After The Spies Are Removed Some Funny Things Happening With My Ie

Shaun · December 12, 2005

Hello I got help the other day to get rid of the L2mix or whatever spyware junk. everything is great as far as that goes but it seems now all banner ads don't load neither do the song players on myspace.com. any help would be great. thanks!

Dragon · December 12, 2005

what programs, if any, from the list of suggestions ,at the end of your computer cleaning, that therock247uk gave you did you install???

Shaun · December 12, 2005

what programs, if any, from the list of suggestions ,at the end of your computer cleaning, that therock247uk gave you did you install???

I am currently running AVG, Spy Sweeper, Spyware Guard, and i was running Ewido. i have since uninstalled Ewido. in my spy sweeper shield options the common ad shield was unticked. so i dont think it was spy sweeper. I have to go and check if uninstalling Ewido fixed the problem. I defragged last night and went to bed and never checked my laptop this morning and just went to work. so i dont know if it fixed the problem. I will post in a little bit. thanks

Shaun · December 12, 2005

So i checked and still the same...banner ads dont load which isnt a bad thing persay but on myspace none of the music players load. I'm only running spysweeper...any help?

Dragon · December 12, 2005

if you can please run SpySweeper and post the log from it. I'll know more after I see that.

Shaun · December 13, 2005

if you can please run SpySweeper and post the log from it. I'll know more after I see that.

********

8:59 PM: | Start of Session, Monday, December 12, 2005 |

8:59 PM: Spy Sweeper started

8:59 PM: Sweep initiated using definitions version 582

8:59 PM: Starting Memory Sweep

9:02 PM: Memory Sweep Complete, Elapsed Time: 00:02:50

9:02 PM: Starting Registry Sweep

9:02 PM: Registry Sweep Complete, Elapsed Time:00:00:18

9:02 PM: Starting Cookie Sweep

9:02 PM: Found Spy Cookie: websponsors cookie

9:02 PM: [email protected][2].txt (ID = 3665)

9:02 PM: Found Spy Cookie: adserver cookie

9:02 PM: brandi@adserver[1].txt (ID = 2141)

9:02 PM: Found Spy Cookie: atwola cookie

9:02 PM: [email protected][1].txt (ID = 2256)

9:02 PM: brandi@atwola[1].txt (ID = 2255)

9:02 PM: Found Spy Cookie: go.com cookie

9:02 PM: brandi@go[2].txt (ID = 2728)

9:02 PM: Found Spy Cookie: franklinsurveys cookie

9:02 PM: [email protected][2].txt (ID = 2689)

9:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:06

9:02 PM: Starting File Sweep

9:06 PM: Found Adware: wfgtech

9:06 PM: a0124671.exe (ID = 203674)

9:09 PM: Found Adware: dialerplatform

9:09 PM: a0124667.ico (ID = 58328)

9:11 PM: Found Adware: look2me

9:11 PM: a0124665.exe (ID = 65721)

9:11 PM: a0124664.exe (ID = 65722)

9:25 PM: Found Adware: targetsaver

9:25 PM: a0124668.exe (ID = 193501)

9:25 PM: a0124669.dll (ID = 203552)

9:41 PM: a0124670.dll (ID = 203553)

10:06 PM: a0124657.dll (ID = 159)

10:07 PM: a0124663.dll (ID = 159)

10:08 PM: a0124662.dll (ID = 159)

10:08 PM: a0124661.dll (ID = 163672)

10:09 PM: a0124660.dll (ID = 159)

10:11 PM: a0124659.dll (ID = 159)

10:11 PM: a0124658.dll (ID = 159)

10:18 PM: Found Adware: command

10:18 PM: a0124666.vbs (ID = 185675)

10:23 PM: Found System Monitor: potentially rootkit-masked files

10:23 PM: appevent.log (ID = 0)

10:23 PM: eventlog.log (ID = 0)

10:23 PM: coreevent.log (ID = 0)

