
I've caught something bad

Discussion in 'Virus & Other Malware Removal' started by Marvy42, Aug 6, 2006.

  1. Marvy42

    Marvy42 Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    40
    Every day when I log on, SpySweeper tells me that it's blocked something. While these things do repeat occasionally, each day it's a new name. Examples are: DELFINPROJECT.COM, DAILYFREEPICS.US, ADS.DELFINPROJECT.COM, 235.REGVISTA.COM, BINS.ELITEMEDIAGROUP.NET, BURGOSTAR.INFO, BANNERSERVER.GATOR.COM, and BASCOWATER.COM. These are not files that I can find. Nothing bad has happened yet, but I suppose it's only a matter of time. Any ideas what I've caught and how to slit its little electronic throat?
     
  2. Marvy42

    Marvy42 Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    40
    By the way, I should have mentioned that when I do a full scan with SpySweeper (as well as with Norton AV and Ewido) nothing is found.
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,057
    Please do this:

    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  4. Marvy42

    Marvy42 Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    40
    One HijackThis! log file coming up. Thanks for your help.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:25:47 PM, on 8/7/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\WINNT\System32\svchost.exe
    E:\EwidoTrojanFinder\ewidoctrl.exe
    e:\GoBack\GBPoll.exe
    E:\Norton\Norton AntiVirus\navapsvc.exe
    E:\Norton\Norton AntiVirus\IWP\NPFMntor.exe
    E:\Norton\NORTON~1\NPROTECT.EXE
    C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    E:\Norton\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    E:\WinPatrol\winpatrol.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\ZoneAlarm\zlclient.exe
    E:\SpySweeper\SpySweeperUI.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    E:\Volumouse\volumouse.exe
    E:\MacroExpress3\MacExp.exe
    E:\BarEyes\bareyes.exe
    E:\PowerPro\powerpro.exe
    E:\GoBack\GBTray.exe
    E:\TotalCommander\TOTALCMD.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    E:\SpywareGuard\sgmain.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\SpywareGuard\sgbhp.exe
    E:\SpySweeper\SpySweeper.exe
    E:\Norton\Norton AntiVirus\SAVScan.exe
    E:\SpySweeper\SSU.EXE
    E:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/find
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/en/default.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Marv's Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
    O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINNT\system32\BhoCitUS.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\SpywareGuard\dlprotect.dll
    O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - E:\MacroExpress3\iCapture.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Spybot\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\FLASHGET\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Norton\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Norton\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [WinPatrol] E:\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] "C:\Program Files\Common Files\Symantec Shared\SymTray.exe" SetReg
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Zone Labs Client] "E:\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SpySweeper] "E:\SpySweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe"
    O4 - HKCU\..\Run: [TClockEx] E:\TClock\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [Cacheman] E:\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [$Volumouse$] "E:\Volumouse\volumouse.exe" /nodlg
    O4 - Global Startup: Macro Express 3.lnk = E:\MacroExpress3\MacExp.exe
    O4 - Global Startup: bareyes.lnk = E:\BarEyes\bareyes.exe
    O4 - Global Startup: PowerPro.lnk = E:\PowerPro\powerpro.exe
    O4 - Global Startup: GoBack.lnk = E:\GoBack\GBTray.exe
    O4 - Global Startup: Commander.lnk = E:\TotalCommander\TOTALCMD.exe
    O4 - Global Startup: SpywareGuard.lnk = E:\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download All by FlashGet - E:\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download all by Free Download Manager - file://E:\FreeDownloadManager\dlall.htm
    O8 - Extra context menu item: Download by Free Download Manager - file://E:\FreeDownloadManager\dllink.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\FreeDownloadManager\dlselected.htm
    O8 - Extra context menu item: Download using FlashGet - E:\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\FreeDownloadManager\dlpage.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
    O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\WINNT\System32\shdocvw.dll
    O9 - Extra button: (no name) - {B72455AE-D3DE-492a-8FE0-0EA053B85277} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\FLASHGET\flashget.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123539778625
    O20 - Winlogon Notify: sunotify - C:\WINNT\SYSTEM32\sunotify.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - E:\EwidoTrojanFinder\ewidoctrl.exe
    O23 - Service: GBPoll - Roxio, Inc. - e:\GoBack\GBPoll.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Norton\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Norton\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Norton\NORTON~1\NPROTECT.EXE
    O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
    O23 - Service: SAVScan - Symantec Corporation - E:\Norton\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - E:\Norton\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\SpySweeper\SpySweeper.exe
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,057
    You have an older version of Ewido so unless it's the paid version, you should remove it and download the new one.

    Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.



    • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

    Close Ewido Anti-spyware. Do NOT run a scan yet. We will do that later in safe mode.


    • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
      IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process. Be patient; this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close Ewido and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.


    Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.
     
  6. Marvy42

    Marvy42 Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    40
    Well. I hoped to have wonderful news, but neither Ewido nor Panda could find anything. Whatever it is, it's buried deep.
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,057
    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don’t do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
     
  8. Marvy42

    Marvy42 Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    40
    Here's the WinPFind log. Thanks again for your efforts. By the way, as I was booting up today, I got a dialog box that said something to the effect that ZoneAlarm was initializing and would be up and running in a bit. Just click CANCEL to stop the initialization. They're getting cuter. Here's the log file:

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
    Internet Explorer Version: 6.0.2800.1106

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...
    UPX! 7/17/2006 4:45:16 PM 39424 C:\WINNT\zipinst.exe

    Checking %System% folder...
    aspack 7/6/2006 9:21:46 PM 6757792 C:\WINNT\SYSTEM32\MRT.exe
    winsync 7/26/2000 12:00:00 PM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
    PTech 7/12/2005 6:04:22 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.dll
    Umonitor 1/12/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL
    WinShutDown 2/2/1998 10:00:00 PM 72192 C:\WINNT\SYSTEM32\WPAUTO8.DLL
    WinShutDown 2/2/1998 10:00:00 PM 64000 C:\WINNT\SYSTEM32\PFAUTO8.DLL

    Checking %System%\Drivers folder and sub-folders...
    qoologic 7/19/2006 1:07:08 PM R 468602 C:\WINNT\SYSTEM32\drivers\etc\HOSTS.bkp
    PTech 7/19/2006 1:07:08 PM R 468602 C:\WINNT\SYSTEM32\drivers\etc\HOSTS.bkp
    SAHAgent 7/19/2006 1:07:08 PM R 468602 C:\WINNT\SYSTEM32\drivers\etc\HOSTS.bkp
    abetterinternet.com 7/19/2006 1:07:08 PM R 468602 C:\WINNT\SYSTEM32\drivers\etc\HOSTS.bkp
    web-nex 7/19/2006 1:07:08 PM R 468602 C:\WINNT\SYSTEM32\drivers\etc\HOSTS.bkp
    ad-w-a-r-e.com 7/19/2006 1:07:08 PM R 468602 C:\WINNT\SYSTEM32\drivers\etc\HOSTS.bkp

    Items found in C:\WINNT\SYSTEM32\drivers\etc\HOSTS
    127.0.0.1 download1.shopathomeselect.com #[ADW_SAHAGENT.A]
    127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
    127.0.0.1 web-nexus.net #[Adw.Web-Nexus.WebNexusAdServer]
    127.0.0.1 ax.web-nexus.net #[TROJ_QOOLAID.R]
    127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
    127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
    127.0.0.1 stech.web-nexus.net #[Trojan-Downloader.Win32.Qoologic.p]
    127.0.0.1 stech.web-nexus.net #[Trojan-Downloader.Win32.Qoologic.p]
    127.0.0.1 www.web-nexus.net
    127.0.0.1 agentq.vpptechnologies.com
    127.0.0.1 js.vpptechnologies.com
    127.0.0.1 media-0.vpptechnologies.com
    127.0.0.1 media-1.vpptechnologies.com
    127.0.0.1 media-2.vpptechnologies.com #[SiteAdvisor.fish-screensaver.com]
    127.0.0.1 media-4.vpptechnologies.com
    127.0.0.1 media-5.vpptechnologies.com
    127.0.0.1 media-6.vpptechnologies.com
    127.0.0.1 media-8.vpptechnologies.com #[SiteAdvisor.fish-screensaver.com]
    127.0.0.1 media-a.vpptechnologies.com #[a599.x.akamai.net]
    127.0.0.1 media-b.vpptechnologies.com
    127.0.0.1 media-c.vpptechnologies.com #[a1332.x.akamai.net]
    127.0.0.1 media-d.vpptechnologies.com
    127.0.0.1 media-e.vpptechnologies.com
    127.0.0.1 media-f.vpptechnologies.com
    127.0.0.1 msxml.vpptechnologies.com
    127.0.0.1 static.vpptechnologies.com #[hotsearchbar.com]
    127.0.0.1 xml.vpptechnologies.com #[BlazeFind]
    127.0.0.1 ad-w-a-r-e.com #[Win32.Canbede][Troj/Dloader-IG]
    127.0.0.1 www.ad-w-a-r-e.com #[AdWare.Win32.Look2Me.ab]
    127.0.0.1 abetterinternet.com #[Downloader.Stubby.A][Adware.Aurora]
    127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
    127.0.0.1 st.abetterinternet.com
    127.0.0.1 static.abetterinternet.com
    127.0.0.1 thinstall.abetterinternet.com
    127.0.0.1 www.abetterinternet.com #[Trojan-Downloader.Win32.Stubby.d]


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    8/7/2006 9:43:42 PM H 710462 C:\WINNT\ShellIconCache
    7/23/2006 9:09:58 AM H 4212 C:\WINNT\system32\zllictbl.dat
    8/8/2006 12:36:40 PM H 48877 C:\WINNT\system32\vsconfig.xml
    8/8/2006 12:47:50 PM H 1024 C:\WINNT\system32\config\software.LOG
    8/7/2006 9:54:58 PM H 1024 C:\WINNT\system32\config\default.LOG
    8/8/2006 12:43:26 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG
    8/8/2006 12:45:18 PM H 1024 C:\WINNT\system32\config\SAM.LOG
    7/24/2006 9:33:52 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\Preferred
    7/24/2006 9:33:52 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\55f4f85c-84cf-40a1-b9aa-91a876912f09
    6/18/2006 2:39:50 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    6/18/2006 2:39:50 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\b0e44c4d-d147-4df5-830f-1cd3290bf344
    8/8/2006 12:39:28 PM H 6 C:\WINNT\Tasks\SA.DAT
    8/6/2006 6:41:40 AM S 64 C:\WINNT\CSC\csc1.tmp
    8/8/2006 12:39:26 PM S 64 C:\WINNT\CSC\00000001
    8/8/2006 12:33:04 PM S 64 C:\WINNT\CSC\00000002

    Checking for CPL files...
    Microsoft Corporation 6/19/2003 12:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
    Microsoft Corporation 6/19/2003 12:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
    Microsoft Corporation 7/26/2000 12:00:00 PM 31504 C:\WINNT\SYSTEM32\fax.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 118032 C:\WINNT\SYSTEM32\intl.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 36112 C:\WINNT\SYSTEM32\irprops.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 122128 C:\WINNT\SYSTEM32\main.cpl
    Dale Nurden 3/9/2000 1:15:54 AM 55808 C:\WINNT\SYSTEM32\TCLOCKEX.CPL
    Microsoft Corporation 7/26/2000 12:00:00 PM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
    Sun Microsystems 3/4/2005 8:01:12 PM 61555 C:\WINNT\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 41232 C:\WINNT\SYSTEM32\nwc.cpl
    Microsoft Corporation 6/19/2003 12:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
    Microsoft Corporation 6/19/2003 12:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
    Microsoft Corporation 7/26/2000 12:00:00 PM 5904 C:\WINNT\SYSTEM32\telephon.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 61200 C:\WINNT\SYSTEM32\timedate.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 6/19/2003 12:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 10/30/2001 8:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 67344 C:\WINNT\SYSTEM32\access.cpl
    Creative Technology Ltd. 8/30/1999 1:55:00 AM 228352 C:\WINNT\SYSTEM32\CTDetect.cpl
    11/19/1999 1:54:12 PM 155648 C:\WINNT\SYSTEM32\PPPoEService.cpl
    Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINNT\SYSTEM32\QuickTime.cpl
    SiSoftware 3/10/2001 7:43:26 PM 53248 C:\WINNT\SYSTEM32\SanCpl.cpl
    ATI Technologies Inc. 12/19/2000 5:37:24 PM 40960 C:\WINNT\SYSTEM32\MMCpl.cpl
    Microsoft Corporation 6/18/2000 2:03:10 PM 106544 C:\WINNT\SYSTEM32\TWEAKUI.CPL
    Microsoft Corporation 6/19/2003 12:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
    Microsoft Corporation 1/12/2005 12:40:00 PM 64784 C:\WINNT\SYSTEM32\dllcache\msmq.cpl
    Microsoft Corporation 7/26/2000 12:00:00 PM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
    Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
    IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    4/2/2006 9:56:28 AM 282 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bareyes.lnk
    4/2/2006 9:56:34 AM 277 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Commander.lnk
    4/2/2006 9:56:32 AM 363 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GoBack.lnk
    4/2/2006 9:56:20 AM 305 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Macro Express 3.lnk
    4/2/2006 9:56:30 AM 283 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerPro.lnk
    4/2/2006 9:56:36 AM 269 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpywareGuard.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...

    Checking files in %USERPROFILE%\Startup folder...

    Checking files in %USERPROFILE%\Application Data folder...

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    Avant Browser [avantbrowser.com] =
    MyIE2 = IEAK

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
    {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = E:\EwidoTrojanFinder\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\GoBack
    {6809e580-a3a7-11d1-9a00-00a0c945b006} = e:\GoBack\ShellExt.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = E:\Norton\Norton AntiVirus\NavShExt.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83BD3F}
    = shellwp.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\IconLayout
    {19F500E0-9964-11cf-B63D-08002B317C03} = Layout.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
    {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = E:\SpySweeper\SSCtxMnu.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = E:\Norton\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = E:\EwidoTrojanFinder\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = E:\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\shell32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\shell32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\shell32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = C:\WINNT\System32\docprop2.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
    = %SystemRoot%\system32\faxshell.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
    = C:\WINNT\System32\docprop2.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{387EDF53-1CF2-4523-BC2F-13462651BE8C}
    CitiUSBrowserHelper Class = C:\WINNT\system32\BhoCitUS.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
    SpywareGuardDLBLOCK.CBrowserHelper = E:\SpywareGuard\dlprotect.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{516E2306-7ADF-47EC-AEA8-ACB6B51899F1}
    Watch for Browser Events = E:\MacroExpress3\iCapture.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = E:\Spybot\SDHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}
    IeCatch2 Class = E:\FLASHGET\jccatch.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
    CNavExtBho Class = E:\Norton\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : E:\Norton\Norton AntiVirus\NavShExt.dll
    {E0E899AB-F487-11D5-8D29-0050BA6940E3} = FlashGet Bar : E:\FLASHGET\fgiebar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console : C:\WINNT\System32\msjava.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4C730913-3961-439b-83D5-F4E445520422}
    ButtonText = Citi : C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8BD5271D-69C9-4467-882D-5139952D7754}
    ButtonText = Instant Source :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B72455AE-D3DE-492a-8FE0-0EA053B85277}
    MenuText = :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}
    ButtonText = FlashGet : E:\FLASHGET\flashget.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    Media Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : E:\Norton\Norton AntiVirus\NavShExt.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    WinPatrol E:\WinPatrol\winpatrol.exe
    SymTray - Norton SystemWorks "C:\Program Files\Common Files\Symantec Shared\SymTray.exe" SetReg
    ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Synchronization Manager mobsync.exe /logon
    Symantec NetDriver Monitor "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    Tweak UI "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
    Zone Labs Client "E:\ZoneAlarm\zlclient.exe"
    SpySweeper "E:\SpySweeper\SpySweeperUI.exe" /startintray
    POINTER point32.exe
    !ewido "E:\EwidoTrojanFinder\ewido.exe" /minimized

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    SymTray - Norton SystemWorks "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    TClockEx E:\TClock\TCLOCKEX.EXE
    $Volumouse$ "E:\Volumouse\volumouse.exe" /nodlg

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    NoChangingWallpaper 0
    NoComponents 0
    NoAddingComponents 0
    NoDeletingComponents 0
    NoEditingComponents 0
    NoCloseDragDropBands 0
    NoMovingBands 0
    NoHTMLWallPaper

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32
    NoBackButton 0
    NoFileMru 0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 149
    NoAddPrinter 0
    NoClose 0
    NoDeletePrinter 0
    NoDesktop 0
    NoFavoritesMenu 0
    NoFind 0
    NoLogOff 0
    NoNetHood 1
    NoRecentDocsMenu 1
    NoRun 0
    NoSaveSetting 0
    NoSetFolders 0
    NoSetTaskbar 0
    NoStartBanner 0
    NoViewContextMenu 0
    RestrictRun 0
    NoDrives 0
    NoNoDeletePrinter 0
    NoActiveDesktop 1
    NoSetActiveDesktop 0
    NoChangeStartMenu 0
    NoCommonGroups 0
    NoFileMenu 0
    NoFolderOptions 0
    NoInternetIcon 0
    NoPrinterTabs 0
    NoSaveSettings 0
    NoTrayContextMenu 0
    NoWindowsUpdate 0
    NoNetConnectDisconnect 0
    NoWinKeys 
    CDRAutoRun 0
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
    NoEntireNetwork 0
    NoFileSharingControl 0
    NoNetSetupConfigPage 0
    NoNetSetupIDPage 0
    NoNetSetupSecurityPage 0
    NoPrintSharingControl 0
    NoWorkgroupContents 0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Security
    PLC9900 731349
    PLC9901 731350

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0
    DisableTaskMgr 0
    NoAdminPage 0
    NoConfigPage 0
    NoDispAppearancePage 0
    NoDispBackgroundPage 0
    NoDispCPL 0
    NoDispScrSavPage 0
    NoDispSettingsPage 0
    NoDispSpinDown 0
    NoFileSysPage 0
    NoProfilePage 0
    NoPwdPage 0
    NoSecCPL 0
    NoVirtMemPage 0
    NoDevMgrPage 0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
    Disabled 0
    NoRealMode 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
    = Ati2evxx.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sunotify
    = sunotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
    = wzcdlg.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 8/8/2006 12:53:48 PM
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,057
    I'm not seeing anything except for some policies in the WinPFind log.

    Is this a company computer?

    Can you post a log from SpySweeper so I can see what it reports?


    Also, please do this:

    Go to Start - Run - type in regedit and click OK to open the registry editor.

    Expand the following keys by clicking on the + sign to their left:

    + HKEY_CURRENT_USER
    + SOFTWARE
    + Microsoft
    + Windows
    + CurrentVersion
    + policies


    Right click on Security and select "export". Name the file and save it to your desktop. Right click the file you saved to your desktop, select "open with" and choose Notepad, then copy and paste the contents here please.
     
  10. Marvy42

    Marvy42 Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    40
    This is a home computer. By the way, the SpySweeper directory has 65000 0-length .tmp files that were all created yesterday when I was running the Panda scan. The system won't let me erase any of them.


    Here's the registry item:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Security]
    "PLC9900"=dword:000b28d5
    "PLC9901"=dword:000b28d6


    And here's a bunch of lines from the Spy Sweeper Log:

    Operation: File Access
    Target:
    Source: E:\TOTALCOMMANDER\TOTALCMD.EXE
    4:22 PM: Tamper Detection
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    4:07 PM: The Spy Communication shield has blocked access to: ETIGHTSTRINGS.NET
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    4:07 PM: The Spy Communication shield has blocked access to: ETIGHTSTRINGS.NET
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    4:07 PM: Shield States
    4:07 PM: Spyware Definitions: 735
    4:06 PM: Spy Sweeper 5.0.5.1286 started
    1:12 PM: Your spyware definitions have been updated.
    1:12 PM: Automated check for program update in progress.
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    1:05 PM: The Spy Communication shield has blocked access to: GOPORN.US
    Hosts File Shield: On
    Spy Communication Shield: On
    1:05 PM: The Spy Communication shield has blocked access to: GOPORN.US
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    1:04 PM: Shield States
    1:04 PM: Spyware Definitions: 734
    1:04 PM: Spy Sweeper 5.0.5.1286 started
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    12:35 PM: The Spy Communication shield has blocked access to: HITSCOUNT.NET
    Hosts File Shield: On
    Spy Communication Shield: On
    12:35 PM: The Spy Communication shield has blocked access to: HITSCOUNT.NET
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    12:34 PM: Shield States
    12:34 PM: Spyware Definitions: 734
    12:34 PM: Spy Sweeper 5.0.5.1286 started
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    9:48 PM: The Spy Communication shield has blocked access to: INCREDIFIND.COM
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    9:48 PM: The Spy Communication shield has blocked access to: INCREDIFIND.COM
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    9:48 PM: Shield States
    9:47 PM: Spyware Definitions: 734
    9:47 PM: Spy Sweeper 5.0.5.1286 started
    5:32 PM: Access to Hosts file blocked for C:\WINNT\EXPLORER.EXE
    5:32 PM: Access to Hosts file blocked for C:\WINNT\EXPLORER.EXE
    Operation: File Access
    Target:
    Source: C:\WINNT\EXPLORER.EXE
    5:30 PM: Tamper Detection
    5:15 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    5:15 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    5:12 PM: Shield States
    5:12 PM: Spyware Definitions: 734
    5:12 PM: Spy Sweeper 5.0.5.1286 started
    Operation: File Access
    Target:
    Source: E:\INSTALLFILES\EWIDO\EWIDO-SETUP_4.0.0.172C.EXE
    4:23 PM: Tamper Detection
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    4:16 PM: The Spy Communication shield has blocked access to: BANNERSERVER.GATOR.COM
    4:16 PM: The Spy Communication shield has blocked access to: BANNERSERVER.GATOR.COM
    ActiveX Shield: On
    4:16 PM: Warning: The handle is invalid
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    4:16 PM: Shield States
    4:16 PM: Spyware Definitions: 734
    4:15 PM: Spy Sweeper 5.0.5.1286 started
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    3:58 PM: The Spy Communication shield has blocked access to: BANNERSERVER.GATOR.COM
    3:58 PM: The Spy Communication shield has blocked access to: BANNERSERVER.GATOR.COM
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    3:58 PM: Shield States
    3:58 PM: Spyware Definitions: 734
    3:58 PM: Spy Sweeper 5.0.5.1286 started
    12:27 PM: Your definitions are up to date.
    12:27 PM: Automated check for program update in progress.
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    12:08 PM: The Spy Communication shield has blocked access to: 235.REGVISTA.COM
    12:08 PM: The Spy Communication shield has blocked access to: 235.REGVISTA.COM
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    12:08 PM: Shield States
    12:08 PM: Spyware Definitions: 734
    12:06 PM: Spy Sweeper 5.0.5.1286 started
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    9:50 PM: The Spy Communication shield has blocked access to: BEEHAPPYY.BIZ
    9:50 PM: The Spy Communication shield has blocked access to: BEEHAPPYY.BIZ
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    9:50 PM: Shield States
    9:50 PM: Spyware Definitions: 734
    9:50 PM: Spy Sweeper 5.0.5.1286 started
    Operation: File Access
    Target:
    Source: E:\TOTALCOMMANDER\TOTALCMD.EXE
    6:13 PM: Tamper Detection
    Operation: File Access
    Target:
    Source: E:\KEDITW\KEDITW32.EXE
    6:12 PM: Tamper Detection
    6:09 PM: The Spy Communication shield has blocked access to: DELFINPROJECT.COM
    6:09 PM: The Spy Communication shield has blocked access to: DELFINPROJECT.COM
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    6:09 PM: The Spy Communication shield has blocked access to: DAILYFREEPICS.US
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    6:09 PM: Shield States
    6:09 PM: Spyware Definitions: 734
    6:08 PM: Spy Sweeper 5.0.5.1286 started
    7:51 AM: Your definitions are up to date.
    7:51 AM: Automated check for program update in progress.
    7:21 AM: None
    7:21 AM: Traces Found: 0
    7:21 AM: Full Sweep has completed. Elapsed time 00:22:09
    7:21 AM: File Sweep Complete, Elapsed Time: 00:18:24
    7:18 AM: Warning: Failed to open file "e:\spysweeper\settings.dat". The process cannot access the file because it is being used by another process
    7:11 AM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
    7:09 AM: Warning: Failed to open file "c:\documents and settings\marv goldberg\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
    7:09 AM: Warning: Failed to open file "c:\documents and settings\marv goldberg\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
    7:09 AM: Warning: Failed to open file "c:\documents and settings\marv goldberg\ntuser.dat". The process cannot access the file because it is being used by another process
    7:09 AM: Warning: Failed to open file "c:\documents and settings\marv goldberg\ntuser.dat.log". The process cannot access the file because it is being used by another process
    7:07 AM: Warning: Failed to open file "c:\winnt\temp\zlt05048.tmp". The process cannot access the file because it is being used by another process
    7:07 AM: Warning: Failed to open file "c:\winnt\temp\zlt05041.tmp". The process cannot access the file because it is being used by another process
    7:05 AM: Warning: Failed to open file "c:\winnt\system32\config\sam". The process cannot access the file because it is being used by another process
    7:05 AM: Warning: Failed to open file "c:\winnt\system32\config\default". The process cannot access the file because it is being used by another process
    7:04 AM: Warning: Failed to open file "c:\winnt\system32\config\system". The process cannot access the file because it is being used by another process
    7:04 AM: Warning: Failed to open file "c:\winnt\system32\config\software". The process cannot access the file because it is being used by another process
    7:04 AM: Warning: Failed to open file "c:\winnt\system32\config\security". The process cannot access the file because it is being used by another process
    7:04 AM: Warning: Failed to open file "c:\winnt\system32\config\sam.log". The process cannot access the file because it is being used by another process
    7:04 AM: Warning: Failed to open file "c:\winnt\system32\config\system.alt". The process cannot access the file because it is being used by another process
    7:04 AM: Warning: Failed to open file "c:\winnt\system32\config\security.log". The process cannot access the file because it is being used by another process
    7:04 AM: Warning: Failed to open file "c:\winnt\system32\config\default.log". The process cannot access the file because it is being used by another process
    7:04 AM: Warning: Failed to open file "c:\winnt\system32\config\software.log". The process cannot access the file because it is being used by another process
    7:02 AM: Starting File Sweep
    7:02 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    7:02 AM: Starting Cookie Sweep
    7:02 AM: Registry Sweep Complete, Elapsed Time:00:00:21
    7:02 AM: Starting Registry Sweep
    7:02 AM: Memory Sweep Complete, Elapsed Time: 00:03:18
    6:59 AM: Starting Memory Sweep
    6:59 AM: Sweep initiated using definitions version 734
    6:59 AM: Spy Sweeper 5.0.5.1286 started
    6:59 AM: | Start of Session, Sunday, August 06, 2006 |
    ********
    6:59 AM: | End of Session, Sunday, August 06, 2006 |
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,057
    Run Kaspersky online virus scan here.

    After the updates have downloaded, click on the "Scan Settings" button.
    Choose the "Extended database" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, Save the results from the scan!
     
  12. Marvy42

    Marvy42 Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    40
    Nothing:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, August 09, 2006 12:26:58 AM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 9/08/2006
    Kaspersky Anti-Virus database records: 213434
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    L:\
    M:\
    N:\
    O:\
    P:\
    Q:\
    R:\

    Scan Statistics:
    Total number of scanned objects: 92540
    Number of viruses found: 0
    Number of infected objects: 0 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 02:49:49

    Infected Object Name / Virus Name / Last Action
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SOFTWARE Object is locked skipped
    C:\WINNT\system32\config\SYSTEM Object is locked skipped
    C:\WINNT\system32\config\DEFAULT Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\Temp\ZLT054ed.TMP Object is locked skipped
    C:\WINNT\Temp\ZLT05521.TMP Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINNT\Internet Logs\UNCAMARVY.ldb Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Sti_Trace.log Object is locked skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped
    C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBE8A1123-0AA7-4559-8C56-0B1118B3835D.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSB2218EB5-53A2-4DEE-8A2C-4D6F6A75ED5B.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSCF4D55D7-4EF5-4840-8F2C-2BB00ABCCD58.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS6935F47B-650E-4711-AB4A-0A47C901DD10.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSEFFDC1F4-3B04-473F-9E83-245DC34DEF05.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS3CE89163-57A9-40A3-9C41-F381F1F15E7F.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS293A26D0-F633-4CE5-AD63-0F0E94C30B72.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFDC5FE35-A976-4BB3-8EB0-E23DEFDAD00F.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS650DB324-3FA5-4BF1-95E4-32748B06BB29.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFB66F8C8-52C7-4FE4-AB58-7FBCC0D02A46.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0E5AC098-F8A6-4D74-9783-EFCA861877B2.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSE9BB8C79-BE98-49F4-8D55-B7577E9D0B69.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSCAE9611D-1755-416D-9BDD-95358B8B870B.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSCEBCF4B1-00BF-44A9-B883-1AB9CA5F7DA2.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSAC6C8A9F-5855-4D1A-A68F-7A65DEB97947.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS86C66681-EB41-4634-83FD-078F0D65C5BF.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C79C262-BFE0-4A7D-9006-FC27325FF1F2.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSA0BE5E9D-0D13-45A7-94D8-9D0A6492EC89.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSB2DC6DFB-6BA6-4D0A-8713-1D2A738B7507.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC2ACA6AB-349C-499B-BBAC-D805C25D5209.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSA13EC194-DB38-43F2-A18A-634F27600D33.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBE945A44-7824-4DF1-B0EB-C79BE262A48F.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS85D84A90-3B87-43FC-83A9-4C0E090292D1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSC40E94DC-D46C-479E-9D4C-0C85409713FF.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSFF22166F-BA74-410D-B087-B3D3B462596A.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS1A35186C-F939-4AB5-9076-48F88EC05BDA.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSEC6CCC1D-5D9A-44A0-B803-477EDA04933F.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0B2C7113-2902-4A06-BB99-658482D661A4.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS645A3925-D223-4A53-9513-0C7B9C5A2FE6.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS2C2B3E3A-5A8F-4BA3-8629-EBDDA7B745D0.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF21E6ADE-1525-4808-8FAF-65B373F36BF6.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS6FBBD6DC-A970-4956-97AF-468152210FB3.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF620ABF9-8C61-42D0-ABF6-03FD33E23D4A.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS65FE6FE5-DF6F-4C23-BF48-F2B64E7E43BD.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS28B9B1D0-765C-4975-AF73-C0BC7DB339EB.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS779F204B-F2BF-4E5C-B1A0-00772F9CBA02.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSBCF29133-A747-4E14-8123-BD168CC6A673.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS1EBA0DB4-6977-4FC3-A681-B5ACEE81804A.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF7477C3F-AD3F-4C70-861E-919767AEEC43.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS5DB89C93-135F-491B-80F5-26CD017A1B19.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS22337FA8-E9CC-4B91-8780-049CD287BD07.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS71B167D3-CB3C-4F11-BFE8-4A9E3B3B84C1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS275FE2C7-5591-416F-876F-569F1587A41D.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS0E9BF7FF-79EE-4047-AFC5-71BC336DC2E6.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSA7D9DF12-6548-4FA9-9A4C-5EA25D9455A2.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS562701F0-88E3-4D3E-ABF8-0E3968A425C4.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS2F69A0BE-C31B-4798-9234-E3B92320F52E.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSF3D7D06A-6A9B-4F72-844E-98C12ED1D3F8.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS224C1BBF-4CC1-4438-A7A5-DA17FA2140FC.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS6FD0ACF8-53E9-4E29-8D58-43F9F93F6B34.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS4CCDA795-084C-4ED2-9FBB-4BD9F4B3C57C.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS58576A4A-A2CC-48B3-A974-EDE99331EE72.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSE63BAF18-FF22-4C56-8880-27A6937542F9.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS05A826CA-94F9-4044-AE03-D6D30C6ADFEE.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCSB1359BCC-B58E-48B8-A567-8A740F26D6A8.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\Temp\SSCS31F6F138-0DC5-45AC-92DC-1DDDC6A202DC.tmp Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Local Settings\Temp\~DFE4EC.tmp Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Local Settings\Temp\~DF1A2B.tmp Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Local Settings\Temp\~DFF4D2.tmp Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Application Data\Webroot\Spy Sweeper\Logs\060806065916.ses Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Application Data\MailWasherPro\tmpLog.txt Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Application Data\MailWasherPro\Trash.rot135 Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Application Data\MailWasherPro\Training\Training archive - junk.rot135 Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\Application Data\MailWasherPro\Training\Training archive - legitimate.rot135 Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Marv Goldberg\ntuser.dat Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    E:\Norton\Norton AntiVirus\AVVirus.log Object is locked skipped
    E:\Norton\Norton AntiVirus\AVApp.log Object is locked skipped
    E:\Norton\Norton AntiVirus\AVError.log Object is locked skipped
    E:\SpySweeper\settings.dat Object is locked skipped
    E:\SpySweeper\Masters\masters.mst Object is locked skipped
    E:\SpySweeper\Masters\masters.bak Object is locked skipped
    E:\SpySweeper\Masters\Masters.const Object is locked skipped
    E:\SpySweeper\Masters.base Object is locked skipped

    Scan process completed.
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,057
    • Click here to download ATF Cleaner by Atribune and save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
      • If you use Firefox:
        • Click Firefox at the top and choose: Select All
        • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      • If you use Opera:
        • Click Opera at the top and choose: Select All
        • Click the Empty Selected button.
        • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.


    Reboot and run a scan with SpySweeper again and post the log please.
     
  14. Marvy42

    Marvy42 Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    40
    Once again, Spy Sweeper found nothing to write home about. Here's the log:

    5:16 PM: None
    5:16 PM: Traces Found: 0
    5:16 PM: Full Sweep has completed. Elapsed time 00:46:57
    5:16 PM: File Sweep Complete, Elapsed Time: 00:43:20
    5:14 PM: Warning: Failed to open file "l:\pagefile.sys". Access is denied
    5:02 PM: Warning: Failed to open file "h:\gobackio.bin". Access is denied
    4:57 PM: Warning: Failed to open file "e:\spysweeper\settings.dat". The process cannot access the file because it is being used by another process
    4:40 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
    4:39 PM: Warning: Failed to open file "c:\documents and settings\mg\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
    4:39 PM: Warning: Failed to open file "c:\documents and settings\mg\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
    4:39 PM: Warning: Failed to open file "c:\documents and settings\mg\ntuser.dat". The process cannot access the file because it is being used by another process
    4:39 PM: Warning: Failed to open file "c:\documents and settings\mg\ntuser.dat.log". The process cannot access the file because it is being used by another process
    4:37 PM: Warning: Failed to open file "c:\winnt\temp\zlt07a11.tmp". The process cannot access the file because it is being used by another process
    4:37 PM: Warning: Failed to open file "c:\winnt\temp\zlt079d6.tmp". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\sam". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\default". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\system". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\software". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\security". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\sam.log". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\system.alt". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\security.log". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\default.log". The process cannot access the file because it is being used by another process
    4:35 PM: Warning: Failed to open file "c:\winnt\system32\config\software.log". The process cannot access the file because it is being used by another process
    4:33 PM: Starting File Sweep
    4:33 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    4:33 PM: Starting Cookie Sweep
    4:33 PM: Registry Sweep Complete, Elapsed Time:00:00:24
    4:33 PM: Starting Registry Sweep
    4:33 PM: Memory Sweep Complete, Elapsed Time: 00:03:08
    4:29 PM: Starting Memory Sweep
    4:29 PM: Sweep initiated using definitions version 735
    4:29 PM: Spy Sweeper 5.0.5.1286 started
    4:29 PM: | Start of Session, Wednesday, August 09, 2006 |
    ********
    4:29 PM: | End of Session, Wednesday, August 09, 2006 |
    4:28 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    4:28 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    4:28 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    4:27 PM: Shield States
    4:27 PM: Spyware Definitions: 735
    4:26 PM: Spy Sweeper 5.0.5.1286 started
    4:13 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    4:13 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    4:12 PM: Your definitions are up to date.
    4:12 PM: Automated check for program update in progress.
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    4:11 PM: Shield States
    4:11 PM: Spyware Definitions: 735
    4:11 PM: Spy Sweeper 5.0.5.1286 started
    Operation: File Access
    Target:
    Source: C:\WINNT\EXPLORER.EXE
    10:05 PM: Tamper Detection
    8:09 PM: The Spy Communication shield has blocked access to: 2AWM.COM
    8:09 PM: The Spy Communication shield has blocked access to: 2AWM.COM
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    8:09 PM: The Spy Communication shield has blocked access to: 235.REGVISTA.COM
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    8:08 PM: Shield States
    8:08 PM: Spyware Definitions: 735
    8:07 PM: Spy Sweeper 5.0.5.1286 started
    Operation: File Access
    Target:
    Source: E:\TOTALCOMMANDER\TOTALCMD.EXE
    4:22 PM: Tamper Detection
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    4:07 PM: The Spy Communication shield has blocked access to: ETIGHTSTRINGS.NET
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    4:07 PM: The Spy Communication shield has blocked access to: ETIGHTSTRINGS.NET
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    4:07 PM: Shield States
    4:07 PM: Spyware Definitions: 735
    4:06 PM: Spy Sweeper 5.0.5.1286 started
    1:12 PM: Your spyware definitions have been updated.
    1:12 PM: Automated check for program update in progress.
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    1:05 PM: The Spy Communication shield has blocked access to: GOPORN.US
    Hosts File Shield: On
    Spy Communication Shield: On
    1:05 PM: The Spy Communication shield has blocked access to: GOPORN.US
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    1:04 PM: Shield States
    1:04 PM: Spyware Definitions: 734
    1:04 PM: Spy Sweeper 5.0.5.1286 started
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    12:35 PM: The Spy Communication shield has blocked access to: HITSCOUNT.NET
    Hosts File Shield: On
    Spy Communication Shield: On
    12:35 PM: The Spy Communication shield has blocked access to: HITSCOUNT.NET
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    12:34 PM: Shield States
    12:34 PM: Spyware Definitions: 734
    12:34 PM: Spy Sweeper 5.0.5.1286 started
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    9:48 PM: The Spy Communication shield has blocked access to: INCREDIFIND.COM
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    9:48 PM: The Spy Communication shield has blocked access to: INCREDIFIND.COM
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    9:48 PM: Shield States
    9:47 PM: Spyware Definitions: 734
    9:47 PM: Spy Sweeper 5.0.5.1286 started
    5:32 PM: Access to Hosts file blocked for C:\WINNT\EXPLORER.EXE
    5:32 PM: Access to Hosts file blocked for C:\WINNT\EXPLORER.EXE
    Operation: File Access
    Target:
    Source: C:\WINNT\EXPLORER.EXE
    5:30 PM: Tamper Detection
    5:15 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    5:15 PM: The Spy Communication shield has blocked access to: 1800-SEARCH.COM
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    5:12 PM: Shield States
    5:12 PM: Spyware Definitions: 734
    5:12 PM: Spy Sweeper 5.0.5.1286 started
    Operation: File Access
    Target:
    Source: E:\INSTALLFILES\EWIDO\EWIDO-SETUP_4.0.0.172C.EXE
    4:23 PM: Tamper Detection
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    4:16 PM: The Spy Communication shield has blocked access to: BANNERSERVER.GATOR.COM
    4:16 PM: The Spy Communication shield has blocked access to: BANNERSERVER.GATOR.COM
    ActiveX Shield: On
    4:16 PM: Warning: The handle is invalid
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    4:16 PM: Shield States
    4:16 PM: Spyware Definitions: 734
    4:15 PM: Spy Sweeper 5.0.5.1286 started
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    3:58 PM: The Spy Communication shield has blocked access to: BANNERSERVER.GATOR.COM
    3:58 PM: The Spy Communication shield has blocked access to: BANNERSERVER.GATOR.COM
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    3:58 PM: Shield States
    3:58 PM: Spyware Definitions: 734
    3:58 PM: Spy Sweeper 5.0.5.1286 started
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    they are likely to be hidden connections from other websites trying to install exploits via banner ads etc BUT there might be something on your computer still trying to connect

    let's see what these show
    download filesearch.bat to your desktop from http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item11

    double click it and it will make a list of ALL files and folders in both C:\windows & c:\windows\system32 and a list of all folders in C:\program files so we can plough through them and spot anything dodgy, hopefully

    it will only pop up for a quick flash

    a file search.txt should pop up, save it to desktop as it makes it easier to find
    If it doesn't pop up then a copy will be in C:\filesearch.txt

    It will be too big to upload here so go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload there
    Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the file on your computer, when the file is listed in the windows press send to upload the files


    repeat with appdata.bat from http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item12

    and then repeat again with all user_appdata.bat http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item13

    so you will have 3 files to upload

    filesearch.txt
    appdata.txt
    au_appdata.txt
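
    An added example, not part of any post in this thread: one way to triage a Spy Sweeper session log like the one in post 14 is to measure how soon after each "Spy Sweeper ... started" entry every blocked host appears. The function names, the 3-minute startup window and the sample hosts are assumptions made for this sketch; a block that recurs within minutes of startup is only a hint that something local is making the connection, not proof.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the session log posted above
# (newest entry first; the hosts are placeholders, not taken from the thread).
SAMPLE_LOG = """\
    4:28 PM: The Spy Communication shield has blocked access to: TRACKER.EXAMPLE
    4:28 PM: The Spy Communication shield has blocked access to: TRACKER.EXAMPLE
    Keylogger Shield: On
    Spy Communication Shield: On
    4:27 PM: Shield States
    4:26 PM: Spy Sweeper 5.0.5.1286 started
    9:40 PM: The Spy Communication shield has blocked access to: BANNERS.EXAMPLE
    8:09 PM: The Spy Communication shield has blocked access to: ADS.EXAMPLE
    Common Ad Sites Shield: Off
    8:09 PM: The Spy Communication shield has blocked access to: ADS.EXAMPLE
    8:08 PM: Shield States
    8:07 PM: Spy Sweeper 5.0.5.1286 started
"""

ENTRY = re.compile(r"^\s*(\d{1,2}:\d{2} [AP]M): (.*)$")
BLOCKED = re.compile(r"shield has blocked access to: (\S+)\s*$")
STARTED = re.compile(r"^Spy Sweeper \S+ started$")


def minutes(clock):
    """Convert '4:28 PM' to minutes after midnight."""
    hhmm, ampm = clock.split()
    hour, minute = map(int, hhmm.split(":"))
    return (hour % 12 + (12 if ampm == "PM" else 0)) * 60 + minute


def parse_sessions(text):
    """Return sessions in chronological order.

    Each session is {"start": clock, "blocks": {host: minutes_after_start}}.
    The log is written newest-first, so it is read bottom-up. Lines without
    a timestamp (the shield state listing) are skipped, and blocks that
    precede the first 'started' entry are ignored because their session
    start is not in the log.
    """
    sessions = []
    for line in reversed(text.splitlines()):
        entry = ENTRY.match(line)
        if not entry:
            continue
        clock, message = entry.groups()
        if STARTED.match(message):
            sessions.append({"start": clock, "blocks": {}})
            continue
        blocked = BLOCKED.search(message)
        if blocked and sessions:
            current = sessions[-1]
            # Modulo 1440 keeps the delay correct across one midnight.
            delay = (minutes(clock) - minutes(current["start"])) % 1440
            # Each block is logged more than once; keep the earliest.
            current["blocks"].setdefault(blocked.group(1).lower(), delay)
    return sessions


def triage(sessions, startup_window=3):
    """Count, per host, the sessions where it was blocked at startup vs later."""
    report = defaultdict(lambda: {"at_startup": 0, "later": 0})
    for session in sessions:
        for host, delay in session["blocks"].items():
            bucket = "at_startup" if delay <= startup_window else "later"
            report[host][bucket] += 1
    return dict(report)


if __name__ == "__main__":
    for host, counts in sorted(triage(parse_sessions(SAMPLE_LOG)).items()):
        print(f"{host:20} startup={counts['at_startup']} later={counts['later']}")
```

    Hosts that only ever show up in the "later" column fit the banner-ad explanation; hosts that show up at startup across several sessions are the ones worth matching against startup entries and the file listings requested above.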
     

Short URL to this thread: https://techguy.org/490006
