Author Topic: Spy Sherrif (Read 5121 times)

Mrs_Music · « **on:** December 15, 2005, 06:32:39 PM »

I see other topics on this but I don't know if it'll help repair my pc so I need some help lol. I already did a hijackthis scan.

Mrs_Music · « **Reply #1 on:** December 15, 2005, 07:29:52 PM »

Here's the hjt

Logfile of HijackThis v1.99.1
Scan saved at 5:20:39 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\kernels64.exe
C:\winstall.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\qvxgamet4.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: B-H toolbar - {00b8fd76-519d-4889-95b3-d55dce8f003d} - C:\Program Files\B-H\tbB-H.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kypiqq.exe reg_run
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: WMP10ctrl - http://www.cinemanow.com/WMP10ctrl.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab\' target=\'_blank\' rel=\'nofollow\'>http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://192.168.22.5/webinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\rsvpmsg927a.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\kt6sl7j71.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\iuss.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

guestolo · « **Reply #2 on:** December 15, 2005, 07:46:43 PM »

Let's see what we can find. and you do have a few different problems

Can you open Hijackthis>>Open Misc tools section>>Open Uninstaller Manager
Click the SAVE LIST button
Save this list to desktop then copy and paste back here the Whole contents please

Could you also do the following
Download L2mfix from here

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

[color=\"red\"]IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so![/color]

Mrs_Music · « **Reply #3 on:** December 15, 2005, 08:07:04 PM »

Nope it's just that, well that I know of, but lemme do that

guestolo · « **Reply #4 on:** December 15, 2005, 08:09:55 PM »

Nope, you have more than just that problem, I can see it in your log

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
We'll need a few different tools to make sure we get you clean
Go ahead and post the logs when ready

Mrs_Music · « **Reply #5 on:** December 15, 2005, 08:30:56 PM »

Here's the results from the hjt scan

AC3Filter (remove only)
Adobe Reader 6.0.1
AOL Instant Messenger
B-H Toolbar
Broadcom Advanced Control Suite
Clean Access Agent
CleanUp!
Codec Pack - All In 1 6.0.2.8
Conexant SmartHSFi V92 56K DF PCI Modem
Dell ResourceCD
Digital Line Detect
DivX
DivX Player
Easy CD Creator 5 Basic
FL Studio 5
Free Internet TV v4.5
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB893357)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Intel® Extreme Graphics Driver
iPod for Windows 2005-06-26
iTunes
LiveUpdate 2.0 (Symantec Corporation)
Media Library Management Wizard
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Personal License Update Wizard for Windows Media Player
Plus! MP3 Audio Converter LE
QuickTime
RealPlayer
RealRhapsody
SBC Self Support Tool
SBC Yahoo! Applications
Screwlab
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
SoundCapture
SoundMAX
Symantec AntiVirus
Update for Windows XP (KB898461)
VideoLAN VLC media player 0.8.2
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885222
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WordPerfect Office 11

I don't see this
l2mfix.bat in the l2mfix folder

guestolo · « **Reply #6 on:** December 15, 2005, 08:33:57 PM »

Do you see the L2Mfix folder?
Did you double click on L2mfix.exe and click the install button?

That should place the L2Mfix folder on your desktop
Do you see anything similiar to L2Mfix.bat in the L2Mfix folder? It should be an icon that has a sprocket in it

Mrs_Music · « **Reply #7 on:** December 15, 2005, 08:58:15 PM »

[quote name=\'guestolo\' post=\'77289\' date=\'Dec 15 2005, 07:33 PM\']Do you see the L2Mfix folder?
Did you double click on L2mfix.exe and click the install button?

That should place the L2Mfix folder on your desktop
Do you see anything similiar to L2Mfix.bat in the L2Mfix folder? It should be an icon that has a sprocket in it[/quote]

I see it now. I think it's doin the scan because the hourglass keeps popping up by the cursor.

Mrs_Music · « **Reply #8 on:** December 15, 2005, 09:16:13 PM »

L2MFIX find log 121205
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt6sl7j71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iuss.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{054A7D06-397A-314B-22BE-857814F780FE}"=""
"YPC 3.2.0"="Yahoo! Parental Controls"

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{A97B1750-D844-46E6-A4D7-3804EB6214FB}"=""
"{19ED0577-73C1-4F56-BE1C-1CEE029CB1C5}"=""
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{83587047-71D2-4AF9-94B4-771BBC28F995}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{6EC7C68A-4D6B-4E96-95D6-A0AC1660B3C8}"=""
"{A0906CB6-C457-4264-A6B0-D324960078EA}"=""
"{33042924-C3A0-42EA-9E42-8D0795F0DF63}"=""
"{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}"=""
"{FE2E1812-471E-445F-AD57-CB98B00224B3}"=""
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A97B1750-D844-46E6-A4D7-3804EB6214FB}]

[HKEY_CLASSES_ROOT\CLSID\{A97B1750-D844-46E6-A4D7-3804EB6214FB}\InprocServer32]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{19ED0577-73C1-4F56-BE1C-1CEE029CB1C5}]

[HKEY_CLASSES_ROOT\CLSID\{19ED0577-73C1-4F56-BE1C-1CEE029CB1C5}\InprocServer32]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{83587047-71D2-4AF9-94B4-771BBC28F995}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{83587047-71D2-4AF9-94B4-771BBC28F995}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{83587047-71D2-4AF9-94B4-771BBC28F995}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{83587047-71D2-4AF9-94B4-771BBC28F995}\InprocServer32]
@="C:\\WINDOWS\\system32\\ksdcr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6EC7C68A-4D6B-4E96-95D6-A0AC1660B3C8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EC7C68A-4D6B-4E96-95D6-A0AC1660B3C8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EC7C68A-4D6B-4E96-95D6-A0AC1660B3C8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EC7C68A-4D6B-4E96-95D6-A0AC1660B3C8}\InprocServer32]
@="C:\\WINDOWS\\system32\\nqdsbcli.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0906CB6-C457-4264-A6B0-D324960078EA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33042924-C3A0-42EA-9E42-8D0795F0DF63}\InprocServer32]
@="C:\\WINDOWS\\system32\\nldll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E430B5-10C3-40C8-A1CB-18C94B3DD3A5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FE2E1812-471E-445F-AD57-CB98B00224B3}\InprocServer32]
@="C:\\WINDOWS\\system32\\mfacm32.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:
Locate .tmp files:
********************************************************************************
**
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is FC8B-72C2

Directory of C:\WINDOWS\System32

12/15/2005 04:55 PM <DIR> dllcache
07/27/2005 11:50 PM 233,376 fpr2039oe.dll
05/11/2005 06:32 PM 234,272 aza4lglq16qe.dll
05/11/2005 02:24 PM 234,272 mnidntld.dll
05/11/2005 02:00 PM 0 kt6sl7j71.dll
05/11/2005 02:00 PM 234,272 mldsrv32.dll
05/11/2005 01:58 PM 233,376 fhsrch.dll
05/10/2005 10:24 PM 234,272 en4ml1h11.dll
05/10/2005 04:05 PM 233,376 h40qled51h0.dll
05/10/2005 04:04 PM 234,878 h20qlcd51f0.dll
05/10/2005 04:02 PM 233,376 DNLCDF32.dll
05/10/2005 01:26 PM 235,331 jt4o07h3e.dll
05/10/2005 01:46 AM 233,376 j8l4li3q18.dll
05/07/2005 01:07 PM 233,376 slnsapi.dll
05/04/2005 02:06 PM 233,376 kwdhe.dll
05/03/2005 05:39 PM 233,376 uwdmxfrm.dll
05/03/2005 03:15 PM 233,376 BXelList.dll
05/03/2005 03:11 PM 235,042 o666lgjs16o6.dll
05/03/2005 03:10 PM 233,376 irv6mon.dll
05/02/2005 09:29 PM 232,920 i6600gjme6oa0.dll
05/01/2005 09:54 PM 233,376 pprfproc.dll
05/01/2005 06:32 PM 236,243 o684lglq16qe.dll
05/01/2005 03:13 PM 235,170 wdadmod.dll
05/01/2005 03:10 PM 235,170 g4jo0e13eh.dll
05/01/2005 02:01 PM 234,071 n46qlej51ho.dll
04/30/2005 05:53 PM 235,170 rXsmans.dll
04/30/2005 02:24 PM 235,170 cidial32.dll
04/30/2005 02:10 PM 234,071 ihq.dll
04/30/2005 02:10 PM 235,932 en68l1ju1.dll
04/30/2005 01:15 AM 234,071 ksdmac.dll
04/30/2005 01:15 AM 235,245 k4pmle711h.dll
04/30/2005 01:02 AM 234,073 c2000cdmef0a0.dll
04/30/2005 12:46 AM 234,071 r86u0ij9e8o.dll
04/30/2005 12:38 AM 234,071 ir2ul5f91.dll
04/30/2005 12:37 AM 236,008 ktlul7391.dll
04/30/2005 12:33 AM 234,071 sqreamci.dll
04/29/2005 09:51 PM 235,026 n26q0cj5efo.dll
04/28/2005 04:49 PM 234,071 dDdim700.dll
04/26/2005 10:47 PM 234,071 k4pm0e71eh.dll
04/26/2005 10:24 PM 234,071 jtl2073oe.dll
04/26/2005 05:17 PM 234,071 azaslef71h2.dll
04/26/2005 02:51 PM 234,071 f6l0lg3m16.dll
04/25/2005 08:44 PM 234,071 elcapi.dll
04/24/2005 06:21 PM 234,071 oabccp32.dll
04/23/2005 03:38 PM 233,066 i2lolc331f.dll
04/22/2005 08:41 PM 233,066 nqdsbcli.dll
04/20/2005 12:36 AM 235,428 o6ro0g93e6.dll
04/20/2005 12:10 AM 235,428 mrdemui.dll
04/20/2005 12:10 AM 235,526 l8r00i9me8.dll
04/20/2005 12:08 AM 235,428 DVLIX.dll
04/20/2005 12:08 AM 235,510 k2800clmefqa0.dll
04/20/2005 12:06 AM 235,428 uqpnpmgr.dll
04/20/2005 12:06 AM 232,671 hrr8059ue.dll
04/20/2005 12:04 AM 235,428 prchdprf.dll
04/20/2005 12:04 AM 235,885 jtn4075qe.dll
04/15/2005 12:40 AM 235,428 mgdsrv32.dll
04/15/2005 12:40 AM 233,133 l8j8li1u18.dll
04/13/2005 08:10 PM 235,428 iifxress.dll
04/13/2005 08:10 PM 233,212 aza6l1js1.dll
04/13/2005 04:05 PM 235,428 mdl_hp.dll
04/13/2005 04:05 PM 233,203 q8nuli5918.dll
04/13/2005 02:27 AM 235,428 cpmrepl.dll
04/13/2005 12:51 AM 235,428 mvrql9951.dll
04/12/2005 06:59 PM 235,428 irr0l59m1.dll
04/12/2005 03:14 PM 235,790 mvp8l97u1.dll
04/11/2005 02:00 PM 235,428 jcdw400.dll
04/10/2005 01:23 AM 235,148 en4sl1h71.dll
04/09/2005 04:43 PM 234,325 f00o0ad3ed0.dll
04/07/2005 01:57 PM 234,467 fp4403hqe.dll
04/02/2005 10:02 PM 234,467 jt8u07l9e.dll
04/02/2005 08:21 PM 234,467 m482lelo1hqc.dll
04/02/2005 01:34 AM 234,467 fppu0379e.dll
04/01/2005 10:08 PM 234,467 mvpol9731.dll
04/01/2005 08:30 PM 234,467 kldit142.dll
03/31/2005 07:53 PM 234,467 c6002gdmg60a2.dll
03/31/2005 12:24 PM 234,467 i8jq0i15e8.dll
03/30/2005 09:15 PM 234,467 gp46l3hs1.dll
03/30/2005 03:28 PM 234,467 k4lq0e35eh.dll
03/30/2005 02:13 PM 234,467 n8n60i5se8.dll
03/30/2005 02:03 PM 234,467 fp0q03d5e.dll
03/30/2005 12:22 AM 232,711 n0l8la3u1d.dll
03/28/2005 02:46 PM 236,121 n4l8le3u1h.dll
03/24/2005 10:56 PM 235,460 e0202afmgd2a2.dll
03/24/2005 10:37 PM 235,460 l42slef71h2.dll
03/24/2005 09:50 PM 233,211 aza8lg9u16.dll
03/23/2005 10:36 PM 235,460 soc.dll
03/23/2005 06:48 PM 236,162 gprml3911.dll
03/22/2005 03:47 PM 233,995 ksdcr.dll
03/22/2005 01:51 PM 235,357 l26olcj31fo.dll
03/22/2005 12:01 AM 233,193 SE2EVNT1.DLL
03/17/2005 11:57 PM 234,597 mycsubs.dll
03/17/2005 08:30 PM 234,612 l0l6la3s1d.dll
03/17/2005 08:27 PM 234,612 mmperf.dll
03/17/2005 08:11 PM 235,930 g8joli1318.dll
03/17/2005 01:16 AM 233,248 jkt.dll
03/17/2005 01:09 AM 233,248 muiole16.dll
03/17/2005 01:03 AM 233,248 mfvcirt.dll
03/17/2005 12:57 AM 233,248 pgofmap.dll
03/17/2005 12:39 AM 233,248 camsnap.dll
03/17/2005 12:39 AM 233,248 cgpbk32.dll
03/16/2005 11:32 PM 233,248 iqnathlp.dll
03/16/2005 11:25 PM 233,248 jisd400.dll
03/16/2005 11:25 PM 233,248 iosso.dll
03/16/2005 10:37 PM 233,248 swscrap.dll
03/16/2005 10:31 PM 233,248 wknfax.dll
03/16/2005 10:25 PM 233,248 almlib.dll
03/16/2005 10:25 PM 233,248 abicap.dll
03/16/2005 09:25 PM 233,248 ibmp.dll
03/16/2005 09:25 PM 233,248 iewphbk.dll
03/16/2005 08:25 PM 233,248 moawt.dll
03/16/2005 08:25 PM 233,248 mgutil.dll
03/16/2005 07:25 PM 233,248 iYssdo.dll
03/16/2005 07:25 PM 233,248 HEFCI004.dll
03/16/2005 06:25 PM 233,248 modimap.dll
03/16/2005 06:25 PM 233,248 MWCANS32.DLL
03/16/2005 05:25 PM 233,248 otbccu32.dll
03/16/2005 05:25 PM 233,248 njprovau.dll
03/16/2005 04:25 PM 233,248 mqimtf.dll
03/16/2005 04:25 PM 233,248 mgjava.dll
03/16/2005 03:16 PM 233,248 kfdmaori.dll
03/16/2005 03:16 PM 233,248 kodes.dll
03/16/2005 03:08 PM 235,697 doconfig.dll
03/15/2005 09:06 AM 235,697 jt4807hue.dll
03/14/2005 08:32 AM 235,697 en66l1js1.dll
03/13/2005 06:55 PM 235,697 en20l1fm1.dll
03/13/2005 06:27 PM 235,697 lvls0937e.dll
03/13/2005 03:21 PM 234,964 o6rolg9316.dll
03/12/2005 05:49 PM 234,964 WADMPS.dll
03/12/2005 05:34 PM 233,161 certc.dll
03/12/2005 04:58 PM 234,964 nvdeapi.dll
03/12/2005 04:48 PM 233,082 aotodisc.dll
03/12/2005 04:46 PM 235,890 rivpperf.dll
03/12/2005 04:44 PM 235,517 mqoert2.dll
03/12/2005 04:43 PM 234,597 jqsh400.dll
03/12/2005 04:21 PM 233,160 dhmsadsn.dll
03/12/2005 03:57 PM 233,037 iiign32.dll
03/12/2005 03:47 PM 233,241 wnhnetbs.dll
03/12/2005 03:44 PM 233,037 maiseq.dll
03/12/2005 03:42 PM 233,037 hkactivex.dll
03/12/2005 03:42 PM 234,317 m082lalo1dqc.dll
03/12/2005 03:37 PM 234,718 mqrddm.dll
03/12/2005 03:05 PM 233,037 ijfxpph.dll
03/12/2005 03:00 PM 234,718 mdapsspc.dll
03/12/2005 02:39 PM 234,718 mftrig.dll
03/12/2005 02:37 PM 234,718 lvpm0971e.dll
03/12/2005 12:25 PM 234,718 cktdll.dll
03/11/2005 08:33 PM 233,172 t6r8lg9u16.dll
03/11/2005 06:14 PM 234,718 uxdmxfrm.dll
03/11/2005 06:14 PM 235,338 k0260afsed260.dll
03/11/2005 01:42 AM 235,473 hrns0557e.dll
01/06/2005 01:38 AM 249,855 dhl.sys
01/06/2005 01:38 AM 652,667 wo8ux.dll
01/06/2005 01:38 AM 244,055 tbirq.exe
06/21/2004 06:10 PM <DIR> Microsoft
152 File(s) 35,819,735 bytes
2 Dir(s) 11,458,555,904 bytes free

guestolo · « **Reply #9 on:** December 15, 2005, 09:55:32 PM »

You have a few different problems which means you are going to have to follow what I ask
very closely

We're going to leave L2Mfix for now, we will need it later

Can you please do the following

Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Next: Download and Install Webroot's trial version of SpySweeper
From This Link
Click the Download Now link and save the Installer to desktop
Double click to Install and follow the prompts

In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer
or Restart the computer anyways

Back in Windows

I need to see these 2 logs
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.

Mrs_Music · « **Reply #10 on:** December 15, 2005, 11:08:41 PM »

[quote name=\'guestolo\' post=\'77309\' date=\'Dec 15 2005, 08:55 PM\']You have a few different problems which means you are going to have to follow what I ask
very closely

We're going to leave L2Mfix for now, we will need it later

Can you please do the following

Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Next: Download and Install Webroot's trial version of SpySweeper
From This Link
Click the Download Now link and save the Installer to desktop
Double click to Install and follow the prompts

In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer
or Restart the computer anyways

Back in Windows

I need to see these 2 logs
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.[/quote]

Ok, I'm downloading spysweeper right now, 64%...

