- Deleted all my system restore points while creating its own only restore point after infection
- Constantly froze explorer in a loop of stopping and restarting itself
- Changed my cookie setting in IE
- Modified several modules and services in Windows and Office
- Also started in safe mode
Please excuse my noobness, but this is the first time I have ever been infected by malware. My question is whether anyone could tell me everything this thing altered on my system, so that I can undo it and prepare my system for a reformat after safely backing up my data. I have the infected file inside of a passworded .rar, so if anyone would like to examine the file themselves I can upload it somewhere at their request. Any help would be appreciated. Thank you.
--------------------------------------------------------------------------------------------
ComboFix 08-04-22.5 - RAZOR 2008-04-24 7:28:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.721 [GMT -4:00]
Running from: C:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\CbIQWyay.ini
C:\WINDOWS\system32\CbIQWyay.ini2
C:\WINDOWS\system32\config\SAM.SAV
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-24 07:25 . 2008-04-24 07:25 1,774,233 --a------ C:\ComboFix.exe
2008-04-23 08:54 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-23 08:53 . 2008-04-23 08:54 <DIR> d-------- C:\Program Files\Java
2008-04-23 08:53 . 2008-04-23 08:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-23 07:20 . 2008-04-23 07:20 <DIR> d-------- C:\Program Files\UltraISO
2008-04-23 07:20 . 2008-04-23 07:20 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-04-23 04:42 . 2008-04-23 04:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-23 04:42 . 2008-04-23 04:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-23 02:40 . 2004-08-04 00:56 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-04-23 02:40 . 2004-08-03 22:29 1,897,408 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2008-04-23 02:40 . 2001-08-23 08:00 68,608 --a--c--- C:\WINDOWS\system32\dllcache\plugin.ocx
2008-04-23 02:31 . 2004-08-03 22:29 56,623 --a--c--- C:\WINDOWS\system32\dllcache\ati1btxx.sys
2008-04-23 02:31 . 2004-08-03 22:29 30,671 --a--c--- C:\WINDOWS\system32\dllcache\ati1raxx.sys
2008-04-23 02:31 . 2004-08-03 22:29 12,047 --a--c--- C:\WINDOWS\system32\dllcache\ati1pdxx.sys
2008-04-23 02:31 . 2004-08-03 22:29 11,615 --a--c--- C:\WINDOWS\system32\dllcache\ati1mdxx.sys
2008-04-22 15:58 . 2008-02-22 17:20 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-22 15:46 . 2008-04-22 15:47 48,020 --a------ C:\Vundo Variant (bypass).rar
2008-04-22 14:27 . 2008-04-22 14:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-22 14:27 . 2008-04-22 14:27 <DIR> d-------- C:\Documents and Settings\RAZOR\Application Data\SUPERAntiSpyware.com
2008-04-22 00:51 . 2008-04-22 00:51 <DIR> d-------- C:\Twisted Metal 2 PC (No In Game Movies Version)
2008-04-18 00:30 . 2008-04-18 00:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 00:30 . 2008-04-18 00:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 00:20 . 2008-04-18 00:24 <DIR> d-------- C:\Program Files\DirectX Happy Uninstall
2008-04-17 10:40 . 2008-04-17 10:50 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-16 22:57 . 2008-04-16 22:57 <DIR> d-------- C:\Program Files\Dragon UnPACKer 5
2008-04-14 02:46 . 2008-04-14 02:55 <DIR> d-------- C:\Program Files\Terminal Reality
2008-04-12 21:46 . 2008-04-18 05:41 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-12 21:46 . 2008-04-18 05:41 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-12 21:45 . 2008-04-12 21:45 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-12 21:45 . 2008-04-24 07:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 21:45 . 2008-04-24 07:32 20,428,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-12 21:45 . 2008-04-24 07:30 277,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-12 21:45 . 2008-04-24 07:30 213,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-12 21:45 . 2008-04-24 07:30 23,084 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-12 21:42 . 2008-04-12 21:42 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-12 21:41 . 2008-04-12 21:41 <DIR> d-------- C:\Program Files\QT Lite
2008-04-12 21:41 . 2008-04-12 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-12 21:41 . 2008-03-28 21:07 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-04-12 21:41 . 2008-03-28 21:07 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-04-12 03:50 . 2008-04-12 03:50 <DIR> d-------- C:\Documents and Settings\RAZOR\Application Data\vlc
2008-04-10 04:06 . 2008-04-11 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-09 18:01 . 2008-04-09 18:02 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-09 18:00 . 2008-04-09 18:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-06 07:37 . 2008-04-06 07:43 <DIR> d-------- C:\Program Files\DriverCleanerDotNET
2008-04-06 02:35 . 2008-04-06 02:35 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-02 14:55 . 2008-04-02 14:57 439,296 --a------ C:\Documents and Settings\RAZOR\GoToAssist_phone__317_en.exe
2008-03-30 02:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-30 02:59 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-30 00:57 . 2008-04-09 17:58 <DIR> d-------- C:\Documents and Settings\RAZOR\Application Data\OfficeUpdate12
