
Hjt Log For "tman14"


7 replies to this topic

#1 tman14



Posted 26 October 2005 - 12:18 AM

//Mod edit: This log split away from post here


Try renaming the executable to something like HJT.exe

Tried that ... couldn't get it to stay on for long, but managed to get it to scan once.
Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 10:19:14 AM, on 26/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\EDS\Unigraphics NX 2.0\UGFLEXLM\Lmgrd.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe
C:\Program Files\EDS\Unigraphics NX 2.0\UGFLEXLM\uglmd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\qqjnavj\svshost.exe
C:\WINDOWS\System32\msgame32.exe
C:\WINDOWS\etb\pokapoka78.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\GetRight\getright.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ronald McDonald\Desktop\fixit\Fixit.exe
C:\WINDOWS\System32\ipconfig.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.type2find.com/sp2.php
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\qqjnavj\svshost.exe
O4 - HKLM\..\Run: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteyuk32.exe
O4 - HKLM\..\Run: [System service78] C:\WINDOWS\etb\pokapoka78.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\System32\qqjnavj\svshost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3DxWare\3DxSrv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Lyric Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\RARELY~1\Toolbar\lyricbar.dll
O9 - Extra 'Tools' menuitem: Lyric Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\RARELY~1\Toolbar\lyricbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122182497765
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c356.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
O23 - Service: FLEXlm Service 1 - Macrovision Corporation - C:\Program Files\EDS\Unigraphics NX 2.0\UGFLEXLM\Lmgrd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unigraphics Solutions, Inc - C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe

Edited by KoanYorel, 26 October 2005 - 12:36 AM.
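The helper's next post singles out svshost.exe and msgame32.exe from the O4 (autostart) entries above. As an added example, not code from this thread, from HijackThis or from BleepingComputer, the Python below parses O4 lines in the HijackThis v1.99 format and applies the kind of heuristics a log reader applies by eye: a bare filename with no directory, a name one character away from a Windows system process, an executable tucked into a subdirectory of System32, and use of the Win9x-era RunServices key. The system-binary list, the System32 subdirectory allowlist and the heuristics themselves are my own assumptions; the input lines are copied from the log above.

```python
"""Triage HijackThis O4 autostart entries with simple defender heuristics."""
import re
from collections import namedtuple

# Assumed list of Windows system process names that malware commonly imitates.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe",
}
# Assumed allowlist of System32 subdirectories that legitimately hold executables.
KNOWN_SYSTEM32_SUBDIRS = {"spool", "wbem", "drivers", "dllcache"}

Entry = namedtuple("Entry", "hive key name command exe_path")

_O4_REG = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
_O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
_QUOTED = re.compile(r'^"([^"]+)"')
_UNQUOTED = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)

# Input: O4 lines taken from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\qqjnavj\svshost.exe
O4 - HKLM\..\Run: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteyuk32.exe
O4 - HKLM\..\Run: [System service78] C:\WINDOWS\etb\pokapoka78.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\System32\qqjnavj\svshost.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
"""


def extract_exe_path(command):
    """Return the executable part of an autostart command (quoted, or up to the first .exe)."""
    m = _QUOTED.match(command) or _UNQUOTED.match(command)
    return m.group(1) if m else (command.split() or [command])[0]


def parse_o4(line):
    """Parse one HijackThis O4 line into an Entry; any other line yields None."""
    m = _O4_REG.match(line)
    if m:
        cmd = m.group("cmd")
        return Entry(m.group("hive"), m.group("key"), m.group("name"), cmd, extract_exe_path(cmd))
    m = _O4_STARTUP.match(line)
    if m:
        cmd = m.group("cmd")
        return Entry("Startup", "Global Startup", m.group("name"), cmd, extract_exe_path(cmd))
    return None


def levenshtein(a, b):
    """Edit distance; a distance of 1 to a system binary name marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entry):
    """Return the reasons an entry deserves a closer look (empty list = nothing noted)."""
    reasons = []
    parts = entry.exe_path.replace("/", "\\").lower().split("\\")
    basename = parts[-1]
    if len(parts) == 1:
        reasons.append("bare filename, no directory: resolved via the search path at boot")
    if basename not in SYSTEM_BINARIES:
        for sysname in SYSTEM_BINARIES:
            if levenshtein(basename, sysname) == 1:
                reasons.append(f"lookalike of system binary {sysname}")
                break
    if "system32" in parts:
        subdirs = parts[parts.index("system32") + 1:-1]
        if subdirs and subdirs[0] not in KNOWN_SYSTEM32_SUBDIRS:
            reasons.append(f"executable under unusual System32 subdirectory '{subdirs[0]}'")
    if entry.key.lower() == "runservices":
        reasons.append("RunServices key (Win9x-era; rarely used by legitimate XP software)")
    return reasons


def triage_log(text):
    """Map every flagged executable path in a log to the set of reasons it was flagged."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_o4(line.strip())
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                flagged.setdefault(entry.exe_path, set()).update(reasons)
    return flagged


if __name__ == "__main__":
    for path, reasons in sorted(triage_log(SAMPLE_O4_LINES).items()):
        print(path)
        for reason in sorted(reasons):
            print("   -", reason)
```

Run against the lines above, the script flags exactly the two files the helper asked to have submitted: svshost.exe (one character off svchost.exe, and living in a random System32 subdirectory) and msgame32.exe (a bare filename registered under both Run and RunServices). It says nothing about eliteyuk32.exe or pokapoka78.exe, which look like ordinary paths; those are only identified as elitebar by the signature-based sweep later in the thread, which is why path heuristics complement rather than replace a scanner.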




#2 Guest_Cretemonster_*



Posted 30 October 2005 - 03:34 PM

Hi tman14 and Welcome to the Bleeping Computer!

Download this program:

Submit Files Packer
http://www.safer-networking.org/files/sfp.zip

Highlight the entries listed below in bold-> Right-Click and Select Copy.


C:\WINDOWS\System32\qqjnavj\svshost.exe
C:\WINDOWS\System32\msgame32.exe
C:\WINDOWS\System32\qqjnavj



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


After the Files have been submitted-> Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#3 tman14


Posted 01 November 2005 - 09:58 PM

Thanks again .... will see how we go now.
********
12:18 PM: | Start of Session, Wednesday, 2 November 2005 |
12:18 PM: Spy Sweeper started
12:18 PM: Sweep initiated using definitions version 556
12:18 PM: Starting Memory Sweep
12:19 PM: Found Adware: 180search assistant/zango
12:19 PM: Detected running threat: c:\Program Files\180searchassistant\salmhook.dll (ID = 70604)
12:19 PM: Found Adware: winad
12:19 PM: Detected running threat: C:\Program Files\Preview AdService\PrevAdServ.exe (ID = 90433)
12:19 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Preview AdService (ID = 0)
12:19 PM: Detected running threat: C:\Program Files\Preview AdService\PrevAdComm.dll (ID = 90431)
12:19 PM: Found Adware: elitebar
12:19 PM: Detected running threat: C:\WINDOWS\system32\eliterjc32.exe (ID = 59979)
12:19 PM: Detected running threat: C:\Program Files\180searchassistant\salm.exe (ID = 93787)
12:19 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || salm (ID = 0)
12:19 PM: Found Adware: internetoptimizer
12:19 PM: Detected running threat: C:\Program Files\Internet Optimizer\optimize.exe (ID = 125734)
12:21 PM: Memory Sweep Complete, Elapsed Time: 00:02:20
12:21 PM: Starting Registry Sweep
12:21 PM: Found Adware: blazefind
12:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || preview adservice (ID = 104534)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\preview adservice\ (2 subtraces) (ID = 104549)
12:21 PM: HKLM\software\preview adservice\ (7 subtraces) (ID = 104556)
12:21 PM: Found Adware: comet cursor
12:21 PM: HKCR\clsid\{35e78239-811e-4c3f-b37d-f339ac16c2c0}\ (4 subtraces) (ID = 106324)
12:21 PM: HKCR\interface\{665abe65-2c16-4341-b4b8-01ff799e8f4c}\ (8 subtraces) (ID = 106467)
12:21 PM: HKLM\software\classes\clsid\{35e78239-811e-4c3f-b37d-f339ac16c2c0}\ (4 subtraces) (ID = 106543)
12:21 PM: HKLM\software\classes\interface\{665abe65-2c16-4341-b4b8-01ff799e8f4c}\ (8 subtraces) (ID = 106648)
12:21 PM: HKCR\clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}\ (5 subtraces) (ID = 125690)
12:21 PM: HKCR\clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}\ (4 subtraces) (ID = 125692)
12:21 PM: HKLM\software\classes\clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}\ (5 subtraces) (ID = 125720)
12:21 PM: HKLM\software\classes\clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}\ (4 subtraces) (ID = 125722)
12:21 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
12:21 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/v3.dll\ (2 subtraces) (ID = 125753)
12:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || etbrun (ID = 125757)
12:21 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\v3.dll (ID = 125764)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar\ (3 subtraces) (ID = 125768)
12:21 PM: Found Adware: hi5 toolbar
12:21 PM: HKCR\toolbar.toolbarobj\ (5 subtraces) (ID = 127131)
12:21 PM: HKCR\toolbar.toolbarobj.1\ (3 subtraces) (ID = 127132)
12:21 PM: HKU\.default\software\avenue media\ (ID = 128878)
12:21 PM: HKU\.default\software\policies\avenue media\ (ID = 128879)
12:21 PM: HKCR\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}\ (11 subtraces) (ID = 128881)
12:21 PM: HKLM\software\avenue media\ (27 subtraces) (ID = 128888)
12:21 PM: HKLM\software\classes\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}\ (11 subtraces) (ID = 128892)
12:21 PM: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
12:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet optimizer (ID = 128916)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\internet optimizer\ (3 subtraces) (ID = 128921)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\kapabout\ (2 subtraces) (ID = 128924)
12:21 PM: HKLM\software\policies\avenue media\ (ID = 128929)
12:21 PM: Found Adware: ist software
12:21 PM: HKU\.default\software\ist\ (3 subtraces) (ID = 129052)
12:21 PM: Found Adware: locators toolbar
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ || default visible (ID = 129801)
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ || icon (ID = 129803)
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ || menustatusbar (ID = 129804)
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ || menutext (ID = 129805)
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ (8 subtraces) (ID = 129810)
12:21 PM: Found Adware: moneytree
12:21 PM: HKCR\dyfuca_bh.bhobj.1\ (3 subtraces) (ID = 135175)
12:21 PM: HKCR\dyfuca_bh.bhobj\ (5 subtraces) (ID = 135176)
12:21 PM: HKLM\software\classes\dyfuca_bh.bhobj\ (5 subtraces) (ID = 135194)
12:21 PM: HKLM\software\classes\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\ (9 subtraces) (ID = 135201)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\dyfuca\ (ID = 135214)
12:21 PM: HKCR\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\ (9 subtraces) (ID = 135217)
12:21 PM: HKCR\clientax.clientinstaller.1\ (3 subtraces) (ID = 135595)
12:21 PM: HKCR\clientax.clientinstaller\ (5 subtraces) (ID = 135596)
12:21 PM: HKCR\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135597)
12:21 PM: HKCR\clientax.requiredcomponent\ (5 subtraces) (ID = 135598)
12:21 PM: HKCR\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135599)
12:21 PM: HKCR\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135601)
12:21 PM: HKCR\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\ (20 subtraces) (ID = 135602)
12:21 PM: HKCR\ncmyb.sabho.1\ (3 subtraces) (ID = 135611)
12:21 PM: HKCR\ncmyb.sabho\ (5 subtraces) (ID = 135612)
12:21 PM: HKLM\software\classes\clientax.clientinstaller.1\ (3 subtraces) (ID = 135620)
12:21 PM: HKLM\software\classes\clientax.clientinstaller\ (5 subtraces) (ID = 135621)
12:21 PM: HKLM\software\classes\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135622)
12:21 PM: HKLM\software\classes\clientax.requiredcomponent\ (5 subtraces) (ID = 135623)
12:21 PM: HKLM\software\classes\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135624)
12:21 PM: HKLM\software\classes\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135625)
12:21 PM: HKLM\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\ (20 subtraces) (ID = 135626)
12:21 PM: HKLM\software\classes\ncmyb.sabho.1\ (3 subtraces) (ID = 135632)
12:21 PM: HKLM\software\classes\ncmyb.sabho\ (5 subtraces) (ID = 135633)
12:21 PM: HKLM\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\ (10 subtraces) (ID = 135637)
12:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || salm (ID = 135728)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\salm\ (3 subtraces) (ID = 135779)
12:21 PM: HKLM\software\salm\ (10 subtraces) (ID = 135793)
12:21 PM: Found Adware: media-motor
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\media-motor\ (2 subtraces) (ID = 140208)
12:21 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
12:21 PM: Found Adware: screensavers
12:21 PM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140550)
12:21 PM: HKCR\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140551)
12:21 PM: HKCR\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140552)
12:21 PM: HKCR\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140553)
12:21 PM: HKCR\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140554)
12:21 PM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140555)
12:21 PM: HKLM\software\classes\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140556)
12:21 PM: HKLM\software\classes\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140557)
12:21 PM: HKLM\software\classes\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140558)
12:21 PM: HKLM\software\classes\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140559)
12:21 PM: HKLM\software\classes\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140560)
12:21 PM: HKLM\software\classes\screensaversinstaller.installer\ (5 subtraces) (ID = 140561)
12:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140562)
12:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140563)
12:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140564)
12:21 PM: HKLM\software\classes\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140565)
12:21 PM: HKLM\software\microsoft\code store database\distribution units\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (9 subtraces) (ID = 140566)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\screensaversinstaller\ (2 subtraces) (ID = 140568)
12:21 PM: HKLM\software\screensavers.com\ (11 subtraces) (ID = 140569)
12:21 PM: HKCR\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140570)
12:21 PM: HKCR\screensaversinstaller.installer\ (5 subtraces) (ID = 140571)
12:21 PM: HKCR\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140572)
12:21 PM: HKCR\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140573)
12:21 PM: HKCR\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140574)
12:21 PM: HKCR\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140575)
12:21 PM: Found Trojan Horse: trojan_backdoor_retro64
12:21 PM: HKCR\clsid\{288c5f13-7e52-4ada-a32e-f5bf9d125f98}\ (20 subtraces) (ID = 144993)
12:21 PM: HKCR\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 144995)
12:21 PM: HKLM\software\classes\clsid\{288c5f13-7e52-4ada-a32e-f5bf9d125f98}\ (20 subtraces) (ID = 144998)
12:21 PM: HKLM\software\classes\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 145000)
12:21 PM: HKLM\software\classes\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145003)
12:21 PM: HKCR\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145004)
12:21 PM: HKLM\software\classes\typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda}\ (9 subtraces) (ID = 147899)
12:21 PM: HKCR\typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda}\ (9 subtraces) (ID = 147925)
12:21 PM: HKCR\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 147926)
12:21 PM: HKCR\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}\ (8 subtraces) (ID = 169495)
12:21 PM: HKLM\software\classes\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}\ (8 subtraces) (ID = 169496)
12:21 PM: HKCR\interface\{2b0eceac-f597-4858-a542-d966b49055b9}\ (8 subtraces) (ID = 169515)
12:21 PM: HKCR\interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad}\ (8 subtraces) (ID = 169516)
12:21 PM: HKCR\interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}\ (8 subtraces) (ID = 169517)
12:21 PM: HKLM\software\classes\interface\{2b0eceac-f597-4858-a542-d966b49055b9}\ (8 subtraces) (ID = 169518)
12:21 PM: HKLM\software\classes\interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad}\ (8 subtraces) (ID = 169519)
12:21 PM: HKLM\software\classes\interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}\ (8 subtraces) (ID = 169520)
12:21 PM: HKLM\software\media gateway\ (11 subtraces) (ID = 359545)
12:21 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
12:21 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
12:21 PM: HKLM\software\avenue media\internet optimizer\ (26 subtraces) (ID = 394594)
12:21 PM: HKLM\software\classes\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 396447)
12:21 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
12:21 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
12:21 PM: HKCR\clsid\{e2e40140-76f8-4763-83d5-b660107babcd}\ (21 subtraces) (ID = 762062)
12:21 PM: HKCR\typelib\{df54d7dd-ea6f-11d4-abf3-000102378429}\ (9 subtraces) (ID = 762084)
12:21 PM: HKLM\software\classes\typelib\{df54d7dd-ea6f-11d4-abf3-000102378429}\ (9 subtraces) (ID = 762116)
12:21 PM: HKLM\software\classes\clsid\{e2e40140-76f8-4763-83d5-b660107babcd}\ (21 subtraces) (ID = 762136)
12:21 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
12:21 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
12:21 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
12:21 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
12:21 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
12:21 PM: Found Adware: cws_195.95.218.172 hijack
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\internet explorer\main\ || default_page_url (ID = 112691)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\internet explorer\main\ || local page (ID = 112694)
12:21 PM: Found Adware: easysearchbar
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {a26abcf0-1c8f-46e7-a67c-0489dc21b9cc} (ID = 125568)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\lq\ (6 subtraces) (ID = 125741)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {825cf5bd-8862-4430-b771-0c15c5ca8def} (ID = 125745)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\zango\ (12 subtraces) (ID = 147919)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\microsoft\internet explorer\main\ || default_page_url (ID = 112691)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\microsoft\internet explorer\main\ || local page (ID = 112694)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {a26abcf0-1c8f-46e7-a67c-0489dc21b9cc} (ID = 125568)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\lq\ (13 subtraces) (ID = 125741)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\avenue media\ (ID = 128887)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\salm\ (11 subtraces) (ID = 135792)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
12:21 PM: Found Adware: cws_xplugin
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\main\ || sethp (ID = 124467)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {a26abcf0-1c8f-46e7-a67c-0489dc21b9cc} (ID = 125568)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\lq\ (8 subtraces) (ID = 125741)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\avenue media\ (ID = 128887)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\salm\ (3 subtraces) (ID = 135792)
12:21 PM: Found Adware: type2find.com hijack
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\ || searchurl (ID = 776637)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\main\ || search page (ID = 776638)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\main\ || search bar (ID = 776639)
12:22 PM: Registry Sweep Complete, Elapsed Time:00:00:50
12:22 PM: Starting Cookie Sweep
12:22 PM: Found Spy Cookie: 2o7.net cookie
12:22 PM: mia taylor@122.2o7[2].txt (ID = 1958)
12:22 PM: Found Spy Cookie: websponsors cookie
12:22 PM: mia taylor@a.websponsors[2].txt (ID = 3665)
12:22 PM: Found Spy Cookie: yieldmanager cookie
12:22 PM: mia taylor@ad.yieldmanager[1].txt (ID = 3751)
12:22 PM: Found Spy Cookie: belnk cookie
12:22 PM: mia taylor@ath.belnk[1].txt (ID = 2293)
12:22 PM: Found Spy Cookie: atwola cookie
12:22 PM: mia taylor@atwola[1].txt (ID = 2255)
12:22 PM: Found Spy Cookie: banner cookie
12:22 PM: mia taylor@banner[1].txt (ID = 2276)
12:22 PM: mia taylor@belnk[2].txt (ID = 2292)
12:22 PM: Found Spy Cookie: burstnet cookie
12:22 PM: mia taylor@burstnet[1].txt (ID = 2336)
12:22 PM: mia taylor@dist.belnk[1].txt (ID = 2293)
12:22 PM: Found Spy Cookie: go.com cookie
12:22 PM: mia taylor@go[2].txt (ID = 2728)
12:22 PM: mia taylor@hollywoodrecords.go[1].txt (ID = 2729)
12:22 PM: Found Spy Cookie: aptimus cookie
12:22 PM: mia taylor@network.aptimus[2].txt (ID = 2235)
12:22 PM: Found Spy Cookie: paypopup cookie
12:22 PM: mia taylor@paypopup[2].txt (ID = 3119)
12:22 PM: mia taylor@popunder.paypopup[1].txt (ID = 3120)
12:22 PM: mia taylor@sensis.122.2o7[1].txt (ID = 1958)
12:22 PM: Found Spy Cookie: stlyrics cookie
12:22 PM: mia taylor@stlyrics[1].txt (ID = 3461)
12:22 PM: Found Spy Cookie: affiliatefuel.com cookie
12:22 PM: mia taylor@www.affiliatefuel[1].txt (ID = 2202)
12:22 PM: Found Spy Cookie: screensavers.com cookie
12:22 PM: mia taylor@www.screensavers[2].txt (ID = 3298)
12:22 PM: go josh@2o7[1].txt (ID = 1957)
12:22 PM: Found Spy Cookie: atlas dmt cookie
12:22 PM: go josh@atdmt[2].txt (ID = 2253)
12:22 PM: go josh@atwola[1].txt (ID = 2255)
12:22 PM: go josh@belnk[1].txt (ID = 2292)
12:22 PM: go josh@burstnet[1].txt (ID = 2336)
12:22 PM: Found Spy Cookie: clickbank cookie
12:22 PM: go josh@clickbank[1].txt (ID = 2398)
12:22 PM: go josh@dist.belnk[2].txt (ID = 2293)
12:22 PM: Found Spy Cookie: empnads cookie
12:22 PM: go josh@empnads[1].txt (ID = 5012)
12:22 PM: Found Spy Cookie: touchclarity cookie
12:22 PM: go josh@msn.touchclarity[2].txt (ID = 3566)
12:22 PM: Found Spy Cookie: adserver cookie
12:22 PM: go josh@z1.adserver[1].txt (ID = 2142)
12:22 PM: ronald mcdonald@empnads[2].txt (ID = 5012)
12:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
12:22 PM: Starting File Sweep
12:22 PM: c:\program files\screensavers.com (9 subtraces) (ID = -2147480365)
12:22 PM: c:\program files\internet optimizer (1 subtraces) (ID = -2147480830)
12:22 PM: c:\program files\180searchassistant (5 subtraces) (ID = -2147480569)
12:22 PM: c:\windows\etb (16 subtraces) (ID = -2147476235)
12:22 PM: c:\windows\elitetoolbar (ID = -2147481052)
12:22 PM: c:\documents and settings\all users\start menu\programs\180search assistant (2 subtraces) (ID = -2147480571)
12:22 PM: c:\program files\preview adservice (4 subtraces) (ID = -2147477102)
12:22 PM: v3cab[1].cab (ID = 145376)
12:22 PM: 00285399.exe (ID = 60024)
12:23 PM: 00288951.dll (ID = 59985)
12:23 PM: 00288955.exe (ID = 60024)
12:23 PM: elitetoolbar version 60.dll (ID = 59985)
12:23 PM: 00279209.dll (ID = 59985)
12:24 PM: 00286616.dll (ID = 70604)
12:24 PM: screensaversinst.dll (ID = 74752)
12:24 PM: siuninst.exe (ID = 74757)
12:24 PM: ActiveX Shield: found: Adware: moneytree, version 1.0.0.0 -- Installation denied
12:24 PM: 00286458.dll (ID = 93785)
12:24 PM: BHO Shield: found: -- BHO installation denied at user request
12:24 PM: BHO Shield: found: -- BHO installation denied at user request
12:25 PM: mmxxxxmas2[1].exe (ID = 162574)
12:28 PM: 00286484.dat (ID = 93789)
12:29 PM: 00287476.dat (ID = 93789)
12:30 PM: 00285406.exe (ID = 59979)
12:32 PM: bridge-c356[1].cab (ID = 159736)
12:32 PM: 00288957.exe (ID = 59979)
12:32 PM: mediagateway[1].exe (ID = 161148)
12:33 PM: nem220[1].dll (ID = 64043)
12:33 PM: Found Adware: ist istbar
12:33 PM: istsvc[1].exe (ID = 161561)
12:33 PM: res3e.tmp (ID = 157832)
12:34 PM: res5.tmp (ID = 93785)
12:36 PM: clientax.dll (ID = 111353)
12:36 PM: prevadserv.exe (ID = 90433)
12:36 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Preview AdService (ID = 0)
12:36 PM: eliterjc32.exe (ID = 59979)
12:36 PM: eliteyuk32.exe (ID = 59979)
12:36 PM: clqr.exe (ID = 70475)
12:36 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || clqr (ID = 0)
12:36 PM: optimize.exe (ID = 125734)
12:36 PM: Found Adware: coolwebsearch (cws)
12:36 PM: kl.exe (ID = 54306)
12:36 PM: salm.exe (ID = 93787)
12:36 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || salm (ID = 0)
12:36 PM: mediagatewayx.dll (ID = 156819)
12:36 PM: miniclipgameloader.dll (ID = 81259)
12:36 PM: v3.dll (ID = 144813)
12:36 PM: prevadcomm.dll (ID = 90431)
12:36 PM: nem220.dll (ID = 64043)
12:36 PM: 00287477.dat (ID = 93789)
12:36 PM: salm_gdf.dat (ID = 93789)
12:36 PM: salmhook.dll (ID = 70604)
12:36 PM: salmau.dat (ID = 93788)
12:36 PM: mmxxxxmas2[1].exe (ID = 162574)
12:36 PM: mmxxxxmas2.exe (ID = 162574)
12:36 PM: elitezka32.exe (ID = 59979)
12:46 PM: osd25.osd (ID = 60007)
12:46 PM: clientax.inf (ID = 70515)
12:46 PM: sinstaller.inf (ID = 74756)
12:46 PM: Found System Monitor: potentially rootkit-masked files
12:46 PM: elite_counter (2).doc (ID = 0)
12:46 PM: elitetoolbar version 61.dll (ID = 0)
12:46 PM: eliteyuk32.exe-0e19f9b6.pf (ID = 0)
12:46 PM: elitumelitebar16.zip (ID = 0)
12:46 PM: eliterjc32.exe-3a127f7e.pf (ID = 0)
12:46 PM: elitumelitebar.zip (ID = 0)
12:46 PM: elitumelitebar1.zip (ID = 0)
12:46 PM: elitumelitebar2.zip (ID = 0)
12:46 PM: elitumelitebar3.zip (ID = 0)
12:46 PM: elitumelitebar18.zip (ID = 0)
12:46 PM: elitumelitebar19.zip (ID = 0)
12:46 PM: elitumelitebar9.zip (ID = 0)
12:46 PM: elitumelitebar10.zip (ID = 0)
12:46 PM: elitumelitebar11.zip (ID = 0)
12:46 PM: elitumelitebar17.zip (ID = 0)
12:46 PM: elitumelitebar12.zip (ID = 0)
12:46 PM: elitumelitebar13.zip (ID = 0)
12:46 PM: elitumelitebar14.zip (ID = 0)
12:46 PM: elitumelitebar15.zip (ID = 0)
12:46 PM: elitezka32.exe-2b3fd6ce.pf (ID = 0)
12:46 PM: 00141854. (ID = 0)
12:46 PM: elitumelitebar4.zip (ID = 0)
12:46 PM: elitumelitebar5.zip (ID = 0)
12:46 PM: elitumelitebar6.zip (ID = 0)
12:46 PM: elitetoolbar version 61.dll (ID = 0)
12:46 PM: elitumelitebar7.zip (ID = 0)
12:46 PM: elitumelitebar8.zip (ID = 0)
12:46 PM: 00141641. (ID = 0)
12:46 PM: 00141650. (ID = 0)
12:46 PM: 00190438. (ID = 0)
12:46 PM: 00141649. (ID = 0)
12:46 PM: 00141879. (ID = 0)
12:46 PM: 00190441. (ID = 0)
12:46 PM: Warning: File not found
12:46 PM: Warning: File not found
12:46 PM: Warning: File not found
12:46 PM: Warning: File not found
12:46 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:48 PM: Warning: File not found
12:55 PM: ActiveX Shield: found: Adware: moneytree, version 1.0.0.0 -- Installation denied
12:55 PM: BHO Shield: found: -- BHO installation denied at user request
12:56 PM: BHO Shield: found: -- BHO installation denied at user request
12:59 PM: File Sweep Complete, Elapsed Time: 00:37:05
12:59 PM: Full Sweep has completed. Elapsed time 00:40:29
12:59 PM: Traces Found: 1176
1:02 PM: Removal process initiated
1:02 PM: Quarantining All Traces: potentially rootkit-masked files
1:03 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
1:03 PM: 00141854. is in use. It will be removed on reboot.
1:03 PM: 00141641. is in use. It will be removed on reboot.
1:03 PM: 00141650. is in use. It will be removed on reboot.
1:03 PM: 00190438. is in use. It will be removed on reboot.
1:03 PM: 00141649. is in use. It will be removed on reboot.
1:03 PM: 00141879. is in use. It will be removed on reboot.
1:03 PM: 00190441. is in use. It will be removed on reboot.
1:03 PM: Quarantining All Traces: elitebar
1:04 PM: elitebar is in use. It will be removed on reboot.
1:04 PM: c:\windows\etb is in use. It will be removed on reboot.
1:04 PM: eliterjc32.exe is in use. It will be removed on reboot.
1:04 PM: Quarantining All Traces: trojan_backdoor_retro64
1:04 PM: Quarantining All Traces: 180search assistant/zango
1:05 PM: 180search assistant/zango is in use. It will be removed on reboot.
1:05 PM: salm.exe is in use. It will be removed on reboot.
1:05 PM: salmhook.dll is in use. It will be removed on reboot.
1:05 PM: Quarantining All Traces: blazefind
1:05 PM: blazefind is in use. It will be removed on reboot.
1:05 PM: c:\program files\preview adservice is in use. It will be removed on reboot.
1:05 PM: Quarantining All Traces: comet cursor
1:05 PM: Quarantining All Traces: coolwebsearch (cws)
1:05 PM: Quarantining All Traces: cws_195.95.218.172 hijack
1:05 PM: Quarantining All Traces: cws_xplugin
1:05 PM: Quarantining All Traces: easysearchbar
1:05 PM: Quarantining All Traces: hi5 toolbar
1:05 PM: Quarantining All Traces: internetoptimizer
1:05 PM: internetoptimizer is in use. It will be removed on reboot.
1:05 PM: optimize.exe is in use. It will be removed on reboot.
1:05 PM: Quarantining All Traces: ist istbar
1:05 PM: Quarantining All Traces: ist software
1:05 PM: Quarantining All Traces: locators toolbar
1:05 PM: Quarantining All Traces: media-motor
1:05 PM: Quarantining All Traces: screensavers
1:05 PM: Quarantining All Traces: type2find.com hijack
1:05 PM: Quarantining All Traces: winad
1:05 PM: winad is in use. It will be removed on reboot.
1:05 PM: prevadserv.exe is in use. It will be removed on reboot.
1:05 PM: prevadcomm.dll is in use. It will be removed on reboot.
1:05 PM: C:\Program Files\Preview AdService\PrevAdServ.exe is in use. It will be removed on reboot.
1:05 PM: C:\Program Files\Preview AdService\PrevAdComm.dll is in use. It will be removed on reboot.
1:05 PM: Quarantining All Traces: 2o7.net cookie
1:05 PM: Quarantining All Traces: adserver cookie
1:05 PM: Quarantining All Traces: affiliatefuel.com cookie
1:05 PM: Quarantining All Traces: aptimus cookie
1:05 PM: Quarantining All Traces: atlas dmt cookie
1:05 PM: Quarantining All Traces: atwola cookie
1:05 PM: Quarantining All Traces: banner cookie
1:05 PM: Quarantining All Traces: belnk cookie
1:05 PM: Quarantining All Traces: burstnet cookie
1:05 PM: Quarantining All Traces: clickbank cookie
1:05 PM: Quarantining All Traces: empnads cookie
1:05 PM: Quarantining All Traces: go.com cookie
1:05 PM: Quarantining All Traces: paypopup cookie
1:05 PM: Quarantining All Traces: screensavers.com cookie
1:05 PM: Quarantining All Traces: stlyrics cookie
1:05 PM: Quarantining All Traces: touchclarity cookie
1:05 PM: Quarantining All Traces: websponsors cookie
1:05 PM: Quarantining All Traces: yieldmanager cookie
1:05 PM: Warning: Timed out waiting for explorer.exe
1:05 PM: Warning: Timed out waiting for explorer.exe
1:06 PM: Warning: Timed out waiting for explorer.exe
1:06 PM: Warning: Quarantine process could not restart Explorer.
1:07 PM: Quarantining All Traces: moneytree
1:07 PM: Preparing to restart your computer. Please wait...
1:07 PM: Removal process completed. Elapsed time 00:04:39
********
12:10 PM: | Start of Session, Wednesday, 2 November 2005 |
12:10 PM: Spy Sweeper started
12:11 PM: Messenger service has been disabled.
12:15 PM: Deleted error log without sending: C:\Documents and Settings\Ronald McDonald\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
12:16 PM: Processing Startup Alerts
12:16 PM: Removed Startup entry: System service79
12:18 PM: | End of Session, Wednesday, 2 November 2005 |

Edited by tman14, 01 November 2005 - 10:01 PM.


#4 Guest_Cretemonster_*

Posted 02 November 2005 - 05:28 AM

I see the upload for the files, thank you very much!

SpySweeper definitely picked up a bunch of uglies!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right-click the Zip folder and select "Extract All"

Don't use it yet!

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Double-click WinPFind.exe and click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


Post the results of the WinPFind scan and a fresh HijackThis log and let's have a look!

#5 tman14

Posted 07 November 2005 - 08:12 AM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts


Checking %System% folder...
UPX! 4/01/2005 11:58:40 PM 75677 C:\WINDOWS\SYSTEM32\124788.exe
UPX! 4/11/2005 5:09:28 PM 451584 C:\WINDOWS\SYSTEM32\ass.exe
FSG! 4/11/2005 5:09:28 PM 451584 C:\WINDOWS\SYSTEM32\ass.exe
PEC2 4/11/2005 5:09:28 PM 451584 C:\WINDOWS\SYSTEM32\ass.exe
PECompact2 4/11/2005 5:09:28 PM 451584 C:\WINDOWS\SYSTEM32\ass.exe
UPX! 1/09/2004 12:37:18 AM 11776 C:\WINDOWS\SYSTEM32\casino.exe
PEC2 24/08/2001 1:30:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2/11/2005 8:43:34 PM 14536 C:\WINDOWS\SYSTEM32\eraseme_02664.exe
PTech 12/07/2005 7:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/11/2005 6:19:16 PM 99328 C:\WINDOWS\SYSTEM32\msconfigx32.exe
Umonitor 29/08/2002 4:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 1/07/2004 2:07:08 AM 20480 C:\WINDOWS\SYSTEM32\sysupd1003.exe
UPX! 1/11/2005 6:22:14 PM R 60416 C:\WINDOWS\SYSTEM32\TFTP2188
winsync 24/08/2001 1:30:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 26/03/2002 7:20:18 PM 1766472 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/11/2005 7:13:54 PM S 2048 C:\WINDOWS\bootstat.dat
4/11/2005 7:13:58 PM H 16384 C:\WINDOWS\system32\config\DEFAULT.LOG
4/11/2005 7:15:24 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/11/2005 7:13:54 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
4/11/2005 7:15:26 PM H 81920 C:\WINDOWS\system32\config\SOFTWARE.LOG
4/11/2005 7:15:26 PM H 1134592 C:\WINDOWS\system32\config\SYSTEM.LOG
2/11/2005 1:08:10 PM H 28 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Recent\index.dat
1/11/2005 1:08:06 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\145d68d8-7d00-469d-ac81-3cf49cc7d278
1/11/2005 1:08:06 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
24/10/2005 7:24:04 PM RHS 90112 C:\WINDOWS\system32\qqjnavj\svshost.exe
3/10/2005 10:43:38 AM H 13936 C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMMHyd.GID
4/11/2005 7:12:52 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 24/08/2001 1:30:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 30/07/2003 11:39:40 AM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 9:11:00 PM 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/12/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 22/12/2003 9:28:12 AM 69632 C:\WINDOWS\SYSTEM32\mbllnk.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Silicon Image 26/11/2003 6:29:36 PM R 69120 C:\WINDOWS\SYSTEM32\SilSupp.cpl
SmartLink 27/03/2002 11:53:56 AM 339968 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26/05/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 9:11:00 PM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
15/12/2003 5:18:08 PM 1023 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
12/10/2003 4:56:10 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/05/2004 2:48:20 PM 731 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
24/10/2003 7:55:20 AM 1767 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
3/03/2005 12:17:00 AM 1685 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
6/02/2005 10:49:48 AM 1726 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start 3DxWare.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/10/2003 9:41:52 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
12/10/2003 4:56:10 PM HS 84 C:\Documents and Settings\Ronald McDonald\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/10/2003 9:41:52 AM HS 62 C:\Documents and Settings\Ronald McDonald\Application Data\desktop.ini
2/06/2004 3:37:34 PM 0 C:\Documents and Settings\Ronald McDonald\Application Data\dm.ini
3/02/2004 8:35:08 PM 19504 C:\Documents and Settings\Ronald McDonald\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
Rare-Lyrics Toolbar =
acc=xrevxoltx =
acc=none =
(none) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
MenuText = Create Mobile Favorite... : C:\Program Files\Microsoft ActiveSync\inetrepl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
OpwareSE2 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
svshost C:\WINDOWS\System32\qqjnavj\svshost.exe
Microsoft Windows Game Updater msgame32.exe
Microsoft Config 32 msconfigx32.exe
Compaq32 Service Drivers msconfig32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Microsoft Windows Game Updater msgame32.exe
Microsoft Config 32 msconfigx32.exe
Compaq32 Service Drivers msconfig32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
svshost C:\WINDOWS\System32\qqjnavj\svshost.exe
Microsoft Config 32 msconfigx32.exe
Compaq32 Service Drivers msconfig32.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Compaq32 Service Drivers msconfig32.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/11/2005 7:22:29 PM


Logfile of HijackThis v1.99.1
Scan saved at 10:14:39 PM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\qqjnavj\svshost.exe
O4 - HKLM\..\Run: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\System32\qqjnavj\svshost.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3DxWare\3DxSrv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122182497765
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
O23 - Service: FLEXlm Service 1 - Macrovision Corporation - C:\Program Files\EDS\Unigraphics NX 2.0\UGFLEXLM\Lmgrd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unigraphics Solutions, Inc - C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe

#6 Guest_Cretemonster_*

Posted 08 November 2005 - 06:49 PM

Im attaching a zip folder with a batch file inside it.

Please download the Zip file to your Desktop and unzip it, but don't run it just yet.


Restart in Safe Mode -> Locate and double-click tman.bat -> A DOS window will appear and begin a series of commands.

If you get a prompt at any point to confirm a deletion, please enter "Y" and press Enter.

After the DOS window has closed, scan again with WinPFind while in Safe Mode!

Restart Normal and Update SpySweeper with the latest definitions.

Scan the System and Save the Session Log.


Post back with a fresh HijackThis log and the reports from WinPFind and SpySweeper.

Attached Files

  • tman.zip (586 bytes)

Edited by Cretemonster, 08 November 2005 - 06:50 PM.


#7 tman14

  • Topic Starter
  • Members
  • 7 posts

Posted 14 November 2005 - 03:39 AM

I have been a little busy with work ...
I ran the batch file before I was in Safe Mode ... hope I didn't mess up after all your hard work.
Have you found some new viruses in going through my log files?
Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 7:00:41 PM, on 14/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\EDS\Unigraphics NX 2.0\UGFLEXLM\Lmgrd.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\EDS\Unigraphics NX 2.0\UGFLEXLM\uglmd.exe
C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\GetRight\getright.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\HJT\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3DxWare\3DxSrv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122182497765
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B12\intel_a\code\bin\CATSysDemon.exe
O23 - Service: FLEXlm Service 1 - Macrovision Corporation - C:\Program Files\EDS\Unigraphics NX 2.0\UGFLEXLM\Lmgrd.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unigraphics Solutions, Inc - C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 24/08/2001 1:30:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 12/07/2005 7:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
Umonitor 29/08/2002 4:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 24/08/2001 1:30:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 26/03/2002 7:20:18 PM 1766472 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
14/11/2005 5:58:32 PM S 2048 C:\WINDOWS\bootstat.dat
14/11/2005 5:58:36 PM H 16384 C:\WINDOWS\system32\config\DEFAULT.LOG
14/11/2005 5:59:26 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
14/11/2005 5:58:32 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
14/11/2005 6:00:02 PM H 122880 C:\WINDOWS\system32\config\SOFTWARE.LOG
14/11/2005 5:59:28 PM H 1114112 C:\WINDOWS\system32\config\SYSTEM.LOG
2/11/2005 1:08:10 PM H 28 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Recent\index.dat
1/11/2005 1:08:06 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\145d68d8-7d00-469d-ac81-3cf49cc7d278
1/11/2005 1:08:06 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
3/10/2005 10:43:38 AM H 13936 C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMMHyd.GID
14/11/2005 5:57:26 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 24/08/2001 1:30:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 30/07/2003 11:39:40 AM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 9:11:00 PM 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/12/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 22/12/2003 9:28:12 AM 69632 C:\WINDOWS\SYSTEM32\mbllnk.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Silicon Image 26/11/2003 6:29:36 PM R 69120 C:\WINDOWS\SYSTEM32\SilSupp.cpl
SmartLink 27/03/2002 11:53:56 AM 339968 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26/05/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 9:11:00 PM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29/08/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 24/08/2001 1:30:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
15/12/2003 5:18:08 PM 1023 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
12/10/2003 4:56:10 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/05/2004 2:48:20 PM 731 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
24/10/2003 7:55:20 AM 1767 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
3/03/2005 12:17:00 AM 1685 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
6/02/2005 10:49:48 AM 1726 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start 3DxWare.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/10/2003 9:41:52 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
12/10/2003 4:56:10 PM HS 84 C:\Documents and Settings\Ronald McDonald\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/10/2003 9:41:52 AM HS 62 C:\Documents and Settings\Ronald McDonald\Application Data\desktop.ini
2/06/2004 3:37:34 PM 0 C:\Documents and Settings\Ronald McDonald\Application Data\dm.ini
3/02/2004 8:35:08 PM 19504 C:\Documents and Settings\Ronald McDonald\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
MenuText = Create Mobile Favorite... : C:\Program Files\Microsoft ActiveSync\inetrepl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
OpwareSE2 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 14/11/2005 6:07:34 PM


********
6:32 PM: | Start of Session, Monday, 14 November 2005 |
6:32 PM: Spy Sweeper started
6:32 PM: Sweep initiated using definitions version 572
6:32 PM: Starting Memory Sweep
6:33 PM: Memory Sweep Complete, Elapsed Time: 00:01:18
6:33 PM: Starting Registry Sweep
6:33 PM: Found Adware: elitemediagroup-mediamotor
6:33 PM: HKCR\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\ (23 subtraces) (ID = 140032)
6:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\inprocserver32\ (2 subtraces) (ID = 140081)
6:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\miscstatus\ (3 subtraces) (ID = 140082)
6:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\progid\ (1 subtraces) (ID = 140083)
6:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\toolboxbitmap32\ (1 subtraces) (ID = 140084)
6:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\typelib\ (1 subtraces) (ID = 140085)
6:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\version\ (1 subtraces) (ID = 140086)
6:33 PM: HKLM\software\classes\iobjsafety.democtl\ (3 subtraces) (ID = 140120)
6:33 PM: HKLM\software\classes\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140131)
6:33 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
6:33 PM: HKCR\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140223)
6:33 PM: Found Trojan Horse: trojan-backdoor-soundcheck
6:33 PM: HKLM\system\currentcontrolset\services\msdirectx\ (11 subtraces) (ID = 144200)
6:33 PM: HKLM\software\microsoft\ole\ || compaq32 service drivers (ID = 359520)
6:33 PM: HKLM\system\currentcontrolset\control\lsa\ || compaq32 service drivers (ID = 359526)
6:33 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\ole\ || compaq32 service drivers (ID = 359519)
6:33 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\windows\currentversion\run\ || compaq32 service drivers (ID = 359521)
6:33 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\windows\currentversion\runservices\ || compaq32 service drivers (ID = 359523)
6:33 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\system\currentcontrolset\control\lsa\ || compaq32 service drivers (ID = 359525)
6:33 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\ole\ || compaq32 service drivers (ID = 359519)
6:33 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\system\currentcontrolset\control\lsa\ || compaq32 service drivers (ID = 359525)
6:33 PM: Registry Sweep Complete, Elapsed Time:00:00:14
6:33 PM: Starting Cookie Sweep
6:33 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:34 PM: Starting File Sweep
6:34 PM: Found Adware: elitebar
6:34 PM: proxy_inst[1].exe (ID = 186002)
6:35 PM: pre7[1].exe (ID = 186002)
6:36 PM: pre5[1].exe (ID = 186002)
6:39 PM: mmxxxxmas2[1].exe (ID = 162574)
6:39 PM: mm83[1].ocx (ID = 188117)
6:40 PM: Found Trojan Horse: fu rootkit components
6:40 PM: msdirectx.sys (ID = 134168)
6:41 PM: Found Adware: ist istbar
6:41 PM: istdownload[1].exe (ID = 181597)
6:41 PM: kwlist7[1].exe (ID = 185991)
6:43 PM: pre8[1].exe (ID = 186002)
6:44 PM: msdirectx.sys (ID = 134168)
6:44 PM: msdirectx.sys (ID = 134168)
6:44 PM: mmxxxxmas2[1].exe (ID = 162574)
6:44 PM: fca0ivf.exe (ID = 181597)
6:44 PM: mmxxxxmas2.exe (ID = 162574)
6:45 PM: mmxxxxmas2[1].exe (ID = 162574)
6:53 PM: File Sweep Complete, Elapsed Time: 00:19:03
6:53 PM: Full Sweep has completed. Elapsed time 00:20:43
6:53 PM: Traces Found: 100
6:53 PM: Removal process initiated
6:53 PM: Quarantining All Traces: elitebar
6:53 PM: Quarantining All Traces: ist istbar
6:53 PM: Quarantining All Traces: fu rootkit components
6:53 PM: Quarantining All Traces: trojan-backdoor-soundcheck
6:53 PM: Quarantining All Traces: elitemediagroup-mediamotor
6:54 PM: Removal process completed. Elapsed time 00:00:54
********
1:55 PM: | Start of Session, Wednesday, 2 November 2005 |
1:55 PM: Spy Sweeper started
1:55 PM: Sweep initiated using definitions version 556
1:55 PM: Starting Memory Sweep
1:57 PM: Memory Sweep Complete, Elapsed Time: 00:01:53
1:57 PM: Starting Registry Sweep
1:57 PM: Registry Sweep Complete, Elapsed Time:00:00:27
1:57 PM: Starting Cookie Sweep
1:57 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:57 PM: Starting File Sweep
1:58 PM: Found Adware: elitebar
1:58 PM: 00289961.dll (ID = 59985)
1:59 PM: Found Adware: screensavers
1:59 PM: 00290069.dll (ID = 74752)
1:59 PM: 00290065.exe (ID = 74757)
2:13 PM: Found Adware: 180search assistant/zango
2:13 PM: 00290006.dll (ID = 111353)
2:13 PM: 00289944.exe (ID = 59979)
2:13 PM: 00289953.exe (ID = 59979)
2:14 PM: 00290002.exe (ID = 70475)
2:14 PM: Found Adware: internetoptimizer
2:14 PM: 00290044.exe (ID = 125734)
2:14 PM: Found Adware: coolwebsearch (cws)
2:14 PM: 00290040.exe (ID = 54306)
2:14 PM: 00289991.exe (ID = 93787)
2:14 PM: Found Adware: winad
2:14 PM: 00290091.dll (ID = 156819)
2:14 PM: Found Trojan Horse: trojan_backdoor_retro64
2:14 PM: 00289984.dll (ID = 81259)
2:14 PM: 00289951.dll (ID = 144813)
2:14 PM: 00290087.dll (ID = 90431)
2:14 PM: Found Adware: moneytree
2:14 PM: 00290193.dll (ID = 64043)
2:14 PM: 00289998.dat (ID = 93789)
2:14 PM: 00289989.dll (ID = 70604)
2:14 PM: Found Adware: media-motor
2:14 PM: 00290057.exe (ID = 162574)
2:14 PM: 00289948.exe (ID = 59979)
2:22 PM: 00289946.osd (ID = 60007)
2:22 PM: 00289993.inf (ID = 70515)
2:22 PM: 00290063.inf (ID = 74756)
2:25 PM: File Sweep Complete, Elapsed Time: 00:27:58
2:25 PM: Full Sweep has completed. Elapsed time 00:30:32
2:25 PM: Traces Found: 22
2:26 PM: Removal process initiated
2:26 PM: Quarantining All Traces: elitebar
2:26 PM: Quarantining All Traces: trojan_backdoor_retro64
2:26 PM: Quarantining All Traces: 180search assistant/zango
2:26 PM: Quarantining All Traces: coolwebsearch (cws)
2:26 PM: Quarantining All Traces: internetoptimizer
2:26 PM: Quarantining All Traces: media-motor
2:26 PM: Quarantining All Traces: screensavers
2:26 PM: Quarantining All Traces: winad
2:26 PM: Quarantining All Traces: moneytree
2:26 PM: Removal process completed. Elapsed time 00:00:14
6:31 PM: Your spyware definitions have been updated.
6:32 PM: | End of Session, Monday, 14 November 2005 |
********
12:18 PM: | Start of Session, Wednesday, 2 November 2005 |
12:18 PM: Spy Sweeper started
12:18 PM: Sweep initiated using definitions version 556
12:18 PM: Starting Memory Sweep
12:19 PM: Found Adware: 180search assistant/zango
12:19 PM: Detected running threat: c:\Program Files\180searchassistant\salmhook.dll (ID = 70604)
12:19 PM: Found Adware: winad
12:19 PM: Detected running threat: C:\Program Files\Preview AdService\PrevAdServ.exe (ID = 90433)
12:19 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Preview AdService (ID = 0)
12:19 PM: Detected running threat: C:\Program Files\Preview AdService\PrevAdComm.dll (ID = 90431)
12:19 PM: Found Adware: elitebar
12:19 PM: Detected running threat: C:\WINDOWS\system32\eliterjc32.exe (ID = 59979)
12:19 PM: Detected running threat: C:\Program Files\180searchassistant\salm.exe (ID = 93787)
12:19 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || salm (ID = 0)
12:19 PM: Found Adware: internetoptimizer
12:19 PM: Detected running threat: C:\Program Files\Internet Optimizer\optimize.exe (ID = 125734)
12:21 PM: Memory Sweep Complete, Elapsed Time: 00:02:20
12:21 PM: Starting Registry Sweep
12:21 PM: Found Adware: blazefind
12:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || preview adservice (ID = 104534)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\preview adservice\ (2 subtraces) (ID = 104549)
12:21 PM: HKLM\software\preview adservice\ (7 subtraces) (ID = 104556)
12:21 PM: Found Adware: comet cursor
12:21 PM: HKCR\clsid\{35e78239-811e-4c3f-b37d-f339ac16c2c0}\ (4 subtraces) (ID = 106324)
12:21 PM: HKCR\interface\{665abe65-2c16-4341-b4b8-01ff799e8f4c}\ (8 subtraces) (ID = 106467)
12:21 PM: HKLM\software\classes\clsid\{35e78239-811e-4c3f-b37d-f339ac16c2c0}\ (4 subtraces) (ID = 106543)
12:21 PM: HKLM\software\classes\interface\{665abe65-2c16-4341-b4b8-01ff799e8f4c}\ (8 subtraces) (ID = 106648)
12:21 PM: HKCR\clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}\ (5 subtraces) (ID = 125690)
12:21 PM: HKCR\clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}\ (4 subtraces) (ID = 125692)
12:21 PM: HKLM\software\classes\clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}\ (5 subtraces) (ID = 125720)
12:21 PM: HKLM\software\classes\clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}\ (4 subtraces) (ID = 125722)
12:21 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
12:21 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/v3.dll\ (2 subtraces) (ID = 125753)
12:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || etbrun (ID = 125757)
12:21 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\v3.dll (ID = 125764)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar\ (3 subtraces) (ID = 125768)
12:21 PM: Found Adware: hi5 toolbar
12:21 PM: HKCR\toolbar.toolbarobj\ (5 subtraces) (ID = 127131)
12:21 PM: HKCR\toolbar.toolbarobj.1\ (3 subtraces) (ID = 127132)
12:21 PM: HKU\.default\software\avenue media\ (ID = 128878)
12:21 PM: HKU\.default\software\policies\avenue media\ (ID = 128879)
12:21 PM: HKCR\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}\ (11 subtraces) (ID = 128881)
12:21 PM: HKLM\software\avenue media\ (27 subtraces) (ID = 128888)
12:21 PM: HKLM\software\classes\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}\ (11 subtraces) (ID = 128892)
12:21 PM: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
12:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || internet optimizer (ID = 128916)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\internet optimizer\ (3 subtraces) (ID = 128921)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\kapabout\ (2 subtraces) (ID = 128924)
12:21 PM: HKLM\software\policies\avenue media\ (ID = 128929)
12:21 PM: Found Adware: ist software
12:21 PM: HKU\.default\software\ist\ (3 subtraces) (ID = 129052)
12:21 PM: Found Adware: locators toolbar
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ || default visible (ID = 129801)
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ || icon (ID = 129803)
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ || menustatusbar (ID = 129804)
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ || menutext (ID = 129805)
12:21 PM: HKLM\software\microsoft\internet explorer\extensions\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}\ (8 subtraces) (ID = 129810)
12:21 PM: Found Adware: moneytree
12:21 PM: HKCR\dyfuca_bh.bhobj.1\ (3 subtraces) (ID = 135175)
12:21 PM: HKCR\dyfuca_bh.bhobj\ (5 subtraces) (ID = 135176)
12:21 PM: HKLM\software\classes\dyfuca_bh.bhobj\ (5 subtraces) (ID = 135194)
12:21 PM: HKLM\software\classes\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\ (9 subtraces) (ID = 135201)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\dyfuca\ (ID = 135214)
12:21 PM: HKCR\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}\ (9 subtraces) (ID = 135217)
12:21 PM: HKCR\clientax.clientinstaller.1\ (3 subtraces) (ID = 135595)
12:21 PM: HKCR\clientax.clientinstaller\ (5 subtraces) (ID = 135596)
12:21 PM: HKCR\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135597)
12:21 PM: HKCR\clientax.requiredcomponent\ (5 subtraces) (ID = 135598)
12:21 PM: HKCR\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135599)
12:21 PM: HKCR\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135601)
12:21 PM: HKCR\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\ (20 subtraces) (ID = 135602)
12:21 PM: HKCR\ncmyb.sabho.1\ (3 subtraces) (ID = 135611)
12:21 PM: HKCR\ncmyb.sabho\ (5 subtraces) (ID = 135612)
12:21 PM: HKLM\software\classes\clientax.clientinstaller.1\ (3 subtraces) (ID = 135620)
12:21 PM: HKLM\software\classes\clientax.clientinstaller\ (5 subtraces) (ID = 135621)
12:21 PM: HKLM\software\classes\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135622)
12:21 PM: HKLM\software\classes\clientax.requiredcomponent\ (5 subtraces) (ID = 135623)
12:21 PM: HKLM\software\classes\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135624)
12:21 PM: HKLM\software\classes\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135625)
12:21 PM: HKLM\software\classes\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}\ (20 subtraces) (ID = 135626)
12:21 PM: HKLM\software\classes\ncmyb.sabho.1\ (3 subtraces) (ID = 135632)
12:21 PM: HKLM\software\classes\ncmyb.sabho\ (5 subtraces) (ID = 135633)
12:21 PM: HKLM\software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}\ (10 subtraces) (ID = 135637)
12:21 PM: HKLM\software\microsoft\windows\currentversion\run\ || salm (ID = 135728)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\salm\ (3 subtraces) (ID = 135779)
12:21 PM: HKLM\software\salm\ (10 subtraces) (ID = 135793)
12:21 PM: Found Adware: media-motor
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\media-motor\ (2 subtraces) (ID = 140208)
12:21 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
12:21 PM: Found Adware: screensavers
12:21 PM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140550)
12:21 PM: HKCR\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140551)
12:21 PM: HKCR\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140552)
12:21 PM: HKCR\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140553)
12:21 PM: HKCR\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140554)
12:21 PM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140555)
12:21 PM: HKLM\software\classes\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140556)
12:21 PM: HKLM\software\classes\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140557)
12:21 PM: HKLM\software\classes\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140558)
12:21 PM: HKLM\software\classes\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140559)
12:21 PM: HKLM\software\classes\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140560)
12:21 PM: HKLM\software\classes\screensaversinstaller.installer\ (5 subtraces) (ID = 140561)
12:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140562)
12:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140563)
12:21 PM: HKLM\software\classes\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140564)
12:21 PM: HKLM\software\classes\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140565)
12:21 PM: HKLM\software\microsoft\code store database\distribution units\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (9 subtraces) (ID = 140566)
12:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\screensaversinstaller\ (2 subtraces) (ID = 140568)
12:21 PM: HKLM\software\screensavers.com\ (11 subtraces) (ID = 140569)
12:21 PM: HKCR\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140570)
12:21 PM: HKCR\screensaversinstaller.installer\ (5 subtraces) (ID = 140571)
12:21 PM: HKCR\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140572)
12:21 PM: HKCR\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140573)
12:21 PM: HKCR\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140574)
12:21 PM: HKCR\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140575)
12:21 PM: Found Trojan Horse: trojan_backdoor_retro64
12:21 PM: HKCR\clsid\{288c5f13-7e52-4ada-a32e-f5bf9d125f98}\ (20 subtraces) (ID = 144993)
12:21 PM: HKCR\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 144995)
12:21 PM: HKLM\software\classes\clsid\{288c5f13-7e52-4ada-a32e-f5bf9d125f98}\ (20 subtraces) (ID = 144998)
12:21 PM: HKLM\software\classes\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 145000)
12:21 PM: HKLM\software\classes\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145003)
12:21 PM: HKCR\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145004)
12:21 PM: HKLM\software\classes\typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda}\ (9 subtraces) (ID = 147899)
12:21 PM: HKCR\typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda}\ (9 subtraces) (ID = 147925)
12:21 PM: HKCR\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 147926)
12:21 PM: HKCR\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}\ (8 subtraces) (ID = 169495)
12:21 PM: HKLM\software\classes\interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}\ (8 subtraces) (ID = 169496)
12:21 PM: HKCR\interface\{2b0eceac-f597-4858-a542-d966b49055b9}\ (8 subtraces) (ID = 169515)
12:21 PM: HKCR\interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad}\ (8 subtraces) (ID = 169516)
12:21 PM: HKCR\interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}\ (8 subtraces) (ID = 169517)
12:21 PM: HKLM\software\classes\interface\{2b0eceac-f597-4858-a542-d966b49055b9}\ (8 subtraces) (ID = 169518)
12:21 PM: HKLM\software\classes\interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad}\ (8 subtraces) (ID = 169519)
12:21 PM: HKLM\software\classes\interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}\ (8 subtraces) (ID = 169520)
12:21 PM: HKLM\software\media gateway\ (11 subtraces) (ID = 359545)
12:21 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
12:21 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
12:21 PM: HKLM\software\avenue media\internet optimizer\ (26 subtraces) (ID = 394594)
12:21 PM: HKLM\software\classes\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 396447)
12:21 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
12:21 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
12:21 PM: HKCR\clsid\{e2e40140-76f8-4763-83d5-b660107babcd}\ (21 subtraces) (ID = 762062)
12:21 PM: HKCR\typelib\{df54d7dd-ea6f-11d4-abf3-000102378429}\ (9 subtraces) (ID = 762084)
12:21 PM: HKLM\software\classes\typelib\{df54d7dd-ea6f-11d4-abf3-000102378429}\ (9 subtraces) (ID = 762116)
12:21 PM: HKLM\software\classes\clsid\{e2e40140-76f8-4763-83d5-b660107babcd}\ (21 subtraces) (ID = 762136)
12:21 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
12:21 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
12:21 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
12:21 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
12:21 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
12:21 PM: Found Adware: cws_195.95.218.172 hijack
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\internet explorer\main\ || default_page_url (ID = 112691)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\internet explorer\main\ || local page (ID = 112694)
12:21 PM: Found Adware: easysearchbar
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {a26abcf0-1c8f-46e7-a67c-0489dc21b9cc} (ID = 125568)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\lq\ (6 subtraces) (ID = 125741)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {825cf5bd-8862-4430-b771-0c15c5ca8def} (ID = 125745)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1006\software\zango\ (12 subtraces) (ID = 147919)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\microsoft\internet explorer\main\ || default_page_url (ID = 112691)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\microsoft\internet explorer\main\ || local page (ID = 112694)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {a26abcf0-1c8f-46e7-a67c-0489dc21b9cc} (ID = 125568)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\lq\ (13 subtraces) (ID = 125741)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\avenue media\ (ID = 128887)
12:21 PM: HKU\WRSS_Profile_S-1-5-21-839522115-606747145-725345543-1005\software\salm\ (11 subtraces) (ID = 135792)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
12:21 PM: Found Adware: cws_xplugin
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\main\ || sethp (ID = 124467)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {a26abcf0-1c8f-46e7-a67c-0489dc21b9cc} (ID = 125568)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\lq\ (8 subtraces) (ID = 125741)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\avenue media\ (ID = 128887)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\salm\ (3 subtraces) (ID = 135792)
12:21 PM: Found Adware: type2find.com hijack
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\ || searchurl (ID = 776637)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\main\ || search page (ID = 776638)
12:21 PM: HKU\S-1-5-21-839522115-606747145-725345543-1003\software\microsoft\internet explorer\main\ || search bar (ID = 776639)
12:22 PM: Registry Sweep Complete, Elapsed Time:00:00:50
12:22 PM: Starting Cookie Sweep
12:22 PM: Found Spy Cookie: 2o7.net cookie
12:22 PM: mia taylor@122.2o7[2].txt (ID = 1958)
12:22 PM: Found Spy Cookie: websponsors cookie
12:22 PM: mia taylor@a.websponsors[2].txt (ID = 3665)
12:22 PM: Found Spy Cookie: yieldmanager cookie
12:22 PM: mia taylor@ad.yieldmanager[1].txt (ID = 3751)
12:22 PM: Found Spy Cookie: belnk cookie
12:22 PM: mia taylor@ath.belnk[1].txt (ID = 2293)
12:22 PM: Found Spy Cookie: atwola cookie
12:22 PM: mia taylor@atwola[1].txt (ID = 2255)
12:22 PM: Found Spy Cookie: banner cookie
12:22 PM: mia taylor@banner[1].txt (ID = 2276)
12:22 PM: mia taylor@belnk[2].txt (ID = 2292)
12:22 PM: Found Spy Cookie: burstnet cookie
12:22 PM: mia taylor@burstnet[1].txt (ID = 2336)
12:22 PM: mia taylor@dist.belnk[1].txt (ID = 2293)
12:22 PM: Found Spy Cookie: go.com cookie
12:22 PM: mia taylor@go[2].txt (ID = 2728)
12:22 PM: mia taylor@hollywoodrecords.go[1].txt (ID = 2729)
12:22 PM: Found Spy Cookie: aptimus cookie
12:22 PM: mia taylor@network.aptimus[2].txt (ID = 2235)
12:22 PM: Found Spy Cookie: paypopup cookie
12:22 PM: mia taylor@paypopup[2].txt (ID = 3119)
12:22 PM: mia taylor@popunder.paypopup[1].txt (ID = 3120)
12:22 PM: mia taylor@sensis.122.2o7[1].txt (ID = 1958)
12:22 PM: Found Spy Cookie: stlyrics cookie
12:22 PM: mia taylor@stlyrics[1].txt (ID = 3461)
12:22 PM: Found Spy Cookie: affiliatefuel.com cookie
12:22 PM: mia taylor@www.affiliatefuel[1].txt (ID = 2202)
12:22 PM: Found Spy Cookie: screensavers.com cookie
12:22 PM: mia taylor@www.screensavers[2].txt (ID = 3298)
12:22 PM: go josh@2o7[1].txt (ID = 1957)
12:22 PM: Found Spy Cookie: atlas dmt cookie
12:22 PM: go josh@atdmt[2].txt (ID = 2253)
12:22 PM: go josh@atwola[1].txt (ID = 2255)
12:22 PM: go josh@belnk[1].txt (ID = 2292)
12:22 PM: go josh@burstnet[1].txt (ID = 2336)
12:22 PM: Found Spy Cookie: clickbank cookie
12:22 PM: go josh@clickbank[1].txt (ID = 2398)
12:22 PM: go josh@dist.belnk[2].txt (ID = 2293)
12:22 PM: Found Spy Cookie: empnads cookie
12:22 PM: go josh@empnads[1].txt (ID = 5012)
12:22 PM: Found Spy Cookie: touchclarity cookie
12:22 PM: go josh@msn.touchclarity[2].txt (ID = 3566)
12:22 PM: Found Spy Cookie: adserver cookie
12:22 PM: go josh@z1.adserver[1].txt (ID = 2142)
12:22 PM: ronald mcdonald@empnads[2].txt (ID = 5012)
12:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
12:22 PM: Starting File Sweep
12:22 PM: c:\program files\screensavers.com (9 subtraces) (ID = -2147480365)
12:22 PM: c:\program files\internet optimizer (1 subtraces) (ID = -2147480830)
12:22 PM: c:\program files\180searchassistant (5 subtraces) (ID = -2147480569)
12:22 PM: c:\windows\etb (16 subtraces) (ID = -2147476235)
12:22 PM: c:\windows\elitetoolbar (ID = -2147481052)
12:22 PM: c:\documents and settings\all users\start menu\programs\180search assistant (2 subtraces) (ID = -2147480571)
12:22 PM: c:\program files\preview adservice (4 subtraces) (ID = -2147477102)
12:22 PM: v3cab[1].cab (ID = 145376)
12:22 PM: 00285399.exe (ID = 60024)
12:23 PM: 00288951.dll (ID = 59985)
12:23 PM: 00288955.exe (ID = 60024)
12:23 PM: elitetoolbar version 60.dll (ID = 59985)
12:23 PM: 00279209.dll (ID = 59985)
12:24 PM: 00286616.dll (ID = 70604)
12:24 PM: screensaversinst.dll (ID = 74752)
12:24 PM: siuninst.exe (ID = 74757)
12:24 PM: ActiveX Shield: found: Adware: moneytree, version 1.0.0.0 -- Installation denied
12:24 PM: 00286458.dll (ID = 93785)
12:24 PM: BHO Shield: found: -- BHO installation denied at user request
12:24 PM: BHO Shield: found: -- BHO installation denied at user request
12:25 PM: mmxxxxmas2[1].exe (ID = 162574)
12:28 PM: 00286484.dat (ID = 93789)
12:29 PM: 00287476.dat (ID = 93789)
12:30 PM:

#8 Guest_Cretemonster_*

  • Guests

Posted 17 November 2005 - 06:05 PM

I'm so sorry about the delays.

Let's catch up now.

Run SpySweeper once more and post those results.

I need you to check out Windows Updates and see if you can access the site OK.

Don't get the updates just yet, simply try to access the site.