Mrs_Music · « **Reply #11 on:** December 16, 2005, 01:38:49 AM »

Logfile of HijackThis v1.99.1
Scan saved at 12:36:49 AM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\winstall.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\qvxgamet4.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: B-H toolbar - {00b8fd76-519d-4889-95b3-d55dce8f003d} - C:\Program Files\B-H\tbB-H.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kypiqq.exe reg_run
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: WMP10ctrl - http://www.cinemanow.com/WMP10ctrl.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab\' target=\'_blank\' rel=\'nofollow\'>http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://192.168.22.5/webinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\rsvpmsg927a.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\kt6sl7j71.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\iuss.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

********
11:12 PM: | Start of Session, Thursday, December 15, 2005 |
11:12 PM: Spy Sweeper started
11:12 PM: Sweep initiated using definitions version 586
11:12 PM: Starting Memory Sweep
11:15 PM: Found Adware: clkoptimizer
11:15 PM: Detected running threat: C:\WINDOWS\system32\wuauclt.dll (ID = 143665)
11:16 PM: Found Adware: delfin
11:16 PM: Detected running threat: C:\WINDOWS\system32\picsvr\picsvr.exe (ID = 57768)
11:16 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || picsvr (ID = 0)
11:28 PM: Memory Sweep Complete, Elapsed Time: 00:15:57
11:28 PM: Starting Registry Sweep
11:28 PM: Found Adware: 7adpower
11:28 PM: HKLM\software\classes\interface\{12e919bc-c70f-432b-b831-1180de734505}\ (8 subtraces) (ID = 102195)
11:28 PM: Found Adware: aksoft
11:28 PM: HKLM\software\aksoft\.support\ (10 subtraces) (ID = 103365)
11:28 PM: HKLM\software\aksoft\.target\ (80 subtraces) (ID = 103366)
11:28 PM: HKCR\clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (6 subtraces) (ID = 105953)
11:28 PM: HKCR\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106021)
11:28 PM: HKLM\software\classes\clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (6 subtraces) (ID = 106049)
11:28 PM: HKLM\software\classes\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106116)
11:28 PM: HKLM\software\microsoft\windows\currentversion\run\ || picsvr (ID = 124872)
11:28 PM: HKLM\software\mvu\ (6 subtraces) (ID = 124885)
11:28 PM: HKLM\software\nsvcin\ (ID = 124886)
11:28 PM: HKLM\software\picsvr\ (2 subtraces) (ID = 124891)
11:28 PM: Found Adware: ezula ilookup
11:28 PM: HKCR\appid\atlbrowser.exe\ (1 subtraces) (ID = 126121)
11:28 PM: HKCR\atlbrcon.atlbrcon\ (3 subtraces) (ID = 126127)
11:28 PM: HKLM\software\classes\appid\atlbrowser.exe\ (1 subtraces) (ID = 126207)
11:28 PM: HKLM\software\classes\atlbrcon.atlbrcon.1\ (3 subtraces) (ID = 126213)
11:28 PM: HKLM\software\classes\atlbrcon.atlbrcon\ (3 subtraces) (ID = 126214)
11:28 PM: Found Adware: ieplugin
11:28 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} (ID = 128178)
11:29 PM: Found Adware: look2me
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || tsvcin (ID = 129953)
11:29 PM: HKLM\software\tsvcin\ (2 subtraces) (ID = 129976)
11:29 PM: HKLM\software\tsvcin\ || a (ID = 129977)
11:29 PM: Found Trojan Horse: rasmin
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || windowsupdate (ID = 144085)
11:29 PM: Found Trojan Horse: trojan-backdoor-dimenoc
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || windowsupdate (ID = 144085)
11:29 PM: Found Trojan Horse: vesbiz downloader
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || system (ID = 145542)
11:29 PM: Found Adware: directrevenue-abetterinternet
11:29 PM: HKCR\interface\{c08175c6-b2b2-47fc-af1a-32f77a6cb673}\ (8 subtraces) (ID = 145809)
11:29 PM: HKLM\software\classes\interface\{c08175c6-b2b2-47fc-af1a-32f77a6cb673}\ (8 subtraces) (ID = 145886)
11:29 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{000fa346-d004-45e1-bc4c-9408d6cd4128}\ (1 subtraces) (ID = 146124)
11:29 PM: Found Adware: websearch toolbar
11:29 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
11:29 PM: Found Adware: winad
11:29 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
11:29 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
11:29 PM: Found Adware: virtualbouncer
11:29 PM: HKCR\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 392235)
11:29 PM: HKLM\software\classes\clsid\{18bbdf4d-611d-41ce-a7e7-b2dd23c250d1}\ (11 subtraces) (ID = 392390)
11:29 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
11:29 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
11:29 PM: HKLM\software\classes\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 476604)
11:29 PM: Found Adware: letsroll911.org hijacker
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || system (ID = 594251)
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
11:29 PM: Found Adware: dealhelper
11:29 PM: HKLM\software\ddate\ (1 subtraces) (ID = 636618)
11:29 PM: HKLM\software\aksoft\ (34293 subtraces) (ID = 639132)
11:29 PM: Found Adware: clientman
11:29 PM: HKCR\appid\urlcli.dll\ (1 subtraces) (ID = 701476)
11:29 PM: HKCR\typelib\{026e4b83-1bf7-41cb-8233-4af35341bc69}\ (9 subtraces) (ID = 701480)
11:29 PM: HKLM\software\classes\appid\urlcli.dll\ (1 subtraces) (ID = 701492)
11:29 PM: HKLM\software\classes\typelib\{026e4b83-1bf7-41cb-8233-4af35341bc69}\ (9 subtraces) (ID = 701496)
11:29 PM: HKLM\software\microsoft\internet explorer\extensions\{9e248641-0e24-4ddb-9a1f-705087832ad6}\ (2 subtraces) (ID = 753449)
11:29 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
11:29 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
11:29 PM: HKCR\searchrep.searchreppp\ (5 subtraces) (ID = 770179)
11:29 PM: HKCR\searchrep.searchreppp.1\ (3 subtraces) (ID = 770185)
11:29 PM: HKCR\typelib\{8dbd1ce8-2720-4774-8cc6-32737958ac4b}\ (9 subtraces) (ID = 770203)
11:29 PM: HKLM\software\classes\searchrep.searchreppp\ (5 subtraces) (ID = 770217)
11:29 PM: HKLM\software\classes\searchrep.searchreppp.1\ (3 subtraces) (ID = 770223)
11:29 PM: HKLM\software\classes\typelib\{8dbd1ce8-2720-4774-8cc6-32737958ac4b}\ (9 subtraces) (ID = 770241)
11:29 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (8 subtraces) (ID = 815132)
11:29 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (8 subtraces) (ID = 815145)
11:29 PM: Found Trojan Horse: xcp rootkit
11:29 PM: HKLM\system\currentcontrolset\services\$sys$aries\ (11 subtraces) (ID = 976072)
11:29 PM: Found Adware: cws sp.html hijack
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\internet explorer\search\ || searchassistant_bak (ID = 123751)
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\mvu\ (5 subtraces) (ID = 124884)
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\picsvr\ (1 subtraces) (ID = 124890)
11:29 PM: Found Adware: effective-i toolbar
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\internet explorer\toolbar\webbrowser\ || {44be0690-5429-47f0-85bb-3ffd8020233e} (ID = 125668)
11:29 PM: Found Adware: spysheriff
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\windows\currentversion\run\ || windows installer (ID = 142127)
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\ahexe\ (30 subtraces) (ID = 145821)
11:29 PM: Found Trojan Horse: trojan-backdoor-securemulti
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\windows\currentversion\run\ || windows installer (ID = 484139)
11:29 PM: Found Adware: navexcel navhelper
11:29 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
11:29 PM: HKU\S-1-5-18\software\navexcel ltd\ (9 subtraces) (ID = 135548)
11:29 PM: Found Adware: twain-tech
11:29 PM: HKU\S-1-5-18\software\mxtarget\ (5 subtraces) (ID = 145343)
11:29 PM: Registry Sweep Complete, Elapsed Time:00:01:08
11:29 PM: Starting Cookie Sweep
11:29 PM: Found Spy Cookie: go.com cookie
11:29 PM: [email protected][2].txt (ID = 2729)
11:29 PM: Found Spy Cookie: yieldmanager cookie
11:29 PM: [email protected][2].txt (ID = 3751)
11:29 PM: Found Spy Cookie: adknowledge cookie
11:29 PM: administrator@adknowledge[2].txt (ID = 2072)
11:29 PM: Found Spy Cookie: hbmediapro cookie
11:29 PM: [email protected][2].txt (ID = 2768)
11:29 PM: Found Spy Cookie: specificclick.com cookie
11:29 PM: [email protected][2].txt (ID = 3400)
11:29 PM: Found Spy Cookie: belointeractive cookie
11:29 PM: [email protected][1].txt (ID = 2295)
11:29 PM: Found Spy Cookie: pointroll cookie
11:29 PM: [email protected][2].txt (ID = 3148)
11:29 PM: administrator@belointeractive[1].txt (ID = 2294)
11:29 PM: Found Spy Cookie: zedo cookie
11:29 PM: [email protected][1].txt (ID = 3763)
11:29 PM: Found Spy Cookie: exitexchange cookie
11:29 PM: administrator@exitexchange[1].txt (ID = 2633)
11:29 PM: administrator@go[1].txt (ID = 2728)
11:29 PM: Found Spy Cookie: clickandtrack cookie
11:29 PM: [email protected][2].txt (ID = 2397)
11:29 PM: Found Spy Cookie: questionmarket cookie
11:29 PM: administrator@questionmarket[1].txt (ID = 3217)
11:29 PM: Found Spy Cookie: serving-sys cookie
11:29 PM: administrator@serving-sys[2].txt (ID = 3343)
11:29 PM: Found Spy Cookie: statcounter cookie
11:29 PM: administrator@statcounter[1].txt (ID = 3447)
11:29 PM: Found Spy Cookie: trafficmp cookie
11:29 PM: administrator@trafficmp[1].txt (ID = 3581)
11:29 PM: Found Spy Cookie: tribalfusion cookie
11:29 PM: administrator@tribalfusion[1].txt (ID = 3589)
11:29 PM: Found Spy Cookie: adserver cookie
11:29 PM: [email protected][1].txt (ID = 2142)
11:29 PM: administrator@zedo[1].txt (ID = 3762)
11:29 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
11:29 PM: Starting File Sweep
11:29 PM: c:\program files\spysheriff (2 subtraces) (ID = -2147476679)
11:29 PM: c:\windows\inst (ID = -2147480086)
11:29 PM: c:\documents and settings\all users\application data\picsvr (2 subtraces) (ID = -2147481134)
11:29 PM: c:\documents and settings\all users\application data\wsxs (1 subtraces) (ID = -2147481131)
11:29 PM: c:\windows\system32\nsvsvc (2 subtraces) (ID = -2147481119)
11:29 PM: c:\documents and settings\all users\application data\nsv (18 subtraces) (ID = -2147481136)
11:29 PM: c:\windows\system32\picsvr (1 subtraces) (ID = -2147481118)
11:30 PM: 655c4132-8b7d-42e1-bbbf-d2a792 (ID = 53202)
11:30 PM: 15c170b3-efd2-45cd-b42a-e00978 (ID = 53202)
11:30 PM: Found Adware: e2g
11:30 PM: ei51.exe (ID = 59384)
11:30 PM: ds3.dll (ID = 65767)
11:31 PM: 731cff7b-cee2-4499-ad6d-ee78bc (ID = 53184)
11:32 PM: Found Trojan Horse: trojan-downloader-moneymind
11:32 PM: moneyspj.exe (ID = 80826)
11:32 PM: bc39ba07-5de8-4ffb-973c-0b8b72 (ID = 53202)
11:33 PM: 31e6e23d-adfc-4e9c-89b5-88d989.asq (ID = 116897)
11:33 PM: Found Adware: shopathomeselect
11:33 PM: shagentnew.dll (ID = 75942)
11:33 PM: 35cf20f8-a4fb-44f7-a144-3d0555.asq (ID = 53205)
11:34 PM: Found Adware: exact cashback/bargain buddy
11:34 PM: installer_mediawhiz8.exe (ID = 50696)
11:34 PM: l26olcj31fo.dll (ID = 159)
11:34 PM: 0e3486fb-498b-4ef1-9e90-48684f.asq (ID = 116897)
11:34 PM: 85709154-ff64-48ca-99e5-d8b894.asq (ID = 53205)
11:34 PM: n0l8la3u1d.dll (ID = 159)
11:35 PM: hkactivex.dll (ID = 159)
11:35 PM: rivpperf.dll (ID = 159)
11:35 PM: f4aced25-39a3-4467-8548-87ceb6.asq (ID = 120384)
11:35 PM: n4l8le3u1h.dll (ID = 159)
11:36 PM: lvpm0971e.dll (ID = 159)
11:36 PM: 5f83d443-a077-4995-b519-d01e60.asq (ID = 120384)
11:36 PM: cktdll.dll (ID = 159)
11:36 PM: wadmps.dll (ID = 159)
11:36 PM: nykuff.execommon startup (ID = 53184)
11:36 PM: 37c2b1d0-38c9-43f6-a168-670190.asq (ID = 120384)
11:36 PM: mdapsspc.dll (ID = 159)
11:36 PM: downloader.exe (ID = 164938)
11:36 PM: 1ad34ac3-420a-49dc-b80d-a2071d.asq (ID = 116897)
11:36 PM: afd7b4f4-f740-4c82-a260-ce0922.asq (ID = 120384)
11:36 PM: 97daa5f1-bc2d-4df9-97eb-6bf71e.asq (ID = 120384)
11:36 PM: 6f44139c-9a99-4447-9c37-3bd06e.asq (ID = 53205)
11:36 PM: ijfxpph.dll (ID = 159)
11:36 PM: mftrig.dll (ID = 159)
11:36 PM: n26q0cj5efo.dll (ID = 159)
11:36 PM: f8da9bf6-2798-4ceb-b8d7-202396 (ID = 53202)
11:36 PM: 7a7eb7b3-bf4f-482c-b31b-ffbef2.asq (ID = 120384)
11:36 PM: 71cb85e5-4266-4572-95e1-2de3e7.asq (ID = 116897)
11:36 PM: dc28ad81-8736-459a-8fc0-ca3ad3.asq (ID = 120384)
11:36 PM: 0feebe07-0642-45a2-849c-65240d.asq (ID = 116897)
11:36 PM: d6e73193-608d-40c8-b383-c0bda7.asq (ID = 116897)
11:36 PM: 78896054-1fac-44ec-b1d1-f20b45.asq (ID = 120384)
11:36 PM: 62de0de2-ea94-46ca-b7e2-e0da6c.asq (ID = 53205)
11:37 PM: iiign32.dll (ID = 159)
11:37 PM: mwcans32.dll (ID = 65904)
11:37 PM: 1db068e1-0139-44e1-bcd9-2ffb12.asq (ID = 120384)
11:37 PM: wdadmod.dll (ID = 159)
11:37 PM: 39de90a8-a03f-4693-a6f1-486374.asq (ID = 120384)
11:37 PM: 8b14b74f-92a7-4ef5-9e9c-ecef7d.asq (ID = 120384)
11:37 PM: m082lalo1dqc.dll (ID = 159)
11:37 PM: nvdeapi.dll (ID = 159)
11:37 PM: certc.dll (ID = 159)
11:37 PM: mvpol9731.dll (ID = 159)
11:37 PM: 6227a65c-8051-4289-a658-4cbeef.asq (ID = 120384)
11:37 PM: iconu.exe (ID = 65721)
11:37 PM: 7e08e58e-6ad5-4475-89b5-c693ba.asq (ID = 120384)
11:37 PM: 8f5c433e-63a7-49f2-8f48-1b8361.asq (ID = 53205)
11:37 PM: 6d038d48-4fa5-40d0-a71e-c56b6e.asq (ID = 116897)
11:37 PM: aimvffk.xml (ID = 57646)
11:37 PM: hefci004.dll (ID = 65904)
11:38 PM: b65c6a83-9fbd-4efe-9c15-f38711.asq (ID = 53205)
11:38 PM: 8e82c065-1951-4c53-9245-1e080a.asq (ID = 116897)
11:38 PM: 78257d6c-9e64-4488-a221-53ba8e.asq (ID = 53205)
11:38 PM: en4sl1h71.dll (ID = 159)
11:38 PM: ktlul7391.dll (ID = 159)
11:38 PM: r86u0ij9e8o.dll (ID = 159)
11:38 PM: 80291133-d7c6-41e9-acf2-177260.asq (ID = 53205)
11:38 PM: n8n60i5se8.dll (ID = 159)
