_00077010 is in use. It will be removed on reboot.
2:16 PM: 00004ae1_4377e897_00027064 is in use. It will be removed on reboot.
2:16 PM: 000039b3_4377d829_000b0c91 is in use. It will be removed on reboot.
2:16 PM: 00004509_4377d973_000c3011 is in use. It will be removed on reboot.
2:16 PM: 00006b89_4377d98c_0007154c is in use. It will be removed on reboot.
2:16 PM: 00006bfc_4377d984_000bf338 is in use. It will be removed on reboot.
2:16 PM: 0000323b_4377d98a_000d7509 is in use. It will be removed on reboot.
2:16 PM: 00000732_4377d993_000875a0 is in use. It will be removed on reboot.
2:16 PM: 00004b40_4377d9ab_00088744 is in use. It will be removed on reboot.
2:16 PM: 00005878_4377d9ac_000ea9a4 is in use. It will be removed on reboot.
2:16 PM: 00003e12_4377d9b0_0002d4e1 is in use. It will be removed on reboot.
2:16 PM: 00002e40_4377d9d1_0006eb1e is in use. It will be removed on reboot.
2:16 PM: 0000797d_4377d9c3_000e8e8b is in use. It will be removed on reboot.
2:16 PM: 00003d6c_4377e897_0006697b is in use. It will be removed on reboot.
2:16 PM: 00004df2_4377d9d0_00055e4e is in use. It will be removed on reboot.
2:16 PM: 00001366_4377d9d2_00062d26 is in use. It will be removed on reboot.
2:16 PM: 00001649_4377e8ad_0005d366 is in use. It will be removed on reboot.
2:16 PM: 00006df1_4377e8b3_000c3904 is in use. It will be removed on reboot.
2:16 PM: 0000252a_4358727a_0006da5c is in use. It will be removed on reboot.
2:16 PM: 000012db_4377e8ea_000134e4 is in use. It will be removed on reboot.
2:16 PM: 00000f3e_4377e8f8_0005f216 is in use. It will be removed on reboot.
2:16 PM: 0000428b_4377e9a1_000b7e23 is in use. It will be removed on reboot.
2:16 PM: 000026a6_4377e9a2_0004ca89 is in use. It will be removed on reboot.
2:16 PM: 0000767d_4377e9ad_0005cc01 is in use. It will be removed on reboot.
2:16 PM: 00004509_4377e9af_000f0261 is in use. It will be removed on reboot.
2:16 PM: 00001238_4377e9b0_00014751 is in use. It will be removed on reboot.
2:16 PM: 00001ad4_4377e9c0_000376be is in use. It will be removed on reboot.
2:16 PM: 000063cb_4377e9c0_00072198 is in use. It will be removed on reboot.
2:16 PM: 00006bfc_4377e9c0_0007e530 is in use. It will be removed on reboot.
2:16 PM: 00007f96_4377e9c0_000d8c94 is in use. It will be removed on reboot.
2:16 PM: 00002213_4377e9c6_000dfc91 is in use. It will be removed on reboot.
2:16 PM: 00000bdb_4377e9cc_00003683 is in use. It will be removed on reboot.
2:16 PM: 000056ae_4377e9cc_0006efbc is in use. It will be removed on reboot.
2:16 PM: 00000bdb_43585ef4_0006bfe0 is in use. It will be removed on reboot.
2:16 PM: 00006048_43586223_000a23f8 is in use. It will be removed on reboot.
2:16 PM: 00004823_43585566_0008793b is in use. It will be removed on reboot.
2:16 PM: 000018be_4358556c_00069e70 is in use. It will be removed on reboot.
2:16 PM: 00006784_4358558c_000dbd6c is in use. It will be removed on reboot.
2:16 PM: 00004ae1_435855a7_000f4003 is in use. It will be removed on reboot.
2:16 PM: 00003d6c_435855b0_00078076 is in use. It will be removed on reboot.
2:16 PM: 00000bb3_4358566f_00063290 is in use. It will be removed on reboot.
2:16 PM: 00002ea6_43585670_000302b1 is in use. It will be removed on reboot.
2:16 PM: 00002cd6_435855eb_00019dc1 is in use. It will be removed on reboot.
2:16 PM: 000072ae_435855ed_0008623b is in use. It will be removed on reboot.
2:16 PM: 00006952_435855fb_0001a984 is in use. It will be removed on reboot.
2:16 PM: 00005f90_43585600_00080983 is in use. It will be removed on reboot.
2:16 PM: 00001649_43585600_000c0299 is in use. It will be removed on reboot.
2:16 PM: 00006df1_43585603_00092c38 is in use. It will be removed on reboot.
2:16 PM: 00005af1_43585633_0007a133 is in use. It will be removed on reboot.
2:16 PM: 000041bb_43585636_00031c83 is in use. It will be removed on reboot.
2:16 PM: 000001eb_43585639_00081130 is in use. It will be removed on reboot.
2:16 PM: 00007e87_435857b5_000a9c2c is in use. It will be removed on reboot.
2:16 PM: 0000305e_43585b58_0005da74 is in use. It will be removed on reboot.
2:16 PM: 0000301c_43585ef4_0002788c is in use. It will be removed on reboot.
2:16 PM: 00006e5d_43585ee6_00055f4b is in use. It will be removed on reboot.
2:16 PM: 00004cad_43585f0b_000dac3c is in use. It will be removed on reboot.
2:16 PM: 00003e12_43585f05_000dffd8 is in use. It will be removed on reboot.
2:16 PM: 00001a49_43585f06_0004da58 is in use. It will be removed on reboot.
2:16 PM: 0000366b_43585f12_000d1004 is in use. It will be removed on reboot.
2:16 PM: 00002e40_43585f0f_000cb0e8 is in use. It will be removed on reboot.
2:16 PM: 0000314f_43585f0c_0007e359 is in use. It will be removed on reboot.
2:16 PM: 000015a1_43585f1b_000885f6 is in use. It will be removed on reboot.
2:16 PM: 00003ef6_43585f1f_000b83b8 is in use. It will be removed on reboot.
2:16 PM: 00005422_43585f1f_0000aa49 is in use. It will be removed on reboot.
2:16 PM: 00007bb9_43585f36_000c7a73 is in use. It will be removed on reboot.
2:16 PM: 000012e1_43585f25_00016883 is in use. It will be removed on reboot.
2:16 PM: 0000798b_43585f27_000bfef4 is in use. It will be removed on reboot.
2:16 PM: 000058b0_43585f2e_000d3829 is in use. It will be removed on reboot.
2:16 PM: 000048cc_43585f7d_0008d7c9 is in use. It will be removed on reboot.
2:16 PM: 00005772_43585f37_000354f3 is in use. It will be removed on reboot.
2:16 PM: 000022cd_43585fb0_00056119 is in use. It will be removed on reboot.
2:16 PM: 000033ea_43585f79_0004ef51 is in use. It will be removed on reboot.
2:16 PM: 00005db2_43585f78_000782b6 is in use. It will be removed on reboot.
2:16 PM: 00000677_43585fd4_000147cc is in use. It will be removed on reboot.
2:16 PM: 00002b0c_43586000_000b1c30 is in use. It will be removed on reboot.
2:16 PM: 00000fbf_43585f8d_000ed92e is in use. It will be removed on reboot.
2:16 PM: 0000422d_43585f9b_0005fcce is in use. It will be removed on reboot.
2:16 PM: 00007983_43585fa3_0000342c is in use. It will be removed on reboot.
2:16 PM: 00004657_43585fa9_000d04c8 is in use. It will be removed on reboot.
2:16 PM: 00002c49_43585faa_00056678 is in use. It will be removed on reboot.
2:16 PM: 00002fff_43585fab_00067dec is in use. It will be removed on reboot.
2:16 PM: 0000401d_43585fc8_000460e9 is in use. It will be removed on reboot.
2:16 PM: 0000494a_43585fd3_0008befe is in use. It will be removed on reboot.
2:16 PM: 00006b72_43585fc6_0006c790 is in use. It will be removed on reboot.