10:27 PM: File Sweep Complete, Elapsed Time: 01:24:05

10:27 PM: Full Sweep has completed. Elapsed time 01:27:31

10:27 PM: Traces Found: 24

10:35 PM: Removal process initiated

10:35 PM: Quarantining All Traces: look2me

10:35 PM: Quarantining All Traces: command

10:35 PM: Quarantining All Traces: dialerplatform

10:35 PM: Quarantining All Traces: targetsaver

10:35 PM: Quarantining All Traces: wfgtech

10:35 PM: Quarantining All Traces: adserver cookie

10:35 PM: Quarantining All Traces: atwola cookie

10:35 PM: Quarantining All Traces: franklinsurveys cookie

10:35 PM: Quarantining All Traces: go.com cookie

10:35 PM: Quarantining All Traces: websponsors cookie

10:35 PM: Removal process completed. Elapsed time 00:00:20

********

3:15 PM: | Start of Session, Friday, December 09, 2005 |

3:15 PM: Spy Sweeper started

3:15 PM: Sweep initiated using definitions version 582

3:15 PM: Starting Memory Sweep

3:16 PM: Found Adware: icannnews

3:16 PM: Detected running threat: C:\WINDOWS\system32\omesvr32.dll (ID = 83)

3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:16 PM: Detected running threat: C:\WINDOWS\system32\l2l60c3sef.dll (ID = 83)

3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:18 PM: Found Adware: wfgtech

3:18 PM: Detected running threat: C:\WINDOWS\system32\0ce80unc.dll (ID = 203552)

3:18 PM: Detected running threat: C:\WINDOWS\system32\0ce89y3o.dll (ID = 203553)

3:18 PM: Memory Sweep Complete, Elapsed Time: 00:02:38

3:18 PM: Starting Registry Sweep

3:18 PM: Found Adware: cws-aboutblank

3:18 PM: HKCR\protocols\filter\text/html\ (2 subtraces) (ID = 114343)

3:18 PM: HKLM\software\classes\protocols\filter\text/html\ (2 subtraces) (ID = 115907)

3:18 PM: Found Adware: linkmaker

3:18 PM: HKLM\software\classes\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129743)

3:18 PM: HKCR\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129750)

3:18 PM: Found Adware: minigolf

3:18 PM: HKLM\software\minigolf\ (1 subtraces) (ID = 135062)

3:18 PM: Found Adware: websearch toolbar

3:18 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/qdow.dll\ (2 subtraces) (ID = 146481)

3:18 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\qdow.dll (ID = 146496)

3:18 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)

3:18 PM: Found Adware: wildmedia

3:18 PM: HKCR\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146688)

3:18 PM: HKLM\software\classes\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146699)

3:18 PM: Found Adware: quicklink search toolbar

3:18 PM: HKCR\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359437)

3:18 PM: HKLM\software\classes\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359440)

3:18 PM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 359448)

3:18 PM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 359449)

3:18 PM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359450)

3:18 PM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359451)

3:18 PM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 359452)

3:18 PM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 359453)

3:18 PM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359454)

3:18 PM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359455)

3:18 PM: HKLM\software\ql\ (3 subtraces) (ID = 359458)

3:18 PM: Found Adware: findthewebsiteyouneed hijacker

3:18 PM: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)

3:18 PM: Found Adware: clientman

3:18 PM: HKCR\appid\urlcli.dll\ (1 subtraces) (ID = 701476)

3:18 PM: HKLM\software\classes\appid\urlcli.dll\ (1 subtraces) (ID = 701492)

3:18 PM: HKCR\clsid\{3551784b-e99a-474f-b782-3ec814442918}\ (10 subtraces) (ID = 727328)

3:18 PM: HKLM\software\classes\clsid\{3551784b-e99a-474f-b782-3ec814442918}\ (10 subtraces) (ID = 727357)

3:18 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)

3:18 PM: Found Adware: dollarrevenue

3:18 PM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)

3:18 PM: Found Adware: command

3:18 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)

3:18 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)

3:18 PM: Found Adware: bho_sep

3:18 PM: HKU\S-1-5-18\software\sep\ (8 subtraces) (ID = 141642)

3:18 PM: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)

3:18 PM: Registry Sweep Complete, Elapsed Time:00:00:21

3:18 PM: Starting Cookie Sweep

3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:18 PM: Found Spy Cookie: abcsearch cookie

3:18 PM: brandi@abcsearch[2].txt (ID = 2033)

3:18 PM: Found Spy Cookie: adknowledge cookie

3:18 PM: brandi@adknowledge[1].txt (ID = 2072)

3:18 PM: Found Spy Cookie: hbmediapro cookie

3:18 PM: [email protected][2].txt (ID = 2768)