11:38 PM: cpmrepl.dll (ID = 159)
11:38 PM: 02e6bfda-1832-465d-9c0d-b1a9f7.asq (ID = 120384)
11:38 PM: Found Adware: gain - common components
11:38 PM: hdplugin1101.dll (ID = 61477)
11:39 PM: k4lq0e35eh.dll (ID = 159)
11:39 PM: d3aa59c8-7620-4a47-ac19-651c52.asq (ID = 53205)
11:39 PM: vgactl.cpl (ID = 143664)
11:39 PM: e2024ec4-4e1e-40bf-a85c-b16ade.asq (ID = 53205)
11:39 PM: BHO Shield: found: -- BHO installation allowed at user request
11:39 PM: c6002gdmg60a2.dll (ID = 159)
11:39 PM: l88m0il1e8q.dll (ID = 159)
11:40 PM: 0b97a2ff-09d5-4e9e-b5a0-13b482.asq (ID = 116897)
11:40 PM: c7912df4-17ea-493e-86db-447219 (ID = 53202)
11:40 PM: Found Trojan Horse: trojan-downloader-infectedhost
11:40 PM: svchost.dll (ID = 201334)
11:40 PM: maiseq.dll (ID = 159)
11:41 PM: hrns0557e.dll (ID = 159)
11:41 PM: wknfax.dll (ID = 65904)
11:41 PM: lvls0937e.dll (ID = 159)
11:41 PM: 702d8767-b3a0-45f1-966b-311991.asq (ID = 53205)
11:41 PM: mvp8l97u1.dll (ID = 159)
11:41 PM: q8nuli5918.dll (ID = 159)
11:41 PM: 25ccf445-aa76-41dd-8483-fd07e7.asq (ID = 116897)
11:41 PM: a3db4b29-781e-44b8-b62b-31d9da (ID = 53202)
11:41 PM: wnhnetbs.dll (ID = 159)
11:42 PM: en66l1js1.dll (ID = 159)
11:42 PM: hdplugin1101.dll (ID = 61477)
11:42 PM: c2000cdmef0a0.dll (ID = 159)
11:42 PM: 5db4cee8-06c7-4111-ad17-e7ec72.asq (ID = 53134)
11:42 PM: 3ef150a0-4cfb-4073-8189-d7e9e4.asq (ID = 53205)
11:42 PM: hdplugin1101.inf (ID = 61480)
11:42 PM: 2ffa856a-8a3e-49bc-a1b7-e364ab.asq (ID = 116897)
11:42 PM: jt4807hue.dll (ID = 159)
11:42 PM: Found Adware: 180search assistant/zango
11:42 PM: sain_kyf.dat (ID = 70616)
11:42 PM: sainau.dat (ID = 70615)
11:42 PM: Found Trojan Horse: trojan-backdoor-core.psyche-evolution.com
11:42 PM: vxt2.game (ID = 197844)
11:42 PM: k0260afsed260.dll (ID = 159)
11:42 PM: gprml3911.dll (ID = 159)
11:42 PM: j8l4li3q18.dll (ID = 159)
11:43 PM: l8j8li1u18.dll (ID = 159)
11:43 PM: h40qled51h0.dll (ID = 159)
11:43 PM: hrr8059ue.dll (ID = 159)
11:43 PM: mdl_hp.dll (ID = 159)
11:43 PM: mgutil.dll (ID = 65904)
11:44 PM: uxdmxfrm.dll (ID = 159)
11:44 PM: Found Adware: wildmedia
11:44 PM: standard.exe (ID = 88774)
11:44 PM: l0l6la3s1d.dll (ID = 159)
11:44 PM: k4pmle711h.dll (ID = 159)
11:45 PM: ksdmac.dll (ID = 159)
11:45 PM: 1449cb15-7b22-4e23-bcff-1ff4ae.asq (ID = 116897)
11:45 PM: iifxress.dll (ID = 159)
11:46 PM: a6d6ca4a-182d-40a1-a531-114bf3 (ID = 53202)
11:46 PM: kodes.dll (ID = 65904)
11:46 PM: desktop.html (ID = 178574)
11:46 PM: Found Adware: isearch desktop search
11:46 PM: d62c81b6-a7d5-4667-a689-bc9585 (ID = 64334)
11:47 PM: hdplugin1019.inf (ID = 61473)
11:47 PM: hdplugin1101.inf (ID = 61480)
11:47 PM: vxgamet2.exe (ID = 197844)
11:47 PM: Found Trojan Horse: trojan-downloader-asdbiz.biz
11:47 PM: qvxgamet2.exe (ID = 80237)
11:47 PM: vxgame6.exe (ID = 80237)
11:47 PM: svchost.exe (ID = 203593)
11:47 PM: wuauclt.dll (ID = 143665)
11:47 PM: 98491621-2257-4896-888f-bc5e76 (ID = 143665)
11:47 PM: 02709b22-b3e3-4e1e-a9a8-ec2c1c (ID = 143665)
11:47 PM: sstray.exe (ID = 203593)
11:47 PM: b02f321b-1261-4a76-af1f-1cf114 (ID = 143665)
11:47 PM: bd24d720-8ad3-4549-ae61-e79193 (ID = 53202)
11:47 PM: picsvr.exe (ID = 57768)
11:47 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || picsvr (ID = 0)
11:47 PM: 825f7002-68f6-4d5d-a3b3-6e234c (ID = 143665)
11:47 PM: uninstall.exe (ID = 198832)
11:47 PM: b998b4c0-b3b8-41a7-83f5-e86902 (ID = 53202)
11:47 PM: 2d67b064-bd98-46f5-b871-9d257e (ID = 143665)
11:48 PM: 3ab15aa8-846e-4d18-9be6-336bee.asq (ID = 53205)
11:48 PM: 80afb4ec-a2b0-4239-ae7a-ab0c5a (ID = 143665)
11:48 PM: 511f5974-e921-45d2-a790-d917e8 (ID = 143665)
11:48 PM: bf3dd05d-684e-43bc-b282-6bd453 (ID = 53202)
11:48 PM: en20l1fm1.dll (ID = 159)
11:48 PM: irox.exe (ID = 70642)
11:48 PM: fppu0379e.dll (ID = 159)
11:48 PM: jt8u07l9e.dll (ID = 159)
11:48 PM: mmperf.dll (ID = 159)
11:48 PM: f00o0ad3ed0.dll (ID = 159)
11:49 PM: ksdcr.dll (ID = 159)
11:49 PM: cgpbk32.dll (ID = 65904)
11:49 PM: mfvcirt.dll (ID = 65904)
11:49 PM: i2lolc331f.dll (ID = 159)
11:49 PM: mvrql9951.dll (ID = 159)
11:49 PM: mycsubs.dll (ID = 159)
11:49 PM: Found Adware: couponage
11:49 PM: casync.dll (ID = 54700)
11:49 PM: slnsapi.dll (ID = 159)
11:49 PM: cacore.dll (ID = 54694)
11:49 PM: f0ab681d-3eb9-422d-adb1-fa2391.asq (ID = 116897)
11:49 PM: f6l0lg3m16.dll (ID = 159)
11:49 PM: 175fd306-019c-4ddf-97a4-f93cd7 (ID = 120129)
11:49 PM: ir2ul5f91.dll (ID = 159)
11:49 PM: aza6l1js1.dll (ID = 159)
11:49 PM: 9590c27d-dd15-4df9-a141-d72f81 (ID = 120129)
11:50 PM: i6600gjme6oa0.dll (ID = 159)
11:50 PM: akrules.dll (ID = 49674)
11:50 PM: oabccp32.dll (ID = 159)
11:50 PM: abicap.dll (ID = 65904)
11:50 PM: wmv1215.dbd (ID = 57687)
11:50 PM: carules.dll (ID = 54699)
11:50 PM: iyssdo.dll (ID = 65904)
11:51 PM: akupd.dll (ID = 49673)
11:51 PM: akcore.dll (ID = 49676)
11:51 PM: c95e3617-fc77-4e24-a8a4-ca5866 (ID = 53193)
11:51 PM: mgjava.dll (ID = 65904)
11:51 PM: ibmp.dll (ID = 65904)
11:51 PM: aza8lg9u16.dll (ID = 159)
11:51 PM: soc.dll (ID = 159)
11:51 PM: almlib.dll (ID = 65904)
11:51 PM: otbccu32.dll (ID = 65904)
11:51 PM: mqimtf.dll (ID = 65904)
11:51 PM: h20qlcd51f0.dll (ID = 159)
11:51 PM: modimap.dll (ID = 65904)
11:51 PM: moawt.dll (ID = 65904)
11:51 PM: kfdmaori.dll (ID = 65904)
11:51 PM: aotodisc.dll (ID = 159)
11:51 PM: kldit142.dll (ID = 159)
11:51 PM: m482lelo1hqc.dll (ID = 159)
11:51 PM: aimvffk2.xml (ID = 57648)
11:52 PM: jqsh400.dll (ID = 159)
11:52 PM: fhsrch.dll (ID = 159)
11:52 PM: aimvffk1.xml (ID = 57647)
11:52 PM: gp46l3hs1.dll (ID = 159)
11:52 PM: se2evnt1.dll (ID = 159)
11:52 PM: fp0q03d5e.dll (ID = 159)
11:52 PM: fp4403hqe.dll (ID = 159)
11:52 PM: fpr2039oe.dll (ID = 159)
11:52 PM: pprfproc.dll (ID = 159)
11:52 PM: l42slef71h2.dll (ID = 159)
11:52 PM: i8jq0i15e8.dll (ID = 159)
11:53 PM: dddim700.dll (ID = 159)
11:53 PM: g4jo0e13eh.dll (ID = 159)
11:53 PM: g8joli1318.dll (ID = 159)
11:53 PM: dnlcdf32.dll (ID = 159)
11:53 PM: ac9a9236-8df6-4925-9eea-83eb9d.asq (ID = 53205)
11:53 PM: doconfig.dll (ID = 159)
11:53 PM: 8a9b4acc-651c-4d74-a337-874d4f.asq (ID = 116897)
11:53 PM: dvlix.dll (ID = 159)
11:53 PM: dhmsadsn.dll (ID = 159)
11:53 PM: e0202afmgd2a2.dll (ID = 159)
11:53 PM: en4ml1h11.dll (ID = 65730)
11:53 PM: patchme.exe (ID = 57767)
11:53 PM: mldsrv32.dll (ID = 65730)
11:54 PM: mqoert2.dll (ID = 159)
11:54 PM: cidial32.dll (ID = 159)
11:54 PM: nsvs.dll (ID = 57751)
11:54 PM: mqrddm.dll (ID = 159)
11:54 PM: mrdemui.dll (ID = 159)
11:54 PM: mnidntld.dll (ID = 65730)
11:54 PM: 13ab9051-b05e-4015-890e-7e739b.asq (ID = 53134)
11:54 PM: jisd400.dll (ID = 65904)
11:54 PM: iewphbk.dll (ID = 65904)
11:54 PM: azaslef71h2.dll (ID = 159)
11:54 PM: sqreamci.dll (ID = 159)
11:54 PM: 7165fd9b-4e9e-4db6-abcf-bc995a.asq (ID = 116897)
11:54 PM: iqnathlp.dll (ID = 65904)
11:54 PM: 5c6c72ba-fac9-402c-bd63-fe6979.asq (ID = 116897)
11:55 PM: en68l1ju1.dll (ID = 159)
11:55 PM: swscrap.dll (ID = 65904)
11:55 PM: t6r8lg9u16.dll (ID = 159)
11:55 PM: 28475f37-2db1-40a7-902a-f53c83.asq (ID = 53134)
11:55 PM: vx6.game (ID = 80237)
11:55 PM: qvxt2.game (ID = 80237)
11:55 PM: o666lgjs16o6.dll (ID = 159)
11:55 PM: 9bcc5f81-34b4-4fe1-89bc-1e9502.asq (ID = 116897)
11:55 PM: o684lglq16qe.dll (ID = 159)
11:55 PM: o6ro0g93e6.dll (ID = 159)
11:55 PM: o6rolg9316.dll (ID = 159)
11:56 PM: camsnap.dll (ID = 65904)
11:56 PM: Found Adware: nvdialer
11:56 PM: games.exe (ID = 137596)
11:56 PM: wmv1920.dbd (ID = 57692)
11:56 PM: wmv2007.dbd (ID = 57693)
11:56 PM: ihq.dll (ID = 159)
11:57 PM: kwdhe.dll (ID = 159)
11:58 PM: rxsmans.dll (ID = 159)
11:58 PM: f7e52304-e85c-47b4-960a-5f3141.asq (ID = 53205)
11:58 PM: kwv2.dat (ID = 63356)
11:59 PM: irr0l59m1.dll (ID = 159)
11:59 PM: mgdsrv32.dll (ID = 159)
11:59 PM: 46363592-a020-463e-b011-ccfcce.asq (ID = 116897)
11:59 PM: feb60e17-234a-40ee-891d-fa220a.asq (ID = 116897)
11:59 PM: aza4lglq16qe.dll (ID = 65730)
11:59 PM: jcdw400.dll (ID = 159)
12:00 AM: pgofmap.dll (ID = 65904)
12:00 AM: nqdsbcli.dll (ID = 159)
12:00 AM: gpsieer.dll (ID = 53179)
12:01 AM: jtn4075qe.dll (ID = 159)
12:01 AM: prchdprf.dll (ID = 159)
12:02 AM: irv6mon.dll (ID = 159)
12:02 AM: k4pm0e71eh.dll (ID = 159)
12:02 AM: bxellist.dll (ID = 159)
12:03 AM: uqpnpmgr.dll (ID = 159)
12:03 AM: e8166481-cce9-4edb-8cbd-06c493.asq (ID = 116897)
12:03 AM: n46qlej51ho.dll (ID = 159)
12:03 AM: k2800clmefqa0.dll (ID = 159)
12:03 AM: elcapi.dll (ID = 159)
12:03 AM: Found Trojan Horse: 2nd-thought
12:03 AM: dgi.exe (ID = 48210)
12:05 AM: l8r00i9me8.dll (ID = 159)
12:05 AM: muiole16.dll (ID = 65904)
12:05 AM: 3daa44b9-00a3-48a9-a544-b0751f.asq (ID = 116897)
12:08 AM: jkt.dll (ID = 65904)
12:10 AM: hdplugin1101.inf (ID = 61480)
12:11 AM: jt4o07h3e.dll (ID = 159)
12:12 AM: Found Trojan Horse: trojan-downloader-delf
12:12 AM: moneyspm.exe (ID = 80426)
12:13 AM: iosso.dll (ID = 65904)
12:13 AM: uwdmxfrm.dll (ID = 159)
12:13 AM: jtl2073oe.dll (ID = 159)
12:13 AM: njprovau.dll (ID = 65904)
12:15 AM: wmv0204.ddx (ID = 57686)
12:15 AM: wmv0504.ddx (ID = 57686)
12:15 AM: wmv0904.ddx (ID = 57691)
12:15 AM: wmv0412.ddx (ID = 57686)
12:15 AM: wmv0106.ddx (ID = 57679)
12:15 AM: wmv0315.ddx (ID = 57686)
12:16 AM: setup.inf (ID = 50863)
12:16 AM: wmv1204.ddx (ID = 57686)
12:16 AM: deskbar.ini (ID = 64321)
12:16 AM: wmv1909.ddx (ID = 57691)
12:16 AM: wmv1125.ddx (ID = 57685)
12:16 AM: Found System Monitor: potentially rootkit-masked files
12:16 AM: $sys$cor.sys (ID = 0)
12:16 AM: $sys$drmserver.exe (ID = 0)
12:16 AM: $sys$caj.dll (ID = 0)
12:16 AM: $sys$upgtool.exe (ID = 0)
12:16 AM: $sys$parking (ID = 0)
12:16 AM: 20050911164137.zip (ID = 57796)
12:17 AM: File Sweep Complete, Elapsed Time: 00:47:37
12:17 AM: Full Sweep has completed. Elapsed time 01:04:52
12:17 AM: Traces Found: 35040
12:25 AM: Removal process initiated
12:26 AM: Quarantining All Traces: 180search assistant/zango
12:26 AM: Quarantining All Traces: 2nd-thought
12:26 AM: Quarantining All Traces: clkoptimizer
12:27 AM: clkoptimizer is in use. It will be removed on reboot.
12:27 AM: wuauclt.dll is in use. It will be removed on reboot.
12:27 AM: C:\WINDOWS\system32\wuauclt.dll is in use. It will be removed on reboot.
12:27 AM: Quarantining All Traces: directrevenue-abetterinternet
12:27 AM: Quarantining All Traces: isearch desktop search
12:27 AM: Quarantining All Traces: look2me
12:28 AM: The Spy Communication shield has blocked access to: mm.delfinproject.com
12:28 AM: The Spy Communication shield has blocked access to: mm.delfinproject.com
12:29 AM: Quarantining All Traces: potentially rootkit-masked files
12:29 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
12:29 AM: $sys$drmserver.exe is in use. It will be removed on reboot.
12:29 AM: Quarantining All Traces: spysheriff
12:29 AM: Quarantining All Traces: trojan-backdoor-securemulti
12:29 AM: Quarantining All Traces: trojan-downloader-moneymind
12:29 AM: Quarantining All Traces: websearch toolbar
12:29 AM: Quarantining All Traces: wildmedia
12:29 AM: Quarantining All Traces: delfin
12:29 AM: delfin is in use. It will be removed on reboot.
12:29 AM: picsvr.exe is in use. It will be removed on reboot.
12:29 AM: Quarantining All Traces: letsroll911.org hijacker
12:29 AM: Quarantining All Traces: rasmin
12:29 AM: Quarantining All Traces: trojan-backdoor-core.psyche-evolution.com
12:29 AM: Quarantining All Traces: trojan-backdoor-dimenoc
12:29 AM: Quarantining All Traces: trojan-downloader-asdbiz.biz
12:29 AM: Quarantining All Traces: trojan-downloader-delf
12:29 AM: Quarantining All Traces: trojan-downloader-infectedhost
12:29 AM: Quarantining All Traces: vesbiz downloader
12:29 AM: Quarantining All Traces: winad
12:29 AM: Quarantining All Traces: xcp rootkit
12:29 AM: Quarantining All Traces: 7adpower
12:29 AM: Quarantining All Traces: aksoft
12:34 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:35 AM: Deletion from quarantine initiated
12:35 AM: Processing: 180search assistant/zango
12:35 AM: Processing: 2nd-thought
12:35 AM: Processing: 7adpower
12:35 AM: Processing: aksoft
12:35 AM: Processing: clkoptimizer
12:35 AM: Processing: delfin
12:35 AM: Processing: directrevenue-abetterinternet
12:35 AM: Processing: isearch desktop search
12:35 AM: Processing: letsroll911.org hijacker
12:35 AM: Processing: look2me
12:35 AM: Processing: potentially rootkit-masked files
12:35 AM: Processing: rasmin
12:35 AM: Processing: spysheriff
12:35 AM: Processing: trojan-backdoor-core.psyche-evolution.com
12:35 AM: Processing: trojan-downloader-asdbiz.biz
12:35 AM: Processing: trojan-downloader-delf
12:35 AM: Processing: trojan-downloader-infectedhost
12:35 AM: Processing: trojan-downloader-moneymind
12:35 AM: Processing: websearch toolbar
12:35 AM: Processing: wildmedia
12:35 AM: Processing: winad
12:35 AM: Processing: xcp rootkit
12:35 AM: Deletion from quarantine completed. Elapsed time 00:00:01
********
11:10 PM: | Start of Session, Thursday, December 15, 2005 |
11:10 PM: Spy Sweeper started
11:11 PM: Your spyware definitions have been updated.
11:12 PM: | End of Session, Thursday, December 15, 2005 |

guestolo · « **Reply #12 on:** December 17, 2005, 04:42:49 AM »

Sorry for the delayed reply
And thanks for running SpySweeper

Can I get you to do the following please
L2Mfix has been updated since you last downloaded it
Delete L2mfix.exe and the folder on your desktop right now please

After you have done that
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

[color=\"red\"]IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!![/color]
If after the reboot the log does not open double click on it in the l2mfix folder.

