Trojan, Win32(?) .dll


30 replies to this topic

#1 Kodiak_Kid (Members, 21 posts; Location: Sonoran Desert)

Posted 02 July 2009 - 08:49 PM

Hello,

First Time caller, long time listener.

So...I'm convinced my work pc has a flu no matter what the tools say. Now this may just be paranoia b/c I recently lost my laptop to malware that all the scanners claimed was clean when it actually had a rootkit w/ 2 keyloggers and 4 tcp/ip things. But my work pc is starting to act unusual, very similar to the way that my infected laptop was, and I did email back and forth b/w my laptop and pc. I've read a number of forums/guides and, while I haven't been able to pinpoint my exact problem, my best guess is that it's some sort of win32 virus/worm, maybe some sort of dropper or downloader? Probably with a rootkit and keylogger (my keyboard feels weird?)...But that's all speculation b/c I'm a newb and honestly have no clue what I'm talking about.

My OS is Windows XP Pro v2002, SP3 and I use Symantec SEP, Spybot SD, windows firewall, firefox, and use wireless internet.

Below is a list of things that I've noticed:

1- Programs that I've never used, and some I didn't even know about, started showing up on my desktop, in the startup tray located at the bottom right hand corner of the screen, and pegged to the start menu. It started with Windows Messenger, which no matter how many times I turn it off always comes back. Then Search Desktop and Indexing showed up, along with Windows Magnifier, Narrator, Speech, and Language tools.

2- Java popped up claiming that it had automatically updated to the newest version but when I checked at the Java website it was actually an old version.

3- Some icons look different or have reverted to an older image. Definitely the Symantec shield.

4- SpyBot SD doesn't catch anything anymore; nothing not even cookies. It used to always catch things.

5- Some browser helper objects and add-ons showed up which I did not install. Specifically, JQSIESStartDetectorImpl Class, and the old Java.

6- Also, I looked around my c:\ drive and there seems to be a large amount of .dll objects that appear to be out of place. All of them seem to have the same creation date. Also, the creation date is five years before my PC was setup. I don't know if that means anything but a lot of the other files/programs/etc have the PC setup date as the creation date.

Below is a list of things I've done:

0- I was going to update java and remove the older versions but thought it best to wait.

1- Changed the security settings in Internet Options

2- Ran a butt load of virus scans: Trend Micro HouseCall, Malwarebytes, Panda ActiveScan, Symantec SEP, Spybot SD, Live OneCare, BitDefender.

2.5- F-Secure just recently found 4 tracking cookies: 2o7, atdmt, Revsci, Atwola and removed them.


Well that's what I'm dealing with. It could be nothing but I would rather be safe than sorry. I would sure appreciate any help to confirm that it's nothing...or even a nice insult telling me I'm a paranoid goober would be relieving.

Thanks!

#2 Guest_superbird_* (Guest)

Posted 05 July 2009 - 04:59 AM

See below.

Edited by superbird, 05 July 2009 - 05:10 AM.


#3 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,575 posts; Location: Romania)

Posted 05 July 2009 - 05:04 AM

Hi Kodiak Kid, and :thumbsup: to BleepingComputer.

First of all, don't panic here, many of the symptoms might be explained easily. Let's take it one step at a time!

You mentioned a lot of DLLs 'out of place'. Don't mess with these, those files might be installed with Windows and deleting them may cause severe problems!!

INSTALL FIREWALL
--------------------------
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (remember to uncheck Install Comodo Antivirus) or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here

Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


UPDATE JAVA
------------------
Your Java might be out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to install the latest update and to remove older Java components:
  • Please visit this site Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
ATF-CLEANER
------------------
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
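The opening post lists a batch of DLLs that share one creation date years before the PC was set up, and Elise's advice is not to delete them. Rather than guess, an analyst would read two things out of each file's PE header: the linker timestamp (a file cannot be created on disk before it was compiled, so a compile time later than the creation time means the creation time was back-dated) and whether an embedded Authenticode signature table is present. The script below is an added example written for this thread, not tooling from the forum or from any of the products mentioned. The PE offsets are from the public PE/COFF specification, build_minimal_pe() produces constructed header-only test images rather than real files, and the timestamps used are arbitrary. One caveat the code also notes: most Windows system DLLs are catalog-signed rather than embedded-signed, so a missing embedded signature on its own proves nothing; a compile timestamp after the creation date is the stronger signal.

```python
"""Triage DLLs that look out of place without deleting them.

Added example for this thread; not tooling from the forum. Two cheap checks
per file, both read from the PE header (offsets per the public PE/COFF spec):
  1. linker TimeDateStamp vs. filesystem creation time: compile > creation
     means the creation time was back-dated (timestomped) or the clock is off;
  2. whether a certificate table (embedded Authenticode signature) exists.
Caveat on (2): most Windows system DLLs are catalog-signed, not embedded-signed,
so "no embedded signature" alone is weak evidence.
build_minimal_pe() returns constructed, non-loadable header-only images for
testing; they are not files from the thread."""
import os
import struct
import datetime as dt

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot of the certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20


def parse_pe(data):
    """Return (coff_timestamp, has_cert_table); ValueError if data is not a PE."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
        opt = coff + COFF_HEADER_SIZE
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == PE32_MAGIC:
            dir_base = opt + 96            # data directories start here in PE32
        elif magic == PE32PLUS_MAGIC:
            dir_base = opt + 112           # ...and here in PE32+
        else:
            raise ValueError("unknown optional header magic 0x%x" % magic)
        _off, size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:
        raise ValueError("truncated PE header")
    return timestamp, size > 0


def assess(name, data, created_ts):
    """Flags for one file given its bytes and filesystem creation time (Unix seconds)."""
    try:
        compile_ts, signed = parse_pe(data)
    except ValueError as err:
        return {"name": name, "flags": ["not-a-pe"], "note": str(err)}
    flags = []
    if not signed:
        flags.append("no-embedded-signature")
    if compile_ts > created_ts + 86400:    # one day of slack for time-zone skew
        flags.append("compiled-after-creation")
    return {"name": name, "flags": flags, "compiled": compile_ts,
            "created": created_ts, "signed": signed}


def cluster_by_creation_day(assessments):
    """Files per creation day (UTC): one installer or one dropper writing a
    batch shows up as a spike, which is the pattern the poster noticed."""
    buckets = {}
    for a in assessments:
        if "created" not in a:
            continue
        day = dt.datetime.fromtimestamp(a["created"], dt.timezone.utc).date().isoformat()
        buckets[day] = buckets.get(day, 0) + 1
    return buckets


def triage_directory(root):
    """Assess every .dll under root. st_birthtime is creation time where the
    platform exposes it; on Windows st_ctime is creation time, on POSIX it is
    the inode-change time, so the comparison is only meaningful on NTFS."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, fn)
            st = os.stat(path)
            created = int(getattr(st, "st_birthtime", st.st_ctime))
            with open(path, "rb") as fh:
                head = fh.read(65536)       # headers sit in the first pages
            results.append(assess(path, head, created))
    return results


def build_minimal_pe(timestamp, signed=False, pe32plus=False):
    """Constructed header-only PE for tests (not loadable, not a real file)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0xE0, 0x2102)
    magic, opt_size = (PE32PLUS_MAGIC, 112) if pe32plus else (PE32_MAGIC, 96)
    opt = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x200)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    import sys
    found = triage_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for r in found:
        if r["flags"]:
            print(r["name"], ", ".join(r["flags"]))
    print("files per creation day:", cluster_by_creation_day(found))
```

Run it in place on the XP box (python triage.py C:\WINDOWS\system32) or on any folder of suspect files; the creation-day buckets answer the poster's "all the same date" question directly, and any file flagged compiled-after-creation is worth submitting to a scanner rather than deleting by hand.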


#4 Kodiak_Kid, Topic Starter (Members, 21 posts; Location: Sonoran Desert)

Posted 06 July 2009 - 02:58 PM

Thank you very much for the response. I will take all suggested actions and respond back with the results later this evening.

#5 Kodiak_Kid, Topic Starter (Members, 21 posts; Location: Sonoran Desert)

Posted 07 July 2009 - 12:54 AM

Hello,

I accomplished most of your recommendations and assume that everything is ok. But bad things always happen when I ASSume. The main issue is that Dr. Web did not produce a scan log. So kinda confused about that. Below is a list of actions I took b/w the last post.

I was able to:
1)Download the newest version of Java and un-install the older version.
2) Download and run ATF Cleaner.
3) Download, update, and scan in safe mode with Dr. Web CureIt. It found no problems.

I was not able to:
1) After Dr. Web finished scanning it did not produce a scan log. And from the menu it would not allow me to check save report list.

I'm confused on one thing:
1) I use Symantec Endpoint Protection that has a firewall. Is it adequate? There is a networking section that allows me to view incoming/outgoing processes. Your advice suggests not to have multiple or conflicting firewalls, does that advice stand regarding SEP's firewall?


Thanks again for your time and help. It is greatly appreciated.

#6 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,575 posts; Location: Romania)

Posted 07 July 2009 - 02:11 AM

Hi Kodiak Kid, I think you were not able to save Dr. Web scan results because it didn't find anything. That's a good thing :trumpet:

If SEP is your only firewall, it's okay. I didn't make the link between SEP and a firewall when I looked at your first post :thumbsup: that's why I posted the information about firewalls. You said you used Windows Firewall and that's not good enough. But I think SEP disabled Windows Firewall automatically (as it should), so everything is all right.

Let's do another scan to see if it comes out clean as well. So far all looks nice :flowers:

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.


Please let me know what the problems are that remain!

regards, Elise


#7 Kodiak_Kid, Topic Starter (Members, 21 posts; Location: Sonoran Desert)

Posted 07 July 2009 - 03:02 AM

Dear Elise 025,

Thank you very much for your quick response!

As it is midnight here and I'm trying to leave work, I'm going to run the full scan w/MBAM overnight and post the log tomorrow. I hope this does not inconvenience you.

Regarding the firewall, for some reason both windows firewall and SEP firewall are activated. This just happened recently b/c when I checked the Windows firewall previously it said that it was "turned off" and "governed by a group policy." Also, I recently noticed in the SEP System Log that tamper protection was disabled by 'System' and then the threat protection was disabled briefly and then re-enabled. So I don't know if that means much. Any insight?

And one more thing (sorry), a different computer that is connected to the same share-drive as this one just got diagnosed with virtumond(?) and the mywebsearch(?) viruses/malware. The tainted computer didn't have SEP and was detected with MBAM and SuperAntiSpyware. What's the chances of cross-pollination? Does the fact that another computer on the network was infected mean that I'm infected by default?

Sorry for all the questions.

Thanks again!

#8 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,575 posts; Location: Romania)

Posted 07 July 2009 - 03:22 AM

No prob at all!

I would recommend you isolate both computers from each other, since infections can spread via a shared drive.

I will await your scan results! You can repeat the steps for the other computer as well if you like. When posting the results, please specify for what machine they are.

regards, Elise


#9 Kodiak_Kid, Topic Starter (Members, 21 posts; Location: Sonoran Desert)

Posted 07 July 2009 - 10:55 PM

Hello again,

Sorry for the delay (boo work!). I have taken your advice and disconnected both of the computers from the share drive. Does it matter if they still use the same wireless router? And I would be interested in showing you the logs from the really sick computer but it will not connect to the Internet and I'm apprehensive about using a usb storage device to transfer data. I've heard that there may be a program that can protect against the spread of malware via flash drives but am unsure of their existence or efficacy. Do you have any advice on such a program? Either way, I'm happy just to get help with this computer!

Here are the scan results for the original computer:

Malwarebytes' Anti-Malware 1.38
Database version: 2384
Windows 5.1.2600 Service Pack 3

7/7/2009 1:19:36 AM
mbam-log-2009-07-07 (01-19-36).txt

Scan type: Full Scan (C:\|D:\|E:\|Z:\|)
Objects scanned: 159619
Time elapsed: 43 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Thanks!

#10 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,575 posts; Location: Romania)

Posted 08 July 2009 - 02:16 AM

Hi Kodiak kid,

I recommend you isolate the computer in real bad shape completely from the internet (and from the router) until we know what is going on there. I recommend you put ATF Cleaner and Dr. Web on a USB device and transfer it to the isolated computer. You are right in assuming you can re-infect your other computer; that's why we are going to use Flash Disinfector for that. Just put Dr. Web and ATF Cleaner on the USB device, use it on the infected computer and after that, follow the steps below on your clean computer (the one we were working on) to disinfect it.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

The following steps are for the good computer. It looks good, but I want to doublecheck with an online scan.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

regards, Elise
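Elise's description of Flash_Disinfector (a folder named autorun.inf on every drive, so the worm's file cannot be written there) is the whole trick, and it is simple enough to reproduce and to check. The script below is an added example for this thread, not Flash_Disinfector and not code from the forum: it parses an autorun.inf for the keys that launch a program (open=, shellexecute=, shell\verb\command=), reports whether a drive root holds a live file, a protective folder or nothing, and then applies the folder trick. The sample autorun.inf is constructed for the demonstration, the marker file name inside the folder is an arbitrary choice, and the attribute values are the documented Win32 constants.

```python
"""Inspect and neutralise autorun.inf on a drive root.

Added example for this thread, not the Flash_Disinfector tool itself. It
reports what an autorun.inf would launch, then applies the same idea Elise
describes: occupy the name autorun.inf with a folder so a worm cannot write
its file there. The sample autorun.inf is constructed; the marker file name
is an arbitrary choice; attribute values are the documented Win32 constants."""
import os
import sys
import stat
import shutil
import tempfile

AUTORUN = "autorun.inf"
FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x1, 0x2, 0x4


def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lower-cased because
    Windows treats them case-insensitively. Other sections/comments ignored."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def exec_targets(entries):
    """Entries that make Windows run something: open=, shellexecute= and
    shell\\<verb>\\command=. icon= and label= are cosmetic and not returned."""
    hits = []
    for key, value in entries.items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            hits.append((key, value))
    return hits


def inspect_autorun(root):
    """State of <root>\\autorun.inf: absent, directory (protected) or file."""
    path = os.path.join(root, AUTORUN)
    if not os.path.lexists(path):
        return {"state": "absent", "targets": []}
    if os.path.isdir(path):
        return {"state": "directory", "targets": []}
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    return {"state": "file", "targets": exec_targets(entries), "entries": entries}


def neutralise(root):
    """Delete a live autorun.inf file and put a hidden+system folder of the
    same name in its place. Returns the resulting state."""
    path = os.path.join(root, AUTORUN)
    if os.path.isfile(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)   # clear read-only first
        os.remove(path)
    if not os.path.isdir(path):
        os.mkdir(path)
        # Non-empty folder: a plain RemoveDirectory/DeleteFile from a worm fails on it.
        open(os.path.join(path, "keep-me.txt"), "w").close()
    if sys.platform == "win32":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(
            path, FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return inspect_autorun(root)["state"]


# Constructed sample in the style of XP-era USB worms; not taken from the thread.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=RECYCLER\\setup.exe\r\n"
    "shell\\open\\Command=RECYCLER\\setup.exe\r\n"
    "shell\\explore\\Command=RECYCLER\\setup.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "label=USB_DRIVE\r\n"
)


def run_demo():
    """Drop the sample on a throw-away 'drive', inspect, neutralise, re-check."""
    root = tempfile.mkdtemp(prefix="usbroot-")
    try:
        with open(os.path.join(root, AUTORUN), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        before = inspect_autorun(root)
        after_state = neutralise(root)
        try:                                # a worm re-writing the file now fails
            open(os.path.join(root, AUTORUN), "w").close()
            recreate_blocked = False
        except OSError:
            recreate_blocked = True
        return before["state"], len(before["targets"]), after_state, recreate_blocked
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_autorun(sys.argv[1]))
        print("now:", neutralise(sys.argv[1]))
    else:
        print(run_demo())
```

Run it with a drive root as the argument (python autorun_guard.py E:\) to inspect and protect a real stick; with no argument it runs the demo on a temporary directory. Holding Shift while inserting the drive, as the post advises, still matters: the folder only stops the file from being written again, it does nothing about a file that is already there until the script removes it.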


#11 Kodiak_Kid, Topic Starter (Members, 21 posts; Location: Sonoran Desert)

Posted 08 July 2009 - 05:01 AM

Ahoy Elise 025,

I ran the ESET online scan and it found no threats (yay!). There was no text file; I think this is b/c it found no threats. There is one thing I'm curious regarding the ESET scan. Before starting the program, I turned off Symantec SEP and Spy-Bot SD. ESET didn't find these two programs but did find Dr. Web and Windows Defender and mentioned that they may interfere with the scan. I know about the Dr. Web AV and do not think it is set for active protection or anything. Would just having Dr. Web on my PC interfere w/ the ESET scan? Also, to my knowledge, I do not have Windows Defender. After the scan I searched my computer and could not find this program anywhere. I do have 'Windows Security Center' which informs whether you have a firewall in use, an active AV, and if Windows Update is on. Is this something to be concerned with?

About the other PC, I have taken your advice and quarantined it. I will have to wait until tomorrow to run ATF/Dr. Web and post the scan results. There is one problem I've already run into and could use your expertise on. It appears that there is another administrator account on the computer. When entering into Safe mode w/o networking, the system asks me whether I wanted to log in as Administrator or Compaq_Owner_Administrator. The only account I know of (outside this mode) is Compaq_Owner_Admin, and it is supposed to be the admin account for the computer. The other mystery Admin account does not show up in Compaq_Owner_Admin Users and I cannot find a way to access this Admin account. So...this could be nothing but I'm completely perplexed.

One more quick inquiry. After reading the BC Firewall Tutorial, I've been nosing around the Network Protection Log on SEP. While most of the info from the log is still foreign to me, I did notice something out-of-place. Last night b/w 1:30am and 6:30am, some incoming action was blocked thousands of times; sometimes multiple times a second. It had ethernet-protocol, source and destination host of 0.0.0.0, a source and destination port of 0. So besides looking out of place, I don't know what this means. Is it bad? Does ethernet protocol mean that it came via a cable and not wireless?

Thank you, thank you, thank you! You are the BEST!

#12 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,575 posts; Location: Romania)

Posted 08 July 2009 - 08:29 AM

Hi Kodiak Kid,

Well, good news, your first computer appears to be clean. ESET shows no log/results if it finds none. Also the security warnings are nothing to be concerned with. It most likely detected the presence/leftovers of programs and gave you that warning.

About the accounts.... XP always creates a default admin account which is usually not visible. But you should be able to log on with your normal account.

Let me know when you have the Dr. Web results from the other computer, and make sure you keep that one isolated so you will not reinfect your computer. If you transfer data using a USB device make sure you use Flash Disinfector.

regards, Elise


#13 Kodiak_Kid, Topic Starter (Members, 21 posts; Location: Sonoran Desert)

Posted 11 July 2009 - 01:08 AM

Hello Elise,

Sorry it has taken me so long to reply. I should have let you know that I was getting busy. I really don't mean to be flaky. :thumbsup:
Hopefully, I will be able to run the scans tomorrow, or Sunday at the latest, and will post the logs soon after. If for some reason it is going to take longer, I will be sure to let you know.

Thanks again for your time and patience.

#14 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,575 posts; Location: Romania)

Posted 11 July 2009 - 01:12 AM

No problem, I will keep track of this topic!

regards, Elise


#15 Kodiak_Kid, Topic Starter (Members, 21 posts; Location: Sonoran Desert)

Posted 13 July 2009 - 06:37 PM

Hi Elise 025,

I hope you had a nice weekend. It was super hot here, like 106F! Sorry it took a little longer than expected to respond. I decided against coming into work on the weekend. :thumbsup: But now it's Monday and back to the grind.

Just to remind you, this is regarding the other computer that we discussed. The machine is a bit older and was not used for a few years until recently. I installed all the Windows and Java updates but that was before running the AV scan so I'm not sure if that is okay. I'm still a bit confused about the difference between the Administrator Account and the Compaq_Owner_Administrator Account that both appear in safe mode. The Admin Acct has many more programs and much more access than the C_O_A Acct. (I know you said it's nothing but I really am paranoid). There also appears to be some Spysubtract spyware manager and Spamsubtract Spam Manager AV on the computer that was downloaded the same day I was updating the computer. Unless those programs are part of SuperAntiSpyware or Malwarebytes, I didn't download any such thing.

The first log attached is the Dr. Web scan from the Administrator account completed today. Just in case they are of any use, I've attached the two original logs I ran before I spoke with you; an MBAM quickscan from the C_O_A acct. and two SAS logs from both the Admin and C_O_A Accts.

Sorry in advance for all the forthcoming alpha-numeric wordage.

Thanks for all the help!



Dr. Web Saved Report List 7-13-09:

AquaticDashbar_s_Inst-44.exe;C:\Documents and Settings\All Users\Documents\My Music;Adware.Gator;Incurable.Moved.;
BeachDashbar_s_Inst-45.exe;C:\Documents and Settings\All Users\Documents\My Music;Adware.Gator;Incurable.Moved.;
BFlyDashbar_s_Inst-46.exe;C:\Documents and Settings\All Users\Documents\My Music;Adware.Gator;Incurable.Moved.;
MagicDashbar_s_Inst-47.exe;C:\Documents and Settings\All Users\Documents\My Music;Adware.Gator;Incurable.Moved.;
MidnightDB_s_Inst-52.exe;C:\Documents and Settings\All Users\Documents\My Music;Adware.Gator;Incurable.Moved.;
SeasideDB_s_Inst-54.exe;C:\Documents and Settings\All Users\Documents\My Music;Adware.Gator;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
msimg32.dll;C:\Program Files\MSN Messenger;Adware.MyWebSearch.2;Incurable.Moved.;
riched20.dll;C:\Program Files\MSN Messenger;Adware.Msearch;Incurable.Moved.;
comp01.000/data015\data386;C:\Program Files\Online Services\AOL90US\comp01.000/data015;Probably DLOADER.Trojan;;
data015;C:\Program Files\Online Services\AOL90US;Archive contains infected objects;;
comp01.000;C:\Program Files\Online Services\AOL90US;Archive contains infected objects;Moved.;
EarthLink Setup.msi/stream001\uninstll.exe;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access\EarthLink Setup.msi/stream001;Probably STPAGE.Trojan;;
stream001;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access;Archive contains infected objects;;
EarthLink Setup.exe;C:\Program Files\Online Services\EarthLink;Archive contains infected objects;Moved.;
A0018216.exe;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Gator.origin;Incurable.Moved.;
A0018220.exe;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Gator.origin;Incurable.Moved.;
A0018267.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.MWS;Incurable.Moved.;
A0018268.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.MWS;Incurable.Moved.;
A0018269.scr;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018272.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018273.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.MWS;Incurable.Moved.;
A0018275.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Websearch;Incurable.Moved.;
A0018279.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018281.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Trojan.Isbar.438;Deleted.;
A0018282.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.MyWebSearch.2;Incurable.Moved.;
A0018284.SCR;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018286.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018287.EXE;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018288.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Trojan.DownLoader.7028;Deleted.;
A0018289.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Funweb;Incurable.Moved.;
A0018290.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018292.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.MyWebSearch.1;Incurable.Moved.;
A0018293.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.MWS;Incurable.Moved.;
A0018295.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018296.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018299.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Websearch;Incurable.Moved.;
A0018300.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Msearch;Incurable.Moved.;
A0018351.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP445;Adware.MWS;Incurable.Moved.;
A0018360.dll;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP445;Adware.MWS;Incurable.Moved.;
EarthLink Setup.msi/stream001\uninstll.exe;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473\A0025911.exe/Windows\access\EarthLink Setup.m;Probably STPAGE.Trojan;;
stream001;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473\A0025911.exe/Windows\access;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473\A0025911.exe/Windows\access;Archive contains infected objects;;
A0025911.exe;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473;Archive contains infected objects;Moved.;
App28703.exe\hp/tmp/firstopt.js;D:\I386\Apps\APP28703\App28703.exe;Probably SCRIPT.Virus;;
App28703.exe;D:\I386\Apps\APP28703;Archive contains infected objects;Moved.;
App04664.exe/hp/tmp/src/SpyInst.exe\ssengine.dll;D:\I386\Apps\APP04664\App04664.exe/hp/tmp/src/SpyInst.exe;Probably MULDROP.Trojan;;
hp/tmp/src/SpyInst.exe;D:\I386\Apps\APP04664;Archive contains infected objects;;
App04664.exe;D:\I386\Apps\APP04664;Archive contains infected objects;Moved.;
A0025912.exe\hp/tmp/firstopt.js;D:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473\A0025912.exe;Probably SCRIPT.Virus;;
A0025912.exe;D:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473;Archive contains infected objects;Moved.;
A0025913.exe/hp/tmp/src/SpyInst.exe\ssengine.dll;D:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473\A0025913.exe/hp/tmp/src/SpyInst.exe;Probably MULDROP.Trojan;;
hp/tmp/src/SpyInst.exe;D:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473;Archive contains infected objects;;
A0025913.exe;D:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473;Archive contains infected objects;Moved.;



*********************



Malwarebytes' Anti-Malware 1.38
Database version: 2384
Windows 5.1.2600 Service Pack 3

7/6/2009 9:40:37 PM
mbam-log-2009-07-06 (21-40-37).txt

Scan type: Quick Scan
Objects scanned: 88345
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



***************************


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/06/2009 at 11:23 PM

Application Version : 4.26.1006

Core Rules Database Version : 3952
Trace Rules Database Version: 1894

Scan type : Complete Scan
Total Scan Time : 01:07:34

Memory items scanned : 206
Memory threats detected : 0
Registry items scanned : 4871
Registry threats detected : 104
File items scanned : 25682
File threats detected : 5

Adware.GAIN/Gator
HKLM\Software\Gator.com
HKLM\Software\Gator.com\AppInfo
HKLM\Software\Gator.com\CMEII
HKLM\Software\Gator.com\CMEII#AppHist
HKLM\Software\Gator.com\CMEII#numInst
HKLM\Software\Gator.com\CMEII\GSNUninstalled
HKLM\Software\Gator.com\CMEII\GSNUninstalled#GotSmiley
HKLM\Software\Gator.com\Gator
HKLM\Software\Gator.com\Gator\dyn
HKLM\Software\Gator.com\Gator\dyn\GCH
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#StartTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#OldestTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#063-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#063-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#063-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#064-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#064-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#064-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#065-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#065-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#065-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#066-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#066-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#066-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#067-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#067-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#067-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#070-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#070-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#070-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#071-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#071-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#071-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#072-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#072-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#072-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#073-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#073-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#073-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#074-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#074-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#074-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#075-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#075-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#075-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#076-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#076-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#076-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#077-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#077-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#077-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#078-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#078-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#078-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#079-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#079-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#079-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#080-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#080-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#080-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#081-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#081-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#081-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#082-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#082-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#082-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#083-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#083-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#083-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#084-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#084-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#084-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#085-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#085-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#085-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#086-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#086-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#086-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#087-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#087-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#087-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#091-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#091-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#091-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#093-304
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#093-bytes
HKLM\Software\Gator.com\Gator\dyn\GCH\_gatorcme#093-404
HKLM\Software\Gator.com\Gator\dyn\GCH\_gs
HKLM\Software\Gator.com\Gator\dyn\GCH\_gs#StartTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_gs#OldestTime
HKLM\Software\Gator.com\Gator\dyn\GCH\_gs#264-200
HKLM\Software\Gator.com\Gator\dyn\GCH\_gs#264-bytes
HKLM\Software\Gator.com\Gator\dyn\GUS
HKLM\Software\Gator.com\Gator\dyn\GUS#TC
HKLM\Software\Gator.com\Gator\stat
HKLM\Software\Gator.com\Gator\stat#Guid
HKLM\Software\Gator.com\trickles
HKLM\Software\Gator.com\trickles\TRICKLER_6106
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Trickler
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Trickler\trickle.gator.com:80/download/trickler6.cfg
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Trickler\trickle.gator.com:80/download/trickler6.cfg#AccumFile
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Trickler\trickle.gator.com:80/download/trickler6.cfg#UrlSize
HKLM\Software\Gator.com\trickles\TRICKLER_6106\Trickler\trickle.gator.com:80/download/trickler6.cfg#UrlTime

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[2].txt

Adware.MyWebSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442\A0018274.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP445\A0018358.EXE



*******************************


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2009 at 01:25 AM

Application Version : 4.26.1006

Core Rules Database Version : 3975
Trace Rules Database Version: 1915

Scan type : Complete Scan
Total Scan Time : 01:08:45

Memory items scanned : 209
Memory threats detected : 0
Registry items scanned : 5210
Registry threats detected : 9
File items scanned : 25749
File threats detected : 0

Adware.GAIN/Gator
HKLM\Software\Gator.com
HKLM\Software\Gator.com\CMEII
HKLM\Software\Gator.com\CMEII\GSNUninstalled
HKLM\Software\Gator.com\Gator
HKLM\Software\Gator.com\Gator\dyn
HKLM\Software\Gator.com\Gator\stat
HKLM\Software\Gator.com\trickles
HKLM\Software\Gator.com\trickles\TRICKLER_6106

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-3005362880-508892632-2227843483-1009\SOFTWARE\FunWebProducts




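Added example, not part of the original post or of any of the scanners' own code: a small parser for the semicolon-delimited "object;path;threat;action;" layout used by the first log in this section. It sorts each detection into a location bucket (a System Restore snapshot under System Volume Information\_restore{...}\RPnnn, or a live path), a kind (archive container, archive member, plain file) and a disposition, so the reader can see at a glance that every non-archive hit in the posted log sits in a restore point. The sample input is six lines copied from the posted log plus one constructed "live file" line (the path and threat name are made up so that bucket is not empty); the tool name is not assumed.

```python
"""Parse an "object;path;threat;action;" AV scan log and bucket detections
by location (restore-point snapshot vs. live path), kind and disposition."""
import re
from collections import Counter
from dataclasses import dataclass

# Six lines copied from the posted log; the LAST line is CONSTRUCTED
# (made-up path and threat name) so the live-file bucket is exercised.
SAMPLE_LOG = r"""
EarthLink Setup.msi/stream001\uninstll.exe;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access\EarthLink Setup.msi/stream001;Probably STPAGE.Trojan;;
EarthLink Setup.exe;C:\Program Files\Online Services\EarthLink;Archive contains infected objects;Moved.;
A0018216.exe;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Adware.Gator.origin;Incurable.Moved.;
A0018281.DLL;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP442;Trojan.Isbar.438;Deleted.;
A0025911.exe;C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP473;Archive contains infected objects;Moved.;
App04664.exe;D:\I386\Apps\APP04664;Archive contains infected objects;Moved.;
sample.dll;C:\Constructed\example;Constructed.TestDetection;Deleted.;
"""

# System Restore keeps copies of changed files under this tree; RPnnn is the
# restore-point number. Matching is case-insensitive because other scanners
# print the same path in upper case.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)", re.I)
CONTAINER_THREAT = "Archive contains infected objects"


@dataclass
class Detection:
    obj: str
    path: str
    threat: str
    action: str

    @property
    def restore_point(self):
        """Restore-point number if the path lies inside a snapshot, else None."""
        m = RESTORE_RE.search(self.path)
        return int(m.group(1)) if m else None

    @property
    def kind(self) -> str:
        # A '/' inside a Windows path marks descent into an archive member.
        if self.threat == CONTAINER_THREAT:
            return "container"
        if "/" in self.obj or "/" in self.path:
            return "member"
        return "file"

    @property
    def disposition(self) -> str:
        act = self.action.rstrip(".")
        if not act:
            return "reported_only"   # action is recorded on the container line
        if act == "Deleted":
            return "deleted"
        if act.endswith("Moved"):    # "Moved." and "Incurable.Moved."
            return "quarantined"
        return "other"


def parse_log(text: str) -> list:
    """One Detection per non-empty line; a trailing ';' yields an empty 5th field."""
    dets = []
    for line in text.strip().splitlines():
        parts = line.split(";")
        if len(parts) < 4:
            continue
        dets.append(Detection(*(p.strip() for p in parts[:4])))
    return dets


def summarize(dets: list) -> dict:
    """Counts per location, kind and disposition, plus the restore points touched."""
    c = Counter()
    rps = set()
    for d in dets:
        if d.restore_point is not None:
            c["restore_point"] += 1
            rps.add(d.restore_point)
        else:
            c["live"] += 1
        c[d.kind] += 1
        c[d.disposition] += 1
    keys = ("restore_point", "live", "container", "member", "file",
            "quarantined", "deleted", "reported_only", "other")
    out = {k: c[k] for k in keys}
    out["total"] = len(dets)
    out["restore_points"] = sorted(rps)
    return out


def live_detections(dets: list) -> list:
    """Hits outside any restore point, excluding members (their container is listed)."""
    return [d for d in dets if d.restore_point is None and d.kind != "member"]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(summarize(found))
    for d in live_detections(found):
        print(f"LIVE  {d.kind:9} {d.disposition:13} {d.path}\\{d.obj}  [{d.threat}]")
```

Restore-point hits are copies System Restore took of files that were already present at snapshot time; they become a risk only if that point is restored, which is why clean-up guides finish by purging old restore points. The live-path list is the part of such a log worth reading closely.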