3:18 PM: Found Spy Cookie: adrevolver cookie

3:18 PM: brandi@adrevolver[2].txt (ID = 2088)

3:18 PM: brandi@adrevolver[3].txt (ID = 2088)

3:18 PM: Found Spy Cookie: apmebf cookie

3:18 PM: brandi@apmebf[2].txt (ID = 2229)

3:18 PM: Found Spy Cookie: ask cookie

3:18 PM: brandi@ask[1].txt (ID = 2245)

3:18 PM: Found Spy Cookie: atlas dmt cookie

3:18 PM: brandi@atdmt[1].txt (ID = 2253)

3:18 PM: Found Spy Cookie: belnk cookie

3:18 PM: [email protected][2].txt (ID = 2293)

3:18 PM: Found Spy Cookie: atwola cookie

3:18 PM: brandi@atwola[1].txt (ID = 2255)

3:18 PM: Found Spy Cookie: azjmp cookie

3:18 PM: brandi@azjmp[2].txt (ID = 2270)

3:18 PM: Found Spy Cookie: banner cookie

3:18 PM: brandi@banner[1].txt (ID = 2276)

3:18 PM: brandi@belnk[2].txt (ID = 2292)

3:18 PM: Found Spy Cookie: casalemedia cookie

3:18 PM: brandi@casalemedia[1].txt (ID = 2354)

3:18 PM: [email protected][1].txt (ID = 2293)

3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:18 PM: Found Spy Cookie: exitexchange cookie

3:18 PM: brandi@exitexchange[1].txt (ID = 2633)

3:18 PM: Found Spy Cookie: findwhat cookie

3:18 PM: brandi@findwhat[1].txt (ID = 2674)

3:18 PM: Found Spy Cookie: go.com cookie

3:18 PM: brandi@go[1].txt (ID = 2728)

3:18 PM: brandi@go[2].txt (ID = 2728)

3:18 PM: brandi@go[3].txt (ID = 2728)

3:18 PM: Found Spy Cookie: clickandtrack cookie

3:18 PM: [email protected][2].txt (ID = 2397)

3:18 PM: Found Spy Cookie: epilot cookie

3:18 PM: [email protected][2].txt (ID = 2622)

3:18 PM: Found Spy Cookie: maxserving cookie

3:18 PM: brandi@maxserving[1].txt (ID = 2966)

3:18 PM: Found Spy Cookie: nextag cookie

3:18 PM: brandi@nextag[2].txt (ID = 5014)

3:18 PM: Found Spy Cookie: paypopup cookie

3:18 PM: brandi@paypopup[2].txt (ID = 3119)

3:18 PM: Found Spy Cookie: overture cookie

3:18 PM: [email protected][1].txt (ID = 3106)

3:18 PM: Found Spy Cookie: realmedia cookie

3:18 PM: brandi@realmedia[1].txt (ID = 3235)

3:18 PM: Found Spy Cookie: reliablestats cookie

3:18 PM: [email protected][1].txt (ID = 3254)

3:18 PM: Found Spy Cookie: tradedoubler cookie

3:18 PM: brandi@tradedoubler[2].txt (ID = 3575)

3:18 PM: Found Spy Cookie: videodome cookie

3:18 PM: brandi@videodome[1].txt (ID = 3638)

3:18 PM: Found Spy Cookie: upspiral cookie

3:18 PM: [email protected][2].txt (ID = 3615)

3:18 PM: Found Spy Cookie: winantiviruspro cookie

3:18 PM: [email protected][2].txt (ID = 3690)

3:18 PM: Found Spy Cookie: xiti cookie

3:18 PM: brandi@xiti[1].txt (ID = 3717)

3:18 PM: Found Spy Cookie: zedo cookie

3:18 PM: brandi@zedo[2].txt (ID = 3762)

3:18 PM: system@go[1].txt (ID = 2728)

3:18 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03

3:18 PM: Starting File Sweep

3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:19 PM: Found Adware: 180search assistant/zango

3:19 PM: c:\windows\system32\fleok (ID = -2147480556)

3:19 PM: inst_0004[1].exe (ID = 203674)

3:19 PM: Found Adware: look2me

3:19 PM: appwrap[1].exe (ID = 65721)

3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:20 PM: bw2.com (ID = 65721)