We'll still have a bit more work to do, but the above is a very important step in getting you clean again

Mrs_Music · « **Reply #13 on:** December 24, 2005, 12:19:42 AM »

Thanks for your help and sorry it took so long

here are my L2mfix results

L2mfix Beta 121605
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
updating: backregs/notibac.reg (140 bytes security) (deflated 88%)

Here are the hijackthis results

Logfile of HijackThis v1.99.1
Scan saved at 11:14:20 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\inet20001\services.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\kernels64.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\batserv2.exe
C:\winstall.exe
C:\WINDOWS\system32\sywsvcs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\vxh8jkdq6.exe
C:\WINDOWS\system32\vxh8jkdq7.exe
C:\WINDOWS\system32\maxd64.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: B-H toolbar - {00b8fd76-519d-4889-95b3-d55dce8f003d} - C:\Program Files\B-H\tbB-H.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kypiqq.exe reg_run
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135391434\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\services.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortEmail Removedexe" -Run
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\services.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: WMP10ctrl - http://www.cinemanow.com/WMP10ctrl.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab\' target=\'_blank\' rel=\'nofollow\'>http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://192.168.22.5/webinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\rsvpmsg927a.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\kt6sl7j71.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\iuss.dll (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Mrs_Music · « **Reply #14 on:** December 26, 2005, 12:28:06 AM »

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #15 on:** December 26, 2005, 02:11:03 PM »

We'll come back to L2Mfix
Can you do the following please

Follow along closely, I need you to do everything if possible
and you have to make sure you disabled Microsoft Anti-spyware protections

==Please disable SpySweeper realtime protections, as it may hinder the removal of some entries.
To disable SpySweeper: uncheck any of the below that apply

Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

After you have done that can you check for updates for definitions
Close it out after you have updated

==Download DelDomains.inf
Right click on the link and choose Save Target As or Save Link As
Depending if you use IE or Mozilla
Save it to your desktop
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need it later

==Download and Install this small program
Windows Cleanup! 4.0
Don't run this yet, we'll need it in a bit

Download SmitRem.exe by Noahdfear and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Download Killbox
From one of these loactions
http://www.downloads.subratam.org/KillBox.exe
http://www.atribune.org/downloads/KillBox.exe
and save it too your desktop or folder

Please Save the rest of these instructions too notepad
Go to start>>run>>type in notepad
Hit Ok, save this too your desktop for easy reference
I need you to do this for instructions you will need in safe mode

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
If the system restarts back to Normal mode you will have to do it again

Start Killbox.exe
Leave "Standard Kill file" selected
In the "Full path of File to Delete" copy and paste entry below in bold

C:\WINDOWS\system32\kernels64.exe

Then click the Red Circle with the White X
Allow to make a backup and delete the file
Don't worry about no file found messages

Carry on with the same instructions with the rest of these

C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\kernels64.exe
C:\winstall.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\qvxgamet4.exe
C:\WINDOWS\system32\n20050308.EXE
C:\WINDOWS\system32\kypiqq.exe
C:\WINDOWS\inet20001\services.exe
C:\WINDOWS\SYSTEM32\msupdate32.dll
C:\WINDOWS\System32\rsvpmsg927a.dll
C:\WINDOWS\system32\kt6sl7j71.dll

When that's done, exit Killbox

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kypiqq.exe reg_run
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe

O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\services.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\services.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe

O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://192.168.22.5/webinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\rsvpmsg927a.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\kt6sl7j71.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\iuss.dll (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\guard.tmp (file missing)

After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Do the following again with Spysweeper
In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Reboot back to Normal mode

Back in Windows
==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Visit Microsoft's link Click HERE
Download and save too your desktop
Windows Malicious Software Removal Tool
Close down all other windows and double click to run the tool
Follow the prompts
Reboot your computer afterwards

Back in Windows
From my signature below, please run an Online Virus scan at Panda's
Use Internet Explorer please to run the scan
It's safe to supply email address and other info
Choose to scan "Local Disks"
When it's done please save a report to desktop
and the come back here

1. Post the report from Panda's
2. Post the Report from Ewido's
3. Post a new Hijackthis log
4. Post the log made from SmitRem located here C:\Smitfiles.txt

Mrs_Music · « **Reply #16 on:** December 26, 2005, 09:22:14 PM »

Panda
An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...

Ewido
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         6:38:05 PM, 12/26/2005
+ Report-Checksum:      65E48DA4

+ Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Desktop\LicenseStores -> Spyware.MidAddle : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
   HKU\S-1-5-21-448539723-920026266-839522115-500\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
   HKU\S-1-5-21-448539723-920026266-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-448539723-920026266-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
   HKU\S-1-5-21-448539723-920026266-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
   HKU\S-1-5-21-448539723-920026266-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
   HKU\S-1-5-21-448539723-920026266-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
   C:\!KillBox\kernels64.exe -> Downloader.Tibs.p : Cleaned with backup
   C:\!KillBox\kypiqq.exe -> Downloader.Qoologic.ba : Cleaned with backup
   C:\!KillBox\qvxgamet4.exe -> Downloader.Small.cap : Cleaned with backup
   C:\!KillBox\services.exe -> Downloader.CWS.r : Cleaned with backup
   C:\!KillBox\vxh8jkdq2.exe -> Hijacker.Spywad.n : Cleaned with backup
   C:\!KillBox\winstall.exe -> Hijacker.Spywad.n : Cleaned with backup
   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipoh.exe -> Downloader.Qoologic.ba : Cleaned with backup
   C:\WINDOWS\dhl.sys -> Trojan.Delf.cf : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.10\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.11\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.12\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.13\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.14\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.15\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.16\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.17\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.18\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.19\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.2\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.20\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.21\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.22\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.23\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.24\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.25\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.26\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.27\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.4\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.5\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.6\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.7\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.8\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\CONFLICT.9\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\rdgUS10.exe -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
   C:\WINDOWS\inet20001\3.00.12.dll -> Spyware.Ihbo : Cleaned with backup
   C:\WINDOWS\inet20001\alg.exe -> Worm.Delf.i : Cleaned with backup
   C:\WINDOWS\inet20001\alg.exe.bak -> Worm.Delf.i : Cleaned with backup
   C:\WINDOWS\inet20001\mm4.exe -> Proxy.Delf.an : Cleaned with backup
   C:\WINDOWS\inet20001\mm4.exe.bak -> Proxy.Delf.an : Cleaned with backup
   C:\WINDOWS\inet20001\winlogon.exe -> Downloader.CWS.r : Cleaned with backup
   C:\WINDOWS\system\svchost.dll -> Downloader.Agent.zi : Cleaned with backup
   C:\WINDOWS\system\svchost.exe -> Dropper.Agent.aax : Cleaned with backup
   C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\aqiossn.dll -> Downloader.Qoologic.ba : Cleaned with backup
   C:\WINDOWS\system32\bre.dll -> Downloader.Small.ajp : Cleaned with backup
   C:\WINDOWS\system32\dhl.sys -> Trojan.Delf.cf : Cleaned with backup
   C:\WINDOWS\system32\lgkeq.dll -> Downloader.Qoologic.ba : Cleaned with backup
   C:\WINDOWS\system32\maxd64.exe -> Trojan.Dialer.ay : Cleaned with backup
   C:\WINDOWS\system32\msbb321.dll -> Spyware.180Solutions : Cleaned with backup
   C:\WINDOWS\system32\msiaih.dll -> Spyware.Ipend : Cleaned with backup
   C:\WINDOWS\system32\msnimk.gif -> Spyware.Ipend : Cleaned with backup
   C:\WINDOWS\system32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
   C:\WINDOWS\system32\paradise.raw.exe -> Proxy.Lager.f : Cleaned with backup
   C:\WINDOWS\system32\qvxgamet2.exe -> Downloader.Small.aqu : Cleaned with backup
   C:\WINDOWS\system32\qvxgamet3.exe -> Dropper.Small.wp : Cleaned with backup
   C:\WINDOWS\system32\split1.exe -> Downloader.Small.aux : Cleaned with backup
   C:\WINDOWS\system32\sywsvcs.exe -> Proxy.Lager.f : Cleaned with backup
   C:\WINDOWS\system32\tbirq.exe -> Trojan.Delf.cf : Cleaned with backup
   C:\WINDOWS\system32\trf32.dll -> Downloader.Small.avw : Cleaned with backup
   C:\WINDOWS\system32\twwxn.dll -> Spyware.Adstart : Cleaned with backup
   C:\WINDOWS\system32\vqwag.dat -> Downloader.Qoologic.ba : Cleaned with backup
   C:\WINDOWS\system32\vxgame6.exe -> Downloader.CWS.r : Cleaned with backup
   C:\WINDOWS\system32\vxgamet2.exe -> Downloader.Small.bxc : Cleaned with backup
   C:\WINDOWS\system32\vxgamet3.exe -> Dropper.Agent.abu : Cleaned with backup
   C:\WINDOWS\system32\vxgamet4.exe -> Downloader.Small.bpz : Cleaned with backup
   C:\WINDOWS\system32\vxh8jkdq5.exe -> Downloader.Tibs.p : Cleaned with backup
   C:\WINDOWS\system32\vxh8jkdq6.exe -> Downloader.Small.atl : Cleaned with backup
   C:\WINDOWS\system32\vxh8jkdq7.exe -> Downloader.Tibs.p : Cleaned with backup
   C:\WINDOWS\system32\wo8ux.dll -> Trojan.Delf.cf : Cleaned with backup

::Report End

Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 8:18:35 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\AOL\113539~1\EE\AOLHOS~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\113539~1\EE\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: B-H toolbar - {00b8fd76-519d-4889-95b3-d55dce8f003d} - C:\Program Files\B-H\tbB-H.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135391434\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortEmail Removedexe" -Run
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: WMP10ctrl - http://www.cinemanow.com/WMP10ctrl.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab\' target=\'_blank\' rel=\'nofollow\'>http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...463/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB704F3-7900-4C1C-B0FD-4A079AB8748F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