2:16 PM: 00000384_43585fd0_0008d53c is in use. It will be removed on reboot.
2:16 PM: 00005039_43585fd8_0001856b is in use. It will be removed on reboot.
2:16 PM: 000007cf_43586020_00087393 is in use. It will be removed on reboot.
2:16 PM: 00000e12_43585ff3_0002e0e3 is in use. It will be removed on reboot.
2:16 PM: 00004cd4_43586019_000676c6 is in use. It will be removed on reboot.
2:16 PM: 000046cf_43586036_0002ab74 is in use. It will be removed on reboot.
2:16 PM: 00005fa4_4358601a_00028350 is in use. It will be removed on reboot.
2:16 PM: 00006732_43586021_00082af6 is in use. It will be removed on reboot.
2:16 PM: 00002059_4358601a_00078e3b is in use. It will be removed on reboot.
2:16 PM: 00000ecc_43586034_000f27f1 is in use. It will be removed on reboot.
2:16 PM: 00000e90_43586044_000baff9 is in use. It will be removed on reboot.
2:16 PM: 00001dc0_43587283_00029e8b is in use. It will be removed on reboot.
2:16 PM: 000037e6_43587032_000ea664 is in use. It will be removed on reboot.
2:16 PM: 0000442b_43587294_000c022c is in use. It will be removed on reboot.
2:16 PM: 00004087_4358729a_00056ab3 is in use. It will be removed on reboot.
2:16 PM: 00000029_43587445_000ab7b0 is in use. It will be removed on reboot.
2:16 PM: 00003d6c_43587483_0007a5fe is in use. It will be removed on reboot.
2:16 PM: 00006784_4358747c_0009540b is in use. It will be removed on reboot.
2:16 PM: 000072ae_435875ab_000374ae is in use. It will be removed on reboot.
2:16 PM: 00003d6c_4359a7b0_00045114 is in use. It will be removed on reboot.
2:16 PM: 00000029_4359a68e_000ee803 is in use. It will be removed on reboot.
2:16 PM: 00004823_4359a694_000605c1 is in use. It will be removed on reboot.
2:16 PM: 00000029_4359b03d_000c4df8 is in use. It will be removed on reboot.
2:16 PM: Quarantining All Traces: purityscan
2:16 PM: Quarantining All Traces: surfsidekick
2:16 PM: Quarantining All Traces: visfx
2:16 PM: Quarantining All Traces: apropos
2:16 PM: apropos is in use. It will be removed on reboot.
2:16 PM: wingenerics.dll is in use. It will be removed on reboot.
2:16 PM: Quarantining All Traces: cas
2:16 PM: Quarantining All Traces: ez-finder toolbar
2:16 PM: Quarantining All Traces: fatpickle toolbar
2:16 PM: Quarantining All Traces: iwantsearch
2:16 PM: Quarantining All Traces: trojan_downloader_favadd
2:16 PM: Quarantining All Traces: trojan-downloader-pacisoft
2:17 PM: Quarantining All Traces: trojan-downloader-psyme
2:17 PM: Quarantining All Traces: command
2:17 PM: Quarantining All Traces: desktop hijacker
2:17 PM: Quarantining All Traces: ezula ilookup
2:17 PM: Quarantining All Traces: ie driver searchx.htm hijack
2:17 PM: Quarantining All Traces: isearch toolbar
2:17 PM: Quarantining All Traces: quicklink search toolbar
2:17 PM: Quarantining All Traces: search fast communicator toolbar
2:17 PM: Quarantining All Traces: shopathomeselect
2:18 PM: shopathomeselect is in use. It will be removed on reboot.
2:18 PM: fhsjqlvr.exe is in use. It will be removed on reboot.
2:18 PM: Quarantining All Traces: start4search toolbar
2:18 PM: Quarantining All Traces: virtualbouncer
2:18 PM: Quarantining All Traces: 888 cookie
2:18 PM: Quarantining All Traces: abcsearch cookie
2:18 PM: Quarantining All Traces: adknowledge cookie
2:18 PM: Quarantining All Traces: adrevolver cookie
2:18 PM: Quarantining All Traces: advertising cookie
2:18 PM: Quarantining All Traces: apmebf cookie
2:18 PM: Quarantining All Traces: atlas dmt cookie
2:18 PM: Quarantining All Traces: atwola cookie
2:18 PM: Quarantining All Traces: azjmp cookie
2:18 PM: Quarantining All Traces: bizrate cookie
2:18 PM: Quarantining All Traces: cc214142 cookie
2:18 PM: Quarantining All Traces: centrport net cookie
2:18 PM: Quarantining All Traces: clickandtrack cookie
2:18 PM: Quarantining All Traces: clickxchange adware cookie
2:18 PM: Quarantining All Traces: epilot cookie
2:18 PM: Quarantining All Traces: exitexchange cookie
2:18 PM: Quarantining All Traces: fastclick cookie
2:18 PM: Quarantining All Traces: go.com cookie
2:18 PM: Quarantining All Traces: goclick cookie
2:18 PM: Quarantining All Traces: hbmediapro cookie
2:18 PM: Quarantining All Traces: maxserving cookie
2:18 PM: Quarantining All Traces: nextag cookie
2:18 PM: Quarantining All Traces: overture cookie
2:18 PM: Quarantining All Traces: partypoker cookie
2:18 PM: Quarantining All Traces: qksrv cookie
2:18 PM: Quarantining All Traces: questionmarket cookie
2:18 PM: Quarantining All Traces: realmedia cookie
2:18 PM: Quarantining All Traces: reliablestats cookie
2:18 PM: Quarantining All Traces: rn11 cookie
2:18 PM: Quarantining All Traces: servedby advertising cookie
2:18 PM: Quarantining All Traces: specificclick.com cookie
2:18 PM: Quarantining All Traces: starware.com cookie
2:18 PM: Quarantining All Traces: tradedoubler cookie
2:18 PM: Quarantining All Traces: trafficmp cookie
2:18 PM: Quarantining All Traces: tribalfusion cookie
2:18 PM: Quarantining All Traces: websponsors cookie
2:18 PM: Quarantining All Traces: yieldmanager cookie
2:18 PM: Quarantining All Traces: zedo cookie
2:34 PM: Preparing to restart your computer. Please wait...
