Websearchtv
6 replies to this topic

#1 fred.champy

Posted 18 December 2005 - 08:53 PM

I have been infected with a trojan adclicker that goes by the name of websearchtv. This tries to hijack my browser and change my home page. It also creates irritating popups that come up every few minutes or so. I ran HijackThis and here is the log. If someone has dealt with this, your help would be greatly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 4:14:56 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\RnJlZCBDaGFtcHkgSUk\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\VERIZO~2\SMARTB~1\MotiveSB.exe
C:\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\pgws.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NoAdware4\NoAdware4.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Desktop Alert\desktopalert_1666446.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Fred\LOCALS~1\Temp\Temporary Directory 2 for HijackThis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~2\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [0ce80c5c.dll] RUNDLL32.EXE 0ce80c5c.dll,b 1351252343
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [NoAdware4] "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1666446.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134415526296
O16 - DPF: {6EE8BB87-D9D6-423D-8ACE-F5F6D08308FB} (LiveChatApplet Class) - http://www.tastylive.com/apps/livechat.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://204.249.164.75/activex/AxisCamControl.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RnJlZCBDaGFtcHkgSUk\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 Guest_Cretemonster_*

Posted 21 December 2005 - 04:29 AM

Hi fred.champy and Welcome to the Bleeping Computer!


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#3 fred.champy

Posted 21 December 2005 - 11:38 PM

Thank you for your help! Here is the log file from Spy Sweeper....

9:40 PM: | Start of Session, Wednesday, December 21, 2005 |
9:40 PM: Spy Sweeper started
9:40 PM: Sweep initiated using definitions version 589
9:40 PM: Starting Memory Sweep
9:40 PM: Found Adware: quicklink search toolbar
9:40 PM: Detected running threat: C:\Program Files\QL\qlink32.dll (ID = 200308)
9:41 PM: Found Adware: command
9:41 PM: Detected running threat: C:\WINDOWS\RnJlZCBDaGFtcHkgSUk\asappsrv.dll (ID = 144945)
9:41 PM: Detected running threat: C:\WINDOWS\system32\pgws.exe (ID = 200314)
9:44 PM: Detected running threat: C:\WINDOWS\RnJlZCBDaGFtcHkgSUk\command.exe (ID = 144946)
9:45 PM: Detected running threat: C:\WINDOWS\system32\igps.exe (ID = 200311)
9:45 PM: Found Adware: wfgtech
9:45 PM: Detected running threat: C:\WINDOWS\system32\0ce80c5c.dll (ID = 203552)
9:45 PM: Detected running threat: C:\WINDOWS\system32\0ce8rglo.dll (ID = 209436)
9:46 PM: Memory Sweep Complete, Elapsed Time: 00:05:33
9:46 PM: Starting Registry Sweep
9:46 PM: Found Adware: coolsavings
9:46 PM: HKCR\clsid\{11bdb904-c0bc-41ce-910b-0d12fd619fd0}\ (2 subtraces) (ID = 106999)
9:46 PM: HKLM\software\classes\clsid\{11bdb904-c0bc-41ce-910b-0d12fd619fd0}\ (2 subtraces) (ID = 107005)
9:46 PM: Found Adware: cws-aboutblank
9:46 PM: HKCR\protocols\filter\text/html\ (2 subtraces) (ID = 114343)
9:46 PM: HKLM\software\classes\protocols\filter\text/html\ (2 subtraces) (ID = 115907)
9:46 PM: Found Adware: delfin
9:46 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\delfin media viewer\ (2 subtraces) (ID = 124859)
9:46 PM: HKLM\software\microsoft\windows\currentversion\uninstall\delfin media viewer\ (2 subtraces) (ID = 124878)
9:46 PM: Found Adware: hotbar
9:46 PM: HKCR\clsid\{cdc6e08a-2b2e-4a7f-9aff-78d55fcb2591}\ (3 subtraces) (ID = 127268)
9:46 PM: HKLM\software\classes\clsid\{cdc6e08a-2b2e-4a7f-9aff-78d55fcb2591}\ (3 subtraces) (ID = 127432)
9:46 PM: Found Adware: linkmaker
9:46 PM: HKLM\software\classes\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129743)
9:46 PM: HKCR\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129750)
9:46 PM: Found Adware: purityscan
9:46 PM: HKLM\software\clickspring\ (2 subtraces) (ID = 137699)
9:46 PM: Found Adware: websearch toolbar
9:46 PM: HKCR\clsid\{3c53010d-97ba-4650-84c5-1a6faa31055e}\ (6 subtraces) (ID = 146315)
9:46 PM: HKCR\protocols\handler\relatedlinks\ (2 subtraces) (ID = 146362)
9:46 PM: HKLM\software\btiein\ (5 subtraces) (ID = 146369)
9:46 PM: HKLM\software\btlink\ (51 subtraces) (ID = 146371)
9:46 PM: HKLM\software\btlink\btlink\ (50 subtraces) (ID = 146372)
9:46 PM: HKLM\software\classes\clsid\{3c53010d-97ba-4650-84c5-1a6faa31055e}\ (6 subtraces) (ID = 146378)
9:46 PM: HKLM\software\classes\protocols\handler\relatedlinks\ (2 subtraces) (ID = 146425)
9:46 PM: HKLM\software\microsoft\windows\currentversion\installer\userdata\aui\ (1 subtraces) (ID = 146479)
9:46 PM: HKCR\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359437)
9:46 PM: HKLM\software\classes\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359440)
9:46 PM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 359448)
9:46 PM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 359449)
9:46 PM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359450)
9:46 PM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359451)
9:46 PM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 359452)
9:46 PM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 359453)
9:46 PM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359454)
9:46 PM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359455)
9:46 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (ID = 359456)
9:46 PM: HKLM\software\ql\ (3 subtraces) (ID = 359458)
9:47 PM: HKCR\clsid\{3551784b-e99a-474f-b782-3ec814442918}\ (10 subtraces) (ID = 727328)
9:47 PM: HKLM\software\classes\clsid\{3551784b-e99a-474f-b782-3ec814442918}\ (10 subtraces) (ID = 727357)
9:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
9:47 PM: Found Adware: dollarrevenue
9:47 PM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
9:47 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
9:47 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (8 subtraces) (ID = 1016064)
9:47 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (10 subtraces) (ID = 1016072)
9:47 PM: HKLM\software\microsoft\windows\currentversion\run\ || lspins (ID = 1027202)
9:47 PM: Found Adware: great net downloadware
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\downloadware\ (11 subtraces) (ID = 125353)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\hotbar\ (440 subtraces) (ID = 127565)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
9:47 PM: Found Adware: ieplugin
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\intexp\ (2 subtraces) (ID = 128173)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\btlink\ (8 subtraces) (ID = 146370)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\microsoft\internet explorer\urlsearchhooks\ || {d6dff6d8-b94b-4720-b730-1c38c7065c3b} (ID = 146468)
9:47 PM: Found Adware: websearch.com hijacker
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\microsoft\internet explorer\main\ || search bar (ID = 146561)
9:47 PM: Found Adware: cydoor
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\cydoor\ (401 subtraces) (ID = 639126)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\cydoor services\ (10 subtraces) (ID = 639128)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1007\software\downloadware\ (11 subtraces) (ID = 775210)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\delfin\ (5 subtraces) (ID = 124848)
9:47 PM: Found Adware: findthewebsiteyouneed hijacker
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\downloadware\ (11 subtraces) (ID = 125353)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\hotbar\ (3 subtraces) (ID = 127565)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\explorer bars\{becafc17-baf9-11d4-b492-00d0b77f0a6d}\ (2 subtraces) (ID = 127573)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\explorer bars\{ff6b2fd5-093c-4d4f-bb98-5641130a9de6}\ (2 subtraces) (ID = 127574)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\intexp\ (43 subtraces) (ID = 128173)
9:47 PM: Found Adware: ieplugin hijacker
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\searchurl\ (ID = 128220)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\btiein\ (4 subtraces) (ID = 146368)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\btlink\ (12 subtraces) (ID = 146370)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\urlsearchhooks\ || {d6dff6d8-b94b-4720-b730-1c38c7065c3b} (ID = 146468)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\toolbar\ (18 subtraces) (ID = 146513)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\cydoor\ (16 subtraces) (ID = 639126)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\cydoor services\ (ID = 639128)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\toolbar\ (18 subtraces) (ID = 646239)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\downloadware\ (11 subtraces) (ID = 775210)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1006\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
9:47 PM: Found Adware: cws obfuscated bho hijack
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\microsoft\internet explorer\main\ || search bar (ID = 116786)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\microsoft\internet explorer\main\ || search page (ID = 116787)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\microsoft\internet explorer\search\ || searchassistant (ID = 116796)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\downloadware\ (9 subtraces) (ID = 125353)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\btiein\ (3 subtraces) (ID = 146368)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\btlink\ (8 subtraces) (ID = 146370)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\microsoft\internet explorer\urlsearchhooks\ || {d6dff6d8-b94b-4720-b730-1c38c7065c3b} (ID = 146468)
9:47 PM: HKU\WRSS_Profile_S-1-5-21-789336058-220523388-682003330-1005\software\downloadware\ (9 subtraces) (ID = 775210)
9:47 PM: HKU\S-1-5-21-789336058-220523388-682003330-1004\software\btlink\ (12 subtraces) (ID = 146370)
9:47 PM: HKU\S-1-5-21-789336058-220523388-682003330-1004\software\microsoft\internet explorer\urlsearchhooks\ || {d6dff6d8-b94b-4720-b730-1c38c7065c3b} (ID = 146468)
9:47 PM: HKU\S-1-5-18\software\btlink\ (7 subtraces) (ID = 146370)
9:47 PM: HKU\S-1-5-18\software\microsoft\internet explorer\urlsearchhooks\ || {d6dff6d8-b94b-4720-b730-1c38c7065c3b} (ID = 146468)
9:47 PM: Registry Sweep Complete, Elapsed Time:00:01:07
9:47 PM: Starting Cookie Sweep
9:47 PM: Found Spy Cookie: 216.221.138 cookie
9:47 PM: krystle@216.221.138[2].txt (ID = 1947)
9:47 PM: Found Spy Cookie: 2o7.net cookie
9:47 PM: krystle@2o7[1].txt (ID = 1957)
9:47 PM: Found Spy Cookie: websponsors cookie
9:47 PM: krystle@a.websponsors[2].txt (ID = 3665)
9:47 PM: Found Spy Cookie: abcsearch cookie
9:47 PM: krystle@abcsearch[1].txt (ID = 2033)
9:47 PM: Found Spy Cookie: about cookie
9:47 PM: krystle@about[1].txt (ID = 2037)
9:47 PM: Found Spy Cookie: yieldmanager cookie
9:47 PM: krystle@ad.yieldmanager[2].txt (ID = 3751)
9:47 PM: Found Spy Cookie: adecn cookie
9:47 PM: krystle@adecn[1].txt (ID = 2063)
9:47 PM: Found Spy Cookie: adknowledge cookie
9:47 PM: krystle@adknowledge[2].txt (ID = 2072)
9:47 PM: Found Spy Cookie: hbmediapro cookie
9:47 PM: krystle@adopt.hbmediapro[2].txt (ID = 2768)
9:47 PM: Found Spy Cookie: hotbar cookie
9:47 PM: krystle@adopt.hotbar[1].txt (ID = 4207)
9:47 PM: Found Spy Cookie: specificclick.com cookie
9:47 PM: krystle@adopt.specificclick[2].txt (ID = 3400)
9:47 PM: Found Spy Cookie: adrevolver cookie
9:47 PM: krystle@adrevolver[2].txt (ID = 2088)
9:47 PM: Found Spy Cookie: addynamix cookie
9:47 PM: krystle@ads.addynamix[1].txt (ID = 2062)
9:47 PM: Found Spy Cookie: belointeractive cookie
9:47 PM: krystle@ads.belointeractive[1].txt (ID = 2295)
9:47 PM: Found Spy Cookie: pointroll cookie
9:47 PM: krystle@ads.pointroll[2].txt (ID = 3148)
9:47 PM: krystle@ads.specificclick[2].txt (ID = 3400)
9:47 PM: Found Spy Cookie: specificpop cookie
9:47 PM: krystle@ads.specificpop[2].txt (ID = 3402)
9:47 PM: Found Spy Cookie: advertising cookie
9:47 PM: krystle@advertising[2].txt (ID = 2175)
9:47 PM: Found Spy Cookie: adviva cookie
9:47 PM: krystle@adviva[2].txt (ID = 2177)
9:47 PM: Found Spy Cookie: agent cookie
9:47 PM: krystle@agent[2].txt (ID = 2207)
9:47 PM: Found Spy Cookie: apmebf cookie
9:47 PM: krystle@apmebf[2].txt (ID = 2229)
9:47 PM: Found Spy Cookie: falkag cookie
9:47 PM: krystle@as-us.falkag[1].txt (ID = 2650)
9:47 PM: Found Spy Cookie: ask cookie
9:47 PM: krystle@ask[1].txt (ID = 2245)
9:47 PM: Found Spy Cookie: atlas dmt cookie
9:47 PM: krystle@atdmt[2].txt (ID = 2253)
9:47 PM: Found Spy Cookie: atwola cookie
9:47 PM: krystle@atwola[1].txt (ID = 2255)
9:47 PM: Found Spy Cookie: azjmp cookie
9:47 PM: krystle@azjmp[2].txt (ID = 2270)
9:47 PM: Found Spy Cookie: a cookie
9:47 PM: krystle@a[1].txt (ID = 2027)
9:47 PM: krystle@belointeractive[1].txt (ID = 2294)
9:47 PM: krystle@birding.about[1].txt (ID = 2038)
9:47 PM: Found Spy Cookie: bluestreak cookie
9:47 PM: krystle@bluestreak[2].txt (ID = 2314)
9:47 PM: Found Spy Cookie: bs.serving-sys cookie
9:47 PM: krystle@bs.serving-sys[1].txt (ID = 2330)
9:47 PM: Found Spy Cookie: burstnet cookie
9:47 PM: krystle@burstnet[1].txt (ID = 2336)
9:47 PM: krystle@cartoonnetwork.122.2o7[1].txt (ID = 1958)
9:47 PM: Found Spy Cookie: casalemedia cookie
9:47 PM: krystle@casalemedia[2].txt (ID = 2354)
9:47 PM: Found Spy Cookie: centrport net cookie
9:47 PM: krystle@centrport[2].txt (ID = 2374)
9:47 PM: Found Spy Cookie: classmates cookie
9:47 PM: krystle@classmates[1].txt (ID = 2384)
9:47 PM: Found Spy Cookie: commission junction cookie
9:47 PM: krystle@commission-junction[1].txt (ID = 2455)
9:47 PM: Found Spy Cookie: hitslink cookie
9:47 PM: krystle@counter2.hitslink[1].txt (ID = 2790)
9:47 PM: Found Spy Cookie: go.com cookie
9:47 PM: krystle@disney.go[2].txt (ID = 2729)
9:47 PM: krystle@dogs.about[1].txt (ID = 2038)
9:47 PM: Found Spy Cookie: ru4 cookie
9:47 PM: krystle@edge.ru4[2].txt (ID = 3269)
9:47 PM: Found Spy Cookie: exitexchange cookie
9:47 PM: krystle@exitexchange[1].txt (ID = 2633)
9:47 PM: krystle@exoticpets.about[1].txt (ID = 2038)
9:47 PM: Found Spy Cookie: fastclick cookie
9:47 PM: krystle@fastclick[2].txt (ID = 2651)
9:47 PM: Found Spy Cookie: findwhat cookie
9:47 PM: krystle@findwhat[1].txt (ID = 2674)
9:47 PM: krystle@forestry.about[1].txt (ID = 2038)
9:47 PM: Found Spy Cookie: fortunecity cookie
9:47 PM: krystle@fortunecity[1].txt (ID = 2686)
9:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:22
9:47 PM: Starting File Sweep
9:48 PM: c:\documents and settings\krystle\application data\hotbar (143 subtraces) (ID = -2147480877)
9:48 PM: c:\documents and settings\all users\application data\delfin (12 subtraces) (ID = -2147481138)
9:48 PM: c:\program files\common files\wintools (1 subtraces) (ID = -2147480046)
9:48 PM: c:\documents and settings\fred\local settings\temp\coolcache (2 subtraces) (ID = -2147481212)
9:48 PM: c:\documents and settings\all users\start menu\programs\delfin media viewer (3 subtraces) (ID = -2147481130)
9:49 PM: a0000016.exe (ID = 91696)
9:49 PM: a0000035.dll (ID = 203553)
9:49 PM: delfinlo.ebd (ID = 57688)
9:49 PM: delfinad.ebd (ID = 57676)
9:49 PM: piggy.cgd (ID = 53867)
9:51 PM: a0001417.exe (ID = 200300)
9:51 PM: Found Adware: targetsaver
9:51 PM: tsupdate2[1].ini (ID = 193498)
9:57 PM: a0001410.exe (ID = 195128)
9:58 PM: iexploreskins.exe (ID = 84899)
10:00 PM: d_icons_buttons_bbar1.xip (ID = 114354)
10:00 PM: a0000018.exe (ID = 193501)
10:03 PM: progress.res (ID = 62367)
10:03 PM: tsd_bg.res (ID = 62382)
10:03 PM: tsd_bg.xip (ID = 62383)
10:03 PM: d_icons_weather.xip (ID = 121860)
10:06 PM: d_icons_buttons_bbar1.res (ID = 121825)
10:07 PM: d_icons_buttons_3000.xip (ID = 62282)
10:07 PM: d_icons_buttons_x.xip (ID = 121859)
10:09 PM: d_icons_weather.res (ID = 121840)
10:20 PM: Found Adware: lopdotcom
10:20 PM: comver.dll (ID = 111424)
10:20 PM: d_icons_buttons_2000.xip (ID = 62280)
10:21 PM: d_icons_buttons_3000.res (ID = 62281)
10:23 PM: Found Adware: apropos
10:23 PM: a0001629.exe (ID = 203610)
10:23 PM: d_icons_buttons_1000.xip (ID = 62278)
10:24 PM: d_icons_buttons_1000.res (ID = 62277)
10:26 PM: krofp.exe (ID = 195132)
10:27 PM: Found Adware: adtech
10:27 PM: a0002436.exe (ID = 209133)
10:29 PM: atmtd.dll._ (ID = 166754)
10:30 PM: a0000155.dll (ID = 166754)
10:32 PM: a0001630.exe (ID = 73255)
10:35 PM: btiein.dll (ID = 84616)
10:36 PM: timessquare[1].exe (ID = 194150)
10:36 PM: d_icons_buttons_2000.res (ID = 62279)
10:37 PM: inst_0004[1].exe (ID = 203674)
10:38 PM: d_icons_buttons_x.res (ID = 121839)
10:41 PM: ltndload[1].dll (ID = 203552)
10:42 PM: ltndmain[1].dll (ID = 203553)
10:42 PM: 0ce80c5c.dll (ID = 203552)
10:42 PM: pgws.exe (ID = 200314)
10:43 PM: command.exe (ID = 144946)
10:43 PM: igps.exe (ID = 200311)
10:43 PM: timessquare.exe (ID = 194150)
10:43 PM: asappsrv.dll (ID = 144945)
10:43 PM: qlink32.dll (ID = 200308)
10:43 PM: 0ce8rglo.dll (ID = 209436)
10:43 PM: atmtd.dll (ID = 166754)
10:43 PM: uninstall.exe (ID = 200309)
10:43 PM: a0001631.exe (ID = 203611)
10:43 PM: 9400[1].cab (ID = 200301)
10:43 PM: e2d10c7.tmp (ID = 200301)
10:43 PM: inst_0004.exe (ID = 203674)
10:44 PM: krofa.exe (ID = 195128)
10:44 PM: krofc.dll (ID = 195129)
10:44 PM: vocabulary (ID = 78283)
10:44 PM: class-barrel (ID = 78229)
10:44 PM: krofl.exe (ID = 195130)
10:44 PM: a0001633.exe (ID = 195131)
10:44 PM: a0001632.exe (ID = 185985)
10:44 PM: a0001634.exe (ID = 193995)
10:44 PM: tsinstall_4_0_4_0_b4.exe (ID = 193496)
10:46 PM: Found Adware: gain - common components
10:46 PM: bundle.inf (ID = 61287)
10:46 PM: delfinco.edx (ID = 57680)
10:46 PM: delfinbd.edx (ID = 57680)
10:46 PM: delfinld.edx (ID = 57680)
10:46 PM: delfined.edx (ID = 57680)
10:46 PM: delfinid.edx (ID = 57684)
10:46 PM: delfindl.edx (ID = 57680)
10:46 PM: delfinaf.edx (ID = 57679)
10:46 PM: linkpathlegal.xip (ID = 121866)
10:46 PM: linkpathlegal.txt (ID = 121849)
10:46 PM: d_icons_buttons_logos.xip (ID = 62294)
10:46 PM: d_icons_buttons_logos.res (ID = 62283)
10:46 PM: d_icons_buttons_other.xip (ID = 62294)
10:46 PM: d_icons_buttons_other.res (ID = 62283)
10:46 PM: progress.xip (ID = 62368)
10:46 PM: d_icons_buttons_bar.xip (ID = 62294)
10:46 PM: d_icons_buttons_bar.res (ID = 62283)
10:46 PM: d_icons_buttons_bbar6.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar6.res (ID = 121829)
10:46 PM: d_icons_buttons_bbar7.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar7.res (ID = 121829)
10:46 PM: d_icons_buttons_bbar8.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar8.res (ID = 121829)
10:46 PM: d_icons_buttons_bbar9.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar9.res (ID = 121829)
10:46 PM: d_icons_buttons_bbar10.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar10.res (ID = 121829)
10:46 PM: d_icons_buttons_bbar11.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar11.res (ID = 121829)
10:46 PM: d_icons_buttons_bbar12.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar12.res (ID = 121829)
10:46 PM: d_icons_buttons_bbar13.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar13.res (ID = 121829)
10:46 PM: d_icons_buttons_bbar14.xip (ID = 114341)
10:46 PM: d_icons_buttons_bbar14.res (ID = 121829)
10:46 PM: business_promo.xip (ID = 121856)
10:48 PM: ads.xip (ID = 121855)
10:48 PM: ads.cdf (ID = 121815)
10:48 PM: lbl5tf1gu3iqwj40mo4.vbs (ID = 185675)
10:48 PM: donotdelete[1].html (ID = 198788)
10:48 PM: drsmartload.dat (ID = 198788)
10:48 PM: Found System Monitor: potentially rootkit-masked files
10:49 PM: 04_22_200406_22_39.zip (ID = 91696)
10:49 PM: Found Adware: cydoor peer-to-peer dependency
10:49 PM: 04_21_200416_44_48.zip (ID = 57300)
10:50 PM: File Sweep Complete, Elapsed Time: 01:02:59
10:50 PM: Full Sweep has completed. Elapsed time 01:10:09
10:50 PM: Traces Found: 2487
10:55 PM: Removal process initiated
10:55 PM: Quarantining All Traces: cws-aboutblank
10:55 PM: Quarantining All Traces: lopdotcom
10:55 PM: Quarantining All Traces: potentially rootkit-masked files
11:04 PM: potentially rootkit-masked files is in use. It will be removed on reboot.

#4 Guest_Cretemonster_*

  • Guests

Posted 22 December 2005 - 04:26 AM

Looks like SpySweeper was hard at work!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply->Close->Follow the Prompts to Restart

Restart normally and have the PC scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from WinPFind and Panda

#5 fred.champy

  • Topic Starter

  • Members
  • 4 posts

Posted 24 December 2005 - 12:05 PM

Went through all the steps; here are the log files. Thanks for your help and happy holidays!!
Incident Status Location

Adware:Adware/Naupoint Not disinfected C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
Dialer:dialer.cge Not disinfected C:\WINDOWS\SYSTEM32\wininetd.log
Adware:adware/popupsandbannersNot disinfected C:\WINDOWS\teller2.chk
Adware:adware/searchresults Not disinfected C:\PROGRAM FILES\QL
Spyware:spyware/clipgenie Not disinfected Windows Registry
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Ashley\Local Settings\Temporary Internet Files\Content.IE5\C1CZWF4F\mtrslib2[1].js
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Ashley\Local Settings\Temporary Internet Files\Content.IE5\W9MBCD2F\browse[1].html
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Fred\Local Settings\Temp\temp.cab[toolbar.dll]
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Fred\Local Settings\Temp\toolbar.dll
Virus:Trj/Downloader.GSV Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E1OLQN6L\thanks[2].exe
Virus:Trj/Downloader.GSV Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IDC5AJUN\t4u[1].exe
Virus:Trj/Downloader.GSV Not disinfected C:\mt13u.exe
Adware:Adware/Naupoint Not disinfected C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll
Adware:Adware/WinTools Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SZIYTZHQ\toolbar[1].cab[toolbar.dll]
Adware:Adware/WinTools Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1EY8P2Y\tb_setup[1].cab[TB_setup.exe]
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\temp.cab[toolbar.dll]
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\toolbar.dll
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
PEC2 12/8/2005 3:00:54 PM 8704 C:\mt13u.exe
PECompact2 12/8/2005 3:00:54 PM 8704 C:\mt13u.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 6/25/2002 4:37:22 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 12/8/2005 7:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/8/2005 7:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 8/11/2003 8:18:18 PM R 512 C:\WINDOWS\SYSTEM32\TFTP3280
UPX! 8/11/2003 9:11:14 PM R 512 C:\WINDOWS\SYSTEM32\TFTP3808
winsync 6/25/2002 4:49:36 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/24/2005 9:23:50 AM S 2048 C:\WINDOWS\bootstat.dat
12/13/2005 12:48:58 PM H 0 C:\WINDOWS\inf\oem28.inf
11/30/2005 11:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
12/24/2005 9:23:38 AM H 8192 C:\WINDOWS\system32\config\default.LOG
12/24/2005 9:26:34 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/24/2005 9:23:52 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/24/2005 9:26:36 AM H 94208 C:\WINDOWS\system32\config\software.LOG
12/24/2005 9:23:58 AM H 1003520 C:\WINDOWS\system32\config\system.LOG
12/16/2005 5:57:20 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
12/16/2005 5:54:58 AM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
12/16/2005 5:54:58 AM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/21/2005 4:59:16 PM S 7652 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
12/16/2005 5:54:58 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
12/16/2005 5:54:58 AM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/21/2005 4:59:16 PM S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
12/24/2005 9:22:46 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Creative Technology Ltd. 3/30/2001 5:00:00 AM 230912 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Creative Technology Ltd. 2/21/2002 4:00:00 AM 212992 C:\WINDOWS\SYSTEM32\CTDevCtrl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 6/25/2002 4:40:12 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 6/25/2002 4:42:34 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 10/6/2003 2:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 10/2/2002 12:01:34 PM 45171 C:\WINDOWS\SYSTEM32\plugincpl131_06.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 8/26/1996 2:12:00 AM R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Microsoft 3/2/1999 5:10:02 PM 49152 C:\WINDOWS\SYSTEM32\speech.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 6/25/2002 4:48:02 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 6/25/2002 4:40:12 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 6/25/2002 4:42:34 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 6/25/2002 4:48:02 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
NVIDIA Corporation 9/27/2002 2:38:00 PM 192512 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\nvtuicpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/5/2005 4:18:10 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
11/16/2002 3:35:24 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/19/2002 7:13:58 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
11/20/2002 5:02:18 PM 736 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
4/1/2005 1:24:18 PM 1684 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/16/2002 7:26:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/30/2004 6:17:40 PM 839 C:\Documents and Settings\Fred\Start Menu\Programs\Startup\Desktop Alert.lnk
11/16/2002 3:35:24 PM HS 84 C:\Documents and Settings\Fred\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/5/2005 4:16:00 PM 871 C:\Documents and Settings\Fred\Application Data\AdobeDLM.log
11/16/2002 7:26:28 AM HS 62 C:\Documents and Settings\Fred\Application Data\desktop.ini
1/5/2005 4:16:00 PM 0 C:\Documents and Settings\Fred\Application Data\dm.ini
5/23/2005 5:11:02 AM 69672 C:\Documents and Settings\Fred\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029CA12C-89C1-46a7-A3C7-82F2F98635CB}
ZIBho Class = C:\Program Files\Kontiki\bin\bh304181.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D}
Verizon Broadband Toolbar = C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
= C:\Program Files\Microsoft Money\System\mnyviewer.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} = Verizon Broadband Toolbar : C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} = Verizon Broadband Toolbar : C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
UpdReg C:\WINDOWS\UpdReg.EXE
BCMSMMSG BCMSMMSG.exe
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
MoneyStartUp10.0 "C:\Program Files\Microsoft Money\System\Activation.exe"
nwiz nwiz.exe /install
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
Motive SmartBridge C:\PROGRA~1\VERIZO~2\SMARTB~1\MotiveSB.exe
iRiver Updater \Updater.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
0ce80c5c.dll RUNDLL32.EXE 0ce80c5c.dll,b 1351252343
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"

NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
updateMgr C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
NoAdware4 "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun _

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/24/2005 9:34:52 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:01:33 PM, on 12/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\VERIZO~2\SMARTB~1\MotiveSB.exe
C:\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NoAdware4\NoAdware4.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Desktop Alert\desktopalert_1666446.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Fred\LOCALS~1\Temp\Temporary Directory 3 for HijackThis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~2\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [0ce80c5c.dll] RUNDLL32.EXE 0ce80c5c.dll,b 1351252343
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [NoAdware4] "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1666446.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134415526296
O16 - DPF: {6EE8BB87-D9D6-423D-8ACE-F5F6D08308FB} (LiveChatApplet Class) - http://www.tastylive.com/apps/livechat.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://204.249.164.75/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 28 December 2005 - 10:59 AM

Sorry for the delays, been a bit under the weather.

Download CleanUp
Install the program, don't run it yet, we will later.
NOTE: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it!


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Fred\Local Settings\Temp\toolbar.dll
    C:\Documents and Settings\Fred\Local Settings\Temp\temp.cab
    C:\WINDOWS\SYSTEM32\wininetd.log
    C:\WINDOWS\SYSTEM32\TFTP3280
    C:\WINDOWS\SYSTEM32\TFTP3808
    C:\WINDOWS\system32\0ce80c5c.dll
    C:\WINDOWS\teller2.chk
    C:\mt13u.exe
    C:\Documents and Settings\Ashley\Local Settings\Temporary Internet Files\Content.IE5\C1CZWF4F\mtrslib2[1].js
    C:\Documents and Settings\Ashley\Local Settings\Temporary Internet Files\Content.IE5\W9MBCD2F\browse[1].html
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E1OLQN6L\thanks[2].exe
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IDC5AJUN\t4u[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SZIYTZHQ\toolbar[1].cab
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1EY8P2Y\tb_setup[1].cab


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • Then click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot into SAFE MODE (Tap F8 when restarting)


After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...torial=62#winxp


Locate and Delete this folder

C:\PROGRAM FILES\QL


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (file missing)

O4 - HKLM\..\Run: [0ce80c5c.dll] RUNDLL32.EXE 0ce80c5c.dll,b 1351252343

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {6EE8BB87-D9D6-423D-8ACE-F5F6D08308FB} (LiveChatApplet Class) - http://www.tastylive.com/apps/livechat.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://204.249.164.75/activex/AxisCamControl.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, if it does please do so.


Restart back in normal mode and update SpySweeper and Scan the System once more.

Please save the session log.

Finally, please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with the Session Log from SpySweeper.

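The entries Cretemonster told the poster to check in HijackThis share a few recognisable shapes: an O4 Run entry where RUNDLL32 loads an unqualified DLL with a random-looking hex name, an O2 BHO whose DLL is "(file missing)", O16 DPF controls with no registered class name or served from a raw IP address, and an IE Local Page that is not an absolute path. The script below, an added example and not part of this thread or of HijackThis, parses HijackThis-style log lines and flags those shapes. The heuristics are this example's own assumptions drawn from the helper's selection, not HijackThis rules; the sample input is a constructed subset of lines from the log above, mixed with benign entries.

```python
import re

# Constructed sample: lines copied from the HijackThis log above (some the helper
# flagged, some benign) so the script runs offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [0ce80c5c.dll] RUNDLL32.EXE 0ce80c5c.dll,b 1351252343
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://204.249.164.75/activex/AxisCamControl.cab
"""

# "O4 - <body>", "R0 - <body>", etc.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# DLL handed to rundll32 (with or without a path), e.g. "RUNDLL32.EXE 0ce80c5c.dll,b"
RUNDLL_RE = re.compile(r"RUNDLL32(?:\.EXE)?\s+(?P<dll>\S+?\.dll)\b", re.I)
# "DPF: {CLSID} (Friendly Name) - url"; the friendly name is optional
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
IPV4_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)


def flag(line):
    """Return a short reason if the line matches one of the heuristics, else None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "O4":
        r = RUNDLL_RE.search(body)
        if r:
            dll = r.group("dll")
            has_path = "\\" in dll or ":" in dll
            stem = dll[:-4].lower()
            # Assumed heuristic: a bare DLL name made only of hex digits, loaded via
            # rundll32 from the Run key, is the shape of the 0ce80c5c.dll entry above.
            if not has_path and re.fullmatch(r"[0-9a-f]{6,}", stem):
                return "rundll32 loads an unqualified, hex-named DLL"
    elif section == "O2" and body.endswith("(file missing)"):
        return "BHO registered but its DLL is missing (orphaned entry)"
    elif section == "O16":
        d = DPF_RE.match(body)
        if d:
            if not d.group("name"):
                return "DPF control has no registered class name"
            if IPV4_HOST_RE.match(d.group("url")):
                return "DPF control downloaded from a raw IP address"
            if d.group("url").lower().endswith(".exe"):
                return "DPF entry points at an .exe rather than a .cab"
    elif section in ("R0", "R1") and "Local Page = " in body:
        value = body.split("Local Page = ", 1)[1].strip()
        # Assumed heuristic: IE's Local Page normally carries a full drive path.
        if not re.match(r"^[A-Za-z]:\\", value):
            return "IE Local Page is not an absolute path"
    return None


def scan(text):
    """Run flag() over every non-empty line; return (line, reason) pairs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = flag(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

These checks are purely syntactic, so they reproduce only part of the helper's judgement: the LiveChatApplet and akamai DPF entries he also checked have a class name and a normal hostname and would pass this filter, which is why a reviewed log still needs a human (or a reputation lookup) behind it.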

#7 fred.champy

fred.champy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE

Posted 28 December 2005 - 04:50 PM

Hello, I was able to get some help from geekstogo.com. It almost looks like that site and this one are one and the same? Looks like I am all set now, thank you.