SmitRem
********
6:50 PM: | Start of Session, Monday, December 26, 2005 |
6:50 PM: Spy Sweeper started
6:50 PM: Sweep initiated using definitions version 589
6:50 PM: Starting Memory Sweep
6:52 PM: Memory Sweep Complete, Elapsed Time: 00:01:14
6:52 PM: Starting Registry Sweep
6:52 PM: Found Adware: searchomatic
6:52 PM: HKLM\software\microsoft\windows\currentversion\run\ || spoolsvv (ID = 141269)
6:52 PM: Found Adware: troyanov hijacker
6:52 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {0bc9bc01-54d4-4cce-2b7d-955164314cd4} (ID = 359539)
6:52 PM: Found Trojan Horse: trojan-downloader-silly
6:52 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {203b1c4d9-bc71-8916-38ad-9dea5d213614} (ID = 867140)
6:52 PM: Found Trojan Horse: trojan-downloader-hebeeaac
6:52 PM: HKLM\software\microsoft\windows\currentversion\runservices\ || systemtools (ID = 1062017)
6:52 PM: HKLM\software\microsoft\windows\currentversion\runservices\ || systemtools (ID = 1062378)
6:52 PM: Found Adware: coolwebsearch (cws)
6:52 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\internet explorer\sites\ (2 subtraces) (ID = 109822)
6:52 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\classes\clsid\{203b1c4d9-bc71-8916-38ad-9dea5d213614}\ (3 subtraces) (ID = 144755)
6:52 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\classes\clsid\{0bc9bc01-54d4-4cce-2b7d-955164314cd4}\ (3 subtraces) (ID = 359538)
6:52 PM: Found Trojan Horse: trojan-backdoor-satellite
6:52 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\moviemaker\recordsettings\captureset\ (1 subtraces) (ID = 1021450)
6:52 PM: HKU\S-1-5-18\software\microsoft\moviemaker\recordsettings\captureset\ (1 subtraces) (ID = 1021450)
6:52 PM: Registry Sweep Complete, Elapsed Time:00:00:15
6:52 PM: Starting Cookie Sweep
6:52 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:52 PM: Starting File Sweep
7:02 PM: Found Adware: nvdialer
7:02 PM: games.exe (ID = 137596)
7:03 PM: Found Adware: dealhelper
7:03 PM: aimvffk2.xml (ID = 57648)
7:03 PM: aimvffk1.xml (ID = 57647)
7:06 PM: Found Adware: ieplugin
7:06 PM: kwv2.dat (ID = 63356)
7:09 PM: Found Adware: gain - common components
7:09 PM: hdplugin1101.inf (ID = 61480)
7:12 PM: bre32.dll (ID = 199801)
7:12 PM: Found Adware: allstar search hijacker
7:12 PM: mscnf.dll (ID = 107173)
7:12 PM: Found Adware: exact cashback/bargain buddy
7:12 PM: setup.inf (ID = 50863)
7:13 PM: File Sweep Complete, Elapsed Time: 00:20:42
7:13 PM: Full Sweep has completed. Elapsed time 00:22:20
7:13 PM: Traces Found: 28
7:26 PM: Removal process initiated
7:26 PM: Quarantining All Traces: trojan-backdoor-satellite
7:26 PM: Quarantining All Traces: trojan-downloader-hebeeaac
7:26 PM: Quarantining All Traces: coolwebsearch (cws)
7:26 PM: Quarantining All Traces: searchomatic
7:26 PM: Quarantining All Traces: trojan-downloader-silly
7:26 PM: Quarantining All Traces: allstar search hijacker
7:26 PM: Quarantining All Traces: dealhelper
7:26 PM: Quarantining All Traces: exact cashback/bargain buddy
7:26 PM: Quarantining All Traces: ieplugin
7:26 PM: Quarantining All Traces: nvdialer
7:26 PM: Quarantining All Traces: troyanov hijacker
7:26 PM: Quarantining All Traces: gain - common components
7:26 PM: Removal process completed. Elapsed time 00:00:21
********
11:13 PM: | Start of Session, Wednesday, December 21, 2005 |
11:13 PM: Spy Sweeper started
11:13 PM: Sweep initiated using definitions version 586
11:13 PM: Starting Memory Sweep
11:16 PM: Memory Sweep Complete, Elapsed Time: 00:02:56
11:16 PM: Starting Registry Sweep
11:17 PM: Registry Sweep Complete, Elapsed Time:00:00:35
11:17 PM: Starting Cookie Sweep
11:17 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:17 PM: Starting File Sweep
11:33 PM: Found Adware: dealhelper
11:33 PM: aimvffk2.xml (ID = 57648)
11:33 PM: aimvffk1.xml (ID = 57647)
11:37 PM: Found Adware: nvdialer
11:37 PM: games.exe (ID = 137596)
11:38 PM: Sweep Canceled
8:37 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
8:37 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
8:37 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:37 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:37 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:37 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:38 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
8:38 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
8:46 PM: The Spy Communication shield has blocked access to: evko.biz
8:46 PM: The Spy Communication shield has blocked access to: evko.biz
8:46 PM: The Spy Communication shield has blocked access to: evko.biz
8:46 PM: The Spy Communication shield has blocked access to: evko.biz
8:46 PM: The Spy Communication shield has blocked access to: evko.biz
8:46 PM: The Spy Communication shield has blocked access to: evko.biz
8:46 PM: The Spy Communication shield has blocked access to: evko.biz
8:46 PM: The Spy Communication shield has blocked access to: evko.biz
8:46 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-core.psyche-evolution.com, version 1.0.0.0 -- Execution Denied
8:46 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
8:46 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
8:46 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-asdbiz.biz, version 1.0.0.0 -- Execution Denied
8:46 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-haxdoor, version 1.0.0.0 -- Execution Denied
8:49 PM: The Spy Communication shield has blocked access to: maxysearch.info
8:49 PM: The Spy Communication shield has blocked access to: maxysearch.info
8:51 PM: The Spy Communication shield has blocked access to: evko.biz
8:51 PM: The Spy Communication shield has blocked access to: evko.biz
8:51 PM: The Spy Communication shield has blocked access to: evko.biz
8:51 PM: The Spy Communication shield has blocked access to: evko.biz
8:51 PM: The Spy Communication shield has blocked access to: evko.biz
8:51 PM: The Spy Communication shield has blocked access to: evko.biz
8:56 PM: The Spy Communication shield has blocked access to: evko.biz
8:56 PM: The Spy Communication shield has blocked access to: evko.biz
8:56 PM: The Spy Communication shield has blocked access to: evko.biz
8:56 PM: The Spy Communication shield has blocked access to: evko.biz
8:56 PM: The Spy Communication shield has blocked access to: evko.biz
8:56 PM: The Spy Communication shield has blocked access to: evko.biz
8:57 PM: The Spy Communication shield has blocked access to: 5sec.biz
8:57 PM: The Spy Communication shield has blocked access to: 5sec.biz
8:58 PM: The Spy Communication shield has blocked access to: 5sec.biz
8:58 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:03 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
9:03 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
9:04 PM: The Spy Communication shield has blocked access to: maxysearch.info
9:04 PM: The Spy Communication shield has blocked access to: maxysearch.info
9:07 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-asdbiz.biz, version 1.0.0.0 -- Execution Denied
9:07 PM: The Spy Communication shield has blocked access to: evko.biz
9:07 PM: The Spy Communication shield has blocked access to: evko.biz
9:07 PM: The Spy Communication shield has blocked access to: evko.biz
9:07 PM: The Spy Communication shield has blocked access to: evko.biz
9:07 PM: The Spy Communication shield has blocked access to: evko.biz
9:07 PM: The Spy Communication shield has blocked access to: evko.biz
9:07 PM: The Spy Communication shield has blocked access to: evko.biz
9:07 PM: The Spy Communication shield has blocked access to: evko.biz
9:07 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-core.psyche-evolution.com, version 1.0.0.0 -- Execution Denied
9:07 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-haxdoor, version 1.0.0.0 -- Execution Denied
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:12 PM: The Spy Communication shield has blocked access to: evko.biz
9:12 PM: The Spy Communication shield has blocked access to: evko.biz
9:12 PM: The Spy Communication shield has blocked access to: evko.biz
9:12 PM: The Spy Communication shield has blocked access to: evko.biz
9:12 PM: The Spy Communication shield has blocked access to: evko.biz
9:12 PM: The Spy Communication shield has blocked access to: evko.biz
9:15 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:15 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:16 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:16 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:17 PM: The Spy Communication shield has blocked access to: evko.biz
9:17 PM: The Spy Communication shield has blocked access to: evko.biz
9:17 PM: The Spy Communication shield has blocked access to: evko.biz
9:17 PM: The Spy Communication shield has blocked access to: evko.biz
9:17 PM: The Spy Communication shield has blocked access to: evko.biz
9:17 PM: The Spy Communication shield has blocked access to: evko.biz
9:19 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:19 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:19 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:19 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:21 PM: BHO Shield: found: -- BHO installation allowed at user request
9:22 PM: The Spy Communication shield has blocked access to: evko.biz
9:22 PM: The Spy Communication shield has blocked access to: evko.biz
9:22 PM: The Spy Communication shield has blocked access to: evko.biz
9:22 PM: The Spy Communication shield has blocked access to: evko.biz
9:22 PM: The Spy Communication shield has blocked access to: evko.biz
9:22 PM: The Spy Communication shield has blocked access to: evko.biz
9:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:27 PM: The Spy Communication shield has blocked access to: evko.biz
9:27 PM: The Spy Communication shield has blocked access to: evko.biz
9:27 PM: The Spy Communication shield has blocked access to: evko.biz
9:27 PM: The Spy Communication shield has blocked access to: evko.biz
9:27 PM: The Spy Communication shield has blocked access to: evko.biz
9:27 PM: The Spy Communication shield has blocked access to: evko.biz
9:29 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:29 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:29 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:29 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:32 PM: The Spy Communication shield has blocked access to: evko.biz
9:32 PM: The Spy Communication shield has blocked access to: evko.biz
9:32 PM: The Spy Communication shield has blocked access to: evko.biz
9:32 PM: The Spy Communication shield has blocked access to: evko.biz
9:32 PM: The Spy Communication shield has blocked access to: evko.biz
9:32 PM: The Spy Communication shield has blocked access to: evko.biz
9:36 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:36 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:36 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:36 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:37 PM: The Spy Communication shield has blocked access to: evko.biz
9:37 PM: The Spy Communication shield has blocked access to: evko.biz
9:37 PM: The Spy Communication shield has blocked access to: evko.biz
9:37 PM: The Spy Communication shield has blocked access to: evko.biz
9:37 PM: The Spy Communication shield has blocked access to: evko.biz
9:37 PM: The Spy Communication shield has blocked access to: evko.biz
9:40 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:40 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:40 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:40 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:42 PM: The Spy Communication shield has blocked access to: evko.biz
9:42 PM: The Spy Communication shield has blocked access to: evko.biz
9:42 PM: The Spy Communication shield has blocked access to: evko.biz
9:42 PM: The Spy Communication shield has blocked access to: evko.biz
9:42 PM: The Spy Communication shield has blocked access to: evko.biz
9:42 PM: The Spy Communication shield has blocked access to: evko.biz
9:46 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:46 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:46 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:46 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:47 PM: The Spy Communication shield has blocked access to: evko.biz
9:47 PM: The Spy Communication shield has blocked access to: evko.biz
9:47 PM: The Spy Communication shield has blocked access to: evko.biz
9:47 PM: The Spy Communication shield has blocked access to: evko.biz
9:47 PM: The Spy Communication shield has blocked access to: evko.biz
9:47 PM: The Spy Communication shield has blocked access to: evko.biz
9:50 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:50 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:50 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:50 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:52 PM: The Spy Communication shield has blocked access to: evko.biz
9:52 PM: The Spy Communication shield has blocked access to: evko.biz
9:52 PM: The Spy Communication shield has blocked access to: evko.biz
9:52 PM: The Spy Communication shield has blocked access to: evko.biz
9:52 PM: The Spy Communication shield has blocked access to: evko.biz
9:52 PM: The Spy Communication shield has blocked access to: evko.biz
9:57 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:57 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:57 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:57 PM: The Spy Communication shield has blocked access to: 5sec.biz
9:57 PM: The Spy Communication shield has blocked access to: evko.biz
9:57 PM: The Spy Communication shield has blocked access to: evko.biz
9:57 PM: The Spy Communication shield has blocked access to: evko.biz
9:57 PM: The Spy Communication shield has blocked access to: evko.biz
9:57 PM: The Spy Communication shield has blocked access to: evko.biz
9:57 PM: The Spy Communication shield has blocked access to: evko.biz
10:00 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:00 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:01 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:01 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:02 PM: The Spy Communication shield has blocked access to: evko.biz
10:02 PM: The Spy Communication shield has blocked access to: evko.biz
10:02 PM: The Spy Communication shield has blocked access to: evko.biz
10:02 PM: The Spy Communication shield has blocked access to: evko.biz
10:02 PM: The Spy Communication shield has blocked access to: evko.biz
10:02 PM: The Spy Communication shield has blocked access to: evko.biz
10:04 PM: The Spy Communication shield has blocked access to: maxysearch.info
10:04 PM: The Spy Communication shield has blocked access to: maxysearch.info
10:07 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:07 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:07 PM: The Spy Communication shield has blocked access to: evko.biz
10:07 PM: The Spy Communication shield has blocked access to: evko.biz
10:07 PM: The Spy Communication shield has blocked access to: evko.biz
10:07 PM: The Spy Communication shield has blocked access to: evko.biz
10:07 PM: The Spy Communication shield has blocked access to: evko.biz
10:07 PM: The Spy Communication shield has blocked access to: evko.biz
10:07 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:07 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:11 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:11 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:12 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:12 PM: The Spy Communication shield has blocked access to: 5sec.biz
10:12 PM: The Spy Communication shield has blocked access to: evko.biz
10:12 PM: The Spy Communication shield has blocked access to: evko.biz
10:12 PM: The Spy Communication shield has blocked access to: evko.biz
10:12 PM: The Spy Communication shield has blocked access to: evko.biz
10:12 PM: The Spy Communication shield has blocked access to: evko.biz
10:12 PM: The Spy Communication shield has blocked access to: evko.biz
10:24 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
10:24 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
10:24 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
10:24 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
10:24 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
10:24 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
10:27 PM: The Spy Communication shield has blocked access to: maxysearch.info
10:27 PM: The Spy Communication shield has blocked access to: maxysearch.info
10:28 PM: The Spy Communication shield has blocked access to: evko.biz
10:28 PM: The Spy Communication shield has blocked access to: evko.biz
10:28 PM: The Spy Communication shield has blocked access to: evko.biz
10:28 PM: The Spy Communication shield has blocked access to: evko.biz
10:28 PM: The Spy Communication shield has blocked access to: evko.biz
10:28 PM: The Spy Communication shield has blocked access to: evko.biz
10:28 PM: The Spy Communication shield has blocked access to: evko.biz
10:28 PM: The Spy Communication shield has blocked access to: evko.biz
10:28 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-core.psyche-evolution.com, version 1.0.0.0 -- Execution Denied
10:28 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-haxdoor, version 1.0.0.0 -- Execution Denied
10:28 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-asdbiz.biz, version 1.0.0.0 -- Execution Denied
10:56 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
10:56 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
10:56 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
10:56 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
10:56 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
10:56 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
10:56 PM: The Spy Communication shield has blocked access to: maxysearch.info
10:56 PM: The Spy Communication shield has blocked access to: maxysearch.info
11:01 PM: The Spy Communication shield has blocked access to: evko.biz
11:01 PM: The Spy Communication shield has blocked access to: evko.biz
11:01 PM: The Spy Communication shield has blocked access to: evko.biz
11:02 PM: The Spy Communication shield has blocked access to: evko.biz
11:02 PM: The Spy Communication shield has blocked access to: evko.biz
11:02 PM: The Spy Communication shield has blocked access to: evko.biz
11:02 PM: The Spy Communication shield has blocked access to: evko.biz
11:02 PM: The Spy Communication shield has blocked access to: evko.biz
11:02 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-core.psyche-evolution.com, version 1.0.0.0 -- Execution Denied
11:02 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-haxdoor, version 1.0.0.0 -- Execution Denied
11:02 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-asdbiz.biz, version 1.0.0.0 -- Execution Denied
11:04 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:04 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:05 PM: The Spy Communication shield has blocked access to: musah.info
11:05 PM: The Spy Communication shield has blocked access to: musah.info
11:07 PM: The Spy Communication shield has blocked access to: evko.biz
11:07 PM: The Spy Communication shield has blocked access to: evko.biz
11:07 PM: The Spy Communication shield has blocked access to: evko.biz
11:07 PM: The Spy Communication shield has blocked access to: evko.biz
11:07 PM: The Spy Communication shield has blocked access to: evko.biz
11:07 PM: The Spy Communication shield has blocked access to: evko.biz
11:07 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:07 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:07 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:07 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:10 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:11 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:11 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:11 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:11 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:15 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:15 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:16 PM: The Spy Communication shield has blocked access to: maxysearch.info
11:16 PM: The Spy Communication shield has blocked access to: maxysearch.info
11:16 PM: Spy Installation Shield: found: Trojan Horse: trojan-downloader-asdbiz.biz, version 1.0.0.0 -- Execution Denied
11:16 PM: The Spy Communication shield has blocked access to: musah.info
11:16 PM: The Spy Communication shield has blocked access to: musah.info
11:18 PM: The Spy Communication shield has blocked access to: evko.biz
11:18 PM: The Spy Communication shield has blocked access to: evko.biz
11:18 PM: The Spy Communication shield has blocked access to: evko.biz
11:18 PM: The Spy Communication shield has blocked access to: evko.biz
11:18 PM: The Spy Communication shield has blocked access to: evko.biz
11:18 PM: The Spy Communication shield has blocked access to: evko.biz
11:18 PM: The Spy Communication shield has blocked access to: evko.biz
11:18 PM: The Spy Communication shield has blocked access to: evko.biz
11:19 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-core.psyche-evolution.com, version 1.0.0.0 -- Execution Denied
11:19 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-haxdoor, version 1.0.0.0 -- Execution Denied
11:20 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:20 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:21 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:23 PM: The Spy Communication shield has blocked access to: evko.biz
11:23 PM: The Spy Communication shield has blocked access to: evko.biz
11:23 PM: The Spy Communication shield has blocked access to: evko.biz
11:23 PM: The Spy Communication shield has blocked access to: evko.biz
11:23 PM: The Spy Communication shield has blocked access to: evko.biz
11:23 PM: The Spy Communication shield has blocked access to: evko.biz
11:24 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:24 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:24 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:24 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:24 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:24 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:26 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:27 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:27 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:28 PM: The Spy Communication shield has blocked access to: evko.biz
11:28 PM: The Spy Communication shield has blocked access to: evko.biz
11:28 PM: The Spy Communication shield has blocked access to: evko.biz
11:28 PM: The Spy Communication shield has blocked access to: evko.biz
11:28 PM: The Spy Communication shield has blocked access to: evko.biz
11:28 PM: The Spy Communication shield has blocked access to: evko.biz
11:33 PM: The Spy Communication shield has blocked access to: evko.biz
11:33 PM: The Spy Communication shield has blocked access to: evko.biz
11:33 PM: The Spy Communication shield has blocked access to: evko.biz
11:33 PM: The Spy Communication shield has blocked access to: evko.biz
11:33 PM: The Spy Communication shield has blocked access to: evko.biz
11:33 PM: The Spy Communication shield has blocked access to: evko.biz
11:37 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:37 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:37 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:37 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:38 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:38 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:38 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:38 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:38 PM: The Spy Communication shield has blocked access to: evko.biz
11:38 PM: The Spy Communication shield has blocked access to: evko.biz
11:38 PM: The Spy Communication shield has blocked access to: evko.biz
11:38 PM: The Spy Communication shield has blocked access to: evko.biz
11:38 PM: The Spy Communication shield has blocked access to: evko.biz
11:38 PM: The Spy Communication shield has blocked access to: evko.biz
11:39 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:39 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:39 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:39 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:39 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:39 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:40 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:40 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:40 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:40 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:43 PM: The Spy Communication shield has blocked access to: evko.biz
11:43 PM: The Spy Communication shield has blocked access to: evko.biz
11:43 PM: The Spy Communication shield has blocked access to: evko.biz
11:43 PM: The Spy Communication shield has blocked access to: evko.biz
11:44 PM: The Spy Communication shield has blocked access to: evko.biz
11:44 PM: The Spy Communication shield has blocked access to: evko.biz
11:46 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:46 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:46 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:46 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
11:48 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:48 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:48 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:48 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:49 PM: The Spy Communication shield has blocked access to: evko.biz
11:49 PM: The Spy Communication shield has blocked access to: evko.biz
11:49 PM: The Spy Communication shield has blocked access to: evko.biz
11:49 PM: The Spy Communication shield has blocked access to: evko.biz
11:49 PM: The Spy Communication shield has blocked access to: evko.biz
11:49 PM: The Spy Communication shield has blocked access to: evko.biz
11:49 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:49 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:49 PM: The Spy Communication shield has

guestolo · « **Reply #17 on:** December 26, 2005, 10:32:49 PM »

Can you do the following please
I want to check on a couple things
Also, I take it you have a Sony music disc possibly with Copywrite protection label on it
It has installed the Sony Rootkit infection
You may have heard of it, we'll deal with it later

Download Trackqoo.zip
Save it to the Desktop

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post

Also, Download Find-Qoologic.zip and save it to your Desktop.

UNZIP the files inside into their own folder called FindQoologic to the desktop

Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply

NOTE: you didn't post the bottom part of the SpySweeper log, but it looks like it cleaned a lot

Addtionally, I would still like to see the log from SmitRem
It is located here
C:\Smitfiles.txt
Please post this log, thanks

Do you know what the B-H Toolbar is?

Mrs_Music · « **Reply #18 on:** December 26, 2005, 11:17:54 PM »

Yeah, I have a lot of SonyBMG cds and the B-H Toolbar is something I installed from the website-http://bhorizons.invisionplus.net/ a while ago that doesn't work...