2:34 PM: Removal process completed. Elapsed time 00:42:40
********
11:18 AM: | Start of Session, Monday, November 14, 2005 |
11:18 AM: Spy Sweeper started
11:18 AM: Sweep initiated using definitions version 572
11:19 AM: Starting Memory Sweep
11:20 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:20 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:20 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:20 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:20 AM: Found Adware: shopathomeselect
11:20 AM: Detected running threat: C:\WINDOWS\system32\fhsjqlvr.exe (ID = 157330)
11:20 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || fhsjqlvr (ID = 0)
11:20 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:20 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:20 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:20 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:21 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:21 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:21 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:21 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:22 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:22 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:22 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:22 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:22 AM: Found Adware: icannnews
11:22 AM: Detected running threat: C:\WINDOWS\system32\ksdsp.dll (ID = 156955)
11:22 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:22 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:22 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:22 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:23 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:23 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:23 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:23 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:24 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:24 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:24 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:24 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:24 AM: Detected running threat: C:\WINDOWS\system32\mdident.dll (ID = 156955)
11:24 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:24 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:24 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:24 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:25 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:25 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:25 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:25 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:25 AM: Found Adware: search fast communicator toolbar
11:25 AM: Detected running threat: C:\WINDOWS\system32\communicator.dll (ID = 131321)
11:25 AM: Memory Sweep Complete, Elapsed Time: 00:06:57
11:25 AM: Starting Registry Sweep
11:26 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:26 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:26 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:26 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:26 AM: Found Adware: cas
11:26 AM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105366)
11:26 AM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105369)
11:26 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:26 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:26 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:26 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:26 AM: Found Adware: cws-aboutblank
11:26 AM: HKLM\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115926)
11:26 AM: Found Adware: cws_ns3
11:26 AM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 117588)
11:26 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\webdlg32.dll (ID = 123378)
11:26 AM: Found Adware: iwantsearch
11:26 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 125908)
11:26 AM: Found Adware: start4search toolbar
11:26 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 125908)
11:26 AM: Found Adware: ez-finder toolbar
11:26 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 125908)
11:26 AM: Found Adware: purityscan
11:26 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (ID = 137986)
11:26 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
11:27 AM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
11:27 AM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\ (6 subtraces) (ID = 140681)
11:27 AM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
11:27 AM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
11:27 AM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
11:27 AM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
11:27 AM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
11:27 AM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
11:27 AM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
11:27 AM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\ (6 subtraces) (ID = 140692)
11:27 AM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
11:27 AM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
11:27 AM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
11:27 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140698)
11:27 AM: Found Adware: virtualbouncer
11:27 AM: HKLM\software\microsoft\windows\currentversion\run\ || vbouncer (ID = 145560)
11:27 AM: HKLM\software\microsoft\windows\currentversion\run\ || stb (ID = 201920)
11:27 AM: Found Adware: quicklink search toolbar
11:27 AM: HKCR\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359437)
11:27 AM: HKLM\software\classes\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359440)
11:27 AM: HKLM\software\classes\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359443)
11:27 AM: HKCR\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359446)
11:27 AM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 359448)
11:27 AM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 359449)
11:27 AM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359450)
11:27 AM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359451)
11:27 AM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 359452)
11:27 AM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 359453)
11:27 AM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359454)
11:27 AM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359455)
11:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
11:27 AM: HKLM\software\ql\ (2 subtraces) (ID = 359458)
11:27 AM: HKCR\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609381)
11:27 AM: HKLM\software\classes\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609547)
11:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\related sites toolbar\ (2 subtraces) (ID = 652841)
11:27 AM: Found Adware: visfx
11:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
11:27 AM: Found Adware: clkoptimizer
11:27 AM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
11:27 AM: Found Adware: ezula ilookup
11:27 AM: HKCR\bho.adware\ (5 subtraces) (ID = 819079)
11:27 AM: HKCR\bho.adware.1\ (3 subtraces) (ID = 819085)
11:27 AM: HKCR\bho.hider\ (5 subtraces) (ID = 819089)
11:27 AM: HKCR\bho.hider.1\ (3 subtraces) (ID = 819095)
11:27 AM: HKLM\software\classes\bho.adware\ (5 subtraces) (ID = 819212)
11:27 AM: HKLM\software\classes\bho.adware.1\ (3 subtraces) (ID = 819218)
11:27 AM: HKLM\software\classes\bho.hider\ (5 subtraces) (ID = 819222)
11:27 AM: HKLM\software\classes\bho.hider.1\ (3 subtraces) (ID = 819228)
11:27 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
11:27 AM: HKCR\clsid\{e9670165-86fe-4c34-8c4b-d3158ddc5d92}\ (4 subtraces) (ID = 860940)
11:27 AM: HKLM\software\classes\clsid\{e9670165-86fe-4c34-8c4b-d3158ddc5d92}\ (4 subtraces) (ID = 860969)
11:27 AM: HKCR\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862263)
11:27 AM: HKLM\software\classes\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862304)
11:27 AM: HKLM\software\qstat\ || brr (ID = 877670)
11:27 AM: Found Adware: fatpickle toolbar
11:27 AM: HKLM\software\classes\typelib\{13090792-d4c2-433e-91ba-5ac36aa33fcb}\ (9 subtraces) (ID = 885885)
11:27 AM: HKCR\appid\main.dll\ || appid (ID = 889946)
11:27 AM: HKLM\software\classes\appid\main.dll\ || appid (ID = 889947)
11:27 AM: Found Adware: command
11:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
11:27 AM: HKCR\clsid\{09d98db3-217f-4a37-950f-7fa1b08ce2b6}\ (11 subtraces) (ID = 926729)
11:27 AM: HKCR\clsid\{55be9f0d-6caf-4c3e-b125-5a13a8c9d0ec}\ (11 subtraces) (ID = 926741)
11:27 AM: HKCR\typelib\{4dfd0b10-93db-4d7e-9b34-3d92ca493be4}\ (9 subtraces) (ID = 926753)
11:27 AM: HKLM\software\classes\clsid\{09d98db3-217f-4a37-950f-7fa1b08ce2b6}\ (11 subtraces) (ID = 926763)
11:27 AM: HKLM\software\classes\clsid\{55be9f0d-6caf-4c3e-b125-5a13a8c9d0ec}\ (11 subtraces) (ID = 926775)
11:27 AM: HKLM\software\classes\typelib\{4dfd0b10-93db-4d7e-9b34-3d92ca493be4}\ (9 subtraces) (ID = 926787)
11:27 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:27 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:27 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:27 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121296)
11:27 AM: Found Adware: ie driver searchx.htm hijack
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\main\ || search bar (ID = 127908)
