OK Ameteur, I had a few problems, so I will list them first and then post the logs...
1. BFU.exe: when going to
http://metallica.geekstogo.com/alcanshorty.bfu I got "cannot find server". I tried on my system at home and got the same message, so the server was down and I couldn't run it. I did run it the next day and it was OK, but it is out of sequence from the list, as this was the last action now.
2. Installed Webroot Spy Sweeper, configured it as stated and ran a sweep. After about 1.5 hrs it locked up on a system restore file, C:\system volume information\_restore{ddeb55e-599c-4763-b3e7-b0d3854aa86c}a0034896.ini.
I left it for 1 hr with no progress. I rebooted the system, then started again, and it locked up again on a system restore file. I had to check the "Do not sweep Restore folder" option; it then ran through and I was able to clean the infections. I ran HijackThis again, and here are the three logs requested.....
Logfile of HijackThis v1.99.1
Scan saved at 18:11:31, on 23/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hyjackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - blank (file missing)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE97A420-5821-4027-A895-C25E13EDA91C}: NameServer = 80.225.252.178 80.225.252.186
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Look2Me-Destroyer V1.0.11
Scanning for infected files.....
Scan started at 22/03/2006 09:03:05
Infected! C:\WINDOWS\system32\dnrs0197e.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029353.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029356.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029512.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029513.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029514.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029515.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0030083.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042437.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042442.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043234.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043236.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043237.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043297.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043604.dll
Infected! C:\WINDOWS\system32\dnrs0197e.dll
Infected! C:\WINDOWS\system32\ktr6l79s1.dll
Infected! C:\WINDOWS\system32\lvl2093oe.dll
Infected! C:\WINDOWS\system32\mlvidc32.dll
Infected! C:\WINDOWS\system32\rPsdlg.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\dnrs0197e.dll
C:\WINDOWS\system32\dnrs0197e.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029353.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029353.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029356.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029356.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029512.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029512.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029513.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029513.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029514.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029514.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029515.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029515.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0030083.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0030083.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042437.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042437.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042442.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042442.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043234.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043234.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043236.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043236.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043237.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043237.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043297.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043297.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043604.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043604.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dnrs0197e.dll
C:\WINDOWS\system32\dnrs0197e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\ktr6l79s1.dll
C:\WINDOWS\system32\ktr6l79s1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\lvl2093oe.dll
C:\WINDOWS\system32\lvl2093oe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mlvidc32.dll
C:\WINDOWS\system32\mlvidc32.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\rPsdlg.dll
C:\WINDOWS\system32\rPsdlg.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{454F3E6E-409B-44FF-9493-5325E2AAA450}"
HKCR\Clsid\{454F3E6E-409B-44FF-9493-5325E2AAA450}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D78DF933-FB5E-45FB-BC37-46E3AB20A43F}"
HKCR\Clsid\{D78DF933-FB5E-45FB-BC37-46E3AB20A43F}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F6A31C8B-98DE-4572-B097-DA3AC309C118}"
HKCR\Clsid\{F6A31C8B-98DE-4572-B097-DA3AC309C118}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FE81359C-C5FA-4FF3-A224-CA1B5F30B50E}"
HKCR\Clsid\{FE81359C-C5FA-4FF3-A224-CA1B5F30B50E}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
********
12:26: | Start of Session, 23 March 2006 |
12:26: Spy Sweeper started
12:26: Sweep initiated using definitions version 638
12:26: Found Adware: zquest
12:26: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\inprocserver32\ (2 subtraces) (ID = 1209096)
12:26: DH.dll (ID = 1209096)
12:26: Starting Memory Sweep
12:28: Memory Sweep Complete, Elapsed Time: 00:01:39
12:28: Starting Registry Sweep
12:28: Found Adware: command
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
12:28: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
12:28: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
12:28: Found Adware: dollarrevenue
12:28: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
12:28: Found Adware: maxifiles
12:28: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
12:28: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
12:28: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
12:28: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
12:28: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
12:28: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
12:28: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
12:28: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
12:28: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
12:28: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
12:28: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
12:28: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
12:28: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (1 subtraces) (ID = 1156519)
12:28: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
12:28: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
12:28: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
12:28: Found Adware: surfsidekick
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
12:28: Found Adware: findthewebsiteyouneed hijack
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
12:28: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
12:28: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\director\ || baseurl (ID = 980277)
12:28: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
12:28: Registry Sweep Complete, Elapsed Time:00:00:09
12:28: Starting Cookie Sweep
12:28: Found Spy Cookie: 2o7.net cookie
12:28: robert@microsoftwga.112.2o7[1].txt (ID = 1958)
12:28: Cookie Sweep Complete, Elapsed Time: 00:00:02
12:28: Starting File Sweep
12:28: Found Trojan Horse: trojan downloader matcash
12:28: c:\program files\common files\inetget (ID = -2147477182)
12:28: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
12:28: c:\program files\outlook (1 subtraces) (ID = -2147454834)
12:28: Found Adware: webhancer
12:28: c:\program files\whinstall (ID = -2147480064)
12:29: installer[1].exe (ID = 231664)
12:29: cmdinst.exe (ID = 231664)
12:30: ss1001.exe (ID = 216718)
12:31: autoit3.exe (ID = 185254)
12:31: basis.xml (ID = 244764)
12:31: Found Adware: look2me
12:31: installer.exe (ID = 168558)
12:31: atmtd.dll (ID = 166754)
12:32: atmtd.dll._ (ID = 166754)
12:33: sskknwrd.dll (ID = 77733)
12:37: ss1001[1].exe (ID = 216718)
12:37: uninstall_nmon.vbs (ID = 231442)
12:39: dr140306[1].exe (ID = 267188)
12:39: whcc2.exe (ID = 267157)
12:40: freeprodtb.exe (ID = 244762)
12:40: freeprodtb[1].exe (ID = 244762)
12:40: Found Adware: targetsaver
12:40: tsupdate2[1].ini (ID = 193498)
12:41: class-barrel (ID = 78229)
12:41: vocabulary (ID = 78283)
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0000:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0001:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0100:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0101:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0200:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0201:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.reph:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.repi:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.rept:kavichs". Access is denied
12:43: Found Trojan Horse: sdbot
12:43: adiras.ini (ID = 74768)
14:19: File Sweep Complete, Elapsed Time: 01:50:45
14:19: Full Sweep has completed. Elapsed time 01:52:46
14:19: Traces Found: 254
18:02: Removal process initiated
18:02: Quarantining All Traces: look2me
18:02: Quarantining All Traces: sdbot
18:02: Quarantining All Traces: trojan downloader matcash
18:02: Quarantining All Traces: dollarrevenue
18:02: Quarantining All Traces: maxifiles
18:02: Quarantining All Traces: surfsidekick
18:02: Quarantining All Traces: zquest
18:02: Quarantining All Traces: command
18:02: Quarantining All Traces: findthewebsiteyouneed hijack
18:02: Quarantining All Traces: targetsaver
18:02: Quarantining All Traces: webhancer
18:02: Quarantining All Traces: 2o7.net cookie
18:02: Removal process completed. Elapsed time 00:00:44
********
09:47: | Start of Session, 23 March 2006 |
09:47: Spy Sweeper started
09:47: Sweep initiated using definitions version 638
09:47: Found Adware: zquest
09:47: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\inprocserver32\ (2 subtraces) (ID = 1209096)
09:47: DH.dll (ID = 1209096)
09:47: Starting Memory Sweep
09:48: Memory Sweep Complete, Elapsed Time: 00:01:34
09:48: Starting Registry Sweep
09:49: Found Adware: command
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
09:49: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
09:49: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
09:49: Found Adware: dollarrevenue
09:49: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
09:49: Found Adware: maxifiles
09:49: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
09:49: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
09:49: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
09:49: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
09:49: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
09:49: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
09:49: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
09:49: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
09:49: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
09:49: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
09:49: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
09:49: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
09:49: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (1 subtraces) (ID = 1156519)
09:49: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
09:49: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
09:49: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
09:49: Found Adware: surfsidekick
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
09:49: Found Adware: findthewebsiteyouneed hijack
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
09:49: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
09:49: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\director\ || baseurl (ID = 980277)
09:49: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
09:49: Registry Sweep Complete, Elapsed Time:00:00:09
09:49: Starting Cookie Sweep
09:49: Found Spy Cookie: 2o7.net cookie
09:49: robert@microsoftwga.112.2o7[1].txt (ID = 1958)
09:49: Cookie Sweep Complete, Elapsed Time: 00:00:02
09:49: Starting File Sweep
09:49: Found Trojan Horse: trojan downloader matcash
09:49: c:\program files\outlook (1 subtraces) (ID = -2147454834)
09:49: c:\program files\common files\inetget (ID = -2147477182)
09:49: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
09:49: Found Adware: webhancer
09:49: c:\program files\whinstall (ID = -2147480064)
09:49: installer[1].exe (ID = 231664)
09:49: a0042406.vbs (ID = 231442)
09:49: cmdinst.exe (ID = 231664)
09:49: a0029454.exe (ID = 184143)
09:49: a0029511.dll (ID = 144945)
09:49: a0029474.exe (ID = 216718)
09:50: whcc2.exe (ID = 267157)
09:50: a0043233.exe (ID = 267188)
09:51: a0029737.exe (ID = 267157)
09:51: ss1001.exe (ID = 216718)
09:51: a0029442.exe (ID = 246327)
09:52: autoit3.exe (ID = 185254)
09:52: basis.xml (ID = 244764)
09:53: a0029008.dll (ID = 244763)
09:53: Found Adware: look2me
09:53: installer.exe (ID = 168558)
09:53: atmtd.dll (ID = 166754)
09:53: a0029318.exe (ID = 144946)
09:54: atmtd.dll._ (ID = 166754)
09:54: a0029452.exe (ID = 185254)
09:54: a0029080.dll (ID = 144945)
09:55: sskknwrd.dll (ID = 77733)
09:55: a0029645.exe (ID = 244762)
09:55: a0028644.exe (ID = 212828)
09:56: a0029835.exe (ID = 212828)
09:56: a0032170.exe (ID = 184143)
09:58: a0029929.exe (ID = 231443)
09:59: a0029503.exe (ID = 267188)
10:00: a0029510.exe (ID = 144946)
10:00: ss1001[1].exe (ID = 216718)
10:00: a0030049.config (ID = 212361)
10:01: uninstall_nmon.vbs (ID = 231442)
10:03: a0032168.exe (ID = 185254)
10:03: a0028649.exe (ID = 212830)
10:03: a0030790.dll (ID = 244763)
10:04: a0030046.exe (ID = 212831)
10:05: a0029840.exe (ID = 212830)
10:05: a0029473.exe (ID = 168558)
10:05: dr140306[1].exe (ID = 267188)
10:05: a0029349.dll (ID = 144945)
10:07: a0036833.exe (ID = 168558)
10:07: a0039269.dll (ID = 166754)
10:07: a0042827.exe (ID = 212830)
10:08: a0029451.config (ID = 212361)
10:08: a0029450.exe (ID = 212831)
10:09: freeprodtb[1].exe (ID = 244762)
10:09: freeprodtb.exe (ID = 244762)
10:09: Found Adware: targetsaver
10:09: tsupdate2[1].ini (ID = 193498)
10:10: class-barrel (ID = 78229)
10:10: vocabulary (ID = 78283)
10:11: a0029477.dll (ID = 166754)
10:12: a0029059.exe (ID = 144946)
10:14: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\sfdb.dat:kavichs". Access is denied
10:16: Found Trojan Horse: sdbot
10:16: adiras.ini (ID = 74768)
10:16: a0029447.bat (ID = 212353)
10:16: a0029449.config (ID = 212358)
10:16: a0030043.bat (ID = 212353)
10:16: a0030045.config (ID = 212358)
10:16: a0034896.ini (ID = 74768)
********
11:45: | Start of Session, 22 March 2006 |
11:45: Spy Sweeper started
11:45: Sweep initiated using definitions version 638
11:45: Found Adware: zquest
11:45: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\inprocserver32\ (2 subtraces) (ID = 1209096)
11:45: DH.dll (ID = 1209096)
11:45: Starting Memory Sweep
11:47: Memory Sweep Complete, Elapsed Time: 00:01:39
11:47: Starting Registry Sweep
11:47: Found Adware: command
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
11:47: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
11:47: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
11:47: Found Adware: dollarrevenue
11:47: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
11:47: Found Adware: maxifiles
11:47: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
11:47: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
11:47: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
11:47: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
11:47: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
11:47: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
11:47: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
11:47: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
11:47: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
11:47: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
11:47: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
11:47: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
11:47: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (1 subtraces) (ID = 1156519)
11:47: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
11:47: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
11:47: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
11:47: Found Adware: surfsidekick
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
11:47: Found Adware: findthewebsiteyouneed hijack
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
11:47: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
11:47: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\director\ || baseurl (ID = 980277)
11:47: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
11:47: Registry Sweep Complete, Elapsed Time:00:00:09
11:47: Starting Cookie Sweep
11:47: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:47: Starting File Sweep
11:47: Found Trojan Horse: trojan downloader matcash
11:47: c:\program files\outlook (1 subtraces) (ID = -2147454834)
11:47: c:\program files\common files\inetget (ID = -2147477182)
11:47: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
11:47: Found Adware: webhancer
11:47: c:\program files\whinstall (ID = -2147480064)
11:47: installer[1].exe (ID = 231664)
11:47: a0042406.vbs (ID = 231442)
11:47: cmdinst.exe (ID = 231664)
11:47: a0029454.exe (ID = 184143)
11:47: a0029511.dll (ID = 144945)
11:47: a0029474.exe (ID = 216718)
11:48: whcc2.exe (ID = 267157)
11:48: a0043233.exe (ID = 267188)
11:49: a0029737.exe (ID = 267157)
11:49: ss1001.exe (ID = 216718)
11:49: a0029442.exe (ID = 246327)
11:50: autoit3.exe (ID = 185254)
11:50: basis.xml (ID = 244764)
11:51: a0029008.dll (ID = 244763)
11:51: Found Adware: look2me
11:51: installer.exe (ID = 168558)
11:51: atmtd.dll (ID = 166754)
11:51: a0029318.exe (ID = 144946)
11:52: atmtd.dll._ (ID = 166754)
11:52: a0029452.exe (ID = 185254)
11:52: a0029080.dll (ID = 144945)
11:53: sskknwrd.dll (ID = 77733)
11:53: a0029645.exe (ID = 244762)
11:54: a0028644.exe (ID = 212828)
11:54: a0029835.exe (ID = 212828)
11:54: a0032170.exe (ID = 184143)
11:56: a0029929.exe (ID = 231443)
11:57: a0029503.exe (ID = 267188)
11:58: a0029510.exe (ID = 144946)
11:59: ss1001[1].exe (ID = 216718)
11:59: a0030049.config (ID = 212361)
11:59: uninstall_nmon.vbs (ID = 231442)
12:00: a0032168.exe (ID = 185254)
12:01: a0028649.exe (ID = 212830)
12:01: a0030790.dll (ID = 244763)
12:01: a0030046.exe (ID = 212831)
12:01: a0029840.exe (ID = 212830)
12:01: a0029473.exe (ID = 168558)
12:02: dr140306[1].exe (ID = 267188)
12:02: a0029349.dll (ID = 144945)
12:02: a0036833.exe (ID = 168558)
12:02: a0039269.dll (ID = 166754)
12:03: a0042827.exe (ID = 212830)
12:03: a0029451.config (ID = 212361)
12:03: a0029450.exe (ID = 212831)
12:03: freeprodtb[1].exe (ID = 244762)
12:03: freeprodtb.exe (ID = 244762)
12:04: Found Adware: targetsaver
12:04: tsupdate2[1].ini (ID = 193498)
12:05: class-barrel (ID = 78229)
12:05: vocabulary (ID = 78283)
12:06: a0029477.dll (ID = 166754)
12:06: a0029059.exe (ID = 144946)
12:11: Found Trojan Horse: sdbot
12:11: adiras.ini (ID = 74768)
12:11: a0029447.bat (ID = 212353)
12:11: a0029449.config (ID = 212358)
12:11: a0030043.bat (ID = 212353)
12:11: a0030045.config (ID = 212358)
12:11: a0034896.ini (ID = 74768)
22:12: Sweep Canceled
********
09:15: | Start of Session, 22 March 2006 |
09:15: Spy Sweeper started
09:15: Sweep initiated using definitions version 638
09:15: Found Adware: zquest
09:15: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\inprocserver32\ (2 subtraces) (ID = 1209096)
09:15: DH.dll (ID = 1209096)
09:15: Starting Memory Sweep
09:17: Memory Sweep Complete, Elapsed Time: 00:01:41
09:17: Starting Registry Sweep
09:17: Found Adware: command
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
09:17: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
09:17: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
09:17: Found Adware: dollarrevenue
09:17: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
09:17: Found Adware: maxifiles
09:17: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
09:17: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
09:17: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
09:17: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
09:17: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
09:17: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
09:17: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
09:17: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
09:17: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
09:17: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
09:17: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
09:17: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
09:17: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (1 subtraces) (ID = 1156519)
09:17: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
09:17: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
09:17: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
09:17: Found Adware: surfsidekick
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
09:17: Found Adware: findthewebsiteyouneed hijack
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
09:17: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
09:17: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\director\ || baseurl (ID = 980277)
09:17: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
09:17: Registry Sweep Complete, Elapsed Time:00:00:10
09:17: Starting Cookie Sweep
09:17: Cookie Sweep Complete, Elapsed Time: 00:00:00
09:17: Starting File Sweep
09:17: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
09:17: Found Trojan Horse: trojan downloader matcash
09:17: c:\program files\common files\inetget (ID = -2147477182)
09:17: c:\program files\outlook (1 subtraces) (ID = -2147454834)
09:17: Found Adware: webhancer
09:17: c:\program files\whinstall (ID = -2147480064)
09:17: installer[1].exe (ID = 231664)
09:17: a0042406.vbs (ID = 231442)
09:17: cmdinst.exe (ID = 231664)
09:17: a0029454.exe (ID = 184143)
09:17: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030583.exe". The operation completed successfully
09:18: a0029511.dll (ID = 144945)
09:18: a0029474.exe (ID = 216718)
09:18: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030569.exe". The operation completed successfully
09:19: a0029504.exe (ID = 190798)
09:19: whcc2.exe (ID = 267157)
09:19: a0043233.exe (ID = 267188)
09:20: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0042608.exe". The operation completed successfully
09:21: a0029737.exe (ID = 267157)
09:21: ss1001.exe (ID = 216718)
09:21: a0029442.exe (ID = 246327)
09:23: autoit3.exe (ID = 185254)
09:24: basis.xml (ID = 244764)
09:24: a0028919.exe (ID = 268082)
09:25: a0029008.dll (ID = 244763)
09:25: Found Adware: look2me
09:25: installer.exe (ID = 168558)
09:25: atmtd.dll (ID = 166754)
09:25: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030420.exe". The operation completed successfully
09:26: a0029318.exe (ID = 144946)
09:27: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030449.exe". The operation completed successfully
09:28: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030589.exe". The operation completed successfully
09:28: atmtd.dll._ (ID = 166754)
09:28: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030539.exe". The operation completed successfully
09:29: a0029452.exe (ID = 185254)
09:29: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030761.exe". The operation completed successfully
09:30: a0029080.dll (ID = 144945)
09:30: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030473.exe". The operation completed successfully
09:31: a0028659.exe (ID = 190798)
09:31: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030451.exe". The operation completed successfully
09:32: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030659.exe". The operation completed successfully
09:33: sskknwrd.dll (ID = 77733)
09:34: a0029645.exe (ID = 244762)
09:35: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030728.exe". The operation completed successfully
09:35: a0028644.exe (ID = 212828)
09:35: a0028916.exe (ID = 268081)
09:36: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030675.exe". The operation completed successfully
09:36: a0029835.exe (ID = 212828)
09:36: a0032170.exe (ID = 184143)
09:36: a0029436.exe (ID = 185985)
09:37: Warning: Failed to read file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0029505.exe". The operation completed successfully
09:38: a0028920.exe (ID = 268083)
09:38: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030484.exe". The operation completed successfully
09:40: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030545.exe". The operation completed successfully
09:40: a0029173.exe (ID = 268083)
09:41: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030573.exe". The operation completed successfully
09:43: a0029929.exe (ID = 231443)
09:44: a0029503.exe (ID = 267188)
09:44: a0029170.exe (ID = 268081)
09:47: a0029510.exe (ID = 144946)
09:48: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030424.exe". The operation completed successfully
09:48: ss1001[1].exe (ID = 216718)
09:48: a0030049.config (ID = 212361)
09:49: uninstall_nmon.vbs (ID = 231442)
09:50: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030486.exe". The operation completed successfully
09:52: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030393.exe". The operation completed successfully
09:53: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030527.exe". The operation completed successfully
09:53: a0032168.exe (ID = 185254)
09:54: a0028649.exe (ID = 212830)
09:55: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030711.exe". The operation completed successfully
09:56: a0030790.dll (ID = 244763)
09:57: Warning: Failed to read file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0029172.exe". The operation completed successfully
09:57: a0030046.exe (ID = 212831)
09:58: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030694.exe". The operation completed successfully
09:59: a0029840.exe (ID = 212830)
09:59: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030688.exe". The operation completed successfully
10:00: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030751.exe". The operation completed successfully
10:00: a0029473.exe (ID = 168558)
10:01: dr140306[1].exe (ID = 267188)
10:01: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030233.exe". The operation completed successfully
10:01: a0029349.dll (ID = 144945)
10:03: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030302.exe". The operation completed successfully
10:03: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030663.exe". The operation completed successfully
10:04: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030733.exe". The operation completed successfully
10:04: a0036833.exe (ID = 168558)
10:05: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030778.exe". The operation completed successfully
10:06: a0039269.dll (ID = 166754)
10:07: Found Adware: targetsaver
10:07: a0029435.exe (ID = 193995)
10:07: a0042827.exe (ID = 212830)
10:08: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030491.exe". The operation completed successfully
10:09: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030665.exe". The operation completed successfully
10:12: a0029451.config (ID = 212361)
10:12: a0029450.exe (ID = 212831)
10:12: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030575.exe". The operation completed successfully
10:12: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030338.exe". The operation completed successfully
10:13: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030283.exe". The operation completed successfully
10:14: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030713.exe". The operation completed successfully
10:15: freeprodtb[1].exe (ID = 244762)
10:15: freeprodtb.exe (ID = 244762)
10:15: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030754.exe". The operation completed successfully
10:16: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030621.exe". The operation completed successfully
10:16: tsupdate2[1].ini (ID = 193498)
10:17: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030679.exe". The operation completed successfully
10:17: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030623.exe". The operation completed successfully
10:19: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\andre\shared\_\wallace and gromit the curse of the were-rabbit (2005) ntsc dts .avi.exe". The operation completed successfully
10:20: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030340.exe". The operation completed successfully
10:22: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\andre\shared\_\the young punx - dance with someone else (vocal-edit).mp3.exe". The operation completed successfully
10:23: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\andre\shared\_\tiesto - just be.mp3.exe". The operation completed successfully
10:23: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030653.exe". The operation completed successfully
10:24: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030333.exe". The operation completed successfully
10:25: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030780.exe". The operation completed successfully
10:26: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030235.exe". The operation completed successfully
10:27: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030721.exe". The operation completed successfully
10:29: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030649.exe". The operation completed successfully
10:31: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030690.exe". The operation completed successfully
10:31: class-barrel (ID = 78229)
10:31: vocabulary (ID = 78283)
10:32: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030700.exe". The operation completed successfully
10:33: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030566.exe". The operation completed successfully
10:33: a0029477.dll (ID = 166754)
10:33: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030582.exe". The operation completed successfully
10:35: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030371.exe". The operation completed successfully
10:36: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030633.exe". The operation completed successfully
10:38: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030405.exe". The operation completed successfully
10:40: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030316.exe". The operation completed successfully
10:40: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030757.exe". The operation completed successfully
10:41: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030356.exe". The operation completed successfully
10:42: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030768.exe". The operation completed successfully
10:43: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030725.exe". The operation completed successfully
10:43: a0029059.exe (ID = 144946)
10:44: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030407.exe". The operation completed successfully
10:45: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030691.exe". The operation completed successfully
10:45: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030547.exe". The operation completed successfully
10:46: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030384.exe". The operation completed successfully
10:48: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030704.exe". The operation completed successfully
10:49: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030258.exe". The operation completed successfully
10:50: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030746.exe". The operation completed successfully
10:51: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030259.exe". The operation completed successfully
10:51: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030261.exe". The operation completed successfully
10:54: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030435.exe". The operation completed successfully
10:54: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030227.exe". The operation completed successfully
10:55: Warning: Failed to open file "c:\documents and settings\andre\shared\_\queen - princes of the universe.mp3.exe:kavichs". Access is denied
10:55: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\policy\policy.dat:kavichs". Access is denied
10:55: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\sfdb.dat:kavichs". Access is denied
10:55: Warning: Failed to open file "c:\documents and settings\andre\shared\_\tiger trap - words and smiles.mp3.exe:kavichs". Access is denied
10:57: Warning: Failed to open file "c:\documents and settings\andre\shared\_\hot chip - crap kraft dinner.mp3.exe:kavichs". Access is denied
11:07: Found Trojan Horse: sdbot
11:07: adiras.ini (ID = 74768)
11:07: a0029447.bat (ID = 212353)
11:07: a0029449.config (ID = 212358)
11:07: a0030043.bat (ID = 212353)
11:07: a0030045.config (ID = 212358)
11:07: a0034896.ini (ID = 74768)
11:36: Sweep Canceled
11:43: Updating spyware definitions
11:43: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
11:45: | End of Session, 22 March 2006 |
********
09:11: | Start of Session, 22 March 2006 |
09:11: Spy Sweeper started
09:12: Updating spyware definitions
09:12: Your spyware definitions have been updated.
09:15: | End of Session, 22 March 2006 |
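A few things in the Spy Sweeper log above are worth pulling out before deciding what to clean: almost all of the file hits are `a00xxxxx.*` names, which are System Restore's renamed copies under `\_restore{GUID}\RP76` (that is also where the sweep spent its time and where the earlier run locked up); the `.mp3.exe` and `.avi.exe` files in `Documents and Settings\andre\shared\_` are executables carrying a media extension in front of the real one, a classic file-sharing lure; and the `:kavichs` suffix on the "Access is denied" warnings is an NTFS alternate data stream written by Kaspersky Anti-Virus as its checksum cache, so it marks where the sweeper could not look rather than an infection. The script below is an added example, not Spy Sweeper code or anything from the poster: it parses the `HH:MM: message` format shown above, groups each detection under the `Found <type>: <family>` line that precedes it, counts the restore-point copies, and tags the paths from Warning lines. The tag names, the double-extension list, and the `(mid-session)` label for a log excerpt that starts without a session header (as the first log above does) are this script's own choices; the sample input is an abridged excerpt of the log above.

```python
"""Triage a Webroot Spy Sweeper session log in the format pasted above. Added example, not
Spy Sweeper code: detections are grouped under the preceding "Found <type>: <family>" line,
a00nnnnn.* hits are counted as System Restore copies, paths in Warning lines are tagged
(tag names and the double-extension list are this script's own choices)."""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(\d{2}:\d{2}): (.*)$")
SESSION_RE = re.compile(r"^\| Start of Session, (.+) \|$")
FOUND_RE = re.compile(r"^Found ([^:]+): (.+)$")
DETECT_RE = re.compile(r"^(.*?)(?: \(\d+ subtraces\))? \(ID = -?\d+\)$")
WARN_PATH_RE = re.compile(r'"([^"]+)"')
RESTORE_DIR_RE = re.compile(r"\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I)
RESTORE_COPY_RE = re.compile(r"^a\d{7}\.\S+$", re.I)  # System Restore renames its copies to A00nnnnn.ext
# A media/document extension in front of an executable one: the classic P2P-share lure.
DOUBLE_EXT_RE = re.compile(r"\.(mp3|avi|mpg|wmv|jpg|pdf|doc|zip)\.(exe|scr|com|bat|pif)$", re.I)

@dataclass
class Session:
    started: str
    definitions: str = ""
    canceled: bool = False
    detections: dict = field(default_factory=dict)  # "type: family" -> hit count
    restore_copies: int = 0
    flags: list = field(default_factory=list)  # (tag, path) pairs from Warning lines

def split_ads(path):
    """Split "c:\\dir\\file.ext:stream" into (path, stream); stream is "" when absent."""
    head, sep, tail = path.rpartition(":")
    if sep and len(head) > 2 and tail and "\\" not in tail:
        return head, tail
    return path, ""

def classify_path(path):
    """Tags for a path from a Warning line; empty list when nothing stands out."""
    base, stream = split_ads(path)
    tags = []
    if stream:  # e.g. ":kavichs", Kaspersky's checksum cache: unreadable to the sweeper, not malicious by itself
        tags.append("alternate_data_stream")
    if DOUBLE_EXT_RE.search(base):
        tags.append("double_extension")
    if RESTORE_DIR_RE.search(base):
        tags.append("restore_point")
    return tags

def parse_log(text):
    """Return one Session per "| Start of Session |" block, in log order."""
    sessions, cur, family = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "********" separators and blank lines
        msg = m.group(2)
        s = SESSION_RE.match(msg)
        if s or cur is None:  # the first log above begins mid-session
            cur, family = Session(started=s.group(1) if s else "(mid-session)"), None
            sessions.append(cur)
        f, d = FOUND_RE.match(msg), DETECT_RE.match(msg)
        if msg.startswith("Sweep initiated using definitions version "):
            cur.definitions = msg.rsplit(" ", 1)[1]
        elif msg == "Sweep Canceled":
            cur.canceled = True
        elif msg.startswith("Warning:"):
            w = WARN_PATH_RE.search(msg)
            if w:
                cur.flags += [(tag, w.group(1)) for tag in classify_path(w.group(1))]
        elif f:
            family = f"{f.group(1)}: {f.group(2)}"
            cur.detections.setdefault(family, 0)
        elif d and family:
            cur.detections[family] += 1
            cur.restore_copies += bool(RESTORE_COPY_RE.match(d.group(1)))
    return sessions

# Abridged excerpt of the log above, kept to a few representative lines.
SAMPLE_LOG = r"""09:15: | Start of Session, 22 March 2006 |
09:15: Sweep initiated using definitions version 638
09:17: Found Adware: maxifiles
09:17: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
09:17: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
09:17: Found Trojan Horse: trojan downloader matcash
09:17: a0029454.exe (ID = 184143)
09:17: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030583.exe". The operation completed successfully
10:55: Warning: Failed to open file "c:\documents and settings\andre\shared\_\queen - princes of the universe.mp3.exe:kavichs". Access is denied
11:07: Found Trojan Horse: sdbot
11:07: adiras.ini (ID = 74768)
11:07: a0034896.ini (ID = 74768)
11:36: Sweep Canceled
11:45: | End of Session, 22 March 2006 |
********
09:11: | Start of Session, 22 March 2006 |
09:15: | End of Session, 22 March 2006 |
"""

if __name__ == "__main__":
    for session in parse_log(SAMPLE_LOG):
        print(session)
```

Run it over the full log and the per-family counts show how many hits are live (the registry keys, `c:\program files\toolbar888`, `c:\program files\whinstall`) versus how many are sitting in restore points that a restore-point flush would remove; the `double_extension` tags in the shared folder are the files worth looking at by hand, whatever the definitions said about them.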