2008-03-30 00:56 . 2008-03-30 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-30 00:30 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-30 00:26 . 2008-03-30 00:26 <DIR> dr-h----- C:\MSOCache
2008-03-29 16:09 . 2008-03-29 16:09 635 --a------ C:\WINDOWS\Dc.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 10:58 --------- d-----w C:\Documents and Settings\RAZOR\Application Data\uTorrent
2008-04-22 18:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-16 05:54 --------- d-----w C:\Documents and Settings\RAZOR\Application Data\dvdcss
2008-04-16 04:41 --------- d-----w C:\Program Files\mIRC
2008-04-12 02:17 --------- d-----w C:\Documents and Settings\RAZOR\Application Data\Spycar
2008-04-06 08:18 --------- d-----w C:\Program Files\Debugging Tools for Windows
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 18:49 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-03-10 13:16 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-10 13:16 --------- d--h--r C:\Documents and Settings\RAZOR\Application Data\SecuROM
2008-03-10 10:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 06:25 --------- d-----w C:\Program Files\CDCheck
2008-03-09 13:20 --------- d-----w C:\Program Files\CAPCOM
2008-03-09 11:39 --------- d-----w C:\Program Files\Activision
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-08 22:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-11-05 17:31 42,408 ----a-w C:\Documents and Settings\RAZOR\Application Data\GDIPFONTCACHEV1.DAT
2007-05-26 07:17 24 ----a-w C:\Documents and Settings\RAZOR\mylist.dat
2005-04-01 04:00 619 ---ha-w C:\Documents and Settings\All Users\ASPI_Verify.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]
2008-01-30 17:31 1199104 --a------ C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2005-03-18 12:50 589824]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-22 22:05 344064]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 13:12 144896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll
"vidc.davc"= davcvfw.dll
"msacm.scg726"= scg726.acm
"SENTINEL"= snti386.dll
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
R0 C2NGOV21;C2NGOV21;C:\WINDOWS\system32\drivers\C2NGOV21.sys [2004-09-09 04:28]
R1 cpuidlep;CpuIdle Pro System Driver;C:\WINDOWS\system32\drivers\cpuidlep.sys [2005-04-22 08:12]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 vdiskbus;Virtual Disk Bus;C:\WINDOWS\system32\DRIVERS\vdiskbus.sys [2005-01-13 10:06]
S1 atitray;atitray;C:\PROGRA~1\NGOATI~1\ATT\atitray.sys []
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 19:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 19:26]
S3 SaiH0109;SaiH0109;C:\WINDOWS\system32\DRIVERS\SaiH0109.sys [2004-07-26 13:54]
S3 SaiU0109;SaiU0109;C:\WINDOWS\system32\DRIVERS\SaiU0109.sys [2004-07-26 13:54]
S3 SGUARD;SGUARD;C:\WINDOWS\system32\drivers\SGuard.sys []
S3 vnndev;VNN VNC Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vnnvnic.sys [2005-05-12 17:46]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net/
Rootkit scan 2008-04-24 07:31:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\RAZOR\LOCALS~1\Temp\ASFWHide"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-04-24 7:33:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 11:33:31
Pre-Run: 55,821,217,792 bytes free
Post-Run: 55,744,593,920 bytes free
173
----------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:14 AM, on 04/24/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\RAZOR\LOCALS~1\Temp\Rar$EX00.031\HijackThis.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8411345593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6852696265
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
--
End of file - 4213 bytes
-----------------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com/
Generated 04/22/2008 at 03:12 PM
Application Version : 4.0.1154
Core Rules Database Version : 3444
Trace Rules Database Version: 1404
Scan type : Custom Scan
Total Scan Time : 00:04:35
Memory items scanned : 300
Memory threats detected : 2
Registry items scanned : 5125
Registry threats detected : 10
File items scanned : 0
File threats detected : 3
Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\CBXPIGWV.DLL
C:\WINDOWS\SYSTEM32\CBXPIGWV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}
HKCR\CLSID\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}
HKCR\CLSID\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}\InprocServer32
HKCR\CLSID\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{F50B3F5E-856E-4757-9BB1-B35D46CA7719}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\cbXPiGwV
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\YAYWQIBC.DLL
C:\WINDOWS\SYSTEM32\YAYWQIBC.DLL
Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E674ADB-39B1-4F32-90F7-B715038B4799}
HKCR\CLSID\{3E674ADB-39B1-4F32-90F7-B715038B4799}
HKCR\CLSID\{3E674ADB-39B1-4F32-90F7-B715038B4799}\InprocServer32
HKCR\CLSID\{3E674ADB-39B1-4F32-90F7-B715038B4799}\InprocServer32#ThreadingModel
Adware.Tracking Cookie
C:\Documents and Settings\RAZOR\Cookies\razor@server.iad.liveperson[2].txt
Admin edit: http://forums.spybot.info/showthread.php?t=27211