11:27 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:27 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:27 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:27 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\cmsystem\ (1 subtraces) (ID = 820421)
11:27 AM: Found Trojan Horse: trojan-downloader-pacisoft
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\apd123\ (10 subtraces) (ID = 861435)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\cas2\ (12 subtraces) (ID = 862278)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\windows\currentversion\run\ || cas2 (ID = 871018)
11:27 AM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
11:27 AM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121296)
11:27 AM: HKU\S-1-5-18\software\microsoft&

#15
maxweber

Posted 14 November 2005 - 03:18 PM

Member

Topic Starter
Member
12 posts

Yep, that's the problem, here is (hopefully) the rest of the spy sweeper log.

11:27 AM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
11:27 AM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\ (6 subtraces) (ID = 140681)
11:27 AM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
11:27 AM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
11:27 AM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
11:27 AM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
11:27 AM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
11:27 AM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
11:27 AM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
11:27 AM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\ (6 subtraces) (ID = 140692)
11:27 AM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
11:27 AM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
11:27 AM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140697)
11:27 AM: HKLM\software\microsoft\internet explorer\toolbar\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140698)
11:27 AM: Found Adware: virtualbouncer
11:27 AM: HKLM\software\microsoft\windows\currentversion\run\ || vbouncer (ID = 145560)
11:27 AM: HKLM\software\microsoft\windows\currentversion\run\ || stb (ID = 201920)
11:27 AM: Found Adware: quicklink search toolbar
11:27 AM: HKCR\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359437)
11:27 AM: HKLM\software\classes\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359440)
11:27 AM: HKLM\software\classes\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359443)
11:27 AM: HKCR\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 359446)
11:27 AM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 359448)
11:27 AM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 359449)
11:27 AM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359450)
11:27 AM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359451)
11:27 AM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 359452)
11:27 AM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 359453)
11:27 AM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359454)
11:27 AM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359455)
11:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
11:27 AM: HKLM\software\ql\ (2 subtraces) (ID = 359458)
11:27 AM: HKCR\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609381)
11:27 AM: HKLM\software\classes\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609547)
11:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\related sites toolbar\ (2 subtraces) (ID = 652841)
11:27 AM: Found Adware: visfx
11:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
11:27 AM: Found Adware: clkoptimizer
11:27 AM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
11:27 AM: Found Adware: ezula ilookup
11:27 AM: HKCR\bho.adware\ (5 subtraces) (ID = 819079)
11:27 AM: HKCR\bho.adware.1\ (3 subtraces) (ID = 819085)
11:27 AM: HKCR\bho.hider\ (5 subtraces) (ID = 819089)
11:27 AM: HKCR\bho.hider.1\ (3 subtraces) (ID = 819095)
11:27 AM: HKLM\software\classes\bho.adware\ (5 subtraces) (ID = 819212)
11:27 AM: HKLM\software\classes\bho.adware.1\ (3 subtraces) (ID = 819218)
11:27 AM: HKLM\software\classes\bho.hider\ (5 subtraces) (ID = 819222)
11:27 AM: HKLM\software\classes\bho.hider.1\ (3 subtraces) (ID = 819228)
11:27 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
11:27 AM: HKCR\clsid\{e9670165-86fe-4c34-8c4b-d3158ddc5d92}\ (4 subtraces) (ID = 860940)
11:27 AM: HKLM\software\classes\clsid\{e9670165-86fe-4c34-8c4b-d3158ddc5d92}\ (4 subtraces) (ID = 860969)
11:27 AM: HKCR\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862263)
11:27 AM: HKLM\software\classes\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862304)
11:27 AM: HKLM\software\qstat\ || brr (ID = 877670)
11:27 AM: Found Adware: fatpickle toolbar
11:27 AM: HKLM\software\classes\typelib\{13090792-d4c2-433e-91ba-5ac36aa33fcb}\ (9 subtraces) (ID = 885885)
11:27 AM: HKCR\appid\main.dll\ || appid (ID = 889946)
11:27 AM: HKLM\software\classes\appid\main.dll\ || appid (ID = 889947)
11:27 AM: Found Adware: command
11:27 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
11:27 AM: HKCR\clsid\{09d98db3-217f-4a37-950f-7fa1b08ce2b6}\ (11 subtraces) (ID = 926729)
11:27 AM: HKCR\clsid\{55be9f0d-6caf-4c3e-b125-5a13a8c9d0ec}\ (11 subtraces) (ID = 926741)
11:27 AM: HKCR\typelib\{4dfd0b10-93db-4d7e-9b34-3d92ca493be4}\ (9 subtraces) (ID = 926753)
11:27 AM: HKLM\software\classes\clsid\{09d98db3-217f-4a37-950f-7fa1b08ce2b6}\ (11 subtraces) (ID = 926763)
11:27 AM: HKLM\software\classes\clsid\{55be9f0d-6caf-4c3e-b125-5a13a8c9d0ec}\ (11 subtraces) (ID = 926775)
11:27 AM: HKLM\software\classes\typelib\{4dfd0b10-93db-4d7e-9b34-3d92ca493be4}\ (9 subtraces) (ID = 926787)
11:27 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:27 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:27 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:27 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121296)
11:27 AM: Found Adware: ie driver searchx.htm hijack
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\main\ || search bar (ID = 127908)
11:27 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:27 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:27 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:27 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\cmsystem\ (1 subtraces) (ID = 820421)
11:27 AM: Found Trojan Horse: trojan-downloader-pacisoft
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\apd123\ (10 subtraces) (ID = 861435)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\cas2\ (12 subtraces) (ID = 862278)
11:27 AM: HKU\S-1-5-21-2799803650-3875050562-2771834179-1003\software\microsoft\windows\currentversion\run\ || cas2 (ID = 871018)
11:27 AM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
11:27 AM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121296)
11:27 AM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 127908)
11:27 AM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
11:27 AM: Registry Sweep Complete, Elapsed Time:00:01:56
11:27 AM: Starting Cookie Sweep
11:27 AM: Found Spy Cookie: adrevolver cookie
11:27 AM: guest@adrevolver[1].txt (ID = 2088)
11:27 AM: guest@adrevolver[2].txt (ID = 2088)
11:27 AM: Found Spy Cookie: atwola cookie
11:27 AM: guest@atwola[1].txt (ID = 2255)
11:27 AM: Found Spy Cookie: go.com cookie
11:27 AM: [email protected][1].txt (ID = 2729)
11:27 AM: guest@go[2].txt (ID = 2728)
11:27 AM: [email protected][1].txt (ID = 2729)
11:27 AM: [email protected][1].txt (ID = 2729)
11:27 AM: Found Spy Cookie: 888 cookie
11:27 AM: scott eliason@888[1].txt (ID = 2019)
11:27 AM: Found Spy Cookie: websponsors cookie
11:27 AM: scott [email protected][2].txt (ID = 3665)
11:27 AM: Found Spy Cookie: abcsearch cookie
11:27 AM: scott eliason@abcsearch[1].txt (ID = 2033)
11:27 AM: Found Spy Cookie: yieldmanager cookie
11:27 AM: scott [email protected][1].txt (ID = 3751)
11:27 AM: Found Spy Cookie: adknowledge cookie
11:27 AM: scott eliason@adknowledge[1].txt (ID = 2072)
11:27 AM: Found Spy Cookie: hbmediapro cookie
11:27 AM: scott [email protected][2].txt (ID = 2768)
11:27 AM: Found Spy Cookie: specificclick.com cookie
11:27 AM: scott [email protected][2].txt (ID = 3400)
11:27 AM: Found Spy Cookie: cc214142 cookie
11:27 AM: scott [email protected][2].txt (ID = 2367)
11:27 AM: Found Spy Cookie: advertising cookie
11:27 AM: scott eliason@advertising[1].txt (ID = 2175)
11:27 AM: Found Spy Cookie: apmebf cookie
11:27 AM: scott eliason@apmebf[1].txt (ID = 2229)
11:28 AM: Found Spy Cookie: atlas dmt cookie
11:28 AM: scott eliason@atdmt[2].txt (ID = 2253)
11:28 AM: scott eliason@atwola[1].txt (ID = 2255)
11:28 AM: Found Spy Cookie: azjmp cookie
11:28 AM: scott eliason@azjmp[2].txt (ID = 2270)
11:28 AM: Found Spy Cookie: bizrate cookie
11:28 AM: scott eliason@bizrate[1].txt (ID = 2308)
11:28 AM: Found Spy Cookie: goclick cookie
11:28 AM: scott [email protected][2].txt (ID = 2733)
11:28 AM: Found Spy Cookie: zedo cookie
11:28 AM: scott [email protected][2].txt (ID = 3763)
11:28 AM: Found Spy Cookie: centrport net cookie
11:28 AM: scott eliason@centrport[1].txt (ID = 2374)
11:28 AM: scott [email protected][1].txt (ID = 2729)
11:28 AM: Found Spy Cookie: exitexchange cookie
11:28 AM: scott eliason@exitexchange[1].txt (ID = 2633)
11:28 AM: Found Spy Cookie: fastclick cookie
11:28 AM: scott eliason@fastclick[1].txt (ID = 2651)
11:28 AM: scott eliason@go[1].txt (ID = 2728)
11:28 AM: Found Spy Cookie: starware.com cookie
11:28 AM: scott [email protected][2].txt (ID = 3442)
11:28 AM: Found Spy Cookie: clickandtrack cookie
