Virus/Malware Infection [RESOLVED]


  • This topic is locked

#1
Die4me

My comp is infected with viruses and malware. Below are 3 logs -- Hijackthis, Online Panda Scan, and Ewido full scan in safe mode. The Ewido scan did not remove the major virus nor did the free version of AVG. Edit: Just ran the avast virus scan and it removed 2 files but the majority of the problems are still there.

Incident Status Location

Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-288a861f.zip[InstallerApplet.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\jrl.jar-46a38335-612a4bf6.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\jrl.jar-46a38335-612a4bf6.zip[NewURLClassLoader.class]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e83161f-303afd8d.zip[Worker.class]
Possible Virus. Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e83161f-303afd8d.zip[javautil.zip]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e83161f-4984ac4b.zip[Worker.class]
Possible Virus. Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e83161f-4984ac4b.zip[javautil.zip]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e831620-5991091d.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e831620-5991091d.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e831620-5991091d.zip[NudeBox.class]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e831620-5991091d.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e831620-5991091d.zip[VerifierBug.class]
Virus:Trj/Downloader.EAA Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-3e831620-5991091d.zip[bot.exe]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-6bee11d0-361ea068.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-6bee11d0-361ea068.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-6bee11d0-361ea068.zip[NudeBox.class]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-6bee11d0-361ea068.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-6bee11d0-361ea068.zip[VerifierBug.class]
Virus:Trj/Downloader.EAA Not disinfected C:\Documents and Settings\Phill\.jpi_cache\jar\1.0\menu.jr-6bee11d0-361ea068.zip[bot.exe]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d73f6a9-2955c8bf.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d73f6a9-2955c8bf.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d73f6a9-2955c8bf.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d73f6a9-2955c8bf.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-27bb3b03-55373495.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-27bb3b03-55373495.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-27bb3b03-55373495.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-27bb3b03-55373495.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3856d8e8-15593af5.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3856d8e8-15593af5.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3856d8e8-15593af5.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3856d8e8-15593af5.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6680b922-5a1ec57d.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6680b922-5a1ec57d.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6680b922-5a1ec57d.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6680b922-5a1ec57d.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5d45dd39-14e88869.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5d45dd39-14e88869.zip[NewURLClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jrl.jar-70b9958a-1624f48a.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jrl.jar-70b9958a-1624f48a.zip[NewURLClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv402.jar-6634168d-7fd32857.zip[Matrix.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv402.jar-6634168d-7fd32857.zip[Counter.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv402.jar-6634168d-7fd32857.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv402.jar-6634168d-7fd32857.zip[Parser.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-267741e1.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-267741e1.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-267741e1.zip[NudeBox.class]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-267741e1.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-267741e1.zip[VerifierBug.class]
Virus:Trj/Downloader.EAA Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-267741e1.zip[bot.exe]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-5c71dc77.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-5c71dc77.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-5c71dc77.zip[NudeBox.class]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-5c71dc77.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-5c71dc77.zip[VerifierBug.class]
Virus:Trj/Downloader.EAA Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-5c71dc77.zip[bot.exe]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-7f207ac3.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-7f207ac3.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-7f207ac3.zip[NudeBox.class]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-7f207ac3.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-7f207ac3.zip[VerifierBug.class]
Virus:Trj/Downloader.EAA Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-16042425-7f207ac3.zip[bot.exe]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-473001be-5f9b6004.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-473001be-5f9b6004.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-473001be-5f9b6004.zip[NudeBox.class]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-473001be-5f9b6004.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-473001be-5f9b6004.zip[VerifierBug.class]
Virus:Trj/Downloader.EAA Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-473001be-5f9b6004.zip[bot.exe]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7dbad855-751a8205.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7dbad855-751a8205.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7dbad855-751a8205.zip[NudeBox.class]
Virus:Trj/ClassLoader.P Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7dbad855-751a8205.zip[Worker.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7dbad855-751a8205.zip[VerifierBug.class]
Virus:Trj/Agent.AII Not disinfected C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7dbad855-751a8205.zip[javautil.zip]
Adware:adware/delfinmedia Not disinfected C:\keys.ini
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\InetGet\mc-58-12-0000137.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\InetGet\mc-58-12-0000140.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\InetGet2\mc-58-12-0000137.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\InetGet2\mc-58-12-0000140.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\mc-58-12-0000137.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\mc-58-12-0000140.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
Possible Virus. Not disinfected C:\Program Files\Internet Explorer\eppmkbuj.exe
Possible Virus. Not disinfected C:\Program Files\Internet Explorer\gcfyjmeg.exe
Possible Virus. Not disinfected C:\Program Files\Internet Explorer\yiqa.exe
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\biini.inf
Adware:adware/searchtheweb Not disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Adware:adware/keenvalue Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:adware/wupd Not disinfected C:\WINDOWS\system32\ide21201.vxd
Adware:adware/portalscan Not disinfected C:\WINDOWS\system32\winupdt.008
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll


Logfile of HijackThis v1.99.1
Scan saved at 9:10:44 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Phill\Desktop\spyware eliminators\spyware eliminators\hijackthis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.249.72.188:80
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:35:31 PM, 11/24/2005
+ Report-Checksum: C8346D06

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AF8B3C81-CD19-45FB-B6BE-160D27711DE8}\TypeLib\\ -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\GSDA.GSDACtl\CLSID\\ -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Classes\GSDA.GSDACtl.1\CLSID\\ -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{19C8E563-D989-47CE-BED8-EA72B5EB62D6}\TypeLib\\ -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543}\TypeLib\\ -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6F59D850-A155-4930-98AE-689A2BC7B8E8}\TypeLib\\ -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F}\TypeLib\\ -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute.1 -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute.1\CLSID\\ -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj.1 -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj.1\CLSID\\ -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\SideFind -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gsda.dll\\.Owner -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gsda.dll\\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKU\S-1-5-21-776561741-261478967-725345543-1003\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-21-776561741-261478967-725345543-1003\Software\IST -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-776561741-261478967-725345543-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-776561741-261478967-725345543-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-776561741-261478967-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-776561741-261478967-725345543-1003\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKU\S-1-5-21-776561741-261478967-725345543-1003\Software\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-776561741-261478967-725345543-1003_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
:mozilla.10:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\obx3n0qj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

: m o z i l l a . 3 8 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A t d m t : C l e a n e d w i t h b a c k u p

: m o z i l l a . 3 9 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 0 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 1 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 2 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 3 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 4 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 5 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 6 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 7 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 8 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 4 9 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 5 0 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 5 1 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

: m o z i l l a . 5 2 : C : \ D o c u m e n t s a n d S e t t i n g s \ G u e s t \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ o b x 3 n 0 q j . d e f a u l t \ c o o k i e s . t x t - > S p y w a r e . C o o k i e . A d v e r

Edited by Die4me, 25 November 2005 - 10:30 PM.


#2
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
Hi Die4me, Welcome to GTG !! :tazz:
Sorry for the delay in reviewing your post !

You may wish to print out a copy of these instructions to follow while you complete this procedure
Some of these instructions you may have already done but I would like you to try them again as it has been a while !!

Show Hidden Files :
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Since it has been so long, let's begin by downloading and running a few programs to help clean things up :

Download and Install Ewido Security Suite© by Ewido Networks
When installing, under "Additional Options" uncheck :

"Install background guard"
"Install scan via context menu"


Launch Ewido; there should be an icon on your desktop. Double-click it.
The program will now go to the main screen
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click Update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido Manual Updates
Close Ewido when updates finish

Download and Install CCleaner© by CCleaner.com

Run Ewido Security Suite
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans ewido is finding cases of false positives. **See Below**

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report.txt file to your desktop.

Close Ewido Security Suite

Run CCleaner
SETUP
DO NOT USE THE ISSUES TAB!!!!
Open CCleaner
Options, Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours" (for cleaning malware files!)

Options, Settings: Check "Run CCleaner when system starts" (optional)
Options, Settings: Check "Add 'Run Cleaner' option to Recycle Bin context menu" (optional)

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Options>CustomFolders>Add Folder>Navigate to these folders (click on bold folder once and hit OK) :
(Depending on Operating System and/or Browser, some of the following folders may not be present)
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Windows\System32\config\systemprofile\cookies
* C:\Windows\System32\config\systemprofile\localsettings\Temp
* C:\Windows\System32\config\systemprofile\localsettings\Temporary Internet Files
* C:\Program Files\Firefox\Profiles\<user>\<num>\Cache
* C:\Program Files\Opera\Cache4
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp
* C:\Documents and Settings\<user>\Application Data\Firefox\Profiles\<user>\<num>\Cache
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK
In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders
Then click on Run Cleaner
Put check in box to not show message again.
It will automatically clean.

Close out CCleaner

Please run ONE of these Online Virus Scans :

TrendMicro Housecall
Note: you must use Internet Explorer, other browsers will not work.
Under "Scan your PC", please click Scan now. It's free!
Select your location and click the Go button.
Click the red magnifying glass button.
Select Complete Scan.
Please be patient while Housecall downloads.
Please allow the ActiveX Control and when prompted click install
Put a check next to My Computer
Leave the following checked:
Scan for Spyware
Check security vulnerabilities

Click the Next button.
It will download the latest scan engine and pattern files.
When the definitions have been downloaded, the scan will start.
After it's done scanning it will take you to the summary page.
Click the Next button.
Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
Click the Next button to move onto the recovery (final) portion of the scan.
After everything has been removed, please click the show button on everything.
Highlight all of the text and press CTRL + C to copy the text.
Open Notepad, hit Ctrl + V to Paste

OR

Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Reboot, run HijackThis and post a fresh HijackThis Log, the Ewido Log, and the Virus Scan Log here

Thank You !!

#3
Die4me

    Banned

  • Topic Starter
  • Banned
  • 56 posts
Followed all the steps. Still getting popup advertisements and many programs won't launch. Other virus programs I've tried were AVG, Avast, Anti Vir, and Panda. Here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:38:43 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Phill\Desktop\spyware eliminators\spyware eliminators\hijackthis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.249.72.188:80
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:52:23 PM, 11/29/2005
+ Report-Checksum: 91953365

+ Scan result:

C:\Program Files\Spybot - Search & Destroy\Includes\Hosts.sbs -> Trojan.Qhost.ew : Cleaned with backup


::Report End


Virus Scan 0 virus cleaned, 4 viruses deleted


Results:We have detected 4 infected file(s) with 4 virus(es) on your computer: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 4 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Program Files\Common Files\InetGet\mc-58-12-0000137.exe TROJ_DLOADER.ZT Deletion successful
C:\Program Files\Common Files\InetGet\mc-58-12-0000140.exe TROJ_DLOADER.ZT Deletion successful
C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe TROJ_DLOADER.ZT Deletion successful
C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe TROJ_DLOADER.ZT Deletion successful




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:We have detected 0 Trojan horse program(s) and worm(s) on your computer: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable






Spyware Check 2 spyware programs removed

What we checked:Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:We have detected 2 spyware(s) on your computer: - 0 spyware(s) passed, 0 spyware(s) no action available
- 2 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
ADW_MEDTICKS.A Adware Removal successful
ADW_GAMESPY.A Adware Removal successful




Microsoft Vulnerability Check No vulnerability detected

What we checked:Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:We have detected 0 vulnerability/vulnerabilities on your computer.

Edited by Die4me, 29 November 2005 - 06:04 PM.


#4
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
Go to control panel and double click on the java plug-in icon.

Click the Cache tab.
Click the Clear JAR Cache button.

Add these folders in BOLD to the CCleaner Custom folders then run CCleaner :

C:\Documents and Settings\Phill\.jpi_cache\jar\1.0
C:\Documents and Settings\Phill\Application Data\Sun\Java\Deployment\cache


Download and install Ad-aware SE© by Lavasoft
NOTE: If you have a previous version of Ad-Aware installed, during the installation of the new version (1.06) you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.

Setup & Run AdAwareSE
Close ALL windows except Ad-Aware SE.

Click on the world icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

Once the update is finished click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window:

In the General window make sure the following are selected in green:

Under Safety:
Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

Under Definitions:
Prompt to update outdated definitions - set the number of days
Click on the Scanning button on the left and select in green:

Under Driver, Folders & Files:
Scan Within Archives

Under Select drives & folders to scan:
Choose all hard drives

Under Memory & Registry:all green
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file

Click on the Advanced button on the left and select in green:

Under Shell Integration:
Move deleted files to recycle bin

Under Logfile Detail Level:all green
include additional object information
DESELECT - include negligible objects information
include environment information

Under Alternate Data Streams:
Don't log streams smaller than 0 bytes
Don't log ADS with the following names: CA_INOCULATEIT

Click the Tweak button and select in green:

Under Scanning Engine:
Unload recognized processes during scanning
Scan registry for all users instead of current user only

Under Cleaning Engine:
Let Windows remove files in use at next reboot

Under Log Files:
Include basic Ad-aware SE settings in logfile
Include additional Ad-aware SE settings in logfile
Please do not check: Include Module list in logfile

Click on Proceed to save the settings.

Click Start

Choose Perform Full System Scan

DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Click on Next and check all the boxes in the window

Click Next and OK to remove

Close AdawareSE


Run a fresh HijackThis log and post it here. Let us know if the popups still exist.

Edited by Linkmaster, 29 November 2005 - 07:10 PM.


#5
Die4me

    Banned

  • Topic Starter
  • Banned
  • 56 posts
There seems to be a problem with java. I couldn't select anything in the menu until I manually deleted those two entries with CCleaner. After I cleared the cache, I've been having off and on problems with this site (my assistant doesn't work, different skin type).

I ran ad-aware and it found 10 bad entry keys. I'm still getting the internet explorer pop-ups after following all those steps. Also I can't play a cd game (roller coaster tycoon). It never loads.

Logfile of HijackThis v1.99.1
Scan saved at 9:57:03 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Phill\Desktop\spyware eliminators\spyware eliminators\hijackthis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.249.72.188:80
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

Edited by Die4me, 29 November 2005 - 09:44 PM.
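
The two HijackThis logs posted so far differ in ways that are easy to miss by eye. The following is an added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log format shown here that diffs the running-process lists of two logs and surfaces a few entries for manual review. The review rules in `triage` are assumptions of this example, not HijackThis's own classification, and the embedded logs are trimmed excerpts of the ones above.

```python
import re

# Trimmed excerpt of the 6:38:43 PM HijackThis log posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:38:43 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.249.72.188:80
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
"""

IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# The 9:57:03 PM log has one more running process than the earlier one.
LOG_AFTER = LOG_BEFORE.replace("6:38:43 PM", "9:57:03 PM").replace(
    "firefox.exe\n", "firefox.exe\n" + IEXPLORE + "\n")

# HijackThis entries start with a section code such as R1, O9 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into header fields, processes and entries."""
    log = {"header": {}, "processes": [], "entries": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            # A blank line after at least one process ends the process list.
            if log["processes"]:
                in_procs = False
            continue
        match = ENTRY_RE.match(line)
        if match:
            log["entries"].append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            log["processes"].append(line)
        elif ": " in line:
            key, value = line.split(": ", 1)
            log["header"][key] = value
    return log


def triage(log):
    """Return (code, reason) pairs worth a manual look.

    These rules are this example's assumptions, not a verdict of infection.
    """
    findings = []
    if "Unable to get" in log["header"].get("MSIE", ""):
        findings.append(("header", "HijackThis could not read the IE version; "
                                   "check the IE installation"))
    for code, body in log["entries"]:
        if code == "R1" and "ProxyServer" in body:
            value = body.partition("=")[2].strip()
            findings.append((code, "system proxy is set to " + value +
                                   "; confirm the user configured it"))
        elif code == "O23":
            reasons = []
            if "Unknown owner" in body:
                reasons.append("unknown owner")
            if body.endswith("(file missing)"):
                reasons.append("binary missing on disk")
            if reasons:
                findings.append((code, ", ".join(reasons) + ": " + body))
    return findings


def new_processes(before, after):
    """Processes present in the later log only (Windows paths ignore case)."""
    seen = {p.lower() for p in before["processes"]}
    return [p for p in after["processes"] if p.lower() not in seen]


if __name__ == "__main__":
    first, second = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for code, reason in triage(second):
        print(code, "->", reason)
    for proc in new_processes(first, second):
        print("new process since previous log:", proc)
```
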


#6
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
The folders I had you add in CCleaner just cleaned them out. It should have removed the entries in your first post!
I assume that was the Avast Scan ??
If it was, run Avast again and save the log

What Antivirus are you running??
I don't see it running??

Make sure you still can see hidden files and folders as in my first post

Go to Start, ControlPanel, Add/Remove Programs, uninstall the following : (if present)

InetGet
BookedSpace
KeenValue
SaHAgent
SearchTheWeb
PortalScan


Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Open Windows Explorer, locate and Delete the following files in BOLD : (if present)

C:\keys.ini
C:\Program Files\Common Files\mc-58-12-0000137.exe
C:\Program Files\Common Files\mc-58-12-0000140.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
C:\Program Files\Internet Explorer\eppmkbuj.exe
C:\Program Files\Internet Explorer\gcfyjmeg.exe
C:\Program Files\Internet Explorer\yiqa.exe
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\system32\Cache\mswinstall.exe
C:\WINDOWS\system32\drivers\etc\hosts.bho
C:\WINDOWS\system32\ide21201.vxd
C:\WINDOWS\system32\winupdt.008
C:\WINDOWS\system32\xmltok.dll


While Windows Explorer is still open, locate and Delete the following folders in BOLD : (if present)

C:\Program Files\Common Files\InetGet
C:\Program Files\Common Files\InetGet2
C:\Program Files\BetterInternet
C:\Program Files\KeenValue
C:\Program Files\SaHAgent
C:\Program Files\PortalScan
C:\Program Files\SearchTheWeb
C:\Program Files\BookedSpace


Reboot to Normal Mode

Open HijackThis

Click on Config... button on bottom right

Click on Misc Tools

In the Startup List section at top check :

List also minor sections (full)
List empty sections (complete)


Click on Generate StartupList Log

Answer yes and Copy the entire contents of the Notepad file and Paste it here along with the Avast Scan log and any files or folders you could not delete

Edited by Linkmaster, 30 November 2005 - 07:05 AM.


#7
Die4me

    Banned

  • Topic Starter
  • Banned
  • 56 posts

I assume that was the Avast Scan ??
If it was, run Avast again and save the log

The most recent virus scan I posted was Trend Micro. If you're talking about the first post, then yes it probably was Avast. I ran Avast, Trend Micro, and AVG again and all three showed no viruses. I didn't bother searching for the logs since they all showed 0 infections.

I don't usually have anti-virus software running in the background unless I'm surfing the web. The only questionable entry I wasn't sure of was C:\keys.ini. There is a file called keys without the ini and it says "configuration settings" so I didn't delete it. Here is the startup list for hijackthis.

StartupList report, 12/1/2005, 3:02:02 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Phill\Desktop\spyware eliminators\spyware eliminators\hijackthis2\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Unable to get Internet Explorer version!
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Phill\Desktop\spyware eliminators\spyware eliminators\hijackthis2\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Phill\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...kr.cab31267.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.t...all/xscan60.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zon...er.cab31267.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://groups.msn.co...UC/MsnPUpld.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[MSN File Upload Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MsnUpld.dll
CODEBASE = http://sc.groups.msn...eUC/MsnUpld.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/...ro.cab34246.cab

[Java Plug-in 1.4.0]
InProcServer32 = C:\Program Files\Java\j2re1.4.0\bin\npjpi140.dll
CODEBASE = http://java.sun.com/...tall-14-win.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[WheelofFortune Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
CODEBASE = http://messenger.zon...oF.cab31267.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (disabled)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (disabled)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (disabled)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CWShredder Service: C:\Documents and Settings\Phill\Desktop\cwshredder.exe service (disabled)
d347bus: system32\DRIVERS\d347bus.sys (system)
d347prt: System32\Drivers\d347prt.sys (system)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
ENTECH: \??\C:\WINDOWS\system32\DRIVERS\ENTECH.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: system32\DRIVERS\fetnd5bv.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: System32\DRIVERS\fetnd5.sys (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5b.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
Intel USB Video Camera III: System32\Drivers\Icam3.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (disabled)
InCdPass: System32\DRIVERS\InCDPass.sys (system)
InCD File System Service: C:\Program Files\Ahead\InCD\InCDsrv.exe (disabled)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
iteio: \??\C:\WINDOWS\System32\drivers\iteio.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mbmiodrvr: \??\C:\WINDOWS\system32\mbmiodrvr.sys (system)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Panda Process Protection Driver: \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (autostart)
Panda Process Protection Service: "C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe" (autostart)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (disabled)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
rdsdrv: system32\DRIVERS\rdsdrv.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B3237F01-2671-4383-91DA-9D8D629505CE} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \??\C:\WINDOWS\system32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaidexp.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
VNC Server: "C:\Program Files\ORL\VNC\WinVNC.exe" -service (disabled)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BuddyVM: \??\C:\Program Files\VMLaunch\BuddyVM.sys (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 35,402 bytes
Report generated in 0.218 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
#8
Linkmaster
How is your system running now?

Are you still getting the popups?

Any program problems?

**Turn off System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check "Turn off System Restore"
Click Apply, then click OK and Reboot

**Turn ON System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check "Turn off System Restore"
Click Apply, then click OK and Reboot

Edited by Linkmaster, 01 December 2005 - 06:47 PM.

#9
Die4me
Sorry to report I'm still getting Internet Explorer popups and my CD games still won't work. I do want to mention one thing: When I press alt+ctrl+del and view my processes, I noticed there is svchost.exe under local services (wasn't there before). When I try to close it, it just reopens.

I uninstalled that Java plugin update. Java apps are running a lot smoother now.
I never had system restore enabled to begin with.

Edited by Die4me, 01 December 2005 - 11:03 PM.

#10
Linkmaster
The svchost.exe is a legit file

In your last HijackThis log it shows you have AVG and Avast running! Stop one of those because they only cause conflicts with each other when they run together.

Download ISTBar Removal Tool© by Symantec
Run it and let it fix what it finds.

Go to Start, Run, type in services.msc then hit OK
Find and Right click on :

BuddyVM or VMLaunch (if present) and click on Stop

Right click again and select Properties
In the middle of the box click the down arrow and select Disable
Select Apply and OK close services

Are the popups occuring in Firefox as well??

What is the error the game is giving you (if any) ??

Reboot and post a fresh HijackThis log here
  • 0

#11
Die4me

    Banned

  • Topic Starter
  • Banned
  • 56 posts
The istbar tool didn't find anything.

The BuddyVM program you mention is a problem I believe. Although we never actually found it, people in the XP forum think that's why my comp would get bad start ups every so many loads. I'm not sure if that's the case here though.

I went to the services.msc list and it's not there (never was).

The popups I'm getting are from internet explorer. I'll be using FF but the ads will come up through IE. One of the CDs will bring up the menu and when you click play it simply won't load. The other one will load, stall for a very long time, then freeze. I attached one of the popup windows I get. They range from blockbuster to winfixer.

Logfile of HijackThis v1.99.1
Scan saved at 3:18:01 PM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Phill\Desktop\spyware eliminators\spyware eliminators\hijackthis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.249.72.188:80
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0\bin\npjpi140.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0\bin\npjpi140.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

Attached Thumbnails

  • ads.JPG

Edited by Die4me, 02 December 2005 - 02:32 PM.

  • 0
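A triage pass over the HijackThis log in the post above, as an added example that is not part of the original thread: it flags the IE proxy entry, services whose binary is missing or unattributed, and any svchost.exe running outside system32. The function names and the heuristics are assumptions of this example, not HijackThis features or the helper's advice; the sample is an excerpt of the posted log.

```python
import ntpath
import re

# Excerpt copied from the HijackThis log in the post above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.249.72.188:80
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
"""

# HijackThis entry lines look like "<code> - <body>", e.g. "R1 - ..." or "O23 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Assumption: Windows lives in C:\WINDOWS, as every path in this log shows.
SYSTEM32 = r"c:\windows\system32"


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes and not line:
            in_processes = False          # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        else:
            match = ENTRY_RE.match(line)
            if match:
                entries.append((match.group(1), match.group(2)))
    return processes, entries


def triage(text):
    """Return (tag, note) pairs for lines worth checking by hand."""
    processes, entries = parse_log(text)
    findings = []
    if "Unable to get Internet Explorer version" in text:
        findings.append(("MSIE", "IE version could not be read"))
    for path in processes:
        # svchost.exe is a Windows component; a copy outside system32 is suspect.
        if (ntpath.basename(path).lower() == "svchost.exe"
                and ntpath.dirname(path).lower() != SYSTEM32):
            findings.append(("PROC", "svchost.exe outside system32: " + path))
    for code, body in entries:
        if code == "R1" and "ProxyServer" in body and "=" in body:
            proxy = body.split("=", 1)[1].strip()
            findings.append(("R1", "IE proxy is set to " + proxy))
        elif code == "O23":
            name = body.split(" - ")[0]
            if body.endswith("(file missing)"):
                findings.append(("O23", name + ": service binary missing"))
            if " - Unknown owner - " in body:
                findings.append(("O23", name + ": owner could not be read"))
    return findings


if __name__ == "__main__":
    for tag, note in triage(SAMPLE_LOG):
        print(f"{tag:5} {note}")
```

A flagged line is a prompt to verify, not a verdict: a proxy the user set deliberately and a leftover service entry from an uninstalled scanner both show up here.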

#12
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
OK, let's try a couple of things here:

Start, Control Panel, Add/Remove programs
Uninstall : (if present)

VMLaunch
WinFixer


Download SpySweeper© by WebRoot (it's a 30-day free trial)

Click the Download Spy Sweeper Trial link on the right under Spy Sweeper Resources to download the program.
Double-click the file to install it as follows :
Click "Next", read the agreement, Click "Next"
Choose "Custom" click "Next"
Leave the default installation directory as it is, then click "Next"
Uncheck :
"Run SpySweeper at Windows Startup"
"Add Sweep for Spyware to Windows Explorer Context Menu"

Click "Next"
On the following screen you can leave the e-mail address field blank, if you wish
Click "Next"
Finally, click "Install"

Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:

Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits


Uncheck Do not Sweep System Restore Folder

Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish
Exit SpySweeper

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

While Windows Explorer is still open, locate and Delete the following folders in BOLD : (if present)

C:\Program Files\VMLaunch
C:\Program Files\Winfixer


Reboot to Normal Mode and post the SpySweeper Session log here

See if the popups persist

Edited by Linkmaster, 03 December 2005 - 01:34 AM.

  • 0

#13
Die4me

    Banned

  • Topic Starter
  • Banned
  • 56 posts
VmLaunch and Winfixer weren't there. I think spy sweeper did the trick. It kept freezing in normal mode so I had to go into safe mode and delete the objects there. I'm not getting popups anymore and my games load now.

Thanks for your help. I know this problem was probably more challenging than others. For the future, do you know of any program that is like spy sweeper (won't be able to use after 14 days)?

I'll include the log in case you want to find out what it was. Here's a ss of my task manager before I ran spy sweeper. Notice that system resources were 100% but no program was visibly using them. Keep this topic open for a few days just in case any problems arise.

Anyways nice job :tazz:

********
1:48 PM: | Start of Session, Saturday, December 03, 2005 |
1:48 PM: Spy Sweeper started
1:48 PM: Sweep initiated using definitions version 577
1:48 PM: Starting Memory Sweep
1:48 PM: Memory Sweep Complete, Elapsed Time: 00:00:42
1:48 PM: Starting Registry Sweep
1:48 PM: Found Adware: abcsearch
1:48 PM: HKCR\bman.bmanager\ (3 subtraces) (ID = 102391)
1:48 PM: HKCR\bman.ciexplorer\ (3 subtraces) (ID = 102392)
1:48 PM: HKCR\clsid\{408a9e15-a481-4fd1-9c2e-d03f7fc50be6}\ (11 subtraces) (ID = 102394)
1:48 PM: HKCR\clsid\{c7b44349-9060-4d07-8cad-80036c755a8d}\ (11 subtraces) (ID = 102395)
1:48 PM: HKLM\software\classes\bman.bmanager\ (3 subtraces) (ID = 102399)
1:48 PM: HKLM\software\classes\bman.ciexplorer\ (3 subtraces) (ID = 102400)
1:48 PM: HKLM\software\classes\clsid\{408a9e15-a481-4fd1-9c2e-d03f7fc50be6}\ (11 subtraces) (ID = 102402)
1:48 PM: HKLM\software\classes\clsid\{c7b44349-9060-4d07-8cad-80036c755a8d}\ (11 subtraces) (ID = 102403)
1:48 PM: HKLM\software\classes\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\ (8 subtraces) (ID = 102408)
1:48 PM: HKCR\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\ (8 subtraces) (ID = 102413)
1:48 PM: HKCR\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\1.2\helpdir\ (1 subtraces) (ID = 102414)
1:48 PM: Found Adware: bookedspace
1:48 PM: HKLM\software\configuration manager\cfgmgr52\ (2 subtraces) (ID = 104873)
1:48 PM: Found Adware: shopathomeselect
1:48 PM: HKLM\software\ || test (ID = 141678)
1:48 PM: Found Adware: spyanytime
1:48 PM: HKCR\jasonbutton.xpbutton\ (3 subtraces) (ID = 142085)
1:48 PM: HKCR\clsid\{f3c047af-74b1-4c61-9756-92f8d9f11a56}\ (23 subtraces) (ID = 142086)
1:48 PM: HKCR\interface\{92d590b4-a6b6-4841-9c47-cb8d86bfded0}\ (8 subtraces) (ID = 142087)
1:48 PM: HKCR\interface\{c793dc5a-4494-4c30-93b0-0784604871dc}\ (8 subtraces) (ID = 142088)
1:48 PM: HKCR\typelib\{56acc949-e6ee-4bf7-af56-0a44fede4b42}\ (9 subtraces) (ID = 142089)
1:48 PM: Found Adware: surfsidekick
1:48 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
1:48 PM: Found Adware: websearch toolbar
1:48 PM: HKCR\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (14 subtraces) (ID = 146339)
1:48 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (14 subtraces) (ID = 146402)
1:48 PM: HKLM\software\classes\tbps.plugincfgobj\ (3 subtraces) (ID = 146432)
1:48 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
1:48 PM: HKCR\tbps.plugincfgobj\ (3 subtraces) (ID = 146522)
1:48 PM: Found Adware: winad
1:48 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
1:49 PM: Found Adware: ist software
1:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
1:49 PM: Found Adware: ist yoursitebar
1:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (14 subtraces) (ID = 155047)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\localserver32\ (1 subtraces) (ID = 155049)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\ (5 subtraces) (ID = 155058)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155060)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155062)
1:49 PM: HKLM\software\classes\tbps.plugincfgobj\ (3 subtraces) (ID = 393070)
1:49 PM: HKLM\software\classes\tbps.plugincfgobj\clsid\ (1 subtraces) (ID = 393072)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\localserver32\ || threadingmodel (ID = 393216)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\progid\ (1 subtraces) (ID = 393217)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\typelib\ (ID = 393219)
1:49 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\version\ (1 subtraces) (ID = 393221)
1:49 PM: Found Adware: drsnsrch hijacker
1:49 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
1:49 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
1:49 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
1:49 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
1:49 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
1:49 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
1:49 PM: Found Adware: safesurf
1:49 PM: HKCR\funtools.picshow\ (5 subtraces) (ID = 730902)
1:49 PM: HKCR\funtools.picshow.1\ (3 subtraces) (ID = 730908)
1:49 PM: HKCR\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730924)
1:49 PM: HKLM\software\classes\funtools.picshow\ (5 subtraces) (ID = 730957)
1:49 PM: HKLM\software\classes\funtools.picshow.1\ (3 subtraces) (ID = 730963)
1:49 PM: HKLM\software\classes\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730979)
1:49 PM: HKLM\software\picshow\ (27 subtraces) (ID = 730989)
1:49 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
1:49 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
1:49 PM: Found Adware: maxifiles
1:49 PM: HKCR\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829231)
1:49 PM: HKCR\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829237)
1:49 PM: HKCR\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829253)
1:49 PM: HKLM\software\classes\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829282)
1:49 PM: HKLM\software\classes\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829292)
1:49 PM: HKLM\software\classes\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829298)
1:49 PM: Found Adware: clearsearch
1:49 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
1:49 PM: Found Adware: cws-aboutblank
1:49 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
1:49 PM: Found Adware: drsnsrch.com hijack
1:49 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
1:49 PM: Found Adware: startnow startnow hijack
1:49 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\internet explorer\search\ || local page (ID = 142622)
1:49 PM: Found Adware: winantispyware 2005
1:49 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\winfixer 2005\ (1 subtraces) (ID = 543254)
1:49 PM: Found Adware: tibs dialer
1:49 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\sbitplugin\ (6 subtraces) (ID = 552128)
1:49 PM: Found System Monitor: sc-keylog
1:49 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\classes\applications\main.exe\ (3 subtraces) (ID = 762247)
1:49 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\director\ || baseurl (ID = 980277)
1:49 PM: Registry Sweep Complete, Elapsed Time:00:00:12
1:49 PM: Starting Cookie Sweep
1:49 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:49 PM: Starting File Sweep
1:49 PM: c:\program files\common files\winsoftware (ID = -2147476682)
1:49 PM: c:\documents and settings\all users.windows\application data\msw (4 subtraces) (ID = -2147481510)
1:49 PM: Found Adware: delfin
1:49 PM: c:\documents and settings\all users.windows\application data\dpi (ID = -2147481137)
1:49 PM: c:\program files\common files\dpi (ID = -2147481129)
1:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\spuninst\spuninst.exe". Access is denied
1:58 PM: msw_uninstall.exe (ID = 48573)
2:01 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\spuninst\spuninst.inf". Access is denied
2:03 PM: installerv5.exe (ID = 138283)
2:04 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\wmpcore.dll". Access is denied
2:04 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\msdxm.ocx". Access is denied
2:06 PM: backup-20051007-160247-869.dll (ID = 156267)
2:07 PM: gah95on6.ini (ID = 75741)
2:10 PM: Found Trojan Horse: trojan downloader matcash
2:10 PM: autoit3.exe (ID = 119348)
2:10 PM: Found Adware: apropos
2:10 PM: wingenerics.dll (ID = 50187)
2:12 PM: xpbutton.ocx (ID = 76484)
2:14 PM: bln02nqv.ini (ID = 75683)
2:14 PM: Found System Monitor: potentially rootkit-masked files
2:14 PM: spuninst.exe (ID = 0)
2:14 PM: spuninst.inf (ID = 0)
2:14 PM: wmpcore.dll (ID = 0)
2:14 PM: msdxm.ocx (ID = 0)
2:14 PM: spuninst.txt (ID = 0)
2:17 PM: File Sweep Complete, Elapsed Time: 00:27:48
2:17 PM: Full Sweep has completed. Elapsed time 00:28:56
2:17 PM: Traces Found: 426
2:31 PM: Removal process initiated
2:31 PM: Quarantining All Traces: clearsearch
2:31 PM: Quarantining All Traces: cws-aboutblank
2:31 PM: Quarantining All Traces: potentially rootkit-masked files
2:31 PM: Warning: QF[866]: CmprsF(): Cannot open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\spuninst\spuninst.txt". Cannot acces files that are encrypted, compressed or sparse
2:31 PM: Warning: QF[866]: CmprsF(): Cannot open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\msdxm.ocx". Cannot acces files that are encrypted, compressed or sparse
2:31 PM: Warning: QF[866]: CmprsF(): Cannot open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\wmpcore.dll". Cannot acces files that are encrypted, compressed or sparse
2:31 PM: Warning: QF[866]: CmprsF(): Cannot open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\spuninst\spuninst.inf". Cannot acces files that are encrypted, compressed or sparse
2:31 PM: Warning: QF[866]: CmprsF(): Cannot open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\spuninst\spuninst.exe". Cannot acces files that are encrypted, compressed or sparse
2:31 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
2:31 PM: spuninst.exe is in use. It will be removed on reboot.
2:31 PM: spuninst.inf is in use. It will be removed on reboot.
2:31 PM: wmpcore.dll is in use. It will be removed on reboot.
2:31 PM: msdxm.ocx is in use. It will be removed on reboot.
2:31 PM: spuninst.txt is in use. It will be removed on reboot.
2:31 PM: Quarantining All Traces: sc-keylog
2:31 PM: Quarantining All Traces: trojan downloader matcash
2:31 PM: Quarantining All Traces: websearch toolbar
2:31 PM: Quarantining All Traces: apropos
2:31 PM: Quarantining All Traces: maxifiles
2:31 PM: Quarantining All Traces: surfsidekick
2:31 PM: Quarantining All Traces: tibs dialer
2:31 PM: Quarantining All Traces: abcsearch
2:31 PM: Quarantining All Traces: bookedspace
2:31 PM: Quarantining All Traces: delfin
2:31 PM: Quarantining All Traces: drsnsrch hijacker
2:31 PM: Quarantining All Traces: drsnsrch.com hijack
2:31 PM: Quarantining All Traces: ist software
2:31 PM: Quarantining All Traces: ist yoursitebar
2:31 PM: Quarantining All Traces: safesurf
2:31 PM: Quarantining All Traces: shopathomeselect
2:31 PM: Quarantining All Traces: spyanytime
2:31 PM: Quarantining All Traces: startnow startnow hijack
2:31 PM: Quarantining All Traces: winad
2:31 PM: Quarantining All Traces: winantispyware 2005
2:32 PM: Removal process completed. Elapsed time 00:00:37
********
12:48 PM: | Start of Session, Saturday, December 03, 2005 |
12:48 PM: Spy Sweeper started
12:48 PM: Sweep initiated using definitions version 577
12:49 PM: Starting Memory Sweep
12:50 PM: Memory Sweep Complete, Elapsed Time: 00:01:11
12:50 PM: Starting Registry Sweep
12:50 PM: Found Adware: abcsearch
12:50 PM: HKCR\bman.bmanager\ (3 subtraces) (ID = 102391)
12:50 PM: HKCR\bman.ciexplorer\ (3 subtraces) (ID = 102392)
12:50 PM: HKCR\clsid\{408a9e15-a481-4fd1-9c2e-d03f7fc50be6}\ (11 subtraces) (ID = 102394)
12:50 PM: HKCR\clsid\{c7b44349-9060-4d07-8cad-80036c755a8d}\ (11 subtraces) (ID = 102395)
12:50 PM: HKLM\software\classes\bman.bmanager\ (3 subtraces) (ID = 102399)
12:50 PM: HKLM\software\classes\bman.ciexplorer\ (3 subtraces) (ID = 102400)
12:50 PM: HKLM\software\classes\clsid\{408a9e15-a481-4fd1-9c2e-d03f7fc50be6}\ (11 subtraces) (ID = 102402)
12:50 PM: HKLM\software\classes\clsid\{c7b44349-9060-4d07-8cad-80036c755a8d}\ (11 subtraces) (ID = 102403)
12:50 PM: HKLM\software\classes\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\ (8 subtraces) (ID = 102408)
12:50 PM: HKCR\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\ (8 subtraces) (ID = 102413)
12:50 PM: HKCR\typelib\{a6713e88-e0c0-4e24-a2f3-11067ba30115}\1.2\helpdir\ (1 subtraces) (ID = 102414)
12:50 PM: Found Adware: bookedspace
12:50 PM: HKLM\software\configuration manager\cfgmgr52\ (2 subtraces) (ID = 104873)
12:50 PM: Found Adware: shopathomeselect
12:50 PM: HKLM\software\ || test (ID = 141678)
12:50 PM: Found Adware: spyanytime
12:50 PM: HKCR\jasonbutton.xpbutton\ (3 subtraces) (ID = 142085)
12:50 PM: HKCR\clsid\{f3c047af-74b1-4c61-9756-92f8d9f11a56}\ (23 subtraces) (ID = 142086)
12:50 PM: HKCR\interface\{92d590b4-a6b6-4841-9c47-cb8d86bfded0}\ (8 subtraces) (ID = 142087)
12:50 PM: HKCR\interface\{c793dc5a-4494-4c30-93b0-0784604871dc}\ (8 subtraces) (ID = 142088)
12:50 PM: HKCR\typelib\{56acc949-e6ee-4bf7-af56-0a44fede4b42}\ (9 subtraces) (ID = 142089)
12:50 PM: Found Adware: surfsidekick
12:50 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
12:50 PM: Found Adware: directrevenue-abetterinternet
12:50 PM: HKCR\appid\xparam.dll\ (1 subtraces) (ID = 145766)
12:50 PM: HKCR\appid\{4d980b0a-c3ef-4965-a58f-7f64f3b42e79}\ (1 subtraces) (ID = 145767)
12:50 PM: HKLM\software\classes\appid\xparam.dll\ (1 subtraces) (ID = 145852)
12:50 PM: HKLM\software\classes\appid\{4d980b0a-c3ef-4965-a58f-7f64f3b42e79}\ (1 subtraces) (ID = 145853)
12:50 PM: Found Adware: websearch toolbar
12:50 PM: HKCR\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (14 subtraces) (ID = 146339)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (14 subtraces) (ID = 146402)
12:50 PM: HKLM\software\classes\tbps.plugincfgobj\ (3 subtraces) (ID = 146432)
12:50 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
12:50 PM: HKCR\tbps.plugincfgobj\ (3 subtraces) (ID = 146522)
12:50 PM: Found Adware: winad
12:50 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
12:50 PM: Found Adware: ist software
12:50 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
12:50 PM: Found Adware: ist yoursitebar
12:50 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (14 subtraces) (ID = 155047)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\localserver32\ (1 subtraces) (ID = 155049)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\ (5 subtraces) (ID = 155058)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155060)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155062)
12:50 PM: HKLM\software\classes\tbps.plugincfgobj\ (3 subtraces) (ID = 393070)
12:50 PM: HKLM\software\classes\tbps.plugincfgobj\clsid\ (1 subtraces) (ID = 393072)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\localserver32\ || threadingmodel (ID = 393216)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\progid\ (1 subtraces) (ID = 393217)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\typelib\ (ID = 393219)
12:50 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\version\ (1 subtraces) (ID = 393221)
12:50 PM: Found Adware: drsnsrch hijacker
12:50 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
12:50 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
12:50 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
12:50 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
12:50 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
12:50 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
12:50 PM: Found Adware: safesurf
12:50 PM: HKCR\funtools.picshow\ (5 subtraces) (ID = 730902)
12:50 PM: HKCR\funtools.picshow.1\ (3 subtraces) (ID = 730908)
12:50 PM: HKCR\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730924)
12:50 PM: HKLM\software\classes\funtools.picshow\ (5 subtraces) (ID = 730957)
12:50 PM: HKLM\software\classes\funtools.picshow.1\ (3 subtraces) (ID = 730963)
12:50 PM: HKLM\software\classes\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730979)
12:50 PM: HKLM\software\picshow\ (27 subtraces) (ID = 730989)
12:50 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
12:50 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
12:50 PM: Found Adware: maxifiles
12:50 PM: HKCR\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829231)
12:50 PM: HKCR\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829237)
12:50 PM: HKCR\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829253)
12:50 PM: HKLM\software\classes\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829282)
12:50 PM: HKLM\software\classes\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829292)
12:50 PM: HKLM\software\classes\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829298)
12:50 PM: Found Adware: clearsearch
12:50 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
12:50 PM: Found Adware: cws-aboutblank
12:50 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
12:50 PM: Found Adware: drsnsrch.com hijack
12:50 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
12:50 PM: Found Adware: startnow startnow hijack
12:50 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\internet explorer\search\ || local page (ID = 142622)
12:50 PM: Found Adware: winantispyware 2005
12:50 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\winfixer 2005\ (1 subtraces) (ID = 543254)
12:50 PM: Found Adware: tibs dialer
12:50 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\sbitplugin\ (6 subtraces) (ID = 552128)
12:50 PM: Found System Monitor: sc-keylog
12:50 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\classes\applications\main.exe\ (3 subtraces) (ID = 762247)
12:50 PM: HKU\S-1-5-21-776561741-261478967-725345543-1003\software\director\ || baseurl (ID = 980277)
12:50 PM: Registry Sweep Complete, Elapsed Time:00:00:13
12:50 PM: Starting Cookie Sweep
12:50 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:50 PM: Starting File Sweep
12:50 PM: c:\program files\common files\winsoftware (ID = -2147476682)
12:50 PM: Found Adware: 180search assistant/zango
12:50 PM: c:\windows\system32\msbb (2 subtraces) (ID = -2147480555)
12:50 PM: Found Adware: delfin
12:50 PM: c:\documents and settings\all users.windows\application data\dpi (ID = -2147481137)
12:50 PM: c:\program files\common files\dpi (ID = -2147481129)
12:50 PM: c:\documents and settings\all users.windows\application data\msw (4 subtraces) (ID = -2147481510)
12:52 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\spuninst\spuninst.exe". Access is denied
12:55 PM: msw_uninstall.exe (ID = 48573)
12:57 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\spuninst\spuninst.inf". Access is denied
12:58 PM: installerv5.exe (ID = 138283)
12:59 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\wmpcore.dll". Access is denied
12:59 PM: Warning: Failed to open file "c:\windows\$ntuninstallkb824141$\$ntuninstallq828026$\msdxm.ocx". Access is denied
1:00 PM: backup-20051007-160247-869.dll (ID = 156267)
1:01 PM: gah95on6.ini (ID = 75741)
1:02 PM: npclntax.dll (ID = 146239)
1:03 PM: Found Trojan Horse: trojan downloader matcash
1:03 PM: autoit3.exe (ID = 119348)
1:03 PM: Found Adware: apropos
1:03 PM: wingenerics.dll (ID = 50187)
1:04 PM: xpbutton.ocx (ID = 76484)
1:06 PM: Found Adware: look2me
1:06 PM: apaamon.dll (ID = 65729)
1:06 PM: bln02nqv.ini (ID = 75683)
1:06 PM: npclntax.xpt (ID = 146238)
1:06 PM: Found System Monitor: potentially rootkit-masked files
1:07 PM: index (ID = 0)
1:07 PM: tsbbehci.sys (ID = 0)
1:07 PM: spuninst.exe (ID = 0)
1:10 PM: spuninst.inf (ID = 0)
1:11 PM: cfgrcl32.exe (ID = 0)
1:11 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\program files\reaaimer\cache\000075ec_438ba1fa_000af79e.
1:11 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\program files\reaaimer\cache\000007cf_438a6ef0_000af79e.
1:11 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\program files\reaaimer\cache\00004df2_438d19be_0008be98.
1:11 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\program files\reaaimer\cache\0000366b_438e5d96_00000000.

Edited by Die4me, 03 December 2005 - 02:13 PM.

#14
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
Great! I am glad that fixed the problem!!
Thank you!!

Here are a few tools that I recommend for protecting your system and keeping your system clean!!

Real Time Prevention
SpywareBlaster© by Javacool Software

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program, like a missing file, see the link at the bottom of the Javacool page.

IESpyad© by EHowes: This will add several hundred Restricted Sites to the Restricted Sites zone in IE.

CCleaner© by CCleaner.com is a good app to clean out temp files, cookies, recent folder (Win2000) and Prefetch folder (XP), etc.

Spyware Scanners:
Ad-aware SE© by Lavasoft: Scans your system for spyware and other threats.
a² Scanner© by Emsi Software: Scans for Malware and Trojans on your system.

Good Free Antivirus Programs:
AVG© by Grisoft
Avast© by ALWIL Software
NOTE: Remember to always have just 1 antivirus program running at a time. Having more than one running causes a conflict between the programs!! You can use one as a backup to run manually.

Windows Update:
It's also very important to keep your system up to date to avoid unnecessary security risks.
Windows Update

Firewalls:
If you have an "always on" internet connection, such as DSL or Cable, I recommend a Firewall.
A firewall will make your PC invisible to the outside world and will filter the outgoing and incoming traffic on your PC.
For a good idea of how vulnerable your system(s) are, go to GRC.
Scroll down to "Shields Up", click on "Proceed", then click on "Common Ports" to scan your ports.
Very good Firewall:
ZoneAlarm Firewall© by Zone Labs

These next steps are optional, but will provide the greatest protection
Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness.
Alternative Browsers:
FireFox© by Mozilla
Opera© by Opera Software ASA

Java Plug-in© Sun Microsystems. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the HijackThis folder if everything is working okay.

Always keep your Antivirus & Spyware Removal Tools current with the latest definitions and updates!!

Using these tools and keeping them updated will reduce the risk of future infections!!

Do you have any questions??
  • 0

#15
Die4me

    Banned

  • Topic Starter
  • Banned
  • 56 posts
Just one. Is there another program I can use that is like Spy Sweeper in case something similar ever happens? The free trial I'm using now will expire in 14 days.