3:20 PM: Warning: Failed to open file "c:\system volume information\_restore{1d754853-cd2b-4287-9a0d-7bec62082ded}\rp444\a0124490.exe". Access is denied

3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:21 PM: Found Adware: delfin

3:21 PM: 4df33016-45ef-4fe2-b7de-af8a87 (ID = 57725)

3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:22 PM: 52d86398-96cb-4ce7-b76e-a73936 (ID = 57716)

3:23 PM: inst_0004.exe (ID = 203674)

3:23 PM: ltndload[1].dll (ID = 203552)

3:23 PM: 0ce80unc.dll (ID = 203552)

3:23 PM: Found Adware: targetsaver

3:23 PM: tsinstall_4_0_4_0_b4.exe (ID = 193496)

3:23 PM: ltndmain[1].dll (ID = 203553)

3:23 PM: Warning: Failed to open file "c:\system volume information\_restore{1d754853-cd2b-4287-9a0d-7bec62082ded}\rp444\a0124518.exe". Access is denied

3:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:24 PM: 3d28b6d3-34d7-4ad1-b81f-919a27 (ID = 57781)

3:24 PM: mfex-16.dat (ID = 144945)

3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:25 PM: e4962307-cf35-4a28-99dc-361c44 (ID = 57718)

3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:25 PM: Found Adware: dialerplatform

3:25 PM: sportsinteraction.ico (ID = 58328)

3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:25 PM: Found Adware: purityscan

3:25 PM: a0124578.exe (ID = 73267)

3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:26 PM: a7ab5c0d-dad3-44a0-a165-6b36fe (ID = 57692)

3:26 PM: 42860d3a-a13a-42f4-b2c9-dce72f (ID = 57693)

3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:26 PM: Found Adware: ezula ilookup

3:26 PM: a0124580.exe (ID = 60560)

3:26 PM: 11c54bd5-143e-4c32-b0e2-728fa3 (ID = 87579)

3:27 PM: a0124565.exe (ID = 195128)

3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:27 PM: a0124567.exe (ID = 195131)

3:28 PM: a0124568.exe (ID = 195132)

3:28 PM: iconu.exe (ID = 65721)

3:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:28 PM: a0124521.exe (ID = 200314)

3:28 PM: icont.exe (ID = 65722)

3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:29 PM: a0124563.exe (ID = 185985)

3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:30 PM: a0124573.exe (ID = 203611)

3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:33 PM: a0124564.exe (ID = 193995)

3:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:35 PM: a0124566.exe (ID = 195130)

3:36 PM: Found Adware: addestroyer

3:36 PM: inneradinstall.log (ID = 49035)

3:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:38 PM: 0ce89y3o.dll (ID = 203553)

3:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:38 PM: appwrap[1].exe (ID = 65739)

3:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:40 PM: a0124549.dll (ID = 159)

3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:40 PM: a0124533.dll (ID = 163672)

3:40 PM: a0124644.dll (ID = 159)

3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:40 PM: a0124552.dll (ID = 163672)

3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:41 PM: 5be6719c-fb86-4119-893e-60fefd (ID = 87579)

3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:43 PM: mfex-23.dat (ID = 144945)

3:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:43 PM: Found Adware: keenvalue/perfectnav

3:43 PM: a0124512.exe (ID = 64892)

3:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:44 PM: Found Adware: whenu searchbar/pricebandit

3:44 PM: d2bd9f9d-a9f6-4552-868c-5577cf (ID = 129801)

3:44 PM: mfex-17.dat (ID = 144945)

3:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:46 PM: a0124587.dll (ID = 200308)

3:46 PM: c10699a5-b9b0-42a5-9cc8-d28d96 (ID = 129770)

3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:51 PM: appwrap[1].exe (ID = 65722)

3:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:52 PM: a0124527.dll (ID = 163672)

3:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:52 PM: mfex-24.dat (ID = 144945)

3:53 PM: a0124583.dll (ID = 163672)

3:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:53 PM: mfex-37.dat (ID = 144945)

3:54 PM: a0124586.dll (ID = 159)

3:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:54 PM: mfex-2.dat (ID = 144945)

3:54 PM: Found Adware: adtech

3:54 PM: a0124517.exe (ID = 203582)

3:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:55 PM: mfex-18.dat (ID = 144945)

3:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:58 PM: mfex-3.dat (ID = 144945)

3:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:59 PM: a0124604.dll (ID = 159)

3:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

3:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

3:59 PM: m4nqle551h.dll (ID = 159)

3:59 PM: a0124588.dll (ID = 159)

3:59 PM: a0124589.dll (ID = 163672)

4:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:00 PM: a0124520.exe (ID = 200311)

4:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:00 PM: omesvr32.dll (ID = 159)

4:00 PM: a0124645.dll (ID = 159)

4:01 PM: mfex-4.dat (ID = 144945)

4:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:01 PM: Warning: Failed to open file "c:\system volume information\_restore{1d754853-cd2b-4287-9a0d-7bec62082ded}\rp402\a0118452.exe". Access is denied

4:01 PM: tsuninst.exe (ID = 193501)

4:01 PM: class-barrel (ID = 78229)

4:01 PM: a0124576.dll (ID = 195129)

4:01 PM: vocabulary (ID = 78283)

4:01 PM: a0124574.exe (ID = 200300)

4:01 PM: Found Adware: apropos

4:01 PM: a0124572.exe (ID = 203610)

4:01 PM: a0124577.exe (ID = 200309)

4:01 PM: a0124575.exe (ID = 168558)

4:01 PM: mfex-5.dat (ID = 144945)

4:01 PM: mfex-1.dat (ID = 144946)

4:01 PM: f22m0cf1ef2.dll (ID = 159)

4:01 PM: mfex-6.dat (ID = 144945)

4:01 PM: mfex-7.dat (ID = 144945)

4:01 PM: mfex-19.dat (ID = 144945)

4:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:02 PM: mv06l9ds1.dll (ID = 159)

4:02 PM: _s02786_.tmp.dll (ID = 163672)

4:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:02 PM: eanclass.dll (ID = 159)

4:02 PM: a0124526.dll (ID = 144945)

4:02 PM: mfex-20.dat (ID = 144945)

4:03 PM: mfex-21.dat (ID = 144945)

4:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:03 PM: g422lefo1h2c.dll (ID = 159)

4:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:03 PM: f83213e9-cce7-4bed-be48-d8c0f4 (ID = 161460)

4:03 PM: 8e63125c-4582-40e2-aed2-c80f54 (ID = 129805)

4:03 PM: ccusapi.dll (ID = 159)

4:03 PM: mfex-38.dat (ID = 144946)

4:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:03 PM: mfex-8.dat (ID = 144945)

4:04 PM: a0124525.exe (ID = 144946)

4:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:06 PM: mfex-9.dat (ID = 144945)

4:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:07 PM: mfex-10.dat (ID = 144945)

4:07 PM: mfex-11.dat (ID = 144945)

4:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:07 PM: mfex-22.dat (ID = 144945)

4:07 PM: mfex-12.dat (ID = 144945)

4:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:10 PM: mfex-13.dat (ID = 144945)

4:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:10 PM: 9400[1].cab (ID = 200301)

4:10 PM: mfex-14.dat (ID = 144945)

4:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:11 PM: 782e8e34-2fa5-4547-9f93-93352b (ID = 129799)

4:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

4:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

4:12 PM: The Spy

Dragon · December 14, 2005

well it appears that something on your system is still trying to contact a-d-w-a-r-e.com

Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.

When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.

When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Shaun · December 15, 2005

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600

Internet Explorer Version: 6.0.2800.1106

Checking %SystemDrive% folder...

qoologic 12/8/2005 6:21:08 PM 11975885 C:\AVG7QT.DAT

urllogic 12/8/2005 6:21:08 PM 11975885 C:\AVG7QT.DAT

UPX! 7/2/2004 7:27:38 AM HS 518901760 C:\hiberfil.sys

FSG! 7/2/2004 7:27:38 AM HS 518901760 C:\hiberfil.sys

Umonitor 7/2/2004 7:27:38 AM HS 518901760 C:\hiberfil.sys

SAHAgent 7/2/2004 7:27:38 AM HS 518901760 C:\hiberfil.sys

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...

PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc

PEC2 8/9/2005 5:14:00 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll

PECompact2 8/9/2005 5:14:00 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll

abetterinternet.com 4/30/2004 2:29:10 PM H 12154 C:\WINDOWS\SYSTEM32\fiz0

PTech 4/30/2004 1:00:38 PM H 3066522 C:\WINDOWS\SYSTEM32\kyf.dat

PTech 8/3/2005 9:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL

UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com

abetterinternet.com 4/30/2004 2:35:34 PM H 236445 C:\WINDOWS\SYSTEM32\log.bak.txt

PECompact2 9/8/2005 8:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe

aspack 9/8/2005 8:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe

UPX! 8/22/2001 7:00:00 PM 86030 C:\WINDOWS\SYSTEM32\msdjgk.dll

Umonitor 8/29/2002 7:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll

UPX! 1/20/2005 1:47:50 PM 175616 C:\WINDOWS\SYSTEM32\strings.exe

WinShutDown 12/9/2005 2:32:12 PM 341 C:\WINDOWS\SYSTEM32\test.txt

winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Umonitor 8/29/2002 7:00:00 AM 631808 C:\WINDOWS\SYSTEM32\_002644_.tmp.dll

Umonitor 8/29/2002 7:00:00 AM 631808 C:\WINDOWS\SYSTEM32\_002795_.tmp.dll

Umonitor 8/29/2002 7:00:00 AM 631808 C:\WINDOWS\SYSTEM32\_002855_.tmp.dll

Umonitor 8/29/2002 7:00:00 AM 631808 C:\WINDOWS\SYSTEM32\_004990_.tmp.dll

Checking %System%\Drivers folder and sub-folders...

UPX! 12/8/2005 6:16:00 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

FSG! 12/8/2005 6:16:00 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

PEC2 12/8/2005 6:16:00 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

aspack 12/8/2005 6:16:00 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

127.0.0.1 www.qoologic.com

127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

12/14/2005 11:02:32 PM S 2048 C:\WINDOWS\bootstat.dat

12/12/2005 11:49:34 PM H 54156 C:\WINDOWS\QTFont.qfn

10/25/2005 10:20:42 PM H 59556 C:\WINDOWS\Downloaded Program Files\Doremi.ttf

12/14/2005 11:02:42 PM H 12288 C:\WINDOWS\system32\config\default.LOG

12/14/2005 11:02:56 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG

12/14/2005 11:02:36 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG

12/14/2005 11:04:04 PM H 118784 C:\WINDOWS\system32\config\software.LOG

12/14/2005 11:03:00 PM H 1323008 C:\WINDOWS\system32\config\system.LOG

10/24/2005 6:09:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49UZ8PIZ\desktop.ini

10/24/2005 6:09:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8167S9Q3\desktop.ini

10/24/2005 6:09:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G9YFO1IR\desktop.ini

10/24/2005 6:09:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UFMB6VUH\desktop.ini

11/29/2005 7:58:38 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\81c63a88-2e4f-4c3a-b036-f3d6c453ea2b

11/29/2005 7:58:38 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred

12/14/2005 11:01:22 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...

Microsoft Corporation 8/29/2002 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl

TOSHIBA Corp. 4/1/2003 8:17:14 PM 503808 C:\WINDOWS\SYSTEM32\HWSETUP.CPL

Intel Corporation 4/7/2003 2:14:30 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl

Microsoft Corporation 2/20/2003 8:39:50 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl

Microsoft Corporation 8/29/2002 7:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl

TOSHIBA Corporation 1/22/2003 2:12:34 PM 884736 C:\WINDOWS\SYSTEM32\TPWRSAVE.CPL

Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Microsoft Corporation 8/29/2002 5:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl

Intel Corporation 4/7/2003 2:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\igfxcpl.cpl

Checking files in %ALLUSERSPROFILE%\Startup folder...

12/3/2005 10:45:24 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

4/29/2003 12:08:10 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...

4/29/2003 4:58:02 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

12/28/2004 8:48:34 PM 766 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

9/23/2005 10:41:20 AM 3365 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...

4/29/2003 12:08:10 PM HS 84 C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...