11:28 AM: scott [email protected][1].txt (ID = 2397)
11:28 AM: Found Spy Cookie: maxserving cookie
11:28 AM: scott eliason@maxserving[1].txt (ID = 2966)
11:28 AM: Found Spy Cookie: nextag cookie
11:28 AM: scott eliason@nextag[2].txt (ID = 5014)
11:28 AM: Found Spy Cookie: partypoker cookie
11:28 AM: scott eliason@partypoker[1].txt (ID = 3111)
11:28 AM: Found Spy Cookie: overture cookie
11:28 AM: scott [email protected][1].txt (ID = 3106)
11:28 AM: Found Spy Cookie: qksrv cookie
11:28 AM: scott eliason@qksrv[1].txt (ID = 3213)
11:28 AM: Found Spy Cookie: questionmarket cookie
11:28 AM: scott eliason@questionmarket[1].txt (ID = 3217)
11:28 AM: Found Spy Cookie: realmedia cookie
11:28 AM: scott eliason@realmedia[2].txt (ID = 3235)
11:28 AM: Found Spy Cookie: rn11 cookie
11:28 AM: scott eliason@rn11[2].txt (ID = 3261)
11:28 AM: scott [email protected][1].txt (ID = 2729)
11:28 AM: Found Spy Cookie: servedby advertising cookie
11:28 AM: scott [email protected][1].txt (ID = 3335)
11:28 AM: scott [email protected][1].txt (ID = 2729)
11:28 AM: Found Spy Cookie: reliablestats cookie
11:28 AM: scott [email protected][2].txt (ID = 3254)
11:28 AM: Found Spy Cookie: tradedoubler cookie
11:28 AM: scott eliason@tradedoubler[2].txt (ID = 3575)
11:28 AM: Found Spy Cookie: trafficmp cookie
11:28 AM: scott eliason@trafficmp[1].txt (ID = 3581)
11:28 AM: Found Spy Cookie: tribalfusion cookie
11:28 AM: scott eliason@tribalfusion[1].txt (ID = 3589)
11:28 AM: Found Spy Cookie: epilot cookie
11:28 AM: scott [email protected][1].txt (ID = 2622)
11:28 AM: Found Spy Cookie: clickxchange adware cookie
11:28 AM: scott [email protected][1].txt (ID = 2409)
11:28 AM: scott [email protected][1].txt (ID = 3442)
11:28 AM: scott eliason@zedo[1].txt (ID = 3762)
11:28 AM: Cookie Sweep Complete, Elapsed Time: 00:00:26
11:28 AM: Starting File Sweep
11:28 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:28 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:28 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:28 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:28 AM: c:\documents and settings\scott eliason\application data\sbsoft (22 subtraces) (ID = -2147480797)
11:28 AM: c:\program files\quick links (2 subtraces) (ID = -2147478145)
11:28 AM: c:\program files\related sites toolbar (2 subtraces) (ID = -2147475069)
11:28 AM: c:\program files\communicator toolbar (185 subtraces) (ID = -2147480362)
11:28 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:28 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:28 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:28 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:29 AM: Warning: Failed to open file "c:\gsoep\fpluecke.dta". Access is denied
11:29 AM: Warning: Failed to open file "c:\gsoep\jpausl.dta". Access is denied
11:29 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:29 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:29 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:29 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:29 AM: 6pt6tkeg.exe (ID = 157331)
11:30 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:30 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:30 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:30 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:30 AM: Warning: Failed to open file "c:\gsoep\bhgen.dta". Access is denied
11:30 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:30 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:30 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:30 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:30 AM: Warning: Failed to open file "c:\gsoep\apbio.dta". Access is denied
11:30 AM: Warning: Failed to open file "c:\gsoep\hpkalost.dta". Access is denied
11:31 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:31 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:31 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:31 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:31 AM: uninst.exe (ID = 73428)
11:31 AM: fran-hot.exe (ID = 180418)
11:31 AM: uninst.exe (ID = 73428)
11:31 AM: Warning: Failed to open file "c:\gsoep\dpluecke.dta". Access is denied
11:31 AM: hnui.dll (ID = 156955)
11:31 AM: preuninstallcom.exe (ID = 74818)
11:31 AM: Found Adware: isearch toolbar
11:31 AM: cmdinst.exe (ID = 154747)
11:31 AM: guard.tmp (ID = 156955)
11:32 AM: mdident.dll (ID = 156955)
11:32 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:32 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:32 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:32 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:32 AM: cassetup.exe (ID = 133272)
11:32 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:32 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:32 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:32 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:32 AM: vb2.exe (ID = 164842)
11:32 AM: Found Adware: surfsidekick
11:32 AM: bk.exe (ID = 166386)
11:33 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:33 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:33 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:33 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:33 AM: Warning: Failed to open file "c:\gsoep\ghbrutto.dta". Access is denied
11:33 AM: Warning: Failed to open file "c:\gsoep\hbrutt00.dta". Access is denied
11:33 AM: Warning: Failed to open file "c:\gsoep\cirdef.dta". Access is denied
11:33 AM: Found Adware: apropos
11:33 AM: wingenerics.dll (ID = 50187)
11:33 AM: Warning: Failed to open file "c:\gsoep\ipausl.dta". Access is denied
11:33 AM: cas2setup.exe (ID = 162721)
11:33 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:33 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:33 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:33 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:34 AM: Warning: Failed to open file "c:\gsoep\opluecke.dta". Access is denied
11:34 AM: Warning: Failed to open file "c:\gsoep\sozkalen.dta". Access is denied
11:34 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:34 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:34 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:34 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:34 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:34 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:34 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:34 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:35 AM: Warning: Failed to open file "c:\gsoep\pflege.dta". Access is denied
11:35 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:35 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:35 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:35 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:35 AM: Warning: Failed to open file "c:\gsoep\rpluecke.dta". Access is denied
11:35 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:35 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:35 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:35 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:36 AM: Warning: Failed to open file "c:\gsoep\biobirth.dta". Access is denied
11:36 AM: Warning: Failed to open file "c:\gsoep\biomarsm.dta". Access is denied
11:36 AM: Warning: Failed to open file "c:\gsoep\cpluecke.dta". Access is denied
11:36 AM: Warning: Failed to open file "c:\gsoep\ihgen.dta". Access is denied
11:36 AM: Warning: Failed to open file "c:\gsoep\ppequiv.dta". Access is denied
11:36 AM: Warning: Failed to open file "c:\gsoep\lpluecke.dta". Access is denied
11:36 AM: Warning: Failed to open file "c:\gsoep\biomarsy.dta". Access is denied
11:37 AM: Warning: Failed to open file "c:\gsoep\hbrutt84.dta". Access is denied
11:37 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:37 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:37 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:37 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:37 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:37 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:37 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:37 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:37 AM: Warning: Failed to open file "c:\gsoep\rhgen.dta". Access is denied
11:37 AM: Warning: Failed to open file "c:\gsoep\npluecke.dta". Access is denied
11:38 AM: Warning: Failed to open file "c:\gsoep\gpluecke.dta". Access is denied
11:38 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:38 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:38 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:38 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:38 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:38 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:38 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:38 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:39 AM: Warning: Failed to open file "c:\gsoep\ipluecke.dta". Access is denied
11:39 AM: Warning: Failed to open file "c:\gsoep\ohbrutto.dta". Access is denied
11:39 AM: Warning: Failed to open file "c:\gsoep\jpequiv.dta". Access is denied
11:39 AM: Warning: Failed to open file "c:\gsoep\jpluecke.dta". Access is denied
11:39 AM: Warning: Failed to open file "c:\gsoep\ahbrutto.dta". Access is denied
