surf sidekick

Go ahead and uninstall/delete the programs/files we've used so far for the cleaning process. :)

Please print these instructions out, or write them down, as you can't read them during the fix.

Before going to the Avenger:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Next,

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your C:\ drive (to your Local Disk).

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{30CE93AE-4987-483C-9ABE-F2BD5301AB70}]

Do NOT do anything with it yet!

==

Next:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract Avenger.exe to your desktop.
2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

Files to delete:
C:\WINDOWS\SYSTEM32\ad.html
C:\WINDOWS\SYSTEM32\atmtd.dll
C:\WINDOWS\SYSTEM32\f3PSSavr.scr
C:\WINDOWS\SYSTEM32\favico.dat
C:\WINDOWS\SYSTEM32\paydial.exe
C:\WINDOWS\SYSTEM32\tibs.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX6_0001_N69M1503NetInstaller.exe
C:\drsmartload1.exe
C:\WINDOWS\azesearch.bmp
C:\WINDOWS\tool.exe
C:\WINDOWS\ubber60.ini
C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn
C:\WINDOWS\Downloaded Program Files\gba1735.exe
C:\WINDOWS\sec.chm
C:\WINDOWS\system32\dr.exe
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\in10thinInstDSTU43s.dll
C:\WINDOWS\system32\lybhav-1.0.0.dll

Folders to delete:
C:\WINDOWS\TWFyayBUaGUgS2lsbGVy\
C:\PROGRAM FILES\FunWebProducts
C:\PROGRAM FILES\NDW
C:\PROGRAM FILES\Spyware Stormer
C:\PROGRAM FILES\COMMON FILES\InetGet
C:\WINDOWS\SYSTEM32\SBUtils
C:\Program Files\MyWebSearch\

Programs to launch on reboot:
C:\Fixit.reg

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to the notepad file into this window
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it briefly opens a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • You should get a request for the Registry modification. Please allow it by hitting YES.
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply. :bigthumb:
 
avenger.txt

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\grpdojxa

*******************

Script file located at: \??\C:\WINDOWS\mjlrrewd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\ad.html deleted successfully.
File C:\WINDOWS\SYSTEM32\atmtd.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\f3PSSavr.scr deleted successfully.
File C:\WINDOWS\SYSTEM32\favico.dat deleted successfully.
File C:\WINDOWS\SYSTEM32\paydial.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\tibs.exe deleted successfully.
File C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX6_0001_N69M1503NetInstaller.exe deleted successfully.
File C:\drsmartload1.exe deleted successfully.
File C:\WINDOWS\azesearch.bmp deleted successfully.
File C:\WINDOWS\tool.exe deleted successfully.
File C:\WINDOWS\ubber60.ini deleted successfully.


Error: C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn is a folder, not a file!
Deletion of file C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn failed!

Could not process line:
C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn
Status: 0xc00000ba

File C:\WINDOWS\Downloaded Program Files\gba1735.exe deleted successfully.
File C:\WINDOWS\sec.chm deleted successfully.
File C:\WINDOWS\system32\dr.exe deleted successfully.


File C:\WINDOWS\system32\f3PSSavr.scr not found!
Deletion of file C:\WINDOWS\system32\f3PSSavr.scr failed!

Could not process line:
C:\WINDOWS\system32\f3PSSavr.scr
Status: 0xc0000034

File C:\WINDOWS\uninstall_nmon.vbs deleted successfully.
File C:\WINDOWS\system32\in10thinInstDSTU43s.dll deleted successfully.
File C:\WINDOWS\system32\lybhav-1.0.0.dll deleted successfully.
Folder C:\WINDOWS\TWFyayBUaGUgS2lsbGVy deleted successfully.
Folder C:\PROGRAM FILES\FunWebProducts deleted successfully.
Folder C:\PROGRAM FILES\NDW deleted successfully.
Folder C:\PROGRAM FILES\Spyware Stormer deleted successfully.
Folder C:\PROGRAM FILES\COMMON FILES\InetGet deleted successfully.
Folder C:\WINDOWS\SYSTEM32\SBUtils deleted successfully.
Folder C:\Program Files\MyWebSearch deleted successfully.
Program C:\Fixit.reg successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
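
Added example, not part of the original posts and not code from The Avenger: a short Python parser for a log in the format shown above that maps the two NTSTATUS codes it reports to their standard names and says what each failed line needs. The sample is an excerpt of the log above; the function names are this example's own.

```python
import re

# Standard Windows names for the two NTSTATUS codes that appear in the log above.
NTSTATUS_NAMES = {
    0xC00000BA: "STATUS_FILE_IS_A_DIRECTORY",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

DELETED_RE = re.compile(r"^(?:File|Folder) (.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")

# Excerpt of the avenger.txt posted above (lines copied from the page).
SAMPLE_LOG = r"""
File C:\WINDOWS\SYSTEM32\f3PSSavr.scr deleted successfully.
File C:\WINDOWS\ubber60.ini deleted successfully.

Error: C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn is a folder, not a file!
Deletion of file C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn failed!

Could not process line:
C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn
Status: 0xc00000ba

File C:\WINDOWS\system32\dr.exe deleted successfully.

File C:\WINDOWS\system32\f3PSSavr.scr not found!
Deletion of file C:\WINDOWS\system32\f3PSSavr.scr failed!

Could not process line:
C:\WINDOWS\system32\f3PSSavr.scr
Status: 0xc0000034

Folder C:\PROGRAM FILES\NDW deleted successfully.
"""


def parse_events(text):
    """Return ordered (kind, path, status) tuples; kind is 'deleted' or 'failed'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for i, line in enumerate(lines):
        done = DELETED_RE.match(line)
        if done:
            events.append(("deleted", done.group(1), None))
        elif line == "Could not process line:" and i + 2 < len(lines):
            # The log prints the script line, then its NTSTATUS, after this marker.
            status = STATUS_RE.match(lines[i + 2])
            if status:
                events.append(("failed", lines[i + 1], int(status.group(1), 16)))
    return events


def triage(text):
    """Explain every failed script line and suggest the follow-up."""
    removed = set()
    report = []
    for kind, path, code in parse_events(text):
        key = path.lower()  # Windows path lookups are case-insensitive by default
        if kind == "deleted":
            removed.add(key)
            continue
        name = NTSTATUS_NAMES.get(code, "0x%08X" % code)
        duplicate = key in removed
        if name == "STATUS_FILE_IS_A_DIRECTORY":
            action = "a folder was listed under 'Files to delete:'; remove it as a folder"
        elif name == "STATUS_OBJECT_NAME_NOT_FOUND" and duplicate:
            action = "duplicate script entry; the same path was deleted earlier in this run"
        elif name == "STATUS_OBJECT_NAME_NOT_FOUND":
            action = "nothing exists at this path; check the path in the script"
        else:
            action = "review manually"
        report.append({"path": path, "status": name,
                       "duplicate": duplicate, "action": action})
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print("%s\n  %s: %s" % (item["path"], item["status"], item["action"]))
```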
 
By the way, is add reply the same thing as post reply? I notice you've written it twice. I don't often post in forums.

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:34:25, on 05/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.50.166.14 yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
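
Added example, not part of the original posts and not HijackThis code: a Python sketch that groups the entries of a log in the format above by section code and pulls out the two kinds of entry that change name resolution, O1 (Hosts file lines) and O17 (NameServer values), so they can be checked against what the user and ISP actually configured. The sample lines are copied from the log above, plus one constructed loopback line to show the filter; the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")

# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O1 - Hosts: 69.50.166.14 yahoo.com
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# Constructed line (not from the page): a harmless loopback mapping.
CONSTRUCTED_LINE = "O1 - Hosts: 127.0.0.1 localhost"


def parse_entries(text):
    """Return (section_code, detail) for every 'XN - ...' line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def section_counts(entries):
    """Count entries per section code (R0, O1, O4, ...)."""
    return Counter(code for code, _ in entries)


def hosts_overrides(entries):
    """O1 lines that pin a hostname to an address other than loopback or 0.0.0.0.

    A Hosts file entry is consulted before DNS, so each result needs an owner
    who can say why that name should resolve to that address.
    """
    found = []
    for code, detail in entries:
        m = HOSTS_RE.match(detail) if code == "O1" else None
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            # Malformed address: keep it so it still gets reviewed.
            found.append((m.group(1), m.group(2)))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            found.append((str(addr), m.group(2)))
    return found


def nameservers(entries):
    """Unique DNS servers named in O17 entries, for comparison with the ISP's."""
    servers = set()
    for code, detail in entries:
        m = NAMESERVER_RE.search(detail) if code == "O17" else None
        if m:
            servers.update(m.group(1).replace(",", " ").split())
    return sorted(servers)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG + CONSTRUCTED_LINE)
    print(dict(section_counts(parsed)))
    print("hosts overrides:", hosts_overrides(parsed))
    print("nameservers:", nameservers(parsed))
```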
 
Yes, Post reply is the same as AddReply (I'm using "Canned Speeches" for some programs, and sometimes don't remember to edit them accordingly) :)

Please delete this file:

C:\Documents and Settings\Mark The Killer\Favorites\Free Hardcore Porn

Other than that, how's the system running at the moment?
 
Yeah, the system is running much smoother now. There's the occasional harassment from winfixer 2006; some days it pops almost every 10 seconds, some days it doesn't pop up at all.
Thanks for all your help though, especially with that horrible surf side kick thing, I'm glad to see the back of it :bigthumb:
 
You can go ahead and delete/uninstall all the programs/files we used so far with the cleaning process. :)

==

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
 
Here is the Spy Sweeper session log:

Part 1

********
15:09: | Start of Session, 09 April 2006 |
15:09: Spy Sweeper started
15:09: Sweep initiated using definitions version 652
15:09: Starting Memory Sweep
15:17: Memory Sweep Complete, Elapsed Time: 00:07:36
15:17: Starting Registry Sweep
15:17: Found Adware: blazefind
15:17: HKCR\admilliservx.installer\ (3 subtraces) (ID = 104436)
15:17: HKLM\software\classes\admilliservx.installer\ (3 subtraces) (ID = 104466)
15:17: HKLM\software\classes\winservadx.installer\ (3 subtraces) (ID = 104512)
15:17: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/admilliservx.dll\ (2 subtraces) (ID = 104525)
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\admilliservx.dll (ID = 104540)
15:17: HKCR\winservadx.installer\ (3 subtraces) (ID = 104577)
15:17: Found Adware: blazefind_adstat
15:17: HKLM\software\classes\winformx.installer\ (3 subtraces) (ID = 104587)
15:17: HKCR\winformx.installer\ (3 subtraces) (ID = 104593)
15:17: Found Adware: elitemediagroup-mediamotor
15:17: HKLM\software\classes\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140131)
15:17: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/m67m.ocx\ (2 subtraces) (ID = 140170)
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\m67m.ocx (ID = 140199)
15:17: HKCR\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (9 subtraces) (ID = 140223)
15:17: Found Trojan Horse: topconverting downloader
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\loader2.ocx (ID = 143829)
15:17: Found Trojan Horse: trojan_backdoor_retro64
15:17: HKCR\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 144995)
15:17: HKLM\software\classes\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 145000)
15:17: HKLM\software\classes\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145003)
15:17: HKCR\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145004)
15:17: Found Adware: winad
15:17: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
15:17: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
15:17: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
15:17: Found Adware: command
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
15:17: Found Adware: dollarrevenue
15:17: HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
15:17: HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
15:17: HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (1 subtraces) (ID = 1023385)
15:17: HKCR\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (9 subtraces) (ID = 1023387)
15:17: HKLM\software\classes\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (9 subtraces) (ID = 1023399)
15:17: HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
15:17: HKCR\appid\activex.dll\ || appid (ID = 1049592)
15:17: HKLM\software\classes\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (1 subtraces) (ID = 1049593)
15:17: HKLM\software\classes\appid\activex.dll\ || appid (ID = 1049594)
15:17: Found Adware: zquest
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\dh\ (2 subtraces) (ID = 1057035)
15:17: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
15:17: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
15:17: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
15:17: Found Adware: winantispyware 2005
15:17: HKCR\uwfx6pcheck.uwfx6pcheck.1\ (2 subtraces) (ID = 1136990)
15:17: HKLM\software\classes\uwfx6pcheck.uwfx6pcheck.1\ (2 subtraces) (ID = 1137248)
15:17: Found Adware: maxifiles
15:17: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
15:17: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
15:17: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
15:17: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
15:17: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
15:17: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
15:17: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
15:17: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
15:17: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
15:17: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
15:17: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
15:17: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (2 subtraces) (ID = 1156519)
15:17: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
15:17: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
15:17: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
15:17: Found Adware: topsearch
15:17: HKLM\software\topmoxie\topsearch\ (2 subtraces) (ID = 1180367)
15:17: HKLM\software\winfixer_free\ (ID = 1201404)
15:17: Found Adware: internetoptimizer
15:17: HKU\WRSS_Profile_S-1-5-21-1292428093-789336058-682003330-1006\software\avenue media\ (7 subtraces) (ID = 128887)
15:17: HKU\WRSS_Profile_S-1-5-21-1292428093-789336058-682003330-1006\software\microsoft\windows\currentversion\run\ || internet optimizer (ID = 818746)
15:17: Found Adware: cws-aboutblank
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
15:17: Found Adware: freshbar
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\microsoft\internet explorer\vd\ (ID = 126699)
15:17: Found Adware: findthewebsiteyouneed hijack
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
15:17: HKU\S-1-5-21-1292428093-789336058-682003330-1004\software\xbtb04715\ (71 subtraces) (ID = 1156401)
15:17: HKU\S-1-5-18\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
15:17: Registry Sweep Complete, Elapsed Time:00:00:41
15:17: Starting Cookie Sweep
15:17: Found Spy Cookie: a cookie
15:17: miyoko@a[1].txt (ID = 2027)
15:17: Found Spy Cookie: touchclarity cookie
15:17: miyoko@barclays.touchclarity[1].txt (ID = 3566)
15:17: Found Spy Cookie: delfinproject cookie
15:17: miyoko@delfinproject[1].txt (ID = 2509)
15:17: Found Spy Cookie: exitexchange cookie
15:17: miyoko@exitexchange[1].txt (ID = 2633)
15:17: miyoko@msn.touchclarity[1].txt (ID = 3566)
15:17: miyoko@theaa.touchclarity[1].txt (ID = 3566)
15:17: Found Spy Cookie: 247realmedia cookie
15:17: mark the killer@247realmedia[2].txt (ID = 1953)
15:17: Found Spy Cookie: 2o7.net cookie
15:17: mark the killer@2o7[2].txt (ID = 1957)
15:17: Found Spy Cookie: about cookie
15:17: mark the killer@about[1].txt (ID = 2037)
15:17: Found Spy Cookie: yieldmanager cookie
15:17: mark the killer@ad.yieldmanager[2].txt (ID = 3751)
15:17: Found Spy Cookie: adrevolver cookie
15:17: mark the killer@adrevolver[1].txt (ID = 2088)
15:17: mark the killer@adrevolver[2].txt (ID = 2088)
15:17: Found Spy Cookie: adtech cookie
15:17: mark the killer@adtech[2].txt (ID = 2155)
15:17: Found Spy Cookie: advertising cookie
15:17: mark the killer@advertising[1].txt (ID = 2175)
15:17: Found Spy Cookie: adviva cookie
15:17: mark the killer@adviva[2].txt (ID = 2177)
15:17: Found Spy Cookie: apmebf cookie
15:17: mark the killer@apmebf[1].txt (ID = 2229)
15:17: Found Spy Cookie: atwola cookie
15:17: mark the killer@ar.atwola[1].txt (ID = 2256)
15:17: Found Spy Cookie: atlas dmt cookie
15:17: mark the killer@atdmt[2].txt (ID = 2253)
15:17: mark the killer@atwola[1].txt (ID = 2255)
15:17: mark the killer@a[1].txt (ID = 2027)
15:17: Found Spy Cookie: bluestreak cookie
15:17: mark the killer@bluestreak[1].txt (ID = 2314)
15:17: Found Spy Cookie: bs.serving-sys cookie
15:17: mark the killer@bs.serving-sys[2].txt (ID = 2330)
15:17: Found Spy Cookie: casalemedia cookie
15:17: mark the killer@casalemedia[2].txt (ID = 2354)
15:17: mark the killer@compsimgames.about[2].txt (ID = 2038)
15:17: Found Spy Cookie: fastclick cookie
15:17: mark the killer@fastclick[2].txt (ID = 2651)
15:17: Found Spy Cookie: maxserving cookie
15:17: mark the killer@maxserving[1].txt (ID = 2966)
15:17: Found Spy Cookie: mediaplex cookie
15:17: mark the killer@mediaplex[1].txt (ID = 6442)
15:17: Found Spy Cookie: questionmarket cookie
15:17: mark the killer@questionmarket[1].txt (ID = 3217)
15:17: Found Spy Cookie: realmedia cookie
15:17: mark the killer@realmedia[2].txt (ID = 3235)
15:17: Found Spy Cookie: serving-sys cookie
15:17: mark the killer@serving-sys[2].txt (ID = 3343)
15:17: Found Spy Cookie: statcounter cookie
15:17: mark the killer@statcounter[1].txt (ID = 3447)
15:17: Found Spy Cookie: tradedoubler cookie
15:17: mark the killer@tradedoubler[1].txt (ID = 3575)
15:17: Found Spy Cookie: tribalfusion cookie
15:17: mark the killer@tribalfusion[1].txt (ID = 3589)
15:17: Found Spy Cookie: top-banners cookie
15:17: system@media.top-banners[1].txt (ID = 3548)
15:17: Cookie Sweep Complete, Elapsed Time: 00:00:07
15:17: Starting File Sweep
15:18: c:\program files\common files\winfixer 2006 (ID = -2147458863)
15:18: c:\program files\winfixer_2006 (ID = -2147458870)
15:19: a0157335.exe (ID = 275855)
15:19: a0157337.exe (ID = 275854)
15:19: a0141630.exe (ID = 133210)
15:19: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:19: Found Adware: effective-i toolbar
15:19: a0141624.exe (ID = 59853)
15:20: Found Trojan Horse: rbot
15:20: a0158872.exe (ID = 269648)
15:20: Found Adware: surfsidekick
15:20: a0141932.dll (ID = 242398)
15:20: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:21: a0157509.dll (ID = 273539)
15:21: a0160269.exe (ID = 244762)
15:21: a0150862.vbs (ID = 231442)
15:21: Found Adware: 180search assistant/zango
15:21: saap.log (ID = 70593)
15:21: saap_gdf.dat (ID = 70595)
15:22: Found Adware: delfin
15:22: a0146566.exe (ID = 164938)
15:22: a0158869.exe (ID = 231443)
15:22: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: Found Adware: look2me
15:23: a0141934.dll (ID = 163672)
15:23: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:23: a0146565.ocx (ID = 194608)
15:24: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
15:25: Found Trojan Horse: trojan downloader matcash
15:25: a0157852.exe (ID = 246327)
15:26: a0146505.dll (ID = 208494)
15:27: a0157853.exe (ID = 246327)
15:27: a0157336.exe (ID = 275853)
15:29: aa765b4f-9aea-4b69-8ea3-6cf20f (ID = 244763)
15:31: winfixer2006freeinstall[1].cab (ID = 269737)
15:32: winfixer2006freeinstall[3].cab (ID = 269737)
15:35: newname7[1].exe (ID = 275855)
15:35: a0160336.vbs (ID = 231442)
15:39: a0157508.exe (ID = 273538)
15:39: a0146480.dll (ID = 242398)
15:39: winfixer2006freeinstall[2].cab (ID = 269737)
15:40: a0150861.exe (ID = 231443)
15:40: a0146477.exe (ID = 242428)
15:41: winfixer2006freeinstall[4].cab (ID = 269737)
15:42: a0141979.dll (ID = 163672)
15:43: a0146507.exe (ID = 208497)
15:43: a0144435.exe (ID = 194610)
15:45: a0146563.dll (ID = 194609)
15:46: a0144453.dll (ID = 159)
15:46: saapau.dat (ID = 70594)
15:46: a0155305.dll (ID = 159)
15:46: a0157517.dll (ID = 273831)
15:46: Found Adware: deskwizz
15:46: a0157854.exe (ID = 240959)
15:46: a0142129.dll (ID = 159)
15:47: a0144151.dll (ID = 159)
15:47: a0146481.dll (ID = 242399)
15:47: a0141930.dll (ID = 163672)
15:48: salm_kyf_update.dat (ID = 93790)
15:48: backup-20060403-164846-717.dll (ID = 244763)
15:48: a0155303.dll (ID = 163672)
15:48: a0157851.exe (ID = 269649)
15:48: a0153087.sys (ID = 238540)
15:49: Found Adware: whenu savenow
15:49: a0153088.exe (ID = 74460)
15:49: a0144434.dll (ID = 159)
15:49: a0146585.dll (ID = 159)
15:49: a0155304.dll (ID = 163672)
15:50: Found Adware: webhancer
15:50: a0157340.exe (ID = 267157)
15:50: a0157770.exe (ID = 185254)
15:50: a0157772.exe (ID = 244762)
15:50: a0160334.exe (ID = 144946)
15:51: a0146587.dll (ID = 159)
15:52: a0153086.dll (ID = 238551)
15:52: a0159908.dll (ID = 244763)
15:52: a0141622.exe (ID = 216718)
15:52: a0141931.exe (ID = 242428)
15:52: a0158867.exe (ID = 269649)
15:52: Found Adware: whenu save
15:52: a0153021.dll (ID = 182873)
15:52: Found Adware: purityscan
15:52: a0158868.exe (ID = 271320)
15:53: a0160270.dll (ID = 159)
15:54: a0155292.dll (ID = 163672)
15:54: a0141593.exe (ID = 185254)
15:55: a0148691.exe (ID = 238538)
15:55: a0144401.dll (ID = 159)
15:56: a0141626.dll (ID = 166754)
15:56: Found Adware: mirar webband
15:56: a0141625.exe (ID = 133208)
15:56: a0141629.dll (ID = 133227)
15:57: saap_kyf.dat (ID = 70596)
15:57: a0141617.exe (ID = 168558)
15:57: Found Adware: wildmedia
15:57: update10[1].xml (ID = 88967)
15:58: a0150191.exe (ID = 252966)
15:59: a0141634.exe (ID = 212831)
15:59: a0146586.dll (ID = 159)
16:00: a0146561.dll (ID = 159)
16:00: a0144422.dll (ID = 159)
16:00: a0141631.exe (ID = 212828)
16:00: a0141633.exe (ID = 212830)
 
part 2:

141947.exe (ID = 242377)
16:01: autoit3.exe (ID = 185254)
16:01: a0141953.dll (ID = 159)
16:02: a0141973.dll (ID = 159)
16:02: a0141978.exe (ID = 238554)
16:02: a0141933.dll (ID = 242399)
16:02: Found Adware: targetsaver
16:02: a0141628.exe (ID = 193501)
16:02: class-barrel (ID = 78229)
16:03: a0146557.dll (ID = 159)
16:03: a0141619.dll (ID = 195129)
16:03: a0153020.exe (ID = 233591)
16:03: vocabulary (ID = 78283)
16:03: a0141952.dll (ID = 242406)
16:04: a0141929.dll (ID = 144945)
16:04: a0157756.dll (ID = 244763)
16:04: a0141607.exe (ID = 144946)
16:04: a0141616.exe (ID = 215896)
16:06: a0159934.exe (ID = 275853)
16:06: m67m.inf (ID = 133213)
16:07: salm_gdf.dat (ID = 93789)
16:07: a0153022.exe (ID = 233592)
16:08: a0159933.exe (ID = 275854)
16:08: a0159932.exe (ID = 275855)
16:09: a0160332.dll (ID = 144945)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:09: a0144353.dll (ID = 159)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:09: uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
16:10: a0146560.dll (ID = 159)
16:10: a0144433.dll (ID = 159)
16:11: a0160263.dll (ID = 166754)
16:11: atmtd.dll._ (ID = 166754)
16:11: a0141635.config (ID = 212361)
16:11: a0146558.dll (ID = 159)
16:12: a0142105.dll (ID = 159)
16:12: a0146559.dll (ID = 159)
16:14: salmau.dat (ID = 93788)
16:14: a0157667.ini (ID = 273524)
16:14: dh.ini (ID = 273524)
16:14: sk02[1].ini (ID = 273524)
16:14: a0160333.vbs (ID = 185675)
16:14: a0155265.ini (ID = 238253)
16:14: a0146577.vbs (ID = 185675)
16:15: Found Adware: azsearch toolbar
16:15: azesearch.inf (ID = 50327)
16:15: Found Adware: ist istbar
16:15: backup-20050501-191117-924.inf (ID = 64605)
16:15: Found Adware: wildflics
16:15: backup-20050501-191117-713.inf (ID = 122157)
16:15: a0141614.bat (ID = 212353)
16:15: a0141632.config (ID = 212358)
16:16: Warning: Unhandled Archive Type
16:21: Warning: Unhandled Archive Type
16:23: backup.zip (ID = 166754)
16:23: Warning: Unhandled Archive Type
16:24: Warning: Unhandled Archive Type
16:24: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Unhandled Archive Type
16:45: Warning: Invalid Stream
16:45: Warning: Invalid Stream
16:45: Warning: Invalid Stream
16:45: Warning: Invalid Stream
16:45: Warning: Invalid Stream
16:50: File Sweep Complete, Elapsed Time: 01:32:23
16:50: Full Sweep has completed. Elapsed time 01:40:55
16:50: Traces Found: 519
17:11: Removal process initiated
17:11: Quarantining All Traces: 180search assistant/zango
17:12: Quarantining All Traces: cws-aboutblank
17:12: Quarantining All Traces: ist istbar
17:12: Quarantining All Traces: look2me
17:12: Quarantining All Traces: purityscan
17:12: Quarantining All Traces: rbot
17:12: Quarantining All Traces: trojan downloader matcash
17:12: Quarantining All Traces: wildmedia
17:12: Quarantining All Traces: azsearch toolbar
17:12: Quarantining All Traces: blazefind
17:12: Quarantining All Traces: delfin
17:12: Quarantining All Traces: dollarrevenue
17:12: Quarantining All Traces: elitemediagroup-mediamotor
17:12: Quarantining All Traces: internetoptimizer
17:12: Quarantining All Traces: maxifiles
17:12: Quarantining All Traces: surfsidekick
17:13: Quarantining All Traces: topconverting downloader
17:13: Quarantining All Traces: trojan_backdoor_retro64
17:13: Quarantining All Traces: winad
17:13: Quarantining All Traces: zquest
17:13: Quarantining All Traces: blazefind_adstat
17:13: Quarantining All Traces: command
17:13: Quarantining All Traces: deskwizz
17:13: Quarantining All Traces: effective-i toolbar
17:13: Quarantining All Traces: findthewebsiteyouneed hijack
17:13: Quarantining All Traces: freshbar
17:13: Quarantining All Traces: mirar webband
17:13: Quarantining All Traces: targetsaver
17:14: Quarantining All Traces: topsearch
17:14: Quarantining All Traces: webhancer
17:14: Quarantining All Traces: wildflics
17:14: Quarantining All Traces: 247realmedia cookie
17:14: Quarantining All Traces: 2o7.net cookie
17:14: Quarantining All Traces: a cookie
17:14: Quarantining All Traces: about cookie
17:14: Quarantining All Traces: adrevolver cookie
17:14: Quarantining All Traces: adtech cookie
17:14: Quarantining All Traces: advertising cookie
17:14: Quarantining All Traces: adviva cookie
17:14: Quarantining All Traces: apmebf cookie
17:14: Quarantining All Traces: atlas dmt cookie
17:14: Quarantining All Traces: atwola cookie
17:14: Quarantining All Traces: bluestreak cookie
17:14: Quarantining All Traces: bs.serving-sys cookie
17:14: Quarantining All Traces: casalemedia cookie
17:14: Quarantining All Traces: delfinproject cookie
17:14: Quarantining All Traces: exitexchange cookie
17:14: Quarantining All Traces: fastclick cookie
17:14: Quarantining All Traces: maxserving cookie
17:14: Quarantining All Traces: mediaplex cookie
17:14: Quarantining All Traces: questionmarket cookie
17:14: Quarantining All Traces: realmedia cookie
17:14: Quarantining All Traces: serving-sys cookie
17:14: Quarantining All Traces: statcounter cookie
17:14: Quarantining All Traces: top-banners cookie
17:14: Quarantining All Traces: touchclarity cookie
17:14: Quarantining All Traces: tradedoubler cookie
17:14: Quarantining All Traces: tribalfusion cookie
17:14: Quarantining All Traces: whenu savenow
17:14: Quarantining All Traces: whenu save
17:14: Quarantining All Traces: winantispyware 2005
17:14: Quarantining All Traces: yieldmanager cookie
17:15: Removal process completed. Elapsed time 00:03:51
********
15:03: | Start of Session, 09 April 2006 |
15:03: Spy Sweeper started
15:07: Your spyware definitions have been updated.
15:09: | End of Session, 09 April 2006 |
 
Then one more HijackThis log. Go ahead and uninstall SpySweeper. :)

How's the system running now?
 
Here is the HijackThis log, and my system is doing well :bigthumb:

Logfile of HijackThis v1.99.1
Scan saved at 19:26:17, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\cpuidle.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark The Killer\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.50.166.14 yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [AutoUpdate] C:\Program Files\Serials3k\s3k_autoupdate.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139692815468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2728CAE1-1766-406B-A7ED-BC49E804556B}: NameServer = 194.72.0.98 194.72.9.38
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
 
That's looking clean. Glad I was able to help. :)

==

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)
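
The hosts-file behaviour described under "Prevention Programs", as an added example (not part of the original thread and not code from HijackThis or MVPS): a Python audit that separates blocklist-style entries pointing at the local machine from entries that map a name to some other address, which is what an `O1 - Hosts:` line in a HijackThis log reports. The sample hosts text is constructed, apart from the one mapping copied from the O1 line in the log above; all function names are illustrative.

```python
import ipaddress

# Constructed sample hosts file. Only the yahoo.com mapping comes from the
# page (the "O1 - Hosts:" line of the HijackThis log); the rest is made up.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ads.example.com      # blocklist-style sink entry
0.0.0.0         tracker.example.net
69.50.166.14    yahoo.com            # mapping listed on the O1 line
not-an-ip       broken.example.org
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:          # one line may map several names
            yield addr, name.lower()

def classify(addr):
    """'sink' = loopback or 0.0.0.0 (blocking), 'redirect' = any other IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    return "sink" if ip.is_loopback or ip.is_unspecified else "redirect"

def audit_hosts(text):
    """Group every mapping by class so redirects can be reviewed by hand."""
    report = {"sink": [], "redirect": [], "malformed": []}
    for addr, name in parse_hosts(text):
        report[classify(addr)].append((name, addr))
    return report

def audit_hijackthis_log(log_text):
    """Audit only the hosts mappings reported on 'O1 - Hosts:' log lines."""
    prefix = "O1 - Hosts:"
    entries = [line[len(prefix):].strip()
               for line in log_text.splitlines() if line.startswith(prefix)]
    return audit_hosts("\n".join(entries))

if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
```

Entries in the `redirect` group are the ones to check against what the user or an administrator deliberately configured; `sink` entries are what a blocklist hosts file is expected to contain.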
 
Since this issue is now resolved, this Topic has been archived. Should you need it reopened for any reason, please PM a Staff member with its address and request. This only applies to the Original poster. Glad we were able to help. :)
 