New Browser Windows w/ Ads Popups [RESOLVED]



#1 arepark (New Member, 9 posts)
I have read this message board in the past, followed directions given, and solved several problems. This time, however, I have gotten myself in deep. If my machine is connected to the internet, they pop up. When I close IE, at least three pop up. I read your start here page and did it twice. The first time, I had my machine connected to do all of the updates. The second time, I did not. I followed this order:

Clean-Up
Ad-Aware
CW Schredder
Spy-Bot
Ewido
Trend Housecall
Trojan Hunter

I did not run Trend Housecall the second time around.
Below are the reports from the last runs of SpyBot and both runs of Ewido.
A curious note about the SpyBot results: both runs said it found 5 items from 'Desktop.ActiveDesktop'.
It stated that the five items were fixed each time, but it seems to always be there.

My machine is a 2.4 GHz P4, 256M RAM running Windows 2000 Professional.

Thanks in advance to anyone who can give me a hand.

Repetitively Popped. :tazz:

Spybot Report

Desktop.ActiveDesktop: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1214440339-879983540-682003330-1017\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper!=0

Desktop.ActiveDesktop: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1214440339-879983540-682003330-1017\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=1

Desktop.ActiveDesktop: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1214440339-879983540-682003330-1017\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoEditingComponents!=0

Desktop.ActiveDesktop: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1214440339-879983540-682003330-1017\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoDeletingComponents!=0

Desktop.ActiveDesktop: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1214440339-879983540-682003330-1017\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoComponents!=0


--- Spybot - Search && Destroy version: 1.3 ---
2005-11-11 Includes\Cookies.sbi
2005-11-11 Includes\Dialer.sbi
2005-11-11 Includes\Hijackers.sbi
2005-11-11 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-11-11 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2005-11-11 Includes\PUPS.sbi
2003-11-12 Includes\QA Tests.sbi
2005-11-11 Includes\Revision.sbi
2005-11-11 Includes\Security.sbi
2005-11-11 Includes\Spybots.sbi
2003-11-21 Includes\Temporary.sbi
2005-02-17 Includes\Tracks.uti
2005-11-11 Includes\Trojans.sbi

Ewido report – run 1
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:00:31 PM, 11/15/2005
+ Report-Checksum: 856E27DD

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/PdpPlugin5094.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/PdpPlugin5094.dll\\{C7B05B62-C8D7-438C-840B-4994DAAA8EEE} -> Spyware.Gator : Cleaned with backup
[1076] C:\WINNT\system32\iVsrecst.dll -> Spyware.Look2Me : Error during cleaning
[1452] C:\WINNT\system32\iVsrecst.dll -> Spyware.Look2Me : Error during cleaning
C:\contextplus.exe -> Trojan.Crypt.t : Cleaned with backup
C:\Documents and Settings\me\Cookies\me@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\drsmartload1.exe -> Spyware.SmartLoad : Cleaned with backup
C:\installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\mte3ndi6odoxng.exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> TrojanSpy.Small.dg : Cleaned with backup
C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll -> Dialer.Generic : Cleaned with backup
C:\WINNT\ccc.exe -> TrojanDownloader.MlFree : Cleaned with backup
C:\WINNT\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINNT\kl.exe -> TrojanSpy.Small.dg : Cleaned with backup
C:\WINNT\system32\dbintf.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\i4nm0e51eh.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\ktr2l79o1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\lvjm0911e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mkmlkgno.exe -> TrojanDropper.Small.afo : Cleaned with backup
C:\WINNT\system32\mxcories.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\paytime.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\rofsaps.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\RZABASE.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.w : Cleaned with backup
C:\WINNT\tool3.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\WINNT\ttil_sbc.exe -> Adware.eZula : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.w : Cleaned with backup
D:\pool.buddy.yahoo.3.2.loader-tsrh.exe/run.exe -> TrojanDownloader.Small.bfy : Cleaned with backup
D:\run.exe -> TrojanDownloader.Small.bfy : Cleaned with backup


::Report End

Ewido report – run 2

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:41:14 PM, 11/16/2005
+ Report-Checksum: 6C9A1E15

+ Scan result:

[1188] C:\WINNT\system32\wwweb.dll -> Spyware.Look2Me : Error during cleaning
[1216] C:\WINNT\system32\wwweb.dll -> Spyware.Look2Me : Error during cleaning
C:\WINNT\system32\fpnm0351e.dll -> Spyware.Look2Me : Cleaned with backup


::Report End

Hijack report

Logfile of HijackThis v1.99.1
Scan saved at 4:42:53 PM, on 11/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\oodag.exe
C:\Program Files\R-Undelete20\rloginsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
D:\ToolBox\Reg-Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aiu...ferer=&logout=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: NetCache - C:\WINNT\system32\dnnq0155e.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: R-Studio Login Server - Unknown owner - C:\Program Files\R-Undelete20\rloginsrv.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)


#2 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, arepark.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


#3 arepark (Topic Starter, New Member, 9 posts)
I installed L2MFix as directed. No errors. Results are below. How did you determine that I had VX2?

Thanks for your help...

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\dnnq0155e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"DllName"="PCANotify.dll"
"Startup"="WLEventStartup"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9C71FCC6-EFA9-14F3-B9A9-CF11E4B4FA2D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{8f7261d0-d2b9-11d2-9909-00605205b24c}"="CuteFTP Shell Extension"
"{1CAA843A-6DBD-40EF-AB71-8F7B209997C0}"="IntelliType Pro Key Settings Control Panel Property Page"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extention"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5E7D9611-0A92-11D6-BCC6-C117EB0C4E52}"="RStudio Menu Handler"
"{3C7BE262-0E51-11D6-BCC6-A29C3C5B2152}"="R-Undelete"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{0FBEE6A8-52E6-4589-8188-8E60F8007573}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0FBEE6A8-52E6-4589-8188-8E60F8007573}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FBEE6A8-52E6-4589-8188-8E60F8007573}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FBEE6A8-52E6-4589-8188-8E60F8007573}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FBEE6A8-52E6-4589-8188-8E60F8007573}\InprocServer32]
@="C:\\WINNT\\system32\\vqXMLRPC.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
atmtd.dll Fri Nov 11 2005 10:17:54p A.... 687,592 671.48 K
catsrv.dll Mon Sep 5 2005 3:18:46a A.... 165,648 161.77 K
catsrvut.dll Mon Sep 5 2005 3:18:46a A.... 595,728 581.77 K
cdosys.dll Tue Aug 30 2005 4:29:42a A.... 2,532,112 2.41 M
clbcatex.dll Mon Sep 5 2005 3:18:46a A.... 97,040 94.77 K
clbcatq.dll Mon Sep 5 2005 3:18:46a A.... 551,184 538.27 K
colbact.dll Mon Sep 5 2005 3:18:46a A.... 41,744 40.77 K
comrepl.dll Mon Sep 5 2005 3:18:46a A.... 97,552 95.27 K
comsvcs.dll Mon Sep 5 2005 3:18:48a A.... 1,471,248 1.40 M
comuid.dll Mon Sep 5 2005 3:18:48a A.... 625,936 611.27 K
danim.dll Fri Sep 2 2005 10:06:58a A.... 986,112 963.00 K
dnnq01~1.dll Wed Nov 16 2005 1:49:34p ..S.R 235,464 229.95 K
dxtrans.dll Fri Sep 2 2005 3:35:16p A.... 192,000 187.50 K
es.dll Mon Sep 5 2005 3:18:46a A.... 242,448 236.77 K
gdi32.dll Fri Oct 7 2005 1:19:38a A.... 233,744 228.27 K
linkinfo.dll Fri Sep 23 2005 6:03:26a A.... 17,680 17.27 K
m6nqlg~1.dll Wed Nov 16 2005 4:35:00p ..S.R 237,020 231.46 K
msdtclog.dll Mon Sep 5 2005 3:18:48a A.... 96,016 93.77 K
msdtcprx.dll Mon Sep 5 2005 3:18:48a A.... 726,288 709.27 K
msdtctm.dll Mon Sep 5 2005 3:18:48a A.... 1,200,400 1.14 M
msdtcui.dll Mon Sep 5 2005 3:18:48a A.... 153,872 150.27 K
mshtml.dll Tue Oct 4 2005 11:19:14a A.... 2,700,288 2.57 M
mstime.dll Fri Sep 2 2005 3:35:12p A.... 496,128 484.50 K
mtxclu.dll Mon Sep 5 2005 3:18:48a A.... 52,496 51.27 K
mtxdm.dll Mon Sep 5 2005 3:18:48a A.... 26,896 26.27 K
mtxlegih.dll Mon Sep 5 2005 3:18:50a A.... 35,600 34.77 K
mtxoci.dll Mon Sep 5 2005 3:18:50a A.... 122,640 119.77 K
nwwks.dll Mon Aug 22 2005 4:20:40a A.... 61,200 59.77 K
ole32.dll Mon Sep 5 2005 3:18:46a A.... 957,712 935.27 K
olecli32.dll Mon Sep 5 2005 3:18:46a A.... 69,392 67.77 K
olecnv32.dll Mon Sep 5 2005 3:18:46a A.... 36,624 35.77 K
quartz.dll Tue Aug 30 2005 8:14:00a A.... 1,227,776 1.17 M
rpcss.dll Mon Sep 5 2005 3:18:46a A.... 212,240 207.27 K
sengwi~1.dll Sat Sep 17 2005 10:23:58a A.... 24,575 23.99 K
shell32.dll Fri Sep 23 2005 6:03:26a A.... 2,360,592 2.25 M
shlwapi.dll Wed Aug 31 2005 5:49:30p A.... 409,088 399.50 K
spmsg.dll Mon Oct 10 2005 12:31:28a ..... 13,536 13.22 K
stclient.dll Mon Sep 5 2005 3:18:50a A.... 71,440 69.77 K
txfaux.dll Mon Sep 5 2005 3:18:46a A.... 398,608 389.27 K
umpnpmgr.dll Fri Sep 2 2005 4:24:06a A.... 94,480 92.27 K
urlmon.dll Fri Sep 2 2005 2:19:16p A.... 457,216 446.50 K
vqxmlrpc.dll Wed Nov 16 2005 4:35:02p ..S.R 235,464 229.95 K
webvw.dll Fri Sep 23 2005 6:03:26a A.... 1,120,016 1.07 M
winsrv.dll Fri Sep 23 2005 6:03:26a A.... 245,008 239.27 K
xolehlp.dll Mon Sep 5 2005 3:18:50a A.... 19,216 18.77 K

45 items found: 45 files (3 H/S), 0 directories.
Total of file sizes: 22,635,059 bytes 21.59 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8C05-C945

Directory of C:\WINNT\System32

11/16/2005 04:35p 235,464 vqXMLRPC.dll
11/16/2005 04:34p 237,020 m6nqlg5516.dll
11/16/2005 01:49p 235,464 dnnq0155e.dll
11/09/2005 08:56a <DIR> dllcache
11/13/2003 09:21p 0 insqcb.ins
09/19/2001 10:43p 244,232 Msflxgrd.ocx
04/05/2001 12:43p 94,208 msstkprp.dll
6 File(s) 1,046,388 bytes
1 Dir(s) 11,779,608,576 bytes free

#4
OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, arepark.

How did you determine that I had VX2?

Among other things, this was the main thing that gave it away.
O20 - Winlogon Notify: NetCache - C:\WINNT\system32\dnnq0155e.dll

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also, post back a fresh Hijackthis log please.
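As an added example (not code from the thread or either poster), a small Python triage helper that applies the three tells visible in this thread to the logs the user posted: the `..S.R` attribute field on files in the system32 listing, the same byte size turning up under two different names, and a Winlogon Notify (O20) handler that resolves to one of those files. The sample lines, the `crypt32chain` handler and the `triage`/`short_name` helpers are constructed for this example, and the 8.3 short-name mapping is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the HijackThis O20 line and the system32
# listing quoted in this thread; it is not the thread's full output.
HJT_LINES = [
    "O20 - Winlogon Notify: NetCache - C:\\WINNT\\system32\\dnnq0155e.dll",
    "O20 - Winlogon Notify: crypt32chain - crypt32.dll",  # stock Windows handler
]
LISTING_LINES = [
    "dnnq01~1.dll Wed Nov 16 2005 1:49:34p ..S.R 235,464 229.95 K",
    "vqxmlrpc.dll Wed Nov 16 2005 4:35:02p ..S.R 235,464 229.95 K",
    "shell32.dll Fri Sep 23 2005 6:03:26a A.... 2,360,592 2.25 M",
    "gdi32.dll Fri Oct 7 2005 1:19:38a A.... 233,744 228.27 K",
]

# <name> <weekday> <month> <day> <year> <time>[a|p] <5-char attrs> <bytes> <human size>
LISTING_RE = re.compile(
    r"^(?P<name>\S+)\s+[A-Za-z]{3}\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+[\d:]+[ap]\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\b"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify:\s*(?P<key>.+?)\s+-\s+(?P<path>.+)$")


def parse_listing(lines):
    """Map lower-cased file name -> {'attrs', 'size'} for each listing line."""
    entries = {}
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if m:
            entries[m["name"].lower()] = {
                "attrs": m["attrs"],
                "size": int(m["size"].replace(",", "")),
            }
    return entries


def short_name(filename):
    """Heuristic 8.3 form of a long file name: first six stem characters plus '~1'.
    Windows may assign ~2, ~3, ... on collision, so treat a miss as 'unknown', not 'clean'."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    if len(stem) <= 8 and len(ext) <= 3:
        return name
    return f"{stem[:6]}~1" + (f".{ext[:3]}" if ext else "")


def triage(hjt_lines, listing_lines):
    """Return (suspicious_files, notify_handlers).

    suspicious_files: {name: [reasons]} for listing entries that look planted.
    notify_handlers:  {key: {'dll', 'listed_as', 'suspicious'}} per O20 line."""
    listing = parse_listing(listing_lines)
    suspicious = defaultdict(list)

    # Heuristic 1: System/Read-only attributes on a DLL in system32. Every stock
    # Windows file in the thread's listing shows 'A....'; the VX2 drops show '..S.R'.
    for name, info in listing.items():
        if "S" in info["attrs"] or "R" in info["attrs"]:
            suspicious[name].append(f"attributes {info['attrs']}")

    # Heuristic 2: identical byte sizes under different names, i.e. one payload
    # dropped several times (235,464 bytes appears twice in the thread's listing).
    by_size = defaultdict(list)
    for name, info in listing.items():
        by_size[info["size"]].append(name)
    for size, names in by_size.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(sorted(n for n in names if n != name))
                suspicious[name].append(f"size {size} also used by {others}")

    # Heuristic 3: map each Winlogon Notify handler back to the listing. Notify
    # DLLs load inside winlogon.exe at logon, which is why this entry was decisive.
    handlers = {}
    for line in hjt_lines:
        m = O20_RE.match(line.strip())
        if not m:
            continue
        dll = m["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        listed_as = next((n for n in (dll, short_name(dll)) if n in listing), None)
        handlers[m["key"]] = {
            "dll": dll,
            "listed_as": listed_as,
            "suspicious": listed_as is not None and listed_as in suspicious,
        }
    return dict(suspicious), handlers


if __name__ == "__main__":
    files, handlers = triage(HJT_LINES, LISTING_LINES)
    for name, reasons in sorted(files.items()):
        print(f"{name}: " + "; ".join(reasons))
    for key, h in handlers.items():
        print(f"Winlogon Notify '{key}' -> {h['dll']} "
              f"(listed as {h['listed_as']}, suspicious={h['suspicious']})")
```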

#5
arepark (New Member, Topic Starter, Member, 9 posts)
I downloaded and installed Spy Sweeper. I updated and ran it. It finished its scan, said at the bottom that it had found 16 items and some other things, then froze up. I ended up restarting the computer and I got a Windows screen of the same type that I get when it does a checkdisk, only it appeared to be deleting things. I restarted Spy Sweeper and retrieved the logs. Then I ran HijackThis and that log is also attached.

Ron

********
7:56 AM: | Start of Session, Friday, November 18, 2005 |
7:56 AM: Spy Sweeper started
7:56 AM: Sweep initiated using definitions version 556
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: Starting Memory Sweep
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: Found Adware: icannnews
7:57 AM: Detected running threat: C:\WINNT\system32\dnnq0155e.dll (ID = 83)
7:59 AM: Detected running threat: C:\WINNT\system32\vqXMLRPC.dll (ID = 83)
7:59 AM: Memory Sweep Complete, Elapsed Time: 00:03:01
8:00 AM: Starting Registry Sweep
8:00 AM: Found Adware: safesurf
8:00 AM: HKLM\software\microsoft\windows\currentversion\app paths\sshelp.dll\ (2 subtraces) (ID = 140388)
8:00 AM: Found Adware: scbar
8:00 AM: HKLM\software\microsoft\windows\currentversion\uninstall\data compiler\ (1 subtraces) (ID = 140509)
8:00 AM: HKLM\software\microsoft\windows\currentversion\uninstall\indexing function\ (1 subtraces) (ID = 140510)
8:01 AM: Found Adware: win favorites
8:01 AM: HKLM\software\microsoft\windows\currentversion\uninstall\win favorites\ (1 subtraces) (ID = 146981)
8:01 AM: Found Adware: zenosearchassistant
8:01 AM: HKLM\software\microsoft\windows\currentversion\uninstall\zeno search assistant\ (2 subtraces) (ID = 147935)
8:01 AM: Found Trojan Horse: trojan - zerotollerance
8:01 AM: HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (ID = 608255)
8:01 AM: HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (ID = 609144)
8:01 AM: Found Adware: mediacharger
8:01 AM: HKU\WRSS_Profile_S-1-5-21-1214440339-879983540-682003330-500\software\mediacharger\ (3 subtraces) (ID = 134901)
8:01 AM: Found Adware: cram toolbar
8:01 AM: HKU\S-1-5-21-1214440339-879983540-682003330-1017\software\microsoft\internet explorer\toolbar\webbrowser\ || {01e69986-a054-4c52-abe8-ef63df1c5211} (ID = 826757)
8:01 AM: Registry Sweep Complete, Elapsed Time:00:01:17
8:01 AM: Starting Cookie Sweep
8:01 AM: Found Spy Cookie: yieldmanager cookie
8:01 AM: me@ad.yieldmanager[2].txt (ID = 3751)
8:01 AM: Found Spy Cookie: hbmediapro cookie
8:01 AM: me@adopt.hbmediapro[2].txt (ID = 2768)
8:01 AM: Found Spy Cookie: realmedia cookie
8:01 AM: me@realmedia[1].txt (ID = 3235)
8:01 AM: Cookie Sweep Complete, Elapsed Time: 00:00:05
8:01 AM: Starting File Sweep
8:01 AM: Found Adware: squire webhelper
8:01 AM: c:\program files\common files\sq (1 subtraces) (ID = -2147480239)
8:10 AM: Found Adware: commonname
8:10 AM: cnbabeie.exe (ID = 53748)
8:12 AM: ssurf022.dll (ID = 74301)
8:22 AM: Found Adware: apropos
8:22 AM: wingenerics.dll (ID = 50187)
8:22 AM: winnet.ini (ID = 53846)
8:25 AM: Found Trojan Horse: downloadul
8:25 AM: rpuxgbdz.inf (ID = 59264)
8:25 AM: Warning: Failed to access drive D:
8:25 AM: Warning: Failed to access drive D:
8:25 AM: Found System Monitor: potentially rootkit-masked files
8:26 AM: pcipu401.sys (ID = 0)
8:27 AM: dns (ID = 0)
8:27 AM: index (ID = 0)
8:27 AM: ipmagent.exe (ID = 0)
8:28 AM: jetwrite.exe (ID = 0)
8:28 AM: data.bin (ID = 0)
8:28 AM: ace.dll (ID = 0)
8:28 AM: quadmime.exe (ID = 0)
8:28 AM: ai_12-11-2005.log (ID = 0)
8:28 AM: ai_18-11-2005.log (ID = 0)
8:28 AM: ai_13-11-2005.log (ID = 0)
8:28 AM: ai_17-11-2005.log (ID = 0)
8:28 AM: ai_16-11-2005.log (ID = 0)
8:29 AM: ai_14-11-2005.log (ID = 0)
8:29 AM: ai_15-11-2005.log (ID = 0)
8:30 AM: File Sweep Complete, Elapsed Time: 00:28:40
8:30 AM: Full Sweep has completed. Elapsed time 00:33:05
8:30 AM: Traces Found: 416
12:09 PM: Removal process initiated
12:09 PM: Quarantining All Traces: potentially rootkit-masked files
12:23 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
12:23 PM: pcipu401.sys is in use. It will be removed on reboot.
12:23 PM: 000063cb_4376bcad_00089544 is in use. It will be removed on reboot.
12:23 PM: 00000384_43768d49_00094c5f is in use. It will be removed on reboot.
12:23 PM: 00004dc8_4375f162_0004c4b4 is in use. It will be removed on reboot.
12:23 PM: 00006443_4375f164_0003d090 is in use. It will be removed on reboot.
12:23 PM: 000066bb_4375f165_000e4e1c is in use. It will be removed on reboot.
12:23 PM: 0000428b_4375f183_00094c5f is in use. It will be removed on reboot.
12:23 PM: 000018d7_43768f8e_0003567e is in use. It will be removed on reboot.
12:23 PM: 00006747_4376a85b_000dd40a is in use. It will be removed on reboot.
12:23 PM: 00007346_4376a860_00003d09 is in use. It will be removed on reboot.
12:23 PM: 00001289_4376a860_00098968 is in use. It will be removed on reboot.
12:23 PM: 00003382_4376a864_000dd40a is in use. It will be removed on reboot.
12:23 PM: 00000ecc_43769117_000cdfe6 is in use. It will be removed on reboot.
12:23 PM: 00000878_4376a867_0002625a is in use. It will be removed on reboot.
12:23 PM: 00004402_43768e69_0008d24d is in use. It will be removed on reboot.
12:23 PM: 00003f4a_4376a750_0008583b is in use. It will be removed on reboot.
12:23 PM: 00006be8_43768fa0_00040d99 is in use. It will be removed on reboot.
12:23 PM: 00000a28_4376a77c_000dd40a is in use. It will be removed on reboot.
12:23 PM: 00005064_4376a631_0009c671 is in use. It will be removed on reboot.
12:23 PM: 000009ce_4376a77d_000501bd is in use. It will be removed on reboot.
12:23 PM: 00004ae1_4376b89e_00039387 is in use. It will be removed on reboot.
12:23 PM: 0000701f_4375f187_000cdfe6 is in use. It will be removed on reboot.
12:23 PM: 000071f0_43768c1c_0009c671 is in use. It will be removed on reboot.
12:23 PM: 00004963_4376a868_00053ec6 is in use. It will be removed on reboot.
12:23 PM: 00003d6c_4376b89e_000b34a7 is in use. It will be removed on reboot.
12:23 PM: 00001cdf_4376a868_000b71b0 is in use. It will be removed on reboot.
12:23 PM: 00005039_43768fa2_0004c4b4 is in use. It will be removed on reboot.
12:23 PM: 0000153c_4376b8bb_00098968 is in use. It will be removed on reboot.
12:23 PM: 00002cd6_4376b89e_000ca2dd is in use. It will be removed on reboot.
12:23 PM: 00007e87_4375ec18_00003d09 is in use. It will be removed on reboot.
12:23 PM: 00000099_4375ec18_0003d090 is in use. It will be removed on reboot.
12:23 PM: 0000542c_43768fa2_000a4083 is in use. It will be removed on reboot.
12:23 PM: 00006bcb_43769052_000a7d8c is in use. It will be removed on reboot.
12:23 PM: 000039b3_4375f14e_0002625a is in use. It will be removed on reboot.
12:23 PM: 00005ed0_4376a751_0007de29 is in use. It will be removed on reboot.
12:23 PM: 00007e87_4376b8bc_000501bd is in use. It will be removed on reboot.
12:23 PM: 00000f3e_4376b8bc_000c65d4 is in use. It will be removed on reboot.
12:23 PM: 00006b89_4376beaf_000cdfe6 is in use. It will be removed on reboot.
12:23 PM: 000072ae_4376b89e_000dd40a is in use. It will be removed on reboot.
12:23 PM: 00006952_4376b89e_000f0537 is in use. It will be removed on reboot.
12:23 PM: 00005f90_4376b8a3_0001ab3f is in use. It will be removed on reboot.
12:23 PM: 00001649_4376b8a3_0002dc6c is in use. It will be removed on reboot.
12:23 PM: 0000520b_4376a77d_0007a120 is in use. It will be removed on reboot.
12:23 PM: 0000074d_437561b0_000b71b0 is in use. It will be removed on reboot.
12:23 PM: 00000d6a_4376a820_0007a120 is in use. It will be removed on reboot.
12:23 PM: 00006df1_4376b8a5_00089544 is in use. It will be removed on reboot.
12:23 PM: 00000fc9_43769055_00029f63 is in use. It will be removed on reboot.
12:23 PM: 00000e12_43769055_0007a120 is in use. It will be removed on reboot.
12:23 PM: 00005af1_4376b8a5_000d59f8 is in use. It will be removed on reboot.
12:23 PM: 00005f1e_43769055_000baeb9 is in use. It will be removed on reboot.
12:23 PM: 000041bb_4376b8a8_0007de29 is in use. It will be removed on reboot.
12:23 PM: 000039b3_4376babd_00040d99 is in use. It will be removed on reboot.
12:23 PM: 00002833_4376905b_00076417 is in use. It will be removed on reboot.
12:23 PM: 00007874_4376905b_000e1113 is in use. It will be removed on reboot.
12:23 PM: 000001eb_4376b8ae_0007de29 is in use. It will be removed on reboot.
12:23 PM: 0000249e_4376905c_0007270e is in use. It will be removed on reboot.
12:23 PM: 000011f4_4376905c_000b34a7 is in use. It will be removed on reboot.
12:23 PM: 00005dd5_4376905d_00053ec6 is in use. It will be removed on reboot.
12:23 PM: 00005d03_4376bb7d_0003567e is in use. It will be removed on reboot.
12:23 PM: 00003bb1_4376a732_0001312d is in use. It will be removed on reboot.
12:23 PM: 00006ad4_4376905d_0008583b is in use. It will be removed on reboot.
12:23 PM: 0000293b_4376a81e_0000b71b is in use. It will be removed on reboot.
12:23 PM: 00000099_4376b8c1_00057bcf is in use. It will be removed on reboot.
12:23 PM: 00004cd4_43769061_000ec82e is in use. It will be removed on reboot.
12:23 PM: 00005fa4_43769062_00040d99 is in use. It will be removed on reboot.
12:23 PM: 00000bb3_4376b8b4_000d1cef is in use. It will be removed on reboot.
12:23 PM: 00000124_4376b8c1_000a037a is in use. It will be removed on reboot.
12:23 PM: 00002059_43769062_0008d24d is in use. It will be removed on reboot.
12:23 PM: 00000035_43769066_0005f5e1 is in use. It will be removed on reboot.
12:23 PM: 00006732_43769098_000ca2dd is in use. It will be removed on reboot.
12:23 PM: 000046cf_43769143_00098968 is in use. It will be removed on reboot.
12:23 PM: 00003bf6_4376718f_0006ea05 is in use. It will be removed on reboot.
12:23 PM: 0000491c_437561a7_00081b32 is in use. It will be removed on reboot.
12:23 PM: 000001d3_43769c51_000aba95 is in use. It will be removed on reboot.
12:23 PM: 00006d22_437690bf_00057bcf is in use. It will be removed on reboot.
12:23 PM: 000018be_4375ebde_00076417 is in use. It will be removed on reboot.
12:23 PM: 00000c7b_4376a25c_00076417 is in use. It will be removed on reboot.
12:23 PM: 00006784_4375ebe0_0000b71b is in use. It will be removed on reboot.
12:23 PM: 00004ae1_4375ebe1_00081b32 is in use. It will be removed on reboot.
12:23 PM: 00006b28_4376a8aa_00098968 is in use. It will be removed on reboot.
12:23 PM: 00000a4a_4376a751_0003d090 is in use. It will be removed on reboot.
12:23 PM: 00002cd6_4375618e_0000b71b is in use. It will be removed on reboot.
12:23 PM: 00006b36_43766fa8_00040d99 is in use. It will be removed on reboot.
12:23 PM: 00006952_4375618e_0007de29 is in use. It will be removed on reboot.
12:23 PM: 00007983_437688c6_000c65d4 is in use. It will be removed on reboot.
12:23 PM: 00004c66_4376a845_0008d24d is in use. It will be removed on reboot.
12:23 PM: 00005c5e_4376a845_000af79e is in use. It will be removed on reboot.
12:23 PM: 00004657_43768980_000632ea is in use. It will be removed on reboot.
12:23 PM: 00004461_4376a8ab_0000f424 is in use. It will be removed on reboot.
12:23 PM: 00003765_4376a8a8_0007270e is in use. It will be removed on reboot.
12:23 PM: 0000767d_43766c02_000d1cef is in use. It will be removed on reboot.
12:23 PM: 00007a5a_43766c02_00029f63 is in use. It will be removed on reboot.
12:23 PM: 00001e1f_4376bca8_000632ea is in use. It will be removed on reboot.
12:23 PM: 00003459_4376a77e_000d1cef is in use. It will be removed on reboot.
12:23 PM: 00004509_43766c07_00016e36 is in use. It will be removed on reboot.
12:23 PM: 000041bb_43756190_0007a120 is in use. It will be removed on reboot.
12:23 PM: 000026e9_43756193_0002dc6c is in use. It will be removed on reboot.
12:23 PM: 00001238_43766c08_000d9701 is in use. It will be removed on reboot.
12:23 PM: 000001eb_43756193_00040d99 is in use. It will be removed on reboot.
12:23 PM: 00000bb3_43756193_000e1113 is in use. It will be removed on reboot.
12:23 PM: 00003b25_43766c13_000487ab is in use. It will be removed on reboot.
12:23 PM: 00005d24_4376a75c_000e8b25 is in use. It will be removed on reboot.
12:23 PM: 00004df2_43767193_0008583b is in use. It will be removed on reboot.
12:23 PM: 00005968_4376a74d_0001312d is in use. It will be removed on reboot.
12:23 PM: 000066b4_4376a85b_0009c671 is in use. It will be removed on reboot.
12:23 PM: 00003d6c_4375ebe3_00040d99 is in use. It will be removed on reboot.
12:23 PM: 00003b25_4376bca8_0004c4b4 is in use. It will be removed on reboot.
12:23 PM: 00004ae1_43755fc1_00000000 is in use. It will be removed on reboot.
12:23 PM: 00002cd6_4375ebe3_0006acfc is in use. It will be removed on reboot.
12:23 PM: 00006784_43755f75_000af79e is in use. It will be removed on reboot.
12:23 PM: 00004d06_4375f120_0006ea05 is in use. It will be removed on reboot.
12:23 PM: 000072ae_4375ebe5_000ec82e is in use. It will be removed on reboot.
12:23 PM: 00000588_4376a760_000a4083 is in use. It will be removed on reboot.
12:23 PM: 00004ad4_4376a74e_00081b32 is in use. It will be removed on reboot.
12:23 PM: 00001d11_4376a823_00044aa2 is in use. It will be removed on reboot.
12:23 PM: 000072ae_43755fc7_0005b8d8 is in use. It will be removed on reboot.
12:23 PM: 00006048_43769c7e_0008d24d is in use. It will be removed on reboot.
12:23 PM: 00002cf7_4376a74f_00007a12 is in use. It will be removed on reboot.
12:23 PM: 0000390c_43756196_0000b71b is in use. It will be removed on reboot.
12:23 PM: 000066c4_43767376_00090f56 is in use. It will be removed on reboot.
12:23 PM: 0000305e_437561a2_000b34a7 is in use. It will be removed on reboot.
12:23 PM: 00004230_43767376_000a7d8c is in use. It will be removed on reboot.
12:23 PM: 00006952_4375ebec_00044aa2 is in use. It will be removed on reboot.
12:23 PM: 00007eb7_43767376_000c65d4 is in use. It will be removed on reboot.
12:23 PM: 00006e5d_43766c23_00039387 is in use. It will be removed on reboot.
12:23 PM: 00001ad4_43766c23_000b71b0 is in use. It will be removed on reboot.
12:23 PM: 00000099_4375619a_0008583b is in use. It will be removed on reboot.
12:23 PM: 000063cb_43766c2c_00044aa2 is in use. It will be removed on reboot.
12:23 PM: 00006bfc_43766c2c_00098968 is in use. It will be removed on reboot.
12:23 PM: 00005f90_4375ebec_000487ab is in use. It will be removed on reboot.
12:23 PM: 0000440d_437561a2_000b71b0 is in use. It will be removed on reboot.
12:23 PM: 0000323b_43766c2f_000c28cb is in use. It will be removed on reboot.
12:23 PM: 00001547_4375f120_000c28cb is in use. It will be removed on reboot.
12:23 PM: 00006b89_43766c30_00081b32 is in use. It will be removed on reboot.
12:23 PM: 0000030a_43766c30_000a7d8c is in use. It will be removed on reboot.
12:23 PM: 00000bdb_43766c31_0000b71b is in use. It will be removed on reboot.
12:23 PM: dns is in use. It will be removed on reboot.
12:23 PM: 00000d66_437688b4_000a7d8c is in use. It will be removed on reboot.
12:23 PM: 000036c2_4376a867_00066ff3 is in use. It will be removed on reboot.
12:23 PM: index is in use. It will be removed on reboot.
12:23 PM: 0000549b_4376a856_00081b32 is in use. It will be removed on reboot.
12:23 PM: 00002350_43766dc4_000487ab is in use. It will be removed on reboot.
12:23 PM: 00006899_437685e0_00081b32 is in use. It will be removed on reboot.
12:23 PM: 00005db2_437685f6_0002dc6c is in use. It will be removed on reboot.
12:23 PM: 000023c9_437685f7_00022551 is in use. It will be removed on reboot.
12:23 PM: 00001a49_4376709b_00053ec6 is in use. It will be removed on reboot.
12:23 PM: 00000fbf_437686d8_0007a120 is in use. It will be removed on reboot.
12:23 PM: 0000153c_43756194_00094c5f is in use. It will be removed on reboot.
12:23 PM: 00005772_43767559_0009c671 is in use. It will be removed on reboot.
12:23 PM: 000075ef_437688dc_0005b8d8 is in use. It will be removed on reboot.
12:23 PM: 000026b1_4376a868_00066ff3 is in use. It will be removed on reboot.
12:23 PM: 00002528_4376a823_00094c5f is in use. It will be removed on reboot.
12:23 PM: 00001366_43767281_0007de29 is in use. It will be removed on reboot.
12:23 PM: 00003004_4376a73c_000a7d8c is in use. It will be removed on reboot.
12:23 PM: 00007049_4376764c_00031975 is in use. It will be removed on reboot.
12:23 PM: 0000468c_4376a827_000dd40a is in use. It will be removed on reboot.
12:23 PM: 000072ae_4375618e_0000f424 is in use. It will be removed on reboot.
12:23 PM: 00001796_4376a73f_0001e848 is in use. It will be removed on reboot.
12:23 PM: 00002ea6_43756194_00039387 is in use. It will be removed on reboot.
12:23 PM: 00003d6c_4375618d_00081b32 is in use. It will be removed on reboot.
12:23 PM: 000066bb_4376bb21_000f0537 is in use. It will be removed on reboot.
12:23 PM: 00004944_43767194_0006ea05 is in use. It will be removed on reboot.
12:23 PM: 00005f90_4375618e_000d1cef is in use. It will be removed on reboot.
12:23 PM: 000026a6_4376bb77_0001312d is in use. It will be removed on reboot.
12:23 PM: 0000797d_43767191_0000f424 is in use. It will be removed on reboot.
12:23 PM: ipmagent.exe is in use. It will be removed on reboot.
12:23 PM: 00006e7e_4376a834_00098968 is in use. It will be removed on reboot.
12:23 PM: 00001649_4375618e_000e1113 is in use. It will be removed on reboot.
12:23 PM: 0000366b_43767375_000a7d8c is in use. It will be removed on reboot.
12:23 PM: 000060bf_43768694_0001312d is in use. It will be removed on reboot.
12:23 PM: 00005f49_43767191_0002dc6c is in use. It will be removed on reboot.
12:23 PM: 00006df1_4375ebf1_00040d99 is in use. It will be removed on reboot.
12:23 PM: 00005422_43767377_000d1cef is in use. It will be removed on reboot.
12:23 PM: 00003ef6_43767378_0001e848 is in use. It will be removed on reboot.
12:23 PM: 00004a80_43767832_0002dc6c is in use. It will be removed on reboot.
12:23 PM: 0000305e_4376b8c4_00016e36 is in use. It will be removed on reboot.
12:23 PM: 00005991_4376737d_000af79e is in use. It will be removed on reboot.
12:23 PM: 00002e39_4376a87f_00089544 is in use. It will be removed on reboot.
12:23 PM: 000048cc_43768685_0007270e is in use. It will be removed on reboot.
12:23 PM: 00006e89_4376a884_00090f56 is in use. It will be removed on reboot.
12:23 PM: 000057d3_43769c7e_000cdfe6 is in use. It will be removed on reboot.
12:23 PM: 00004823_4376b899_00076417 is in use. It will be removed on reboot.
12:23 PM: jetwrite.exe is in use. It will be removed on reboot.
12:23 PM: 0000047e_4376886e_00003d09 is in use. It will be removed on reboot.
12:23 PM: 000054de_4375f14b_000a4083 is in use. It will be removed on reboot.
12:23 PM: 00006ad6_43768868_000e1113 is in use. It will be removed on reboot.
12:23 PM: 00006443_4376bae9_00053ec6 is in use. It will be removed on reboot.
12:23 PM: 00002f14_43768867_0001ab3f is in use. It will be removed on reboot.
12:23 PM: 0000491c_4376b8c5_000d9701 is in use. It will be removed on reboot.
12:23 PM: 00001ad4_4376bcac_00029f63 is in use. It will be removed on reboot.
12:23 PM: 0000428b_4376bb67_000af79e is in use. It will be removed on reboot.
12:23 PM: 00005af1_4375ec11_0006ea05 is in use. It will be removed on reboot.
12:23 PM: 000037e6_43769d63_000a4083 is in use. It will be removed on reboot.
12:23 PM: 000049f7_43769f4f_00089544 is in use. It will be removed on reboot.
12:23 PM: 000019d9_43769d63_000d1cef is in use. It will be removed on reboot.
12:23 PM: 000054dc_4376888d_000a037a is in use. It will be removed on reboot.
12:23 PM: 000026e9_4375ec16_00076417 is in use. It will be removed on reboot.
12:23 PM: 0000288f_437689ad_00039387 is in use. It will be removed on reboot.
12:23 PM: 000001eb_4375ec17_0009c671 is in use. It will be removed on reboot.
12:23 PM: 0000074d_4375f160_000d59f8 is in use. It will be removed on reboot.
12:23 PM: data.bin is in use. It will be removed on reboot.
12:23 PM: ace.dll is in use. It will be removed on reboot.
12:23 PM: 00003f97_4376a82c_0002dc6c is in use. It will be removed on reboot.
12:23 PM: quadmime.exe is in use. It will be removed on reboot.
12:23 PM: 000039b3_437561ad_00016e36 is in use. It will be removed on reboot.
12:23 PM: 000054de_437561a9_0007de29 is in use. It will be removed on reboot.
12:23 PM: 00000bb3_4375ec17_000a7d8c is in use. It will be removed on reboot.
12:23 PM: 00007f96_4376bcaf_00029f63 is in use. It will be removed on reboot.
12:23 PM: 0000301c_4376c111_0008d24d is in use. It will be removed on reboot.
12:23 PM: 00002ea6_4375ec17_000b71b0 is in use. It will be removed on reboot.
12:23 PM: 00002d12_437561ad_000baeb9 is in use. It will be removed on reboot.
12:23 PM: 00000f3e_43756199_000501bd is in use. It will be removed on reboot.
12:23 PM: 000012db_4375ec17_000dd40a is in use. It will be removed on reboot.
12:23 PM: 0000153c_4375ec17_000e4e1c is in use. It will be removed on reboot.
12:23 PM: 00006784_4376b89d_000ec82e is in use. It will be removed on reboot.
12:23 PM: 0000390c_4375ec18_00016e36 is in use. It will be removed on reboot.
12:23 PM: 00007e87_43756195_00022551 is in use. It will be removed on reboot.
12:23 PM: ai_12-11-2005.log is in use. It will be removed on reboot.
12:23 PM: 000026e9_4376b8a9_00039387 is in use. It will be removed on reboot.
12:23 PM: 00004823_4375ebdd_00044aa2 is in use. It will be removed on reboot.
12:23 PM: 000041bb_4375ec14_00022551 is in use. It will be removed on reboot.
12:23 PM: 00000f3e_4375ec18_00031975 is in use. It will be removed on reboot.
12:23 PM: 00000124_4375ec18_0007a120 is in use. It will be removed on reboot.
12:23 PM: 0000305e_4375ec18_000c65d4 is in use. It will be removed on reboot.
12:23 PM: 0000440d_4375ec19_00039387 is in use. It will be removed on reboot.
12:23 PM: 00002d12_4375f151_0002dc6c is in use. It will be removed on reboot.
12:23 PM: 000026a6_4375f186_000501bd is in use. It will be removed on reboot.
12:23 PM: 00005d03_43766c00_0005b8d8 is in use. It will be removed on reboot.
12:23 PM: ai_18-11-2005.log is in use. It will be removed on reboot.
12:23 PM: ai_13-11-2005.log is in use. It will be removed on reboot.
12:23 PM: 00003cd5_437685f5_000487ab is in use. It will be removed on reboot.
12:23 PM: 0000458f_43769cf9_00016e36 is in use. It will be removed on reboot.
12:23 PM: 00007f96_43766c2f_00022551 is in use. It will be removed on reboot.
12:23 PM: 00007ff5_43766c2f_00076417 is in use. It will be removed on reboot.
12:23 PM: 00004e45_43766c2f_000b71b0 is in use. It will be removed on reboot.
12:23 PM: 00002213_43766c30_00003d09 is in use. It will be removed on reboot.
12:23 PM: 0000260d_43766c30_0004c4b4 is in use. It will be removed on reboot.
12:23 PM: 0000301c_43766c31_00007a12 is in use. It will be removed on reboot.
12:23 PM: 000056ae_43766c31_000487ab is in use. It will be removed on reboot.
12:23 PM: 0000759a_43766dc3_00053ec6 is in use. It will be removed on reboot.
12:23 PM: 0000676d_4376a86c_000a037a is in use. It will be removed on reboot.
12:23 PM: 000054d6_4376a828_00053ec6 is in use. It will be removed on reboot.
12:23 PM: 000026ca_43767382_00031975 is in use. It will be removed on reboot.
12:23 PM: 00000ea9_4376a828_0006acfc is in use. It will be removed on reboot.
12:23 PM: 00006bc9_4376a90e_000d1cef is in use. It will be removed on reboot.
12:23 PM: 000073da_43767381_000d59f8 is in use. It will be removed on reboot.
12:23 PM: 000058b0_43767381_000d9701 is in use. It will be removed on reboot.
12:23 PM: 00004080_437685f5_000e1113 is in use. It will be removed on reboot.
12:23 PM: 00003699_43767382_000d1cef is in use. It will be removed on reboot.
12:23 PM: 000033ea_437685f6_0008d24d is in use. It will be removed on reboot.
12:23 PM: 00005753_4376868c_000a4083 is in use. It will be removed on reboot.
12:23 PM: 00005c67_43768694_00031975 is in use. It will be removed on reboot.
12:23 PM: 0000422d_43768872_0001e848 is in use. It will be removed on reboot.
12:23 PM: 00002fff_437689a8_000cdfe6 is in use. It will be removed on reboot.
12:23 PM: 00006c69_437689ac_000af79e is in use. It will be removed on reboot.
12:23 PM: 0000494a_43768d77_00007a12 is in use. It will be removed on reboot.
12:23 PM: 00003a61_437689ad_00098968 is in use. It will be removed on reboot.
12:23 PM: ai_17-11-2005.log is in use. It will be removed on reboot.
12:23 PM: 00007f4f_43768d76_00081b32 is in use. It will be removed on reboot.
12:23 PM: 00000120_4376c415_00039387 is in use. It will be removed on reboot.
12:23 PM: 00000732_4376c322_0008583b is in use. It will be removed on reboot.
12:23 PM: 00001953_43768fa2_000aba95 is in use. It will be removed on reboot.
12:23 PM: 00002b0c_4376905c_00094c5f is in use. It will be removed on reboot.
12:23 PM: 0000127e_43769063_00094c5f is in use. It will be removed on reboot.
12:23 PM: 000007cf_4376907a_000af79e is in use. It will be removed on reboot.
12:23 PM: 00001af4_43769116_000f0537 is in use. It will be removed on reboot.
12:23 PM: 00003a2d_43769c7e_00053ec6 is in use. It will be removed on reboot.
12:23 PM: 0000252a_43769e56_0002dc6c is in use. It will be removed on reboot.
12:23 PM: 00006270_4376a62e_00098968 is in use. It will be removed on reboot.
12:23 PM: 00001850_4376a1ba_00022551 is in use. It will be removed on reboot.
12:23 PM: 00003ee9_4376a834_000ca2dd is in use. It will be removed on reboot.
12:23 PM: 000019da_4376a631_00003d09 is in use. It will be removed on reboot.
12:23 PM: 00005005_4376a25d_0001ab3f is in use. It will be removed on reboot.
12:23 PM: 00000c15_4376a25d_00022551 is in use. It will be removed on reboot.
12:23 PM: 00003807_4376a25e_000b34a7 is in use. It will be removed on reboot.
12:23 PM: 00006479_4376a799_0008583b is in use. It will be removed on reboot.
12:23 PM: 000068f5_4376a77e_00000000 is in use. It will be removed on reboot.
12:23 PM: 000045c5_4376a77e_00022551 is in use. It will be removed on reboot.
12:23 PM: 00003960_4376a77e_0007270e is in use. It will be removed on reboot.
12:23 PM: 00002959_4376a787_0008583b is in use. It will be removed on reboot.
12:23 PM: 00000e29_4376a86c_0000f424 is in use. It will be removed on reboot.
12:23 PM: 00004325_4376a799_000ca2dd is in use. It will be removed on reboot.
12:23 PM: 00004e08_4376a799_000e4e1c is in use. It will be removed on reboot.
12:23 PM: 000075c1_4376a824_0002625a is in use. It will be removed on reboot.
12:23 PM: 00004e55_4376a841_0001e848 is in use. It will be removed on reboot.
12:23 PM: 00005a9b_4376a82f_000a7d8c is in use. It will be removed on reboot.
12:23 PM: 00000ce1_4376a830_0001ab3f is in use. It will be removed on reboot.
12:23 PM: 000030a7_4376a839_000e1113 is in use. It will be removed on reboot.
12:23 PM: 000046c2_4376a83b_0002625a is in use. It will be removed on reboot.
12:23 PM: 000028e2_4376a84f_0007270e is in use. It will be removed on reboot.
12:23 PM: 000050bf_4376a83f_000cdfe6 is in use. It will be removed on reboot.
12:23 PM: 0000662a_4376a85f_000dd40a is in use. It will be removed on reboot.
12:23 PM: 000010d9_4376a843_000ca2dd is in use. It will be removed on reboot.
12:23 PM: 00006c6c_4376a844_0001e848 is in use. It will be removed on reboot.
12:23 PM: 00006ea1_4376a844_0006acfc is in use. It will be removed on reboot.
12:23 PM: 00004fe2_4376a84e_00044aa2 is in use. It will be removed on reboot.
12:23 PM: 00002ba5_4376a84e_000e8b25 is in use. It will be removed on reboot.
12:23 PM: 00004365_4376a85c_0001ab3f is in use. It will be removed on reboot.
12:23 PM: 000050a9_4376a863_00029f63 is in use. It will be removed on reboot.
12:23 PM: 00004626_4376a868_0009c671 is in use. It will be removed on reboot.
12:23 PM: 00006da6_4376a87f_000ca2dd is in use. It will be removed on reboot.
12:23 PM: 00007e0e_4376a889_000bebc2 is in use. It will be removed on reboot.
12:23 PM: 00001dcb_4376a895_0006ea05 is in use. It will be removed on reboot.
12:23 PM: 00000607_4376a8a1_000487ab is in use. It will be removed on reboot.
12:23 PM: 00002ea6_4376b8b9_00040d99 is in use. It will be removed on reboot.
12:23 PM: 0000390c_4376b8bc_0005f5e1 is in use. It will be removed on reboot.
12:23 PM: 0000440d_4376b8c4_0007de29 is in use. It will be removed on reboot.
12:23 PM: ai_16-11-2005.log is in use. It will be removed on reboot.
12:23 PM: 00006e5d_4376bca8_000d59f8 is in use. It will be removed on reboot.
12:23 PM: 00006bfc_4376bcaf_00003d09 is in use. It will be removed on reboot.
12:23 PM: 00007ff5_4376bcaf_0003d090 is in use. It will be removed on reboot.
12:23 PM: ai_14-11-2005.log is in use. It will be removed on reboot.
12:23 PM: 00004823_43756187_0008583b is in use. It will be removed on reboot.
12:23 PM: 000018be_43756187_000e4e1c is in use. It will be removed on reboot.
12:23 PM: ai_15-11-2005.log is in use. It will be removed on reboot.
12:23 PM: 00000124_4375619d_000a4083 is in use. It will be removed on reboot.
12:23 PM: 00004d06_437561a8_000af79e is in use. It will be removed on reboot.
12:23 PM: 00004db7_437561a9_0001312d is in use. It will be removed on reboot.
12:23 PM: 00001547_437561a9_00044aa2 is in use. It will be removed on reboot.
12:23 PM: 000018be_43755f74_000d1cef is in use. It will be removed on reboot.
12:23 PM: 00002cd6_43755fc5_0000f424 is in use. It will be removed on reboot.
12:23 PM: 00005f90_43755fca_00000000 is in use. It will be removed on reboot.
12:23 PM: Quarantining All Traces: downloadul
12:23 PM: Quarantining All Traces: apropos
12:23 PM: apropos is in use. It will be removed on reboot.
12:23 PM: wingenerics.dll is in use. It will be removed on reboot.
12:23 PM: Quarantining All Traces: commonname
12:23 PM: Quarantining All Traces: cram toolbar
12:23 PM: Quarantining All Traces: icannnews
********
7:51 AM: | Start of Session, Friday, November 18, 2005 |
7:51 AM: Spy Sweeper started
7:52 AM: Messenger service has been disabled.
7:52 AM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
7:52 AM: Updating spyware definitions
7:52 AM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
7:52 AM: Updating spyware definitions
7:52 AM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
7:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:53 AM

#6
arepark

  • Topic Starter
Something happened to the HijackThis report. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:43 PM, on 11/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\oodag.exe
C:\Program Files\R-Undelete20\rloginsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\ToolBox\Reg-Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aiu...ferer=&logout=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: Group Policy - C:\WINNT\system32\dnnq0155e.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: R-Studio Login Server - Unknown owner - C:\Program Files\R-Undelete20\rloginsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)

#7
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, arepark.

Please open Hijackthis, scan, and place a checkmark by the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)


Close all open windows/browsers and click Fix Checked.

Also, please run SpySweeper again with the same settings as before.

Post back the results from SpySweeper, and a new Hijackthis log.

#8
arepark

    New Member

  • Topic Starter
  • Member
  • 9 posts
Something is changing. I am not getting the WinPatrol alerts that something is trying to change my 'Hosts' file anymore.

Thanks for your help. I hope we are getting close.

Logfile of HijackThis v1.99.1
Scan saved at 11:15:39 AM, on 11/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\oodag.exe
C:\Program Files\R-Undelete20\rloginsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\cidaemon.exe
C:\stub_113_4_0_4_0.exe
C:\WINNT\System32\cidaemon.exe
c:\winnt\system32\rldsregl.exe
D:\ToolBox\Reg-Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aiu...ferer=&logout=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: Group Policy - C:\WINNT\system32\dnnq0155e.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: R-Studio Login Server - Unknown owner - C:\Program Files\R-Undelete20\rloginsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)


********
11:16 AM: | Start of Session, Saturday, November 19, 2005 |
11:16 AM: Spy Sweeper started
11:16 AM: Sweep initiated using definitions version 556
11:16 AM: Starting Memory Sweep
11:17 AM: Found Adware: icannnews
11:17 AM: Detected running threat: C:\WINNT\system32\dnnq0155e.dll (ID = 83)
11:17 AM: Detected running threat: C:\WINNT\system32\dhprop.dll (ID = 83)
11:18 AM: Memory Sweep Complete, Elapsed Time: 00:01:30
11:18 AM: Starting Registry Sweep
11:18 AM: Found Adware: safesurf
11:18 AM: HKLM\software\microsoft\windows\currentversion\app paths\sshelp.dll\ (2 subtraces) (ID = 140388)
11:18 AM: Found Adware: scbar
11:18 AM: HKLM\software\microsoft\windows\currentversion\uninstall\data compiler\ (1 subtraces) (ID = 140509)
11:18 AM: HKLM\software\microsoft\windows\currentversion\uninstall\indexing function\ (1 subtraces) (ID = 140510)
11:19 AM: Found Adware: win favorites
11:19 AM: HKLM\software\microsoft\windows\currentversion\uninstall\win favorites\ (1 subtraces) (ID = 146981)
11:19 AM: Found Adware: zenosearchassistant
11:19 AM: HKLM\software\microsoft\windows\currentversion\uninstall\zeno search assistant\ (2 subtraces) (ID = 147935)
11:19 AM: Found Adware: mediacharger
11:19 AM: HKU\WRSS_Profile_S-1-5-21-1214440339-879983540-682003330-500\software\mediacharger\ (3 subtraces) (ID = 134901)
11:19 AM: Found Adware: cram toolbar
11:19 AM: HKU\S-1-5-21-1214440339-879983540-682003330-1017\software\microsoft\internet explorer\toolbar\webbrowser\ || {01e69986-a054-4c52-abe8-ef63df1c5211} (ID = 826757)
11:19 AM: Registry Sweep Complete, Elapsed Time:00:00:43
11:19 AM: Starting Cookie Sweep
11:19 AM: Found Spy Cookie: yieldmanager cookie
11:19 AM: me@ad.yieldmanager[2].txt (ID = 3751)
11:19 AM: Found Spy Cookie: hbmediapro cookie
11:19 AM: me@adopt.hbmediapro[2].txt (ID = 2768)
11:19 AM: Found Spy Cookie: realmedia cookie
11:19 AM: me@realmedia[1].txt (ID = 3235)
11:19 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:19 AM: Starting File Sweep
11:19 AM: Found Adware: squire webhelper
11:19 AM: c:\program files\common files\sq (1 subtraces) (ID = -2147480239)
11:31 AM: ssurf022.dll (ID = 74301)
11:46 AM: Warning: Failed to access drive D:
11:46 AM: Warning: Failed to access drive D:
11:46 AM: File Sweep Complete, Elapsed Time: 00:27:32
11:46 AM: Full Sweep has completed. Elapsed time 00:29:59
11:46 AM: Traces Found: 25
12:50 PM: Removal process initiated
12:51 PM: Quarantining All Traces: cram toolbar
12:51 PM: Quarantining All Traces: icannnews
12:51 PM: icannnews is in use. It will be removed on reboot.
12:51 PM: C:\WINNT\system32\dnnq0155e.dll is in use. It will be removed on reboot.
12:51 PM: C:\WINNT\system32\dhprop.dll is in use. It will be removed on reboot.
12:51 PM: Quarantining All Traces: mediacharger
12:51 PM: Quarantining All Traces: safesurf
12:51 PM: Quarantining All Traces: scbar
12:51 PM: Quarantining All Traces: squire webhelper
12:51 PM: Quarantining All Traces: win favorites
12:51 PM: Quarantining All Traces: zenosearchassistant
12:51 PM: Quarantining All Traces: hbmediapro cookie
12:51 PM: Quarantining All Traces: realmedia cookie
12:51 PM: Quarantining All Traces: yieldmanager cookie
12:51 PM: Preparing to restart your computer. Please wait...
12:51 PM: Removal process completed. Elapsed time 00:00:54
********
7:56 AM: | Start of Session, Friday, November 18, 2005 |
7:56 AM: Spy Sweeper started
7:56 AM: Sweep initiated using definitions version 556
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:56 AM: Starting Memory Sweep
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:57 AM: Found Adware: icannnews
7:57 AM: Detected running threat: C:\WINNT\system32\dnnq0155e.dll (ID = 83)
7:59 AM: Detected running threat: C:\WINNT\system32\vqXMLRPC.dll (ID = 83)
7:59 AM: Memory Sweep Complete, Elapsed Time: 00:03:01
8:00 AM: Starting Registry Sweep
8:00 AM: Found Adware: safesurf
8:00 AM: HKLM\software\microsoft\windows\currentversion\app paths\sshelp.dll\ (2 subtraces) (ID = 140388)
8:00 AM: Found Adware: scbar
8:00 AM: HKLM\software\microsoft\windows\currentversion\uninstall\data compiler\ (1 subtraces) (ID = 140509)
8:00 AM: HKLM\software\microsoft\windows\currentversion\uninstall\indexing function\ (1 subtraces) (ID = 140510)
8:01 AM: Found Adware: win favorites
8:01 AM: HKLM\software\microsoft\windows\currentversion\uninstall\win favorites\ (1 subtraces) (ID = 146981)
8:01 AM: Found Adware: zenosearchassistant
8:01 AM: HKLM\software\microsoft\windows\currentversion\uninstall\zeno search assistant\ (2 subtraces) (ID = 147935)
8:01 AM: Found Trojan Horse: trojan - zerotollerance
8:01 AM: HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (ID = 608255)
8:01 AM: HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (ID = 609144)
8:01 AM: Found Adware: mediacharger
8:01 AM: HKU\WRSS_Profile_S-1-5-21-1214440339-879983540-682003330-500\software\mediacharger\ (3 subtraces) (ID = 134901)
8:01 AM: Found Adware: cram toolbar
8:01 AM: HKU\S-1-5-21-1214440339-879983540-682003330-1017\software\microsoft\internet explorer\toolbar\webbrowser\ || {01e69986-a054-4c52-abe8-ef63df1c5211} (ID = 826757)
8:01 AM: Registry Sweep Complete, Elapsed Time:00:01:17
8:01 AM: Starting Cookie Sweep
8:01 AM: Found Spy Cookie: yieldmanager cookie
8:01 AM: me@ad.yieldmanager[2].txt (ID = 3751)
8:01 AM: Found Spy Cookie: hbmediapro cookie
8:01 AM: me@adopt.hbmediapro[2].txt (ID = 2768)
8:01 AM: Found Spy Cookie: realmedia cookie
8:01 AM: me@realmedia[1].txt (ID = 3235)
8:01 AM: Cookie Sweep Complete, Elapsed Time: 00:00:05
8:01 AM: Starting File Sweep
8:01 AM: Found Adware: squire webhelper
8:01 AM: c:\program files\common files\sq (1 subtraces) (ID = -2147480239)
8:10 AM: Found Adware: commonname
8:10 AM: cnbabeie.exe (ID = 53748)
8:12 AM: ssurf022.dll (ID = 74301)
8:22 AM: Found Adware: apropos
8:22 AM: wingenerics.dll (ID = 50187)
8:22 AM: winnet.ini (ID = 53846)
8:25 AM: Found Trojan Horse: downloadul
8:25 AM: rpuxgbdz.inf (ID = 59264)
8:25 AM: Warning: Failed to access drive D:
8:25 AM: Warning: Failed to access drive D:
8:25 AM: Found System Monitor: potentially rootkit-masked files
8:28 AM: 000054d6_4376a828_00053ec6 (ID = 0)
8:28 AM: 000026ca_43767382_00031975 (ID = 0)
8:28 AM: 00000ea9_4376a828_0006acfc (ID = 0)
8:28 AM: 00006bc9_4376a90e_000d1cef (ID = 0)
8:28 AM: 000073da_43767381_000d59f8 (ID = 0)
8:28 AM: 000058b0_43767381_000d9701 (ID = 0)
8:28 AM: 00004080_437685f5_000e1113 (ID = 0)
8:28 AM: 00003699_43767382_000d1cef (ID = 0)
8:28 AM: 000033ea_437685f6_0008d24d (ID = 0)
8:28 AM: 00005753_4376868c_000a4083 (ID = 0)
8:28 AM: 00005c67_43768694_00031975 (ID = 0)
8:28 AM: 0000422d_43768872_0001e848 (ID = 0)
8:28 AM: 00002fff_437689a8_000cdfe6 (ID = 0)
8:28 AM: 00006c69_437689ac_000af79e (ID = 0)
8:28 AM: 0000494a_43768d77_00007a12 (ID = 0)
8:28 AM: 00003a61_437689ad_00098968 (ID = 0)
8:28 AM: ai_17-11-2005.log (ID = 0)
8:28 AM: 00007f4f_43768d76_00081b32 (ID = 0)
8:28 AM: 00000120_4376c415_00039387 (ID = 0)
8:28 AM: 00000732_4376c322_0008583b (ID = 0)
8:28 AM: 00001953_43768fa2_000aba95 (ID = 0)
8:28 AM: 00002b0c_4376905c_00094c5f (ID = 0)
8:28 AM: 0000127e_43769063_00094c5f (ID = 0)
8:28 AM: 000007cf_4376907a_000af79e (ID = 0)
8:28 AM: 00001af4_43769116_000f0537 (ID = 0)
8:28 AM: 00003a2d_43769c7e_00053ec6 (ID = 0)
8:28 AM: 0000252a_43769e56_0002dc6c (ID = 0)
8:28 AM: 00006270_4376a62e_00098968 (ID = 0)
8:28 AM: 00001850_4376a1ba_00022551 (ID = 0)
8:28 AM: 00003ee9_4376a834_000ca2dd (ID = 0)
8:28 AM: 000019da_4376a631_00003d09 (ID = 0)
8:28 AM: 00005005_4376a25d_0001ab3f (ID = 0)
8:28 AM: 00000c15_4376a25d_00022551 (ID = 0)
8:28 AM: 00003807_4376a25e_000b34a7 (ID = 0)
8:28 AM: 00006479_4376a799_0008583b (ID = 0)
8:28 AM: 000068f5_4376a77e_00000000 (ID = 0)
8:28 AM: 000045c5_4376a77e_00022551 (ID = 0)
8:28 AM: 00003960_4376a77e_0007270e (ID = 0)
8:28 AM: 00002959_4376a787_0008583b (ID = 0)
8:28 AM: 00000e29_4376a86c_0000f424 (ID = 0)
8:28 AM: 00004325_4376a799_000ca2dd (ID = 0)
8:28 AM: 00004e08_4376a799_000e4e1c (ID = 0)
8:28 AM: 000075c1_4376a824_0002625a (ID = 0)
8:28 AM: 00004e55_4376a841_0001e848 (ID = 0)
8:28 AM: 00005a9b_4376a82f_000a7d8c (ID = 0)
8:28 AM: 00000ce1_4376a830_0001ab3f (ID = 0)
8:28 AM: 000030a7_4376a839_000e1113 (ID = 0)
8:28 AM: 000046c2_4376a83b_0002625a (ID = 0)
8:28 AM: 000028e2_4376a84f_0007270e (ID = 0)
8:28 AM: 000050bf_4376a83f_000cdfe6 (ID = 0)
8:28 AM: 0000662a_4376a85f_000dd40a (ID = 0)
8:28 AM: 000010d9_4376a843_000ca2dd (ID = 0)
8:28 AM: 00006c6c_4376a844_0001e848 (ID = 0)
8:28 AM: 00006ea1_4376a844_0006acfc (ID = 0)
8:28 AM: 00004fe2_4376a84e_00044aa2 (ID = 0)
8:28 AM: 00002ba5_4376a84e_000e8b25 (ID = 0)
8:28 AM: 00004365_4376a85c_0001ab3f (ID = 0)
8:28 AM: 000050a9_4376a863_00029f63 (ID = 0)
8:28 AM: 00004626_4376a868_0009c671 (ID = 0)
8:28 AM: 00006da6_4376a87f_000ca2dd (ID = 0)
8:28 AM: 00007e0e_4376a889_000bebc2 (ID = 0)
8:28 AM: 00001dcb_4376a895_0006ea05 (ID = 0)
8:28 AM: 00000607_4376a8a1_000487ab (ID = 0)
8:28 AM: 00002ea6_4376b8b9_00040d99 (ID = 0)
8:28 AM: 0000390c_4376b8bc_0005f5e1 (ID = 0)
8:28 AM: 0000440d_4376b8c4_0007de29 (ID = 0)
8:28 AM: ai_16-11-2005.log (ID = 0)
8:28 AM: 00006e5d_4376bca8_000d59f8 (ID = 0)
8:28 AM: 00006bfc_4376bcaf_00003d09 (ID = 0)
8:29 AM: 00007ff5_4376bcaf_0003d090 (ID = 0)
8:29 AM: ai_14-11-2005.log (ID = 0)
8:29 AM: 00004823_43756187_0008583b (ID = 0)
8:29 AM: 000018be_43756187_000e4e1c (ID = 0)
8:29 AM: ai_15-11-2005.log (ID = 0)
8:29 AM: 00000124_4375619d_000a4083 (ID = 0)
8:29 AM: 00004d06_437561a8_000af79e (ID = 0)
8:29 AM: 00004db7_437561a9_0001312d (ID = 0)
8:29 AM: 00001547_437561a9_00044aa2 (ID = 0)
8:29 AM: 000018be_43755f74_000d1cef (ID = 0)
8:29 AM: 00002cd6_43755fc5_0000f424 (ID = 0)
8:29 AM: 00005f90_43755fca_00000000 (ID = 0)
8:30 AM: File Sweep Complete, Elapsed Time: 00:28:40
8:30 AM: Full Sweep has completed. Elapsed time 00:33:05
8:30 AM: Traces Found: 416
12:09 PM: Removal process initiated
12:09 PM: Quarantining All Traces: potentially rootkit-masked files
12:23 PM: potentially rootkit-masked files is in use. It will be removed on reboot.

#9
OwNt
    Malware Expert
  • Retired Staff
  • 7,457 posts
Hello, arepark.

You will need to print these instructions out or save them in notepad for use in safe mode.

Please open Hijackthis, scan, and place a checkmark by the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all open windows/browsers and click Fix Checked.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\stub_113_4_0_4_0.exe
c:\winnt\system32\rldsregl.exe
C:\WINNT\system32\dnnq0155e.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

After it reboots, I need another L2MFix log. Please run L2MFix option #1 and post the log back here.
  • 0
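The L2MFix log requested above lists every package under Winlogon\Notify, the key through which Look2Me loads its DLL into winlogon.exe. As an added check (not part of this thread and not code from L2MFix), the Python script below parses that section of the log, decodes the hex(2) DllName values, and reports packages whose DLL is not on an analyst-supplied allow-list. The sample log, the `demo_pkg` entry and the baseline allow-list are constructed assumptions for the demo.

```python
"""Triage the Winlogon\\Notify section of an L2MFix 'find log'.

Added example, not code from this thread or from L2MFix. Every DLL listed
under this key is loaded into winlogon.exe at logon, which is why adware
such as Look2Me (the infection L2MFix targets) registers itself here.
"""
import re

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\"
                 "CurrentVersion\\Winlogon\\Notify\\")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Assumed baseline: stock Microsoft notification packages on Windows 2000/XP.
# Third-party security or remote-control software adds its own; verify, then extend.
BASELINE_ALLOWLIST = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                      "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

# Constructed sample in the L2MFix output format; 'demo_pkg' and its DLL name
# are made up for the demo and are not indicators taken from the thread.
SAMPLE_LOG = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\demo_pkg]
"DllName"="C:\\WINNT\\system32\\demo_unknown.dll"
"Logon"="DemoLogon"
"""


def join_continuations(text):
    """Re-join values that regedit wrapped with a trailing backslash."""
    out, pending = [], None
    for line in text.splitlines():
        piece = line.lstrip() if pending is not None else line
        if piece.endswith("\\"):
            pending = (pending or "") + piece[:-1]
            continue
        out.append((pending or "") + piece)
        pending = None
    return out


def decode_value(payload):
    """Turn a regedit value payload into a Python str or int."""
    if payload.startswith('"') and payload.endswith('"'):
        return payload[1:-1].replace("\\\\", "\\")
    if payload.startswith("hex("):                     # hex(2) = REG_EXPAND_SZ, UTF-16LE
        body = payload.split(":", 1)[1]
        raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    if payload.startswith("dword:"):
        return int(payload[6:], 16)
    return payload


def parse_notify(text):
    """Map each Winlogon\\Notify subkey name to its decoded values."""
    packages, current = {}, None
    for line in join_continuations(text):
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            if name.lower().startswith(NOTIFY_PREFIX.lower()):
                current = name[len(NOTIFY_PREFIX):]
                packages[current] = {}
            else:
                current = None                         # root key or another hive
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            packages[current][val.group(1)] = decode_value(val.group(2))
    return packages


def suspicious_packages(packages, allowlist=BASELINE_ALLOWLIST):
    """Return (package, dll) pairs whose DLL base name is not allow-listed."""
    findings = []
    for pkg, values in packages.items():
        # The log shows both 'DllName' and 'DLLName', so match case-insensitively.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        base = (dll or "").rsplit("\\", 1)[-1].lower()  # missing DllName is flagged too
        if base not in allowlist:
            findings.append((pkg, dll))
    return findings


if __name__ == "__main__":
    for pkg, dll in suspicious_packages(parse_notify(SAMPLE_LOG)):
        print(f"review: Notify\\{pkg} -> {dll}")
```

Paste the "Winlogon/notify:" section of a real L2MFix log in place of SAMPLE_LOG; anything reported is a package to verify by hand, not automatically malware.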

#10
arepark
    New Member
  • Topic Starter
  • Member
  • 9 posts
I ran KillBox like you asked, but I did not see a prompt for pending operations. I don't really know what the two prompts said, but they both had something to do with deleting on reboot, so I said yes to both. I hope I did not mess it up.


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"DllName"="PCANotify.dll"
"Startup"="WLEventStartup"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6A30BCC5-754C-8741-1C6A-EAE9CC60B2DC}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{8f7261d0-d2b9-11d2-9909-00605205b24c}"="CuteFTP Shell Extension"
"{1CAA843A-6DBD-40EF-AB71-8F7B209997C0}"="IntelliType Pro Key Settings Control Panel Property Page"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extention"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5E7D9611-0A92-11D6-BCC6-C117EB0C4E52}"="RStudio Menu Handler"
"{3C7BE262-0E51-11D6-BCC6-A29C3C5B2152}"="R-Undelete"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{0FBEE6A8-52E6-4589-8188-8E60F8007573}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
atmtd.dll Fri Nov 11 2005 10:17:54p A.... 687,592 671.48 K
catsrv.dll Mon Sep 5 2005 3:18:46a A.... 165,648 161.77 K
catsrvut.dll Mon Sep 5 2005 3:18:46a A.... 595,728 581.77 K
cdosys.dll Tue Aug 30 2005 4:29:42a A.... 2,532,112 2.41 M
clbcatex.dll Mon Sep 5 2005 3:18:46a A.... 97,040 94.77 K
clbcatq.dll Mon Sep 5 2005 3:18:46a A.... 551,184 538.27 K
colbact.dll Mon Sep 5 2005 3:18:46a A.... 41,744 40.77 K
comrepl.dll Mon Sep 5 2005 3:18:46a A.... 97,552 95.27 K
comsvcs.dll Mon Sep 5 2005 3:18:48a A.... 1,471,248 1.40 M
comuid.dll Mon Sep 5 2005 3:18:48a A.... 625,936 611.27 K
danim.dll Fri Sep 2 2005 10:06:58a A.... 986,112 963.00 K
dnro01~1.dll Fri Nov 18 2005 7:04:46p ..S.R 235,855 230.32 K
dxtrans.dll Fri Sep 2 2005 3:35:16p A.... 192,000 187.50 K
es.dll Mon Sep 5 2005 3:18:46a A.... 242,448 236.77 K
gdi32.dll Fri Oct 7 2005 1:19:38a A.... 233,744 228.27 K
linkinfo.dll Fri Sep 23 2005 6:03:26a A.... 17,680 17.27 K
m6nqlg~1.dll Wed Nov 16 2005 4:35:00p ..S.R 237,020 231.46 K
msdtclog.dll Mon Sep 5 2005 3:18:48a A.... 96,016 93.77 K
msdtcprx.dll Mon Sep 5 2005 3:18:48a A.... 726,288 709.27 K
msdtctm.dll Mon Sep 5 2005 3:18:48a A.... 1,200,400 1.14 M
msdtcui.dll Mon Sep 5 2005 3:18:48a A.... 153,872 150.27 K
mshtml.dll Tue Oct 4 2005 11:19:14a A.... 2,700,288 2.57 M
mstime.dll Fri Sep 2 2005 3:35:12p A.... 496,128 484.50 K
mtxclu.dll Mon Sep 5 2005 3:18:48a A.... 52,496 51.27 K
mtxdm.dll Mon Sep 5 2005 3:18:48a A.... 26,896 26.27 K
mtxlegih.dll Mon Sep 5 2005 3:18:50a A.... 35,600 34.77 K
mtxoci.dll Mon Sep 5 2005 3:18:50a A.... 122,640 119.77 K
nwwks.dll Mon Aug 22 2005 4:20:40a A.... 61,200 59.77 K
ole32.dll Mon Sep 5 2005 3:18:46a A.... 957,712 935.27 K
olecli32.dll Mon Sep 5 2005 3:18:46a A.... 69,392 67.77 K
olecnv32.dll Mon Sep 5 2005 3:18:46a A.... 36,624 35.77 K
quartz.dll Tue Aug 30 2005 8:14:00a A.... 1,227,776 1.17 M
rpcss.dll Mon Sep 5 2005 3:18:46a A.... 212,240 207.27 K
sengwi~1.dll Sat Sep 17 2005 10:23:58a A.... 24,575 23.99 K
shell32.dll Fri Sep 23 2005 6:03:26a A.... 2,360,592 2.25 M
shlwapi.dll Wed Aug 31 2005 5:49:30p A.... 409,088 399.50 K
spmsg.dll Mon Oct 10 2005 12:31:28a ..... 13,536 13.22 K
stclient.dll Mon Sep 5 2005 3:18:50a A.... 71,440 69.77 K
txfaux.dll Mon Sep 5 2005 3:18:46a A.... 398,608 389.27 K
umpnpmgr.dll Fri Sep 2 2005 4:24:06a A.... 94,480 92.27 K
urlmon.dll Fri Sep 2 2005 2:19:16p A.... 457,216 446.50 K
vqxmlrpc.dll Wed Nov 16 2005 4:35:02p ..S.R 235,464 229.95 K
webvw.dll Fri Sep 23 2005 6:03:26a A.... 1,120,016 1.07 M
winsrv.dll Fri Sep 23 2005 6:03:26a A.... 245,008 239.27 K
wrlogo~1.dll Wed Nov 16 2005 2:38:16p A.... 492,544 481.00 K
wrlzma.dll Wed Nov 16 2005 2:38:12p A.... 17,920 17.50 K
xolehlp.dll Mon Sep 5 2005 3:18:50a A.... 19,216 18.77 K

47 items found: 47 files (3 H/S), 0 directories.
Total of file sizes: 23,145,914 bytes 22.07 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8C05-C945

Directory of C:\WINNT\System32

11/18/2005 07:04p 235,855 dnro0193e.dll
11/16/2005 04:35p 235,464 vqXMLRPC.dll
11/16/2005 04:34p 237,020 m6nqlg5516.dll
11/09/2005 08:56a <DIR> dllcache
11/13/2003 09:21p 0 insqcb.ins
09/19/2001 10:43p 244,232 Msflxgrd.ocx
04/05/2001 12:43p 94,208 msstkprp.dll
6 File(s) 1,046,779 bytes
1 Dir(s) 11,752,771,584 bytes free
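The Winlogon\Notify export in the log above stores some DllName values as regedit's hex(2) encoding (REG_EXPAND_SZ written as comma-separated UTF-16LE bytes, continued on the next line with a trailing backslash), which is why entries such as crypt32chain are not readable at a glance. The following is an added example, not a tool from this thread or from any product named in it: a Python parser that decodes the export and separates the notification packages that ship with Windows 2000/XP (the allowlist is an assumption) from third-party ones that should be tied to an installed product. The input is a shortened, constructed copy of the posted export.

```python
"""Decode a regedit 5.00 export of the Winlogon\\Notify key and list the
notification packages it registers (added example, not from the thread)."""
import re

NOTIFY_PATH = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Assumption: notification packages that ship with Windows 2000/XP.
# Anything else must be tied to an installed product (AV, remote control, ...).
STOCK_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy",
                  "senslogn", "wzcnotif"}

# Constructed sample: a shortened copy of the export syntax in the posted log.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Asynchronous"=dword:00000001
"""


def _join_continuations(text):
    """regedit splits long hex values over lines that end in a backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def _decode_value(raw):
    """Right-hand side of a .reg value line -> str, int or bytes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])   # unescape \" and \\
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)          # bare "hex:" is REG_BINARY (3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2, 7):                # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a regedit 5.00 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def review_notify(text, stock=STOCK_PACKAGES):
    """Map each Notify subkey to its DLL and whether it is a stock package."""
    prefix = NOTIFY_PATH.lower() + "\\"
    result = {}
    for path, values in parse_reg_export(text).items():
        if not path.lower().startswith(prefix):
            continue
        sub = path[len(prefix):]
        # The log spells it both "DllName" and "DLLName"; registry value
        # names are case-insensitive, so match accordingly.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        result[sub] = {"dll": dll,
                       "stock": sub.lower() in stock,
                       "asynchronous": bool(values.get("Asynchronous", 0))}
    return result


if __name__ == "__main__":
    for name, info in review_notify(SAMPLE_EXPORT).items():
        tag = "stock" if info["stock"] else "third-party: tie to an installed product"
        print(f"{name:14} {str(info['dll']):36} {tag}")
```

Run against the full export from the log, the parser reports NavLogon, PCANotify and WRNotifier as the non-stock packages, which is the same set the HijackThis O20 lines later in the thread show, since HijackThis also hides the stock entries.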

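The "Files Found" listing in the same log mixes patched Microsoft DLLs with three 8.3-mangled names (dnro01~1.dll, m6nqlg~1.dll, vqxmlrpc.dll) that carry system and read-only attributes, were written within days of the scan, and are all about 235 KB. As an added example, not a tool from this thread, here is a Python triage of that listing format that combines three weak heuristics and only escalates files that trip more than one. The sample lines are taken from the posted listing; the scan date and the attribute interpretation are assumptions. Note that a single heuristic also fires on gdi32.dll (size) and wrlogo~1.dll (recent), which is why the overlap, not any one signal, is what gets sent for verification.

```python
"""Triage a system32 file listing of the kind shown in the posted log
(added example; not a tool from the thread)."""
import re
from datetime import datetime, timedelta

# name  dow mon day year h:m:s[ap]  attrs  bytes  size unit
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} (?P<stamp>\w{3} +\d+ \d{4} \d+:\d{2}:\d{2}[ap]) "
    r"(?P<attrs>[A-Z.]{5}) (?P<bytes>[\d,]+) [\d.]+ [KM]$")

SCAN_DATE = datetime(2005, 11, 21)   # assumed date of the scan

# Sample input: eight lines taken from the listing posted above.
SAMPLE_LISTING = """\
atmtd.dll Fri Nov 11 2005 10:17:54p A.... 687,592 671.48 K
catsrv.dll Mon Sep 5 2005 3:18:46a A.... 165,648 161.77 K
dnro01~1.dll Fri Nov 18 2005 7:04:46p ..S.R 235,855 230.32 K
gdi32.dll Fri Oct 7 2005 1:19:38a A.... 233,744 228.27 K
m6nqlg~1.dll Wed Nov 16 2005 4:35:00p ..S.R 237,020 231.46 K
spmsg.dll Mon Oct 10 2005 12:31:28a ..... 13,536 13.22 K
vqxmlrpc.dll Wed Nov 16 2005 4:35:02p ..S.R 235,464 229.95 K
wrlogo~1.dll Wed Nov 16 2005 2:38:16p A.... 492,544 481.00 K
"""


def parse_listing(text):
    """Return one dict per file line; headers and totals are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = m["stamp"][:-1] + ("PM" if m["stamp"].endswith("p") else "AM")
        entries.append({
            "name": m["name"],
            "mtime": datetime.strptime(stamp, "%b %d %Y %I:%M:%S%p"),
            # Assumption: the field is a set of A/H/S/R flags; position ignored.
            "attrs": set(m["attrs"]) - {"."},
            "size": int(m["bytes"].replace(",", "")),
        })
    return entries


def size_cluster(entries, tolerance=0.02, min_members=3):
    """Names of files whose size is within `tolerance` of at least
    `min_members` files (itself included): drop-ins from one family are
    often near-identical in size. Noisy on its own, see gdi32.dll."""
    names = set()
    for a in entries:
        near = [b["name"] for b in entries
                if abs(b["size"] - a["size"]) <= tolerance * a["size"]]
        if len(near) >= min_members:
            names.update(near)
    return names


def triage(text, as_of=SCAN_DATE, recent_days=14):
    """Return {name: [reasons]} for every file that trips at least one heuristic."""
    entries = parse_listing(text)
    clustered = size_cluster(entries)
    findings = {}
    for e in entries:
        reasons = []
        flags = e["attrs"] & {"H", "S", "R"}
        if flags:   # hidden/system/read-only is unusual for a DLL in system32
            reasons.append("attributes " + "".join(sorted(flags)))
        if timedelta(0) <= as_of - e["mtime"] <= timedelta(days=recent_days):
            reasons.append(f"modified within {recent_days} days")
        if e["name"] in clustered:
            reasons.append("size cluster")
        if reasons:
            findings[e["name"]] = reasons
    return findings


def suspects(text, as_of=SCAN_DATE, min_reasons=2):
    """Names that trip at least `min_reasons` heuristics; verify each against
    a known-good inventory or the vendor before acting on it."""
    return {n for n, r in triage(text, as_of).items() if len(r) >= min_reasons}


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{name:14} {', '.join(reasons)}")
    print("verify:", sorted(suspects(SAMPLE_LISTING)))
```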


#11
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, arepark.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Please reboot after that.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double-click the second.bat file to continue with the fix.

Please post back the SpySweeper log, the L2MFix log, and a new Hijackthis log.

#12
arepark

    New Member

  • Topic Starter
  • Member
  • 9 posts
OK, I did as directed and here is what I noticed.
First, when SpySweeper starts its scan, an IE window opens with an address of 'about:blank'. Is this normal?
Second, when I ran L2MFix, it performed as explained until after the reboot. It scanned and did its thing and then I got my login prompt and then all I got was my background, no icons, no task bar, just a blank screen. :tazz: Nothing else happened. I tried Ctrl-Alt-Del and got the Task Manager, so I restarted again. So I never saw the log from L2MFix. I looked to see if it had saved it, but could not find anything. I did see that it identified at least three files when it was scanning though, if that helps. Here are the SpySweeper and HijackThis logs.

********
9:58 PM: | Start of Session, Monday, November 21, 2005 |
9:58 PM: Spy Sweeper started
9:58 PM: Sweep initiated using definitions version 556
9:58 PM: Starting Memory Sweep
10:00 PM: Memory Sweep Complete, Elapsed Time: 00:01:22
10:00 PM: Starting Registry Sweep
10:00 PM: Registry Sweep Complete, Elapsed Time:00:00:42
10:00 PM: Starting Cookie Sweep
10:00 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:00 PM: Starting File Sweep
10:22 PM: Warning: Failed to access drive D:
10:22 PM: Warning: Failed to access drive D:
10:22 PM: File Sweep Complete, Elapsed Time: 00:21:47
10:22 PM: Full Sweep has completed. Elapsed time 00:24:01
10:22 PM: Traces Found: 0
********
9:57 PM: | Start of Session, Monday, November 21, 2005 |
9:57 PM: Spy Sweeper started
9:58 PM: | End of Session, Monday, November 21, 2005 |


Logfile of HijackThis v1.99.1
Scan saved at 8:28:56 AM, on 11/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\oodag.exe
C:\Program Files\R-Undelete20\rloginsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
D:\ToolBox\Reg-Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aiu...ferer=&logout=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\winnt\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: R-Studio Login Server - Unknown owner - C:\Program Files\R-Undelete20\rloginsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)

#13
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, arepark.

Please open Hijackthis, scan, and place a checkmark by the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all open windows/browsers and click Fix Checked.

How is your system running now?

#14
arepark

    New Member

  • Topic Starter
  • Member
  • 9 posts
:) :tazz: You Rock!!
Not only have the popups been eliminated, it seems to run a lot faster. Thank you so much for all of your help.

Ron

#15
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, arepark. :tazz:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
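The Internet zone settings in the "Make your Internet Explorer more secure" step above are stored as URL-action values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, so they can be audited without clicking through the dialog. The following is an added example, not from this thread: a Python audit that compares those values with the settings the post recommends and, on Windows, reads the live values. The action IDs and the 0/1/3 encoding (Enable/Prompt/Disable) are the ones Microsoft documents for the Zones key and are an assumption to verify on your IE version; the permissive and hardened sample dictionaries are constructed.

```python
"""Audit the Internet zone (zone 3) URL-action values that the post above
asks the user to change (added example, not from the thread).

Assumption: the action IDs and the 0/1/3 encoding (Enable/Prompt/Disable)
are the ones Microsoft documents for the Zones registry key; verify them
against your IE version before relying on the audit."""

ACTION = {"Enable": 0, "Prompt": 1, "Disable": 3}
LABEL = {v: k for k, v in ACTION.items()}
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# action id -> (setting as shown in the IE dialog, value the post recommends)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", "Prompt"),
    "1004": ("Download unsigned ActiveX controls", "Disable"),
    "1201": ("Initialize and script ActiveX controls not marked as safe", "Disable"),
    "1800": ("Installation of desktop items", "Prompt"),
    "1804": ("Launching programs and files in an IFRAME", "Prompt"),
    "1607": ("Navigate sub-frames across different domains", "Prompt"),
}

# Constructed samples: a fully permissive zone and one set as recommended.
PERMISSIVE = {aid: ACTION["Enable"] for aid in RECOMMENDED}
HARDENED = {aid: ACTION[wanted] for aid, (_, wanted) in RECOMMENDED.items()}


def audit(current):
    """Compare {action_id: int} against RECOMMENDED.
    Returns a list of (action_id, description, found_label, wanted_label)
    for every setting that is missing or differs from the recommendation
    (a stricter value is reported too, so review rather than blindly apply)."""
    findings = []
    for aid, (desc, wanted) in RECOMMENDED.items():
        found = current.get(aid)
        if found != ACTION[wanted]:
            label = "unset" if found is None else LABEL.get(found, str(found))
            findings.append((aid, desc, label, wanted))
    return findings


def read_zone(zone_key=ZONE_KEY):
    """Read the live values on Windows; returns {} on other platforms so the
    audit logic can still be exercised on a dict."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, zone_key) as key:
        for aid in RECOMMENDED:
            try:
                values[aid], _ = winreg.QueryValueEx(key, aid)
            except FileNotFoundError:
                pass               # value not present: reported as "unset"
    return values


if __name__ == "__main__":
    live = read_zone() or PERMISSIVE     # fall back to the sample off Windows
    for aid, desc, found, wanted in audit(live):
        print(f"{aid}: {desc}: found {found}, set to {wanted}")
```

A value that is absent from the per-user key is reported as "unset" rather than silently treated as Enable, because IE then falls back to the zone template or to the machine-wide key, and the audit cannot tell which applies without reading those as well.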