11:39 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:39 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:39 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:39 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:39 AM: Warning: Failed to open file "c:\gsoep\ehgen.dta". Access is denied
11:39 AM: Warning: Failed to open file "c:\gsoep\hbrutt02.dta". Access is denied
11:39 AM: Warning: Failed to open file "c:\gsoep\ohgen.dta". Access is denied
11:39 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:39 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:39 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:39 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:40 AM: Warning: Failed to open file "c:\gsoep\lpausl.dta". Access is denied
11:40 AM: Warning: Failed to open file "c:\gsoep\spbrutto.dta". Access is denied
11:40 AM: Warning: Failed to open file "c:\gsoep\pbiospe.dta". Access is denied
11:40 AM: Warning: Failed to open file "c:\gsoep\shbrutto.dta". Access is denied
11:40 AM: Warning: Failed to open file "c:\gsoep\bioparen.dta". Access is denied
11:40 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:40 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:40 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:40 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:40 AM: Warning: Failed to open file "c:\gsoep\qpluecke.dta". Access is denied
11:40 AM: Warning: Failed to open file "c:\gsoep\gpkalost.dta". Access is denied
11:40 AM: Warning: Failed to open file "c:\gsoep\fpequiv.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\bioyouth.dta". Access is denied
11:41 AM: mediaticketsinstaller.ocx.tcf (ID = 73162)
11:41 AM: Warning: Failed to open file "c:\gsoep\rpbrutto.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\apequiv.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\hpost.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\cpequiv.dta". Access is denied
11:41 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:41 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:41 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:41 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:41 AM: Warning: Failed to open file "c:\gsoep\opbrutto.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\chgen.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\ppbrutto.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\biosoc.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\qpbrutto.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\lpbrutto.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\jpbrutto.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\ypbrutto.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\phgen.dta". Access is denied
11:41 AM: Warning: Failed to open file "c:\gsoep\opequiv.dta". Access is denied
11:41 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:41 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:41 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:41 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:42 AM: Warning: Failed to open file "c:\gsoep\bpausl.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\ipbrutto.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\dhgen.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\hhrf.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\mhbrutto.dta". Access is denied
11:42 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:42 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:42 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:42 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:42 AM: Warning: Failed to open file "c:\gsoep\bpequiv.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\bpbrutto.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\mpequiv.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\hhgen.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\lhbrutto.dta". Access is denied
11:42 AM: Warning: Failed to open file "c:\gsoep\hhbrutto.dta". Access is denied
11:43 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:43 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:43 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:43 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:43 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:43 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:43 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:43 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:43 AM: Found Adware: desktop hijacker
11:43 AM: ssico.ico (ID = 57990)
11:44 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:44 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:44 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:44 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:44 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:44 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:44 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:44 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:44 AM: desktop.html (ID = 57900)
11:44 AM: stb.exe (ID = 94666)
11:44 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || stb (ID = 0)
11:45 AM: Found Trojan Horse: trojan_downloader_favadd
11:45 AM: myin.hta (ID = 81266)
11:45 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:45 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:45 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:45 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:45 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:45 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:45 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:45 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:46 AM: mediaticketsinstaller.inf (ID = 73158)
11:46 AM: fhsjqlvr.exe (ID = 157330)
11:46 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || fhsjqlvr (ID = 0)
11:46 AM: ksdsp.dll (ID = 156955)
11:47 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:47 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:47 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:47 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:47 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:47 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:47 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:47 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:48 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:48 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:48 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:48 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:48 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:48 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:48 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:48 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:49 AM: preuninstallql.exe (ID = 131326)
11:49 AM: nsmb.dll (ID = 180419)
11:49 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:49 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:49 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:49 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:49 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:49 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:49 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:49 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:49 AM: toolbar_installer.exe (ID = 164824)
11:49 AM: ur62l2y07_.exe (ID = 157331)
11:50 AM: Warning: Failed to open file "c:\gsoep\epequiv.dta". Access is denied
11:50 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:50 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:50 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:50 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:50 AM: Found Trojan Horse: trojan-downloader-psyme
11:50 AM: track26[1].chm (ID = 111347)
11:50 AM: pcs_0026[1].exe (ID = 161706)
11:51 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:51 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:51 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:51 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:51 AM: Found Adware: ie driver
11:51 AM: setup1050.exe (ID = 166207)
11:51 AM: qlink32.dll (ID = 73425)
11:52 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:52 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:52 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:52 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:52 AM: fatpickle.exe (ID = 166140)
11:52 AM: pf78.exe (ID = 156523)
11:52 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:52 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:52 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:52 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:53 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:53 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:53 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:53 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:53 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:53 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:53 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:53 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:54 AM: communicator.dll (ID = 131321)
11:54 AM: qldf.bin (ID = 131688)
11:54 AM: atmtd.dll (ID = 166754)
11:54 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:54 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:54 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:54 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:54 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:54 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:54 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:54 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:55 AM: toolbar.exe (ID = 132006)