12/3/2005 10:40:08 PM 1228 C:\Documents and Settings\Brandi\Application Data\AdobeDLM.log

4/29/2003 4:58:02 AM HS 62 C:\Documents and Settings\Brandi\Application Data\desktop.ini

12/3/2005 10:40:08 PM 0 C:\Documents and Settings\Brandi\Application Data\dm.ini

2/19/2004 8:23:14 AM 53464 C:\Documents and Settings\Brandi\Application Data\GDIPFONTCACHEV1.DAT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

{9ACDDC9B-79DD-453B-8FCF-E1090BB7BD84} = C:\WINDOWS\system32\_Z02656_.tmp.dll

{4ACBA77A-F129-45DC-A257-200666863E5F} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu

{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu

{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper

{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing

{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}

= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}

Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

{327C2873-E90D-4c37-AA9D-10AC9BABA46C} = Easy-WebPrint : C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\system32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{53F6FCCD-9E22-4d71-86EA-6E43136192AB}

MenuText = PC Confidential :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{925DAB62-F9AC-4221-806A-057BFB1014AA}

ButtonText = PC Confidential : "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}

ButtonText = Research :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}

ButtonText = AIM : C:\Program Files\AIM\aim.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

ButtonText = Real.com :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}

ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}

Media Band = %SystemRoot%\System32\browseui.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

=

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}

=

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}

History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

00THotkey C:\WINDOWS\System32\00THotkey.exe

IgfxTray C:\WINDOWS\System32\igfxtray.exe

HotKeysCmds C:\WINDOWS\System32\hkcmd.exe

PmProxy C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

TouchED C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

Pinger c:\toshiba\ivp\ism\pinger.exe /run

Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe

TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HP Software Update C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"

AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

AIM C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe

item HP Digital Imaging Monitor

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe

item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s

item HP Image Zone Fast Start

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s

item HP Image Zone Fast Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk

backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSOEMON.EXE

item MyWebSearch Email Plugin

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk

backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSOEMON.EXE

item MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Brandi^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk

path C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk

backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

location Startup

command C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSOEMON.EXE

item MyWebSearch Email Plugin

path C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk

backup C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

location Startup

command C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSOEMON.EXE

item MyWebSearch Email Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Brandi^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk

path C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk

backup C:\WINDOWS\pss\reminder-ScanSoft Product Registration.lnkStartup

location Startup

command C:\PROGRA~1\KAI'SP~1\EREG\US\REMIND32.EXE

item reminder-ScanSoft Product Registration

path C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk

backup C:\WINDOWS\pss\reminder-ScanSoft Product Registration.lnkStartup

location Startup

command C:\PROGRA~1\KAI'SP~1\EREG\US\REMIND32.EXE

item reminder-ScanSoft Product Registration

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Brandi^Start Menu^Programs^Startup^Virtual Bouncer.lnk

path C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\Virtual Bouncer.lnk

backup C:\WINDOWS\pss\Virtual Bouncer.lnkStartup

location Startup

command C:\Program Files\VBouncer\VirtualBouncer.exe

item Virtual Bouncer

path C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\Virtual Bouncer.lnk

backup C:\WINDOWS\pss\Virtual Bouncer.lnkStartup

location Startup

command C:\Program Files\VBouncer\VirtualBouncer.exe

item Virtual Bouncer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Brandi^Start Menu^Programs^Startup^Webshots.lnk

path C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\Webshots.lnk

backup C:\WINDOWS\pss\Webshots.lnkStartup

location Startup

command C:\Program Files\Webshots\Launcher.exe /t

item Webshots

path C:\Documents and Settings\Brandi\Start Menu\Programs\Startup\Webshots.lnk

backup C:\WINDOWS\pss\Webshots.lnkStartup

location Startup

command C:\Program Files\Webshots\Launcher.exe /t

item Webshots

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\000StTHK

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item 000StTHK

hkey HKLM

command 000StTHK.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item 000StTHK

hkey HKLM

command 000StTHK.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\2ZQLKP#2WLSCTL

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item Mun8s0W

hkey HKLM

command C:\WINDOWS\System32\Mun8s0W.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item Mun8s0W

hkey HKLM

command C:\WINDOWS\System32\Mun8s0W.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item AGRSMMSG

hkey HKLM

command AGRSMMSG.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item AGRSMMSG

hkey HKLM

command AGRSMMSG.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item aim

hkey HKCU

command C:\Program Files\AIM\aim.exe -cnetwait.odl

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item aim

hkey HKCU

command C:\Program Files\AIM\aim.exe -cnetwait.odl

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Apoint

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item Apoint

hkey HKLM

command C:\Program Files\Apoint2K\Apoint.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item Apoint

hkey HKLM

command C:\Program Files\Apoint2K\Apoint.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dsi