Sorry, here's the rest of the Spysweeper log...
11:49 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:49 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:49 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:49 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:49 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:49 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:50 PM: The Spy Communication shield has blocked access to: evko.biz
11:50 PM: The Spy Communication shield has blocked access to: evko.biz
11:50 PM: The Spy Communication shield has blocked access to: evko.biz
11:50 PM: The Spy Communication shield has blocked access to: evko.biz
11:50 PM: The Spy Communication shield has blocked access to: evko.biz
11:50 PM: The Spy Communication shield has blocked access to: evko.biz
11:50 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:50 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:53 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:53 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:53 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:53 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:55 PM: The Spy Communication shield has blocked access to: evko.biz
11:55 PM: The Spy Communication shield has blocked access to: evko.biz
11:55 PM: The Spy Communication shield has blocked access to: evko.biz
11:55 PM: The Spy Communication shield has blocked access to: evko.biz
11:55 PM: The Spy Communication shield has blocked access to: evko.biz
11:55 PM: The Spy Communication shield has blocked access to: evko.biz
11:55 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:55 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:55 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:55 PM: The Spy Communication shield has blocked access to: 5sec.biz
11:59 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:59 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:59 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
11:59 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
12:00 AM: The Spy Communication shield has blocked access to: evko.biz
12:00 AM: The Spy Communication shield has blocked access to: evko.biz
12:00 AM: The Spy Communication shield has blocked access to: evko.biz
12:00 AM: The Spy Communication shield has blocked access to: evko.biz
12:00 AM: The Spy Communication shield has blocked access to: evko.biz
12:00 AM: The Spy Communication shield has blocked access to: evko.biz
12:00 AM: The Spy Communication shield has blocked access to: 5sec.biz
12:00 AM: The Spy Communication shield has blocked access to: 5sec.biz
12:01 AM: The Spy Communication shield has blocked access to: 5sec.biz
12:01 AM: The Spy Communication shield has blocked access to: 5sec.biz
12:03 AM: The Spy Communication shield has blocked access to: jupitersatellites.biz
12:03 AM: The Spy Communication shield has blocked access to: jupitersatellites.biz
12:03 AM: The Spy Communication shield has blocked access to: jupitersatellites.biz
12:03 AM: The Spy Communication shield has blocked access to: jupitersatellites.biz
12:04 AM: Spy Installation Shield: found: Adware: members area dialer, version 1.0.0.0 -- Execution Denied
12:04 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:04 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:04 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:04 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:05 AM: The Spy Communication shield has blocked access to: evko.biz
12:05 AM: The Spy Communication shield has blocked access to: evko.biz
12:05 AM: The Spy Communication shield has blocked access to: evko.biz
12:05 AM: The Spy Communication shield has blocked access to: evko.biz
12:05 AM: The Spy Communication shield has blocked access to: evko.biz
12:05 AM: The Spy Communication shield has blocked access to: evko.biz
2:31 PM: Processing Startup Alerts
2:31 PM: Removed Startup entry: aupd
2:31 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:31 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:33 PM: The Spy Communication shield has blocked access to: traff-store.com
2:33 PM: The Spy Communication shield has blocked access to: traff-store.com
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:33 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:34 PM: BHO Shield: found: -- BHO installation denied at user request
2:35 PM: BHO Shield: found: -- BHO installation denied at user request
2:35 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-core.psyche-evolution.com, version 1.0.0.0 -- Execution Denied
2:35 PM: The Spy Communication shield has blocked access to: evko.biz
2:35 PM: The Spy Communication shield has blocked access to: evko.biz
2:35 PM: The Spy Communication shield has blocked access to: evko.biz
2:35 PM: The Spy Communication shield has blocked access to: evko.biz
2:35 PM: The Spy Communication shield has blocked access to: evko.biz
2:35 PM: The Spy Communication shield has blocked access to: evko.biz
2:35 PM: The Spy Communication shield has blocked access to: evko.biz
2:35 PM: The Spy Communication shield has blocked access to: evko.biz
2:35 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-haxdoor, version 1.0.0.0 -- Execution Denied
2:35 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:35 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:35 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:35 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:35 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-securemulti, version 1.0.0.0 -- Execution allowed at user request
2:36 PM: BHO Shield: found: -- BHO installation denied at user request
2:36 PM: BHO Shield: found: -- BHO installation denied at user request
2:38 PM: BHO Shield: found: -- BHO installation denied at user request
2:38 PM: BHO Shield: found: -- BHO installation denied at user request
2:44 PM: Memory Shield: Found: Memory-resident threat trojan-backdoor-securemulti, version 1.0.0.0
2:44 PM: Ignored memory-resident threat: trojan-backdoor-securemulti
2:52 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-hebeeaac, version 1.0.0.0
2:52 PM: Detected running threat: trojan-downloader-hebeeaac
2:52 PM: Ignored memory-resident threat: trojan-downloader-hebeeaac
2:54 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:54 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
2:54 PM: The Spy Communication shield has blocked access to: traff-store.com
2:54 PM: The Spy Communication shield has blocked access to: traff-store.com
2:55 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:55 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:55 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:55 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:55 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:55 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:55 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:55 PM: The Spy Communication shield has blocked access to: maxysearch.info
2:56 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:56 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:56 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:56 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:57 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-core.psyche-evolution.com, version 1.0.0.0 -- Execution Denied
2:57 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-haxdoor, version 1.0.0.0 -- Execution Denied
2:57 PM: The Spy Communication shield has blocked access to: evko.biz
2:57 PM: The Spy Communication shield has blocked access to: evko.biz
2:57 PM: The Spy Communication shield has blocked access to: evko.biz
2:57 PM: The Spy Communication shield has blocked access to: evko.biz
2:57 PM: The Spy Communication shield has blocked access to: evko.biz
2:57 PM: The Spy Communication shield has blocked access to: evko.biz
2:57 PM: The Spy Communication shield has blocked access to: evko.biz
2:57 PM: The Spy Communication shield has blocked access to: evko.biz
2:57 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:57 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:57 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:57 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
2:57 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-securemulti, version 1.0.0.0 -- Execution allowed at user request
3:01 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:01 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:01 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:01 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:02 PM: The Spy Communication shield has blocked access to: evko.biz
3:02 PM: The Spy Communication shield has blocked access to: evko.biz
3:02 PM: The Spy Communication shield has blocked access to: evko.biz
3:02 PM: The Spy Communication shield has blocked access to: evko.biz
3:02 PM: The Spy Communication shield has blocked access to: evko.biz
3:02 PM: The Spy Communication shield has blocked access to: evko.biz
3:03 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:03 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:06 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:06 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:06 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:06 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:07 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:07 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:07 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:07 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:07 PM: The Spy Communication shield has blocked access to: evko.biz
3:07 PM: The Spy Communication shield has blocked access to: evko.biz
3:07 PM: The Spy Communication shield has blocked access to: evko.biz
3:07 PM: The Spy Communication shield has blocked access to: evko.biz
3:07 PM: The Spy Communication shield has blocked access to: evko.biz
3:07 PM: The Spy Communication shield has blocked access to: evko.biz
3:12 PM: The Spy Communication shield has blocked access to: 5sec.biz
3:12 PM: The Spy Communication shield has blocked access to: 5sec.biz
3:12 PM: The Spy Communication shield has blocked access to: 5sec.biz
3:12 PM: The Spy Communication shield has blocked access to: 5sec.biz
3:12 PM: The Spy Communication shield has blocked access to: evko.biz
3:12 PM: The Spy Communication shield has blocked access to: evko.biz
3:12 PM: The Spy Communication shield has blocked access to: evko.biz
3:12 PM: The Spy Communication shield has blocked access to: evko.biz
3:12 PM: The Spy Communication shield has blocked access to: evko.biz
3:12 PM: The Spy Communication shield has blocked access to: evko.biz
3:12 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:12 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:18 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:18 PM: The Spy Communication shield has blocked access to: stech.web-nexus.net
3:18 PM: The Spy Communication shield has blocked access to: traff-store.com
3:18 PM: The Spy Communication shield has blocked access to: traff-store.com
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:19 PM: The Spy Communication shield has blocked access to: maxysearch.info
3:20 PM: The Spy Communication shield has blocked access to: evko.biz
3:20 PM: The Spy Communication shield has blocked access to: evko.biz
3:20 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-core.psyche-evolution.com, version 1.0.0.0 -- Execution Denied
3:20 PM: The Spy Communication shield has blocked access to: evko.biz
3:20 PM: The Spy Communication shield has blocked access to: evko.biz
3:20 PM: The Spy Communication shield has blocked access to: evko.biz
3:20 PM: The Spy Communication shield has blocked access to: evko.biz
3:20 PM: The Spy Communication shield has blocked access to: evko.biz
3:20 PM: The Spy Communication shield has blocked access to: evko.biz
3:20 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-haxdoor, version 1.0.0.0 -- Execution Denied
3:20 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:20 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:20 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:20 PM: The Spy Communication shield has blocked access to: jupitersatellites.biz
3:20 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-securemulti, version 1.0.0.0 -- Execution allowed at user request
********
10:41 PM: | Start of Session, Wednesday, December 21, 2005 |
10:41 PM: Spy Sweeper started
10:41 PM: Sweep initiated using definitions version 586
10:41 PM: Starting Memory Sweep
10:45 PM: Memory Sweep Complete, Elapsed Time: 00:04:11
10:45 PM: Starting Registry Sweep
10:45 PM: Found Adware: aksoft
10:45 PM: HKLM\software\aksoft\.support\ (10 subtraces) (ID = 103365)
10:45 PM: HKLM\software\aksoft\.target\ (80 subtraces) (ID = 103366)
10:46 PM: Found Adware: ezula ilookup
10:46 PM: HKCR\appid\atlbrowser.exe\ (1 subtraces) (ID = 126121)
10:46 PM: HKCR\atlbrcon.atlbrcon\ (3 subtraces) (ID = 126127)
10:46 PM: HKLM\software\classes\appid\atlbrowser.exe\ (1 subtraces) (ID = 126207)
10:46 PM: HKLM\software\classes\atlbrcon.atlbrcon.1\ (3 subtraces) (ID = 126213)
10:46 PM: HKLM\software\classes\atlbrcon.atlbrcon\ (3 subtraces) (ID = 126214)
10:46 PM: Found Adware: ieplugin
10:46 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} (ID = 128178)
10:46 PM: Found Adware: virtualbouncer
10:46 PM: HKCR\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 392235)
10:46 PM: HKLM\software\classes\clsid\{18bbdf4d-611d-41ce-a7e7-b2dd23c250d1}\ (11 subtraces) (ID = 392390)
10:46 PM: HKLM\software\classes\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 476604)
10:46 PM: Found Adware: dealhelper
10:46 PM: HKLM\software\ddate\ (1 subtraces) (ID = 636618)
10:46 PM: HKLM\software\aksoft\ (34293 subtraces) (ID = 639132)
10:46 PM: Found Adware: clientman
10:46 PM: HKCR\appid\urlcli.dll\ (1 subtraces) (ID = 701476)
10:46 PM: HKCR\typelib\{026e4b83-1bf7-41cb-8233-4af35341bc69}\ (9 subtraces) (ID = 701480)
10:46 PM: HKLM\software\classes\appid\urlcli.dll\ (1 subtraces) (ID = 701492)
10:46 PM: HKLM\software\classes\typelib\{026e4b83-1bf7-41cb-8233-4af35341bc69}\ (9 subtraces) (ID = 701496)
10:46 PM: HKCR\searchrep.searchreppp\ (5 subtraces) (ID = 770179)
10:46 PM: HKCR\searchrep.searchreppp.1\ (3 subtraces) (ID = 770185)
10:46 PM: HKCR\typelib\{8dbd1ce8-2720-4774-8cc6-32737958ac4b}\ (9 subtraces) (ID = 770203)
10:46 PM: HKLM\software\classes\searchrep.searchreppp\ (5 subtraces) (ID = 770217)
10:46 PM: HKLM\software\classes\searchrep.searchreppp.1\ (3 subtraces) (ID = 770223)
10:46 PM: HKLM\software\classes\typelib\{8dbd1ce8-2720-4774-8cc6-32737958ac4b}\ (9 subtraces) (ID = 770241)
10:47 PM: Found Adware: cws sp.html hijack
10:47 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\internet explorer\search\ || searchassistant_bak (ID = 123751)
10:47 PM: Found Adware: delfin
10:47 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\mvu\ (5 subtraces) (ID = 124884)
10:47 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\picsvr\ (1 subtraces) (ID = 124890)
10:47 PM: Found Adware: effective-i toolbar
10:47 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\internet explorer\toolbar\webbrowser\ || {44be0690-5429-47f0-85bb-3ffd8020233e} (ID = 125668)
10:47 PM: Found Adware: spysheriff
10:47 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\windows\currentversion\run\ || windows installer (ID = 142127)
10:47 PM: Found Adware: directrevenue-abetterinternet
10:47 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\ahexe\ (30 subtraces) (ID = 145821)
10:47 PM: Found Trojan Horse: trojan-backdoor-securemulti
10:47 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\windows\currentversion\run\ || windows installer (ID = 484139)
10:47 PM: Found Adware: navexcel navhelper
10:47 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
10:47 PM: HKU\S-1-5-18\software\navexcel ltd\ (9 subtraces) (ID = 135548)
10:47 PM: Found Adware: twain-tech
10:47 PM: HKU\S-1-5-18\software\mxtarget\ (5 subtraces) (ID = 145343)
10:47 PM: Registry Sweep Complete, Elapsed Time:00:01:38
10:47 PM: Starting Cookie Sweep
10:47 PM: Found Spy Cookie: 2o7.net cookie
10:47 PM: administrator@2o7[2].txt (ID = 1957)
10:47 PM: Found Spy Cookie: go.com cookie
10:47 PM: [email protected][2].txt (ID = 2729)
10:47 PM: Found Spy Cookie: yieldmanager cookie
10:47 PM: [email protected][2].txt (ID = 3751)
10:47 PM: Found Spy Cookie: adknowledge cookie
10:47 PM: administrator@adknowledge[2].txt (ID = 2072)
10:47 PM: Found Spy Cookie: hbmediapro cookie
10:47 PM: [email protected][2].txt (ID = 2768)
10:47 PM: Found Spy Cookie: specificclick.com cookie
10:47 PM: [email protected][2].txt (ID = 3400)
10:47 PM: Found Spy Cookie: belointeractive cookie
10:47 PM: [email protected][1].txt (ID = 2295)