11:55 AM: derpsetu.dll (ID = 156955)
11:55 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:55 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:55 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:55 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:55 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:55 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:55 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:55 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:56 AM: Warning: Failed to open file "c:\gsoep\epluecke.dta". Access is denied
11:57 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:57 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:57 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:57 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:57 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:57 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:57 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:57 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:57 AM: Warning: Failed to open file "c:\gsoep\fhbrutto.dta". Access is denied
11:57 AM: Warning: Failed to open file "c:\gsoep\hbrutt98.dta". Access is denied
11:58 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:58 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:58 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:58 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:58 AM: Warning: Failed to open file "c:\gsoep\spequiv.dta". Access is denied
11:58 AM: Warning: Failed to open file "c:\gsoep\fhgen.dta". Access is denied
11:58 AM: Warning: Failed to open file "c:\gsoep\bpluecke.dta". Access is denied
11:58 AM: Warning: Failed to open file "c:\gsoep\shgen.dta". Access is denied
11:58 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:58 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:58 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:58 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:59 AM: Warning: Failed to open file "c:\gsoep\ahgen.dta". Access is denied
11:59 AM: Warning: Failed to open file "c:\gsoep\cpbrutto.dta". Access is denied
11:59 AM: Warning: Failed to open file "c:\gsoep\cpausl.dta". Access is denied
11:59 AM: Warning: Failed to open file "c:\gsoep\khgen.dta". Access is denied
11:59 AM: Warning: Failed to open file "c:\gsoep\hpbrutto.dta". Access is denied
11:59 AM: Warning: Failed to open file "c:\gsoep\npbrutto.dta". Access is denied
11:59 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:59 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:59 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:59 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:59 AM: Warning: Failed to open file "c:\gsoep\dpbrutto.dta". Access is denied
11:59 AM: Warning: Failed to open file "c:\gsoep\jhbrutto.dta". Access is denied
11:59 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:59 AM: The Spy Communication shield has blocked access to: www.icannnews.com
11:59 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
11:59 AM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:00 PM: Warning: Failed to open file "c:\gsoep\ghost.dta". Access is denied
12:00 PM: Warning: Failed to open file "c:\gsoep\dpequiv.dta". Access is denied
12:00 PM: Warning: Failed to open file "c:\gsoep\qpequiv.dta". Access is denied
12:00 PM: Warning: Failed to open file "c:\gsoep\epbrutto.dta". Access is denied
12:00 PM: Warning: Failed to open file "c:\gsoep\fpausl.dta". Access is denied
12:00 PM: Warning: Failed to open file "c:\gsoep\lhgen.dta". Access is denied
12:00 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:00 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:00 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:00 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:00 PM: a5b47.tmp (ID = 131317)
12:00 PM: Warning: Failed to open file "c:\gsoep\nhbrutto.dta". Access is denied
12:00 PM: Warning: Failed to open file "c:\gsoep\gpausl.dta". Access is denied
12:00 PM: Warning: Failed to open file "c:\gsoep\rpequiv.dta". Access is denied
12:01 PM: Warning: Failed to open file "c:\gsoep\lpequiv.dta". Access is denied
12:01 PM: Warning: Failed to open file "c:\gsoep\npequiv.dta". Access is denied
12:01 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:01 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:01 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:01 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:01 PM: Warning: Failed to open file "c:\gsoep\rhbrutto.dta". Access is denied
12:01 PM: Warning: Failed to open file "c:\gsoep\hpausl.dta". Access is denied
12:01 PM: Warning: Failed to open file "c:\gsoep\bioimmig.dta". Access is denied
12:01 PM: Warning: Failed to open file "c:\gsoep\gpbrutto.dta". Access is denied
12:01 PM: Warning: Failed to open file "c:\gsoep\kpausl.dta". Access is denied
12:01 PM: Warning: Failed to open file "c:\gsoep\hpfad.dta". Access is denied
12:01 PM: Warning: Failed to open file "c:\gsoep\kpluecke.dta". Access is denied
12:02 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:02 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:02 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:02 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:02 PM: Warning: Failed to open file "c:\gsoep\dhbrutto.dta". Access is denied
12:02 PM: Warning: Failed to open file "c:\gsoep\kpbrutto.dta". Access is denied
12:02 PM: Warning: Failed to open file "c:\gsoep\fpbrutto.dta". Access is denied
12:02 PM: Warning: Failed to open file "c:\gsoep\gpequiv.dta". Access is denied
12:02 PM: Warning: Failed to open file "c:\gsoep\kpequiv.dta". Access is denied
12:02 PM: Warning: Failed to open file "c:\gsoep\ipequiv.dta". Access is denied
12:02 PM: Warning: Failed to open file "c:\gsoep\einkalen.dta". Access is denied
12:02 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:02 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:02 PM: Warning: Failed to open file "c:\gsoep\khbrutto.dta". Access is denied
12:02 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:02 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:02 PM: Warning: Failed to open file "c:\gsoep\artkalen.dta". Access is denied
12:02 PM: atmtd.dll._ (ID = 166754)
12:03 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:03 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:03 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:03 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:03 PM: Warning: Failed to open file "c:\gsoep\ghgen.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\apausl.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\nhgen.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\ap.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\apbrutto.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\hpluecke.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\hpequiv.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\gpost.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\epausl.dta". Access is denied
12:03 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:03 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:03 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:03 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:03 PM: Warning: Failed to open file "c:\gsoep\ppluecke.dta". Access is denied
12:03 PM: Warning: Failed to open file "c:\gsoep\mhgen.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\chbrutto.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\qhbrutto.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\qhgen.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\bhbrutto.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\mpbrutto.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\ehbrutto.dta". Access is denied
12:04 PM: rsini[1].cab (ID = 131317)
12:04 PM: Warning: Failed to open file "c:\gsoep\jhgen.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\ihbrutto.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\mpluecke.dta". Access is denied
12:04 PM: Warning: Failed to open file "c:\gsoep\phbrutto.dta". Access is denied
12:04 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:04 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:04 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:04 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:04 PM: Warning: Failed to open file "c:\gsoep\dpausl.dta". Access is denied
12:05 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:05 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:05 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:05 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:05 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:05 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:05 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:05 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:06 PM: webdlg32.inf (ID = 60327)
12:06 PM: install.inf (ID = 161519)
12:06 PM: fgomcrapqnb4jl.vbs (ID = 185675)
12:06 PM: Found System Monitor: potentially rootkit-masked files
12:06 PM: 00004ae1_435a8de9_00095ac9 (ID = 0)
12:06 PM: 00001e1f_4365a210_000a47d3 (ID = 0)
12:06 PM: 0000491c_4365a0bd_0008a376 (ID = 0)