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item dp-him

hkey HKLM

command C:\WINDOWS\System32\dp-him.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item dp-him

hkey HKLM

command C:\WINDOWS\System32\dp-him.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ezShieldProtector for Px

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ezSP_Px

hkey HKLM

command C:\WINDOWS\System32\ezSP_Px.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ezSP_Px

hkey HKLM

command C:\WINDOWS\System32\ezSP_Px.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fash

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item fash

hkey HKLM

command C:\WINDOWS\fash.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item fash

hkey HKLM

command C:\WINDOWS\fash.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hFbl5wuD

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item hFbl5wuD

hkey HKLM

command C:\documents and settings\brandi\local settings\temp\hFbl5wuD.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item hFbl5wuD

hkey HKLM

command C:\documents and settings\brandi\local settings\temp\hFbl5wuD.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item hpcmpmgr

hkey HKLM

command "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item hpcmpmgr

hkey HKLM

command "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item iTunesHelper

hkey HKLM

command C:\Program Files\iTunes\iTunesHelper.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item iTunesHelper

hkey HKLM

command C:\Program Files\iTunes\iTunesHelper.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoneyAgent

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item Money Express

hkey HKCU

command "C:\Program Files\Microsoft Money\System\Money Express.exe"

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item Money Express

hkey HKCU

command "C:\Program Files\Microsoft Money\System\Money Express.exe"

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item MsnMsgr

hkey HKCU

command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item MsnMsgr

hkey HKCU

command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MyWebSearch Email Plugin

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item mwsoemon

hkey HKLM

command C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item mwsoemon

hkey HKLM

command C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nyvxsc

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item nyvxsc

hkey HKLM

command C:\WINDOWS\System32\nyvxsc.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item nyvxsc

hkey HKLM

command C:\WINDOWS\System32\nyvxsc.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item qttask

hkey HKLM

command "C:\Program Files\QuickTime\qttask.exe" -atboottime

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item qttask

hkey HKLM

command "C:\Program Files\QuickTime\qttask.exe" -atboottime

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item RealPlay

hkey HKLM

command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item RealPlay

hkey HKLM

command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\stddgwkxyto

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item laesbpfl

hkey HKLM

command C:\WINDOWS\System32\laesbpfl.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item laesbpfl

hkey HKLM

command C:\WINDOWS\System32\laesbpfl.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item SNDMon

hkey HKLM

command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item SNDMon

hkey HKLM

command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TFNF5

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item TFNF5

hkey HKLM

command TFNF5.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item TFNF5

hkey HKLM

command TFNF5.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Tpwrtray

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item TPWRTRAY

hkey HKLM

command TPWRTRAY.EXE

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item TPWRTRAY

hkey HKLM

command TPWRTRAY.EXE

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\z

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item z

hkey HKLM

command C:\documents and settings\brandi\local settings\temp\z.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item z

hkey HKLM

command C:\documents and settings\brandi\local settings\temp\z.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

system.ini 0

win.ini 0

bootini 0

services 0

startup 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\System32\userinit.exe,

Shell = Explorer.exe

System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui

= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier

= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif

= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs

WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 12/15/2005 2:17:24 AM

Dragon · December 15, 2005

hi Shaun,

Well it seems that you may not have been totaly clean after all. Sometimes it's hard to figure out what kind of infections we are dealing with, because they can hide themselves well with other signs of infections.

Download the Hoster Here

Please do not use program yet

Unzip Hoster to your desktop

Next,

Please download LQfix.exe from one of the following locations:

http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exeSave it to your desktop.
Double-Click LQfix.exe and click Next > Next > Install.
Leave the default settings, if you change them, the fix will Fail!
You need an active Internet Connection, so make sure your you're not blocking any connection now.
Now make sure the "Launch LQfix" box is checked.
Click the Finish button, after clicking the Finish button the fix will start.
Follow the on-screen prompts.
Your system will reboot afterwards.
Please be patient after the reboot, there is a script running in the background that needs to complete.

Open up the Hoster program.

Make sure that the "make hosts writable?" button in the upper right corner is enabled.
Click back up Host files
then click Restore orginal host files
close program

Then reboot into safe mode and do a scan with WinPfind then post the new log by using Add Reply

Edited December 15, 2005 by Dragon

Shaun · December 16, 2005