10:47 PM: Found Spy Cookie: pointroll cookie
10:47 PM: [email protected][2].txt (ID = 3148)
10:47 PM: Found Spy Cookie: atwola cookie
10:47 PM: administrator@atwola[1].txt (ID = 2255)
10:47 PM: administrator@belointeractive[1].txt (ID = 2294)
10:47 PM: Found Spy Cookie: zedo cookie
10:47 PM: [email protected][1].txt (ID = 3763)
10:47 PM: Found Spy Cookie: exitexchange cookie
10:47 PM: administrator@exitexchange[1].txt (ID = 2633)
10:47 PM: administrator@go[1].txt (ID = 2728)
10:47 PM: Found Spy Cookie: clickandtrack cookie
10:47 PM: [email protected][2].txt (ID = 2397)
10:47 PM: Found Spy Cookie: questionmarket cookie
10:47 PM: administrator@questionmarket[1].txt (ID = 3217)
10:47 PM: Found Spy Cookie: serving-sys cookie
10:47 PM: administrator@serving-sys[2].txt (ID = 3343)
10:47 PM: Found Spy Cookie: statcounter cookie
10:47 PM: administrator@statcounter[1].txt (ID = 3447)
10:47 PM: Found Spy Cookie: trafficmp cookie
10:47 PM: administrator@trafficmp[1].txt (ID = 3581)
10:47 PM: Found Spy Cookie: tribalfusion cookie
10:47 PM: administrator@tribalfusion[1].txt (ID = 3589)
10:47 PM: Found Spy Cookie: adserver cookie
10:47 PM: [email protected][1].txt (ID = 2142)
10:47 PM: administrator@zedo[1].txt (ID = 3762)
10:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
10:47 PM: Starting File Sweep
10:48 PM: Found Adware: e2g
10:48 PM: ei51.exe (ID = 59384)
10:49 PM: Found Adware: shopathomeselect
10:49 PM: shagentnew.dll (ID = 75942)
10:50 PM: Found Adware: exact cashback/bargain buddy
10:50 PM: installer_mediawhiz8.exe (ID = 50696)
10:52 PM: aimvffk.xml (ID = 57646)
10:52 PM: Found Adware: gain - common components
10:52 PM: hdplugin1101.dll (ID = 61477)
10:53 PM: Found Trojan Horse: trojan-downloader-asdbiz.biz
10:53 PM: qvxt2.game (ID = 80237)
10:54 PM: hdplugin1101.dll (ID = 61477)
10:55 PM: hdplugin1101.inf (ID = 61480)
10:59 PM: Found Trojan Horse: trojan-backdoor-core.psyche-evolution.com
10:59 PM: vxgamet2.exe (ID = 197844)
10:59 PM: qvxgamet2.exe (ID = 80237)
10:59 PM: vxgame6.exe (ID = 80237)
10:59 PM: hdplugin1019.inf (ID = 61473)
10:59 PM: hdplugin1101.inf (ID = 61480)
11:01 PM: Found Adware: couponage
11:01 PM: casync.dll (ID = 54700)
11:01 PM: cacore.dll (ID = 54694)
11:02 PM: carules.dll (ID = 54699)
11:02 PM: Sweep Canceled
11:02 PM: File Sweep Complete, Elapsed Time: 00:15:28
11:02 PM: Traces Found: 34602
11:02 PM: Removal process initiated
11:03 PM: Quarantining All Traces: directrevenue-abetterinternet
11:03 PM: Quarantining All Traces: spysheriff
11:03 PM: Quarantining All Traces: trojan-backdoor-securemulti
11:03 PM: Quarantining All Traces: delfin
11:03 PM: Quarantining All Traces: trojan-backdoor-core.psyche-evolution.com
11:03 PM: Quarantining All Traces: trojan-downloader-asdbiz.biz
11:03 PM: Quarantining All Traces: aksoft
11:03 PM: Quarantining All Traces: clientman
11:03 PM: Quarantining All Traces: couponage
11:03 PM: Quarantining All Traces: cws sp.html hijack
11:03 PM: Quarantining All Traces: dealhelper
11:03 PM: Quarantining All Traces: e2g
11:03 PM: Quarantining All Traces: effective-i toolbar
11:03 PM: Quarantining All Traces: exact cashback/bargain buddy
11:03 PM: Quarantining All Traces: ezula ilookup
11:03 PM: Quarantining All Traces: ieplugin
11:03 PM: Quarantining All Traces: navexcel navhelper
11:03 PM: Quarantining All Traces: shopathomeselect
11:03 PM: Quarantining All Traces: twain-tech
11:03 PM: Quarantining All Traces: virtualbouncer
11:03 PM: Quarantining All Traces: 2o7.net cookie
11:03 PM: Quarantining All Traces: adknowledge cookie
11:03 PM: Quarantining All Traces: adserver cookie
11:03 PM: Quarantining All Traces: atwola cookie
11:03 PM: Quarantining All Traces: belointeractive cookie
11:03 PM: Quarantining All Traces: clickandtrack cookie
11:03 PM: Quarantining All Traces: exitexchange cookie
11:03 PM: Quarantining All Traces: gain - common components
11:03 PM: Quarantining All Traces: go.com cookie
11:03 PM: Quarantining All Traces: hbmediapro cookie
11:03 PM: Quarantining All Traces: pointroll cookie
11:03 PM: Quarantining All Traces: questionmarket cookie
11:03 PM: Quarantining All Traces: serving-sys cookie
11:03 PM: Quarantining All Traces: specificclick.com cookie
11:03 PM: Quarantining All Traces: statcounter cookie
11:03 PM: Quarantining All Traces: trafficmp cookie
11:03 PM: Quarantining All Traces: tribalfusion cookie
11:03 PM: Quarantining All Traces: yieldmanager cookie
11:03 PM: Quarantining All Traces: zedo cookie
11:03 PM: Removal process completed. Elapsed time 00:00:44
11:04 PM: Deletion from quarantine initiated
11:04 PM: Processing: 2o7.net cookie
11:04 PM: Processing: adknowledge cookie
11:04 PM: Processing: adserver cookie
11:04 PM: Processing: aksoft
11:04 PM: Processing: atwola cookie
11:04 PM: Processing: belointeractive cookie
11:04 PM: Processing: clickandtrack cookie
11:04 PM: Processing: clientman
11:04 PM: Processing: couponage
11:04 PM: Processing: cws sp.html hijack
11:04 PM: Processing: dealhelper
11:04 PM: Processing: delfin
11:04 PM: Processing: directrevenue-abetterinternet
11:04 PM: Processing: e2g
11:04 PM: Processing: effective-i toolbar
11:04 PM: Processing: exact cashback/bargain buddy
11:04 PM: Processing: exitexchange cookie
11:04 PM: Processing: ezula ilookup
11:04 PM: Processing: gain - common components
11:04 PM: Processing: go.com cookie
11:04 PM: Processing: hbmediapro cookie
11:04 PM: Processing: ieplugin
11:04 PM: Processing: navexcel navhelper
11:04 PM: Processing: pointroll cookie
11:04 PM: Processing: questionmarket cookie
11:04 PM: Processing: serving-sys cookie
11:04 PM: Processing: shopathomeselect
11:04 PM: Processing: specificclick.com cookie
11:04 PM: Processing: spysheriff
11:04 PM: Processing: statcounter cookie
11:04 PM: Processing: trafficmp cookie
11:04 PM: Processing: tribalfusion cookie
11:04 PM: Processing: trojan-backdoor-core.psyche-evolution.com
11:04 PM: Processing: trojan-downloader-asdbiz.biz
11:04 PM: Processing: twain-tech
11:04 PM: Processing: virtualbouncer
11:04 PM: Processing: yieldmanager cookie
11:04 PM: Processing: zedo cookie
11:04 PM: Deletion from quarantine completed. Elapsed time 00:00:00
11:11 PM: Processing Startup Alerts
11:11 PM: Removed Startup entry: winsync
11:11 PM: Removed Startup entry: System
11:11 PM: Removed Startup entry: Windows installer
********
11:12 PM: | Start of Session, Thursday, December 15, 2005 |
11:12 PM: Spy Sweeper started
11:12 PM: Sweep initiated using definitions version 586
11:12 PM: Starting Memory Sweep
11:15 PM: Found Adware: clkoptimizer
11:15 PM: Detected running threat: C:\WINDOWS\system32\wuauclt.dll (ID = 143665)
11:16 PM: Found Adware: delfin
11:16 PM: Detected running threat: C:\WINDOWS\system32\picsvr\picsvr.exe (ID = 57768)
11:16 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || picsvr (ID = 0)
11:28 PM: Memory Sweep Complete, Elapsed Time: 00:15:57
11:28 PM: Starting Registry Sweep
11:28 PM: Found Adware: 7adpower
11:28 PM: HKLM\software\classes\interface\{12e919bc-c70f-432b-b831-1180de734505}\ (8 subtraces) (ID = 102195)
11:28 PM: Found Adware: aksoft
11:28 PM: HKLM\software\aksoft\.support\ (10 subtraces) (ID = 103365)
11:28 PM: HKLM\software\aksoft\.target\ (80 subtraces) (ID = 103366)
11:28 PM: HKCR\clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (6 subtraces) (ID = 105953)
11:28 PM: HKCR\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106021)
11:28 PM: HKLM\software\classes\clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (6 subtraces) (ID = 106049)
11:28 PM: HKLM\software\classes\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106116)
11:28 PM: HKLM\software\microsoft\windows\currentversion\run\ || picsvr (ID = 124872)
11:28 PM: HKLM\software\mvu\ (6 subtraces) (ID = 124885)
11:28 PM: HKLM\software\nsvcin\ (ID = 124886)
11:28 PM: HKLM\software\picsvr\ (2 subtraces) (ID = 124891)
11:28 PM: Found Adware: ezula ilookup
11:28 PM: HKCR\appid\atlbrowser.exe\ (1 subtraces) (ID = 126121)
11:28 PM: HKCR\atlbrcon.atlbrcon\ (3 subtraces) (ID = 126127)
11:28 PM: HKLM\software\classes\appid\atlbrowser.exe\ (1 subtraces) (ID = 126207)
11:28 PM: HKLM\software\classes\atlbrcon.atlbrcon.1\ (3 subtraces) (ID = 126213)
11:28 PM: HKLM\software\classes\atlbrcon.atlbrcon\ (3 subtraces) (ID = 126214)
11:28 PM: Found Adware: ieplugin
11:28 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} (ID = 128178)
11:29 PM: Found Adware: look2me
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || tsvcin (ID = 129953)
11:29 PM: HKLM\software\tsvcin\ (2 subtraces) (ID = 129976)
11:29 PM: HKLM\software\tsvcin\ || a (ID = 129977)
11:29 PM: Found Trojan Horse: rasmin
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || windowsupdate (ID = 144085)
11:29 PM: Found Trojan Horse: trojan-backdoor-dimenoc
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || windowsupdate (ID = 144085)
11:29 PM: Found Trojan Horse: vesbiz downloader
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || system (ID = 145542)
11:29 PM: Found Adware: directrevenue-abetterinternet
11:29 PM: HKCR\interface\{c08175c6-b2b2-47fc-af1a-32f77a6cb673}\ (8 subtraces) (ID = 145809)
11:29 PM: HKLM\software\classes\interface\{c08175c6-b2b2-47fc-af1a-32f77a6cb673}\ (8 subtraces) (ID = 145886)
11:29 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{000fa346-d004-45e1-bc4c-9408d6cd4128}\ (1 subtraces) (ID = 146124)
11:29 PM: Found Adware: websearch toolbar
11:29 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
11:29 PM: Found Adware: winad
11:29 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
11:29 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
11:29 PM: Found Adware: virtualbouncer
11:29 PM: HKCR\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 392235)
11:29 PM: HKLM\software\classes\clsid\{18bbdf4d-611d-41ce-a7e7-b2dd23c250d1}\ (11 subtraces) (ID = 392390)
11:29 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
11:29 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
11:29 PM: HKLM\software\classes\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 476604)
11:29 PM: Found Adware: letsroll911.org hijacker
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || system (ID = 594251)
11:29 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
11:29 PM: Found Adware: dealhelper
11:29 PM: HKLM\software\ddate\ (1 subtraces) (ID = 636618)
11:29 PM: HKLM\software\aksoft\ (34293 subtraces) (ID = 639132)
11:29 PM: Found Adware: clientman
11:29 PM: HKCR\appid\urlcli.dll\ (1 subtraces) (ID = 701476)
11:29 PM: HKCR\typelib\{026e4b83-1bf7-41cb-8233-4af35341bc69}\ (9 subtraces) (ID = 701480)
11:29 PM: HKLM\software\classes\appid\urlcli.dll\ (1 subtraces) (ID = 701492)
11:29 PM: HKLM\software\classes\typelib\{026e4b83-1bf7-41cb-8233-4af35341bc69}\ (9 subtraces) (ID = 701496)
11:29 PM: HKLM\software\microsoft\internet explorer\extensions\{9e248641-0e24-4ddb-9a1f-705087832ad6}\ (2 subtraces) (ID = 753449)
11:29 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
11:29 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
11:29 PM: HKCR\searchrep.searchreppp\ (5 subtraces) (ID = 770179)
11:29 PM: HKCR\searchrep.searchreppp.1\ (3 subtraces) (ID = 770185)
11:29 PM: HKCR\typelib\{8dbd1ce8-2720-4774-8cc6-32737958ac4b}\ (9 subtraces) (ID = 770203)
11:29 PM: HKLM\software\classes\searchrep.searchreppp\ (5 subtraces) (ID = 770217)
11:29 PM: HKLM\software\classes\searchrep.searchreppp.1\ (3 subtraces) (ID = 770223)
11:29 PM: HKLM\software\classes\typelib\{8dbd1ce8-2720-4774-8cc6-32737958ac4b}\ (9 subtraces) (ID = 770241)
11:29 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (8 subtraces) (ID = 815132)
11:29 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (8 subtraces) (ID = 815145)
11:29 PM: Found Trojan Horse: xcp rootkit
11:29 PM: HKLM\system\currentcontrolset\services\$sys$aries\ (11 subtraces) (ID = 976072)
11:29 PM: Found Adware: cws sp.html hijack
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\internet explorer\search\ || searchassistant_bak (ID = 123751)
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\mvu\ (5 subtraces) (ID = 124884)
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\picsvr\ (1 subtraces) (ID = 124890)
11:29 PM: Found Adware: effective-i toolbar
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\internet explorer\toolbar\webbrowser\ || {44be0690-5429-47f0-85bb-3ffd8020233e} (ID = 125668)
11:29 PM: Found Adware: spysheriff
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\windows\currentversion\run\ || windows installer (ID = 142127)
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\ahexe\ (30 subtraces) (ID = 145821)
11:29 PM: Found Trojan Horse: trojan-backdoor-securemulti
11:29 PM: HKU\S-1-5-21-448539723-920026266-839522115-500\software\microsoft\windows\currentversion\run\ || windows installer (ID = 484139)
11:29 PM: Found Adware: navexcel navhelper
11:29 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
11:29 PM: HKU\S-1-5-18\software\navexcel ltd\ (9 subtraces) (ID = 135548)
11:29 PM: Found Adware: twain-tech
11:29 PM: HKU\S-1-5-18\software\mxtarget\ (5 subtraces) (ID = 145343)
11:29 PM: Registry Sweep Complete, Elapsed Time:00:01:08
11:29 PM: Starting Cookie Sweep
11:29 PM: Found Spy Cookie: go.com cookie
11:29 PM: [email protected][2].txt (ID = 2729)
11:29 PM: Found Spy Cookie: yieldmanager cookie
11:29 PM: [email protected][2].txt (ID = 3751)
11:29 PM: Found Spy Cookie: adknowledge cookie
11:29 PM: administrator@adknowledge[2].txt (ID = 2072)
11:29 PM: Found Spy Cookie: hbmediapro cookie
11:29 PM: [email protected][2].txt (ID = 2768)
11:29 PM: Found Spy Cookie: specificclick.com cookie
11:29 PM: [email protected][2].txt (ID = 3400)
11:29 PM: Found Spy Cookie: belointeractive cookie
11:29 PM: [email protected][1].txt (ID = 2295)
11:29 PM: Found Spy Cookie: pointroll cookie
11:29 PM: [email protected][2].txt (ID = 3148)
11:29 PM: administrator@belointeractive[1].txt (ID = 2294)
11:29 PM: Found Spy Cookie: zedo cookie
11:29 PM: [email protected][1].txt (ID = 3763)
11:29 PM: Found Spy Cookie: exitexchange cookie
11:29 PM: administrator@exitexchange[1].txt (ID = 2633)
11:29 PM: administrator@go[1].txt (ID = 2728)
11:29 PM: Found Spy Cookie: clickandtrack cookie
11:29 PM: [email protected][2].txt (ID = 2397)
11:29 PM: Found Spy Cookie: questionmarket cookie
11:29 PM: administrator@questionmarket[1].txt (ID = 3217)
11:29 PM: Found Spy Cookie: serving-sys cookie
11:29 PM: administrator@serving-sys[2].txt (ID = 3343)
11:29 PM: Found Spy Cookie: statcounter cookie
11:29 PM: administrator@statcounter[1].txt (ID = 3447)
11:29 PM: Found Spy Cookie: trafficmp cookie
11:29 PM: administrator@trafficmp[1].txt (ID = 3581)
11:29 PM: Found Spy Cookie: tribalfusion cookie
11:29 PM: administrator@tribalfusion[1].txt (ID = 3589)
11:29 PM: Found Spy Cookie: adserver cookie
11:29 PM: [email protected][1].txt (ID = 2142)
11:29 PM: administrator@zedo[1].txt (ID = 3762)
11:29 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
11:29 PM: Starting File Sweep
11:29 PM: c:\program files\spysheriff (2 subtraces) (ID = -2147476679)
11:29 PM: c:\windows\inst (ID = -2147480086)
11:29 PM: c:\documents and settings\all users\application data\picsvr (2 subtraces) (ID = -2147481134)
11:29 PM: c:\documents and settings\all users\application data\wsxs (1 subtraces) (ID = -2147481131)
11:29 PM: c:\windows\system32\nsvsvc (2 subtraces) (ID = -2147481119)
11:29 PM: c:\documents and settings\all users\application data\nsv (18 subtraces) (ID = -2147481136)
11:29 PM: c:\windows\system32\picsvr (1 subtraces) (ID = -2147481118)
11:30 PM: 655c4132-8b7d-42e1-bbbf-d2a792 (ID = 53202)
11:30 PM: 15c170b3-efd2-45cd-b42a-e00978 (ID = 53202)
11:30 PM: Found Adware: e2g
11:30 PM: ei51.exe (ID = 59384)
11:30 PM: ds3.dll (ID = 65767)
11:31 PM: 731cff7b-cee2-4499-ad6d-ee78bc (ID = 53184)
11:32 PM: Found Trojan Horse: trojan-downloader-moneymind
11:32 PM: moneyspj.exe (ID = 80826)
11:32 PM: bc39ba07-5de8-4ffb-973c-0b8b72 (ID = 53202)
11:33 PM: 31e6e23d-adfc-4e9c-89b5-88d989.asq (ID = 116897)
11:33 PM: Found Adware: shopathomeselect
11:33 PM: shagentnew.dll (ID = 75942)
11:33 PM: 35cf20f8-a4fb-44f7-a144-3d0555.asq (ID = 53205)
11:34 PM: Found Adware: exact cashback/bargain buddy
11:34 PM: installer_mediawhiz8.exe (ID = 50696)
11:34 PM: l26olcj31fo.dll (ID = 159)
11:34 PM: 0e3486fb-498b-4ef1-9e90-48684f.asq (ID = 116897)
11:34 PM: 85709154-ff64-48ca-99e5-d8b894.asq (ID = 53205)
11:34 PM: n0l8la3u1d.dll (ID = 159)
11:35 PM: hkactivex.dll (ID = 159)
11:35 PM: rivpperf.dll (ID = 159)
11:35 PM: f4aced25-39a3-4467-8548-87ceb6.asq (ID = 120384)
11:35 PM: n4l8le3u1h.dll (ID = 159)
11:36 PM: lvpm0971e.dll (ID = 159)
11:36 PM: 5f83d443-a077-4995-b519-d01e60.asq (ID = 120384)
11:36 PM: cktdll.dll (ID = 159)
11:36 PM: wadmps.dll (ID = 159)
11:36 PM: nykuff.execommon startup (ID = 53184)
11:36 PM: 37c2b1d0-38c9-43f6-a168-670190.asq (ID = 120384)
11:36 PM: mdapsspc.dll (ID = 159)