12:06 PM: 00006b89_4377e9c9_000b746c (ID = 0)
12:06 PM: ptivd_2k.sys (ID = 0)
12:06 PM: 00000029_43657c66_0003b828 (ID = 0)
12:06 PM: 00005af1_4377d74c_0000ff68 (ID = 0)
12:06 PM: 0000390c_435859fc_000da3f3 (ID = 0)
12:06 PM: 0000701f_4365856a_000316c1 (ID = 0)
12:06 PM: 00003b25_4365a1e1_000ebfb9 (ID = 0)
12:06 PM: 00004d06_4365a0c6_000700a9 (ID = 0)
12:06 PM: 00006784_43702440_0008018e (ID = 0)
12:06 PM: 00003b25_4377e9b7_00076453 (ID = 0)
12:06 PM: 00000f3e_4377d76e_0007db68 (ID = 0)
12:06 PM: 00005d03_4377e9a6_000dbdec (ID = 0)
12:06 PM: 00002ea6_4377e8e9_000d1a88 (ID = 0)
12:06 PM: 0000260d_4377e9c9_00011059 (ID = 0)
12:06 PM: eseertrm.exe (ID = 0)
12:06 PM: 00003bf6_4377e9f7_000e9ad6 (ID = 0)
12:06 PM: 000039b3_43585c53_000df759 (ID = 0)
12:06 PM: 00001547_43702ae9_0008f2cc (ID = 0)
12:06 PM: 00000bb3_437024ea_00024471 (ID = 0)
12:06 PM: 00001649_4377d743_000710a6 (ID = 0)
12:06 PM: 000056ae_4377d98e_0003eb0e (ID = 0)
12:06 PM: 00002ea6_437024eb_000ad8b8 (ID = 0)
12:06 PM: powkbdfi.exe (ID = 0)
12:06 PM: sisrtmgr.exe (ID = 0)
12:06 PM: ace.dll (ID = 0)
12:06 PM: 00000029_43659f61_00043374 (ID = 0)
12:06 PM: 00002ea6_4365a049_00018166 (ID = 0)
12:06 PM: 00004db7_4365a0c8_0002c496 (ID = 0)
12:06 PM: 00000ddc_4377ea04_000f0b14 (ID = 0)
12:06 PM: 00001238_4377d974_0008d914 (ID = 0)
12:06 PM: 00000ddc_4377d9c6_000e2a10 (ID = 0)
12:06 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:06 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:06 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:06 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:06 PM: 000026e9_43659fae_0002129c (ID = 0)
12:06 PM: 0000074d_43585ebe_00089e80 (ID = 0)
12:06 PM: 00000902_43585f36_0006d30e (ID = 0)
12:06 PM: 0000440d_43585b5b_0001a401 (ID = 0)
12:06 PM: 0000491c_43585b5b_000a59c6 (ID = 0)
12:06 PM: 00001af4_4358602c_000224f8 (ID = 0)
12:06 PM: 00005f90_4377e8a2_00076af3 (ID = 0)
12:06 PM: 00002350_4365a4b3_000f06dc (ID = 0)
12:06 PM: 0000260d_4377d98c_0002a6db (ID = 0)
12:06 PM: 00007f96_4377d985_000406ab (ID = 0)
12:06 PM: 00001cd0_43585f12_000172fe (ID = 0)
12:06 PM: data.bin (ID = 0)
12:06 PM: 00001238_4365a156_000014d3 (ID = 0)
12:06 PM: 00005f1e_43585ff9_0003ed59 (ID = 0)
12:06 PM: 00003cd6_43585f8b_0009c303 (ID = 0)
12:06 PM: 00006df1_4377d746_0006fa68 (ID = 0)
12:06 PM: 00005af1_437020e4_000f3891 (ID = 0)
12:06 PM: 00005e14_4377d9cf_0007f1b3 (ID = 0)
12:06 PM: 00007ff5_4377d988_0007e983 (ID = 0)
12:06 PM: 00006c69_43585fab_000f33b1 (ID = 0)
12:06 PM: 00007ff5_43585ee7_000936e3 (ID = 0)
12:06 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:06 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:06 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:06 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:06 PM: 000013e9_43585f72_000bcf68 (ID = 0)
12:06 PM: 00001e1f_4377e9b9_00076f93 (ID = 0)
12:06 PM: 00000d66_43585fa1_000c3b4e (ID = 0)
12:06 PM: 000001eb_437024e9_0006ad43 (ID = 0)
12:06 PM: 00007f4f_43585fd2_000078f4 (ID = 0)
12:06 PM: 00000fc9_43585ff0_0001e54c (ID = 0)
12:06 PM: 000001d3_43586036_000e96b8 (ID = 0)
12:06 PM: 000001eb_4377e8e0_0003204e (ID = 0)
12:06 PM: 00000099_4377e8f9_000d4d69 (ID = 0)
12:07 PM: 00006e5d_4377e9b9_000e28cc (ID = 0)
12:07 PM: 00005cfd_4365a4c5_000380d9 (ID = 0)
12:07 PM: 000063cb_4377d983_000337d3 (ID = 0)
12:07 PM: 00000029_4366b55c_000c25f3 (ID = 0)
12:07 PM: 00004db7_43585b60_000b1260 (ID = 0)
12:07 PM: 00007049_43585f43_000e4ac3 (ID = 0)
12:07 PM: 00002d12_4377e99b_0004a329 (ID = 0)
12:07 PM: 00004944_4377d9d0_0007d034 (ID = 0)
12:07 PM: 00005e9d_43585fc1_000b681e (ID = 0)
12:07 PM: 000023c9_43585f7b_000c7763 (ID = 0)
12:07 PM: 0000305e_4377e93f_00075a58 (ID = 0)
12:07 PM: 00000bb3_43657f38_00018d64 (ID = 0)
12:07 PM: 0000153c_4377e8ee_00091673 (ID = 0)
12:07 PM: 00005f90_437024b7_0004f789 (ID = 0)
12:07 PM: 00005f49_4377d9c4_000653c1 (ID = 0)
12:07 PM: 00002ea6_43657f38_00031494 (ID = 0)
12:07 PM: 00004823_43702430_00044af1 (ID = 0)
12:07 PM: 0000759a_43585ef8_0006fd7e (ID = 0)
12:07 PM: 00005f90_4377d73c_0000f3a4 (ID = 0)
12:07 PM: 000001eb_4377d74f_0004bb21 (ID = 0)
12:07 PM: 00000099_4365a08b_00060306 (ID = 0)
12:07 PM: 0000390c_4377e8f3_0005125e (ID = 0)
12:07 PM: 00004823_4366b569_0007b264 (ID = 0)
12:07 PM: 00004e45_436585ac_00085bf9 (ID = 0)
12:07 PM: 000054de_43585b9c_000311a1 (ID = 0)
12:07 PM: 00005af1_4377e8ba_0003d1be (ID = 0)
12:07 PM: 0000074d_4365a13f_000e8d16 (ID = 0)
12:07 PM: 00004cad_4377ea05_00015004 (ID = 0)
12:07 PM: 00000120_4377e9cd_0005e388 (ID = 0)
12:07 PM: 00002350_4377e9d3_000ce5a0 (ID = 0)
12:07 PM: 00006443_4377e99e_0008d43e (ID = 0)
12:07 PM: 00003a9e_4377e9f9_00044203 (ID = 0)
12:07 PM: 000039b3_4377e99a_000eb360 (ID = 0)
12:07 PM: 00006b36_4377e9e7_000e19b8 (ID = 0)
12:07 PM: 00007ff5_4377e9c5_0002f664 (ID = 0)
12:07 PM: 00005cfd_4377e9e9_000520f6 (ID = 0)
12:07 PM: 00004dc8_4365a140_000eb9d4 (ID = 0)
12:07 PM: 00001649_43657d12_000deaa4 (ID = 0)
12:07 PM: 00002cd6_4377e89a_0001bdac (ID = 0)
12:07 PM: 0000074d_4377e99b_0008c35e (ID = 0)
12:07 PM: 00006e5d_4365a211_00028264 (ID = 0)
12:07 PM: 000026e9_43657f2c_0003bbcb (ID = 0)
12:07 PM: 00001ad4_4365a211_000daa10 (ID = 0)
12:07 PM: 00006443_4365a146_0002a214 (ID = 0)
12:07 PM: 000018be_4366b583_000eafa1 (ID = 0)
12:07 PM: 00005af1_43659fa5_000c1cf1 (ID = 0)
12:07 PM: 00001547_4365a0c9_0005d896 (ID = 0)
12:07 PM: 0000390c_43657f3a_00060716 (ID = 0)
12:07 PM: 00006784_435a8ba2_000232ce (ID = 0)
12:07 PM: 00004d06_43657f55_000c465b (ID = 0)
12:07 PM: 0000153c_435857a1_0004d284 (ID = 0)
12:07 PM: 00000124_4365a0a6_0002f00c (ID = 0)
12:07 PM: 00004db7_43657f56_0000fd31 (ID = 0)
12:07 PM: 00006952_43659f86_00006e04 (ID = 0)
12:07 PM: 0000260d_4365a32f_0004f92c (ID = 0)
12:07 PM: 00001649_43659f8a_000a733c (ID = 0)
12:07 PM: 000041bb_43657e17_000177a3 (ID = 0)
12:07 PM: 00006784_435aa5a0_00059541 (ID = 0)
12:07 PM: 00003e12_4377e9e9_000a7a1e (ID = 0)
12:07 PM: 00000975_43586aa1_0003f7cc (ID = 0)
12:07 PM: 0000759a_4377d996_000922f9 (ID = 0)
12:07 PM: 00000029_437020c7_000f0acc (ID = 0)
12:07 PM: 0000701f_4377d972_000262d8 (ID = 0)
12:07 PM: 000011f4_4358600a_000697c1 (ID = 0)
12:07 PM: 000063cb_43658597_0006378b (ID = 0)
12:07 PM: 0000030a_4365a41d_00099773 (ID = 0)
12:07 PM: 00004dc8_4377d966_00021f58 (ID = 0)
12:07 PM: 00000732_43658ccb_00083a1e (ID = 0)
12:07 PM: 00000bdb_436587fb_00085b41 (ID = 0)
12:07 PM: 0000440d_4377d77b_0000ced4 (ID = 0)
12:07 PM: 0000260d_436585fd_0004f190 (ID = 0)
12:07 PM: 00003d6c_43657cb2_000563a8 (ID = 0)
12:07 PM: 00002cd6_43657cf8_000390cb (ID = 0)
12:07 PM: 00006952_43657cfd_000cff29 (ID = 0)
12:07 PM: 00002d12_4365831e_00094519 (ID = 0)
12:07 PM: 00007a5a_43658582_00023db0 (ID = 0)
12:07 PM: 00001238_4365858a_000ea430 (ID = 0)
12:07 PM: 0000323b_436585ca_00072f4c (ID = 0)
12:07 PM: 00004dc8_4365840d_000a6544 (ID = 0)
12:07 PM: 00000120_43658cd5_000d7d49 (ID = 0)
12:07 PM: 000022ee_4377d9aa_00001a1c (ID = 0)
12:07 PM: 0000153c_4365a05a_000b3344 (ID = 0)
12:07 PM: 0000440d_4365a0a8_000d5f60 (ID = 0)
12:07 PM: 00004e45_4377d988_000a8288 (ID = 0)
12:07 PM: 00007f96_43658599_0001ad3b (ID = 0)
12:07 PM: 000066bb_4377d96e_000adafe (ID = 0)
12:07 PM: 000001eb_43657f30_00027239 (ID = 0)
12:07 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:07 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:07 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:07 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:07 PM: 00005f90_43657d08_00012aa8 (ID = 0)
12:07 PM: 000072ae_4377e89a_00058fa4 (ID = 0)
12:07 PM: 00004dc8_4377e99c_0001e8a6 (ID = 0)
12:07 PM: 00004823_437020c8_0007bab9 (ID = 0)
12:07 PM: 00006443_4377d969_000f0631 (ID = 0)
12:07 PM: 0000366b_4377d9d5_0007c536 (ID = 0)
12:07 PM: 00007f96_4365a26c_000cc2ae (ID = 0)
12:07 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:07 PM: The Spy Communication shield has blocked access to: www.icannnews.com
12:07 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:07 PM: The Spy Communication shield has blocked access to: www.licenseverify.com
12:07 PM: 0000314f_4377ea05_000a5406 (ID = 0)
12:08 PM: 00002cd6_4359a880_000c1893 (ID = 0)
12:08 PM: 0000139d_43585f43_0006f510 (ID = 0)
12:08 PM: 00006be8_43585fd6_000ca1d6 (ID = 0)
12:08 PM: 000022ee_4377e9d4_000c75e4 (ID = 0)
12:08 PM: 0000261e_43585fbc_000ecfb9 (ID = 0)
12:08 PM: 00004dc8_43585eca_0003d714 (ID = 0)
12:08 PM: 00002833_43585ffc_000cdb1c (ID = 0)
12:08 PM: 0000127e_4358601b_000a2ce0 (ID = 0)
12:08 PM: 00007b44_435872a0_000873b4 (ID = 0)
12:08 PM: 00006e5d_43658591_0002b92e (ID = 0)
12:08 PM: 00004db7_4377e996_000af206 (ID = 0)
12:08 PM: 00005e14_4377ea07_000d4688 (ID = 0)
12:08 PM: 00007e87_4370258a_0007c4fc (ID = 0)
12:08 PM: 000018be_437020c9_00006aa6 (ID = 0)
12:08 PM: 0000030a_4377d98d_0000aff0 (ID = 0)
12:08 PM: 00002213_4377d98b_000edabb (ID = 0)
12:08 PM: 0000458f_43586849_000637cb (ID = 0)
12:08 PM: 000041bb_4377e8d9_000f0b50 (ID = 0)
12:08 PM: 00001547_4377d795_0003abdc (ID = 0)
12:08 PM: 00003d6c_4377d735_0006256c (ID = 0)
12:08 PM: 00002350_4377d99e_000d21f1 (ID = 0)
12:08 PM: 00005cfd_4377d9af_00091320 (ID = 0)
12:08 PM: 000041bb_437020ec_000b6c7b (ID = 0)
12:08 PM: 000066c4_4377d9d6_00009c41 (ID = 0)
12:08 PM: 0000440d_43702aaf_00051388 (ID = 0)
12:08 PM: 000066bb_43658411_00045f04 (ID = 0)
12:08 PM: 00005af1_437024dd_0007a2b6 (ID = 0)
12:08 PM: 0000153c_4377d757_0004c103 (ID = 0)
12:08 PM: 00003a9e_4377d9ba_00075474 (ID = 0)
12:08 PM: 00000bb3_4377e8e6_000081eb (ID = 0)
12:08