11:36 PM: downloader.exe (ID = 164938)
11:36 PM: 1ad34ac3-420a-49dc-b80d-a2071d.asq (ID = 116897)
11:36 PM: afd7b4f4-f740-4c82-a260-ce0922.asq (ID = 120384)
11:36 PM: 97daa5f1-bc2d-4df9-97eb-6bf71e.asq (ID = 120384)
11:36 PM: 6f44139c-9a99-4447-9c37-3bd06e.asq (ID = 53205)
11:36 PM: ijfxpph.dll (ID = 159)
11:36 PM: mftrig.dll (ID = 159)
11:36 PM: n26q0cj5efo.dll (ID = 159)
11:36 PM: f8da9bf6-2798-4ceb-b8d7-202396 (ID = 53202)
11:36 PM: 7a7eb7b3-bf4f-482c-b31b-ffbef2.asq (ID = 120384)
11:36 PM: 71cb85e5-4266-4572-95e1-2de3e7.asq (ID = 116897)
11:36 PM: dc28ad81-8736-459a-8fc0-ca3ad3.asq (ID = 120384)
11:36 PM: 0feebe07-0642-45a2-849c-65240d.asq (ID = 116897)
11:36 PM: d6e73193-608d-40c8-b383-c0bda7.asq (ID = 116897)
11:36 PM: 78896054-1fac-44ec-b1d1-f20b45.asq (ID = 120384)
11:36 PM: 62de0de2-ea94-46ca-b7e2-e0da6c.asq (ID = 53205)
11:37 PM: iiign32.dll (ID = 159)
11:37 PM: mwcans32.dll (ID = 65904)
11:37 PM: 1db068e1-0139-44e1-bcd9-2ffb12.asq (ID = 120384)
11:37 PM: wdadmod.dll (ID = 159)
11:37 PM: 39de90a8-a03f-4693-a6f1-486374.asq (ID = 120384)
11:37 PM: 8b14b74f-92a7-4ef5-9e9c-ecef7d.asq (ID = 120384)
11:37 PM: m082lalo1dqc.dll (ID = 159)
11:37 PM: nvdeapi.dll (ID = 159)
11:37 PM: certc.dll (ID = 159)
11:37 PM: mvpol9731.dll (ID = 159)
11:37 PM: 6227a65c-8051-4289-a658-4cbeef.asq (ID = 120384)
11:37 PM: iconu.exe (ID = 65721)
11:37 PM: 7e08e58e-6ad5-4475-89b5-c693ba.asq (ID = 120384)
11:37 PM: 8f5c433e-63a7-49f2-8f48-1b8361.asq (ID = 53205)
11:37 PM: 6d038d48-4fa5-40d0-a71e-c56b6e.asq (ID = 116897)
11:37 PM: aimvffk.xml (ID = 57646)
11:37 PM: hefci004.dll (ID = 65904)
11:38 PM: b65c6a83-9fbd-4efe-9c15-f38711.asq (ID = 53205)
11:38 PM: 8e82c065-1951-4c53-9245-1e080a.asq (ID = 116897)
11:38 PM: 78257d6c-9e64-4488-a221-53ba8e.asq (ID = 53205)
11:38 PM: en4sl1h71.dll (ID = 159)
11:38 PM: ktlul7391.dll (ID = 159)
11:38 PM: r86u0ij9e8o.dll (ID = 159)
11:38 PM: 80291133-d7c6-41e9-acf2-177260.asq (ID = 53205)
11:38 PM: n8n60i5se8.dll (ID = 159)
11:38 PM: cpmrepl.dll (ID = 159)
11:38 PM: 02e6bfda-1832-465d-9c0d-b1a9f7.asq (ID = 120384)
11:38 PM: Found Adware: gain - common components
11:38 PM: hdplugin1101.dll (ID = 61477)
11:39 PM: k4lq0e35eh.dll (ID = 159)
11:39 PM: d3aa59c8-7620-4a47-ac19-651c52.asq (ID = 53205)
11:39 PM: vgactl.cpl (ID = 143664)
11:39 PM: e2024ec4-4e1e-40bf-a85c-b16ade.asq (ID = 53205)
11:39 PM: BHO Shield: found: -- BHO installation allowed at user request
11:39 PM: c6002gdmg60a2.dll (ID = 159)
11:39 PM: l88m0il1e8q.dll (ID = 159)
11:40 PM: 0b97a2ff-09d5-4e9e-b5a0-13b482.asq (ID = 116897)
11:40 PM: c7912df4-17ea-493e-86db-447219 (ID = 53202)
11:40 PM: Found Trojan Horse: trojan-downloader-infectedhost
11:40 PM: svchost.dll (ID = 201334)
11:40 PM: maiseq.dll (ID = 159)
11:41 PM: hrns0557e.dll (ID = 159)
11:41 PM: wknfax.dll (ID = 65904)
11:41 PM: lvls0937e.dll (ID = 159)
11:41 PM: 702d8767-b3a0-45f1-966b-311991.asq (ID = 53205)
11:41 PM: mvp8l97u1.dll (ID = 159)
11:41 PM: q8nuli5918.dll (ID = 159)
11:41 PM: 25ccf445-aa76-41dd-8483-fd07e7.asq (ID = 116897)
11:41 PM: a3db4b29-781e-44b8-b62b-31d9da (ID = 53202)
11:41 PM: wnhnetbs.dll (ID = 159)
11:42 PM: en66l1js1.dll (ID = 159)
11:42 PM: hdplugin1101.dll (ID = 61477)
11:42 PM: c2000cdmef0a0.dll (ID = 159)
11:42 PM: 5db4cee8-06c7-4111-ad17-e7ec72.asq (ID = 53134)
11:42 PM: 3ef150a0-4cfb-4073-8189-d7e9e4.asq (ID = 53205)
11:42 PM: hdplugin1101.inf (ID = 61480)
11:42 PM: 2ffa856a-8a3e-49bc-a1b7-e364ab.asq (ID = 116897)
11:42 PM: jt4807hue.dll (ID = 159)
11:42 PM: Found Adware: 180search assistant/zango
11:42 PM: sain_kyf.dat (ID = 70616)
11:42 PM: sainau.dat (ID = 70615)
11:42 PM: Found Trojan Horse: trojan-backdoor-core.psyche-evolution.com
11:42 PM: vxt2.game (ID = 197844)
11:42 PM: k0260afsed260.dll (ID = 159)
11:42 PM: gprml3911.dll (ID = 159)
11:42 PM: j8l4li3q18.dll (ID = 159)
11:43 PM: l8j8li1u18.dll (ID = 159)
11:43 PM: h40qled51h0.dll (ID = 159)
11:43 PM: hrr8059ue.dll (ID = 159)
11:43 PM: mdl_hp.dll (ID = 159)
11:43 PM: mgutil.dll (ID = 65904)
11:44 PM: uxdmxfrm.dll (ID = 159)
11:44 PM: Found Adware: wildmedia
11:44 PM: standard.exe (ID = 88774)
11:44 PM: l0l6la3s1d.dll (ID = 159)
11:44 PM: k4pmle711h.dll (ID = 159)
11:45 PM: ksdmac.dll (ID = 159)
11:45 PM: 1449cb15-7b22-4e23-bcff-1ff4ae.asq (ID = 116897)
11:45 PM: iifxress.dll (ID = 159)
11:46 PM: a6d6ca4a-182d-40a1-a531-114bf3 (ID = 53202)
11:46 PM: kodes.dll (ID = 65904)
11:46 PM: desktop.html (ID = 178574)
11:46 PM: Found Adware: isearch desktop search
11:46 PM: d62c81b6-a7d5-4667-a689-bc9585 (ID = 64334)
11:47 PM: hdplugin1019.inf (ID = 61473)
11:47 PM: hdplugin1101.inf (ID = 61480)
11:47 PM: vxgamet2.exe (ID = 197844)
11:47 PM: Found Trojan Horse: trojan-downloader-asdbiz.biz
11:47 PM: qvxgamet2.exe (ID = 80237)
11:47 PM: vxgame6.exe (ID = 80237)
11:47 PM: svchost.exe (ID = 203593)
11:47 PM: wuauclt.dll (ID = 143665)
11:47 PM: 98491621-2257-4896-888f-bc5e76 (ID = 143665)
11:47 PM: 02709b22-b3e3-4e1e-a9a8-ec2c1c (ID = 143665)
11:47 PM: sstray.exe (ID = 203593)
11:47 PM: b02f321b-1261-4a76-af1f-1cf114 (ID = 143665)
11:47 PM: bd24d720-8ad3-4549-ae61-e79193 (ID = 53202)
11:47 PM: picsvr.exe (ID = 57768)
11:47 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || picsvr (ID = 0)
11:47 PM: 825f7002-68f6-4d5d-a3b3-6e234c (ID = 143665)
11:47 PM: uninstall.exe (ID = 198832)
11:47 PM: b998b4c0-b3b8-41a7-83f5-e86902 (ID = 53202)
11:47 PM: 2d67b064-bd98-46f5-b871-9d257e (ID = 143665)
11:48 PM: 3ab15aa8-846e-4d18-9be6-336bee.asq (ID = 53205)
11:48 PM: 80afb4ec-a2b0-4239-ae7a-ab0c5a (ID = 143665)
11:48 PM: 511f5974-e921-45d2-a790-d917e8 (ID = 143665)
11:48 PM: bf3dd05d-684e-43bc-b282-6bd453 (ID = 53202)
11:48 PM: en20l1fm1.dll (ID = 159)
11:48 PM: irox.exe (ID = 70642)
11:48 PM: fppu0379e.dll (ID = 159)
11:48 PM: jt8u07l9e.dll (ID = 159)
11:48 PM: mmperf.dll (ID = 159)
11:48 PM: f00o0ad3ed0.dll (ID = 159)
11:49 PM: ksdcr.dll (ID = 159)
11:49 PM: cgpbk32.dll (ID = 65904)
11:49 PM: mfvcirt.dll (ID = 65904)
11:49 PM: i2lolc331f.dll (ID = 159)
11:49 PM: mvrql9951.dll (ID = 159)
11:49 PM: mycsubs.dll (ID = 159)
11:49 PM: Found Adware: couponage
11:49 PM: casync.dll (ID = 54700)
11:49 PM: slnsapi.dll (ID = 159)
11:49 PM: cacore.dll (ID = 54694)
11:49 PM: f0ab681d-3eb9-422d-adb1-fa2391.asq (ID = 116897)
11:49 PM: f6l0lg3m16.dll (ID = 159)
11:49 PM: 175fd306-019c-4ddf-97a4-f93cd7 (ID = 120129)
11:49 PM: ir2ul5f91.dll (ID = 159)
11:49 PM: aza6l1js1.dll (ID = 159)
11:49 PM: 9590c27d-dd15-4df9-a141-d72f81 (ID = 120129)
11:50 PM: i6600gjme6oa0.dll (ID = 159)
11:50 PM: akrules.dll (ID = 49674)
11:50 PM: oabccp32.dll (ID = 159)
11:50 PM: abicap.dll (ID = 65904)
11:50 PM: wmv1215.dbd (ID = 57687)
11:50 PM: carules.dll (ID = 54699)
11:50 PM: iyssdo.dll (ID = 65904)
11:51 PM: akupd.dll (ID = 49673)
11:51 PM: akcore.dll (ID = 49676)
11:51 PM: c95e3617-fc77-4e24-a8a4-ca5866 (ID = 53193)
11:51 PM: mgjava.dll (ID = 65904)
11:51 PM: ibmp.dll (ID = 65904)
11:51 PM: aza8lg9u16.dll (ID = 159)
11:51 PM: soc.dll (ID = 159)
11:51 PM: almlib.dll (ID = 65904)
11:51 PM: otbccu32.dll (ID = 65904)
11:51 PM: mqimtf.dll (ID = 65904)
11:51 PM: h20qlcd51f0.dll (ID = 159)
11:51 PM: modimap.dll (ID = 65904)
11:51 PM: moawt.dll (ID = 65904)
11:51 PM: kfdmaori.dll (ID = 65904)
11:51 PM: aotodisc.dll (ID = 159)
11:51 PM: kldit142.dll (ID = 159)
11:51 PM: m482lelo1hqc.dll (ID = 159)
11:51 PM: aimvffk2.xml (ID = 57648)
11:52 PM: jqsh400.dll (ID = 159)
11:52 PM: fhsrch.dll (ID = 159)
11:52 PM: aimvffk1.xml (ID = 57647)
11:52 PM: gp46l3hs1.dll (ID = 159)
11:52 PM: se2evnt1.dll (ID = 159)
11:52 PM: fp0q03d5e.dll (ID = 159)
11:52 PM: fp4403hqe.dll (ID = 159)
11:52 PM: fpr2039oe.dll (ID = 159)
11:52 PM: pprfproc.dll (ID = 159)
11:52 PM: l42slef71h2.dll (ID = 159)
11:52 PM: i8jq0i15e8.dll (ID = 159)
11:53 PM: dddim700.dll (ID = 159)
11:53 PM: g4jo0e13eh.dll (ID = 159)
11:53 PM: g8joli1318.dll (ID = 159)
11:53 PM: dnlcdf32.dll (ID = 159)
11:53 PM: ac9a9236-8df6-4925-9eea-83eb9d.asq (ID = 53205)
11:53 PM: doconfig.dll (ID = 159)
11:53 PM: 8a9b4acc-651c-4d74-a337-874d4f.asq (ID = 116897)
11:53 PM: dvlix.dll (ID = 159)
11:53 PM: dhmsadsn.dll (ID = 159)
11:53 PM: e0202afmgd2a2.dll (ID = 159)
11:53 PM: en4ml1h11.dll (ID = 65730)
11:53 PM: patchme.exe (ID = 57767)
11:53 PM: mldsrv32.dll (ID = 65730)
11:54 PM: mqoert2.dll (ID = 159)
11:54 PM: cidial32.dll (ID = 159)
11:54 PM: nsvs.dll (ID = 57751)
11:54 PM: mqrddm.dll (ID = 159)
11:54 PM: mrdemui.dll (ID = 159)
11:54 PM: mnidntld.dll (ID = 65730)
11:54 PM: 13ab9051-b05e-4015-890e-7e739b.asq (ID = 53134)
11:54 PM: jisd400.dll (ID = 65904)
11:54 PM: iewphbk.dll (ID = 65904)
11:54 PM: azaslef71h2.dll (ID = 159)
11:54 PM: sqreamci.dll (ID = 159)
11:54 PM: 7165fd9b-4e9e-4db6-abcf-bc995a.asq (ID = 116897)
11:54 PM: iqnathlp.dll (ID = 65904)
11:54 PM: 5c6c72ba-fac9-402c-bd63-fe6979.asq (ID = 116897)
11:55 PM: en68l1ju1.dll (ID = 159)
11:55 PM: swscrap.dll (ID = 65904)
11:55 PM: t6r8lg9u16.dll (ID = 159)
11:55 PM: 28475f37-2db1-40a7-902a-f53c83.asq (ID = 53134)
11:55 PM: vx6.game (ID = 80237)
11:55 PM: qvxt2.game (ID = 80237)
11:55 PM: o666lgjs16o6.dll (ID = 159)
11:55 PM: 9bcc5f81-34b4-4fe1-89bc-1e9502.asq (ID = 116897)
11:55 PM: o684lglq16qe.dll (ID = 159)
11:55 PM: o6ro0g93e6.dll (ID = 159)
11:55 PM: o6rolg9316.dll (ID = 159)
11:56 PM: camsnap.dll (ID = 65904)
11:56 PM: Found Adware: nvdialer
11:56 PM: games.exe (ID = 137596)
11:56 PM: wmv1920.dbd (ID = 57692)
11:56 PM: wmv2007.dbd (ID = 57693)
11:56 PM: ihq.dll (ID = 159)
11:57 PM: kwdhe.dll (ID = 159)
11:58 PM: rxsmans.dll (ID = 159)
11:58 PM: f7e52304-e85c-47b4-960a-5f3141.asq (ID = 53205)
11:58 PM: kwv2.dat (ID = 63356)
11:59 PM: irr0l59m1.dll (ID = 159)
11:59 PM: mgdsrv32.dll (ID = 159)
11:59 PM: 46363592-a020-463e-b011-ccfcce.asq (ID = 116897)
11:59 PM: feb60e17-234a-40ee-891d-fa220a.asq (ID = 116897)
11:59 PM: aza4lglq16qe.dll (ID = 65730)
11:59 PM: jcdw400.dll (ID = 159)
12:00 AM: pgofmap.dll (ID = 65904)
12:00 AM: nqdsbcli.dll (ID = 159)
12:00 AM: gpsieer.dll (ID = 53179)
12:01 AM: jtn4075qe.dll (ID = 159)
12:01 AM: prchdprf.dll (ID = 159)
12:02 AM: irv6mon.dll (ID = 159)
12:02 AM: k4pm0e71eh.dll (ID = 159)
12:02 AM: bxellist.dll (ID = 159)
12:03 AM: uqpnpmgr.dll (ID = 159)
12:03 AM: e8166481-cce9-4edb-8cbd-06c493.asq (ID = 116897)
12:03 AM: n46qlej51ho.dll (ID = 159)
12:03 AM: k2800clmefqa0.dll (ID = 159)
12:03 AM: elcapi.dll (ID = 159)
12:03 AM: Found Trojan Horse: 2nd-thought
12:03 AM: dgi.exe (ID = 48210)
12:05 AM: l8r00i9me8.dll (ID = 159)
12:05 AM: muiole16.dll (ID = 65904)
12:05 AM: 3daa44b9-00a3-48a9-a544-b0751f.asq (ID = 116897)
12:08 AM: jkt.dll (ID = 65904)
12:10 AM: hdplugin1101.inf (ID = 61480)
12:11 AM: jt4o07h3e.dll (ID = 159)
12:12 AM: Found Trojan Horse: trojan-downloader-delf
12:12 AM: moneyspm.exe (ID = 80426)
12:13 AM: iosso.dll (ID = 65904)
12:13 AM: uwdmxfrm.dll (ID = 159)
12:13 AM: jtl2073oe.dll (ID = 159)
12:13 AM: njprovau.dll (ID = 65904)
12:15 AM: wmv0204.ddx (ID = 57686)
12:15 AM: wmv0504.ddx (ID = 57686)
12:15 AM: wmv0904.ddx (ID = 57691)
12:15 AM: wmv0412.ddx (ID = 57686)
12:15 AM: wmv0106.ddx (ID = 57679)
12:15 AM: wmv0315.ddx (ID = 57686)
12:16 AM: setup.inf (ID = 50863)
12:16 AM: wmv1204.ddx (ID = 57686)
12:16 AM: deskbar.ini (ID = 64321)
12:16 AM: wmv1909.ddx (ID = 57691)
12:16 AM: wmv1125.ddx (ID = 57685)
12:16 AM: Found System Monitor: potentially rootkit-masked files
12:16 AM: $sys$cor.sys (ID = 0)
12:16 AM: $sys$drmserver.exe (ID = 0)
12:16 AM: $sys$caj.dll (ID = 0)
12:16 AM: $sys$upgtool.exe (ID = 0)
12:16 AM: $sys$parking (ID = 0)
12:16 AM: 20050911164137.zip (ID = 57796)
12:17 AM: File Sweep Complete, Elapsed Time: 00:47:37
12:17 AM: Full Sweep has completed. Elapsed time 01:04:52
12:17 AM: Traces Found: 35040
12:25 AM: Removal process initiated
12:26 AM: Quarantining All Traces: 180search assistant/zango
12:26 AM: Quarantining All Traces: 2nd-thought
12:26 AM: Quarantining All Traces: clkoptimizer
12:27 AM: clkoptimizer is in use. It will be removed on reboot.
12:27 AM: wuauclt.dll is in use. It will be removed on reboot.
12:27 AM: C:\WINDOWS\system32\wuauclt.dll is in use. It will be removed on reboot.
12:27 AM: Quarantining All Traces: directrevenue-abetterinternet
12:27 AM: Quarantining All Traces: isearch desktop search
12:27 AM: Quarantining All Traces: look2me
12:28 AM: The Spy Communication shield has blocked access to: mm.delfinproject.com
12:28 AM: The Spy Communication shield has blocked access to: mm.delfinproject.com
12:29 AM: Quarantining All Traces: potentially rootkit-masked files
12:29 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
12:29 AM: $sys$drmserver.exe is in use. It will be removed on reboot.
12:29 AM: Quarantining All Traces: spysheriff
12:29 AM: Quarantining All Traces: trojan-backdoor-securemulti
12:29 AM: Quarantining All Traces: trojan-downloader-moneymind
12:29 AM: Quarantining All Traces: websearch toolbar
12:29 AM: Quarantining All Traces: wildmedia
12:29 AM: Quarantining All Traces: delfin
12:29 AM: delfin is in use. It will be removed on reboot.
12:29 AM: picsvr.exe is in use. It will be removed on reboot.
12:29 AM: Quarantining All Traces: letsroll911.org hijacker
12:29 AM: Quarantining All Traces: rasmin
12:29 AM: Quarantining All Traces: trojan-backdoor-core.psyche-evolution.com
12:29 AM: Quarantining All Traces: trojan-backdoor-dimenoc
12:29 AM: Quarantining All Traces: trojan-downloader-asdbiz.biz
12:29 AM: Quarantining All Traces: trojan-downloader-delf
12:29 AM: Quarantining All Traces: trojan-downloader-infectedhost
12:29 AM: Quarantining All Traces: vesbiz downloader
12:29 AM: Quarantining All Traces: winad
12:29 AM: Quarantining All Traces: xcp rootkit
12:29 AM: Quarantining All Traces: 7adpower
12:29 AM: Quarantining All Traces: aksoft
12:34 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:34 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:35 AM: Deletion from quarantine initiated
12:35 AM: Processing: 180search assistant/zango
12:35 AM: Processing: 2nd-thought
12:35 AM: Processing: 7adpower
12:35 AM: Processing: aksoft
12:35 AM: Processing: clkoptimizer
12:35 AM: Processing: delfin
12:35 AM: Processing: directrevenue-abetterinternet
12:35 AM: Processing: isearch desktop search
12:35 AM: Processing: letsroll911.org hijacker
12:35 AM: Processing: look2me
12:35 AM: Processing: potentially rootkit-masked files
12:35 AM: Processing: rasmin
12:35 AM: Processing: spysheriff
12:35 AM: Processing: trojan-backdoor-core.psyche-evolution.com
12:35 AM: Processing: trojan-downloader-asdbiz.biz
12:35 AM: Processing: trojan-downloader-delf
12:35 AM: Processing: trojan-downloader-infectedhost
12:35 AM: Processing: trojan-downloader-moneymind
12:35 AM: Processing: websearch toolbar
12:35 AM: Processing: wildmedia
12:35 AM: Processing: winad
12:35 AM: Processing: xcp rootkit
12:35 AM: Deletion from quarantine completed. Elapsed time 00:00:01
12:38 AM: Memory Shield: Found: Memory-resident threat trojan-downloader-infectedhost, version 1.0.0.0
12:38 AM: Detected running threat: trojan-downloader-infectedhost
12:38 AM: Ignored memory-resident threat: trojan-downloader-infectedhost
12:43 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:43 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:43 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:43 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:43 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:43 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:51 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:51 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:51 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:51 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:51 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:51 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:59 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:59 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
12:59 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:59 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:59 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
12:59 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: stech.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:07 AM: The Spy Communication shield has blocked access to: dl.web-nexus.net
1:07 AM: The Spy Communication shield has bloc

guestolo · « **Reply #19 on:** December 26, 2005, 11:18:38 PM »

Thanks again for the SpySweeper log, I take it there's more but I need to see the following

Download Trackqoo.zip
Save it to the Desktop

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post

Also, Download Find-Qoologic.zip and save it to your Desktop.

UNZIP the files inside into their own folder called FindQoologic to the desktop

Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply

Addtionally, I would still like to see the log from SmitRem
It is located here
C:\Smitfiles.txt
Please post this log, thanks

News:

Author Topic: Spy Sherrif (Read 5121 times)