Please help me, I'm stuck with prosearching.com!
-
Basically I have no idea what is happening. Every time I go on the internet it sets my homepage to 'prosearching.com', but it appears as 'about:blank' in the address bar. I have Windows XP with Service Pack 2 and Symantec AntiVirus 2005.
The following is my HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 10:57:05, on 15/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\TEMP\win565.tmp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {87BF5318-D5F0-41F4-9D14-47967FA8C12B} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.co.uk/SnapfishUKUpload.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-
I've now removed these:
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
and I can see that a load of the Internet Explorer entries in regedit are set to prosearching.com and http://www.2020search.com/search/9884/search.html (these are the same site). I know how to change them, but what should I change them to? (Or should I delete them?)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
Please, please, please help.
From Ben
Last edited by benjamin_harris; 15-04-2006 at 11:30 AM.
-
Please post a new hijackthis log so we can see what is still there. Thanks.
-
Here it is, thanks for your time.
From Ben
Logfile of HijackThis v1.99.1
Scan saved at 09:39:33, on 17/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Hijack This\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com - Attack of the mighty Ben!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145097808062
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-
Thanks for the new HJT log.
If you installed MessengerPlus! 3 with sponsors, please remove it via Add/Remove Programs; also remove Adware Alert, a rogue program.
Reboot if anything was removed.
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Re-hide after we are done
Download Clean.bat to your desktop (Save page as or Save as), for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat
Please download this file to your desktop - http://www.mvps.org/winhelp2002/DelDomains.inf
Right click on the file you downloaded and select install. This resets the trusted and restricted zones to defaults.
Note: if you have immunized with Spybot this takes those off. You will have to re-immunize with Spybot. If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both of those afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
Reboot.
Please download hoster from the link below.
http://www.funkytoad.com/download/hoster.zip
Open Hoster.exe.
Then click on "Restore Original Hosts"
Close program when complete.
Next,
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates then exit, we will use it later.
Disconnect from the internet...pull the plug, wire etc.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press enter.
Run hijackthis and click on scan button and put checks next to these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"--If you removed Messplus3 fix this also
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O20 - AppInit_DLLs: MsgPlusLoader.dll--If you removed messplus3 fix this
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
Make sure nothing is open but HijackThis and click on "Fix checked".
Now run CWShredder and click fix.
Hunt for and delete if present:
C:\WINDOWS\sqldata1.exe < file
C:\Program Files\MessengerPlus!3--If you removed Messplus3 fix this also < folder
C:\Program Files\AdwareAlert < folder
C:\WINDOWS\SYSTEM32\winowl32.dll < file
Now run that clean batch file you created earlier; type in 'Y' a couple of times and press enter each time you type in "Y" until the black box disappears.
Then:
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter
Reboot
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start
Post a new HJT log for further review
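An added example, not part of the thread and not code from HijackThis: a small Python triage script that applies the checks the reply above walks through (browser R0/R1 settings pointing at an unexpected host, O15 Trusted Zone additions, O20 Winlogon Notify DLLs, and O2/O4 or running-process binaries sitting directly in the Windows root or TEMP) to lines in HijackThis v1.99.1 format. The sample log is constructed from entries quoted in this thread, and the allow-list of expected hosts (the OEM default plus the Google homepage Ben set afterwards) is an assumption.

```python
"""Triage helper for HijackThis v1.99.1 logs (example code, not HJT's own)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Assumption: sites the machine's owner actually wants as homepage/search.
ALLOWED_HOSTS = {"www.evesham.com", "evesham.com", "www.google.co.uk"}

# Binaries living directly in the Windows root or in Windows\TEMP deserve a
# look; legitimate startup items almost always live in system32 or Program Files.
SUSPECT_DIRS = re.compile(r"^[a-z]:\\windows\\(temp\\)?[^\\]+$", re.IGNORECASE)

# Constructed sample: a handful of lines modelled on the logs posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.xxxtoolbar.com
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
C:\WINDOWS\TEMP\win565.tmp.exe
C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag ("R1", "O20", ...) or "PROC" for a running process
    reason: str
    line: str


def host_of(value: str) -> str:
    """Lower-cased host of a URL or bare domain; '' for non-URL text (e.g. Window Title)."""
    value = value.strip().lower()
    if not value or " " in value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def binary_path(text: str) -> str:
    """First drive-letter path ending in .exe/.dll inside an O2/O4 entry or process line."""
    m = re.search(r'"?([a-zA-Z]:\\[^"]+?\.(?:exe|dll))"?', text, re.IGNORECASE)
    return m.group(1) if m else ""


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer would tick in 'Fix checked' or investigate."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" - ", 1)[0]
        if tag in ("R0", "R1") and " = " in line:
            host = host_of(line.split(" = ", 1)[1])
            if host and host not in ALLOWED_HOSTS:
                findings.append(Finding(tag, f"browser setting points at {host}", line))
        elif tag == "O15":
            # HJT only lists zones the user (or something else) added; each one needs a reason.
            findings.append(Finding(tag, "site added to Trusted Zone", line))
        elif tag == "O20" and "Winlogon Notify" in line:
            findings.append(Finding(tag, "Winlogon Notify DLL loads at every logon", line))
        elif tag in ("O2", "O4") or re.match(r"^[a-zA-Z]:\\", line):
            path = binary_path(line)
            if path and SUSPECT_DIRS.match(path):
                section = tag if tag in ("O2", "O4") else "PROC"
                findings.append(Finding(section, "binary in Windows root or TEMP", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Heuristics like the Windows-root check produce review items, not verdicts; a known exception (the helper leaves SOUNDMAN.EXE alone, for instance) still needs a human to clear it.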
-
Thanks for that guide.
It would appear that it is gone. I couldn't delete this file though (in safe mode):
C:\WINDOWS\SYSTEM32\winowl32.dll
It just said access denied!
Here is my latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:17:58, on 18/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com - Attack of the mighty Ben!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145097808062
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
thanks very much
From Ben
-
Looks much better, except that one file.
Let's try this and see if Spysweeper knocks it down:
Please download WebRoot SpySweeper from HERE (It's a 14-day trial):
* Click Download Now to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply along with a fresh HJT log.
-
Hi again, sorry it took so long.
Thanks from Ben
Logfile of HijackThis v1.99.1
Scan saved at 20:30:32, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\tunebite\tunebite.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com - Attack of the mighty Ben!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145097808062
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-
Did you run Spysweeper? If you did, did you save the log? If not, please run it again, from safe mode this time; that file is still there.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press enter.
Now run Spysweeper and post the log it makes. Thanks.
-
Sorry that it's taken so long for me to reply; here is my latest HJT file and 2 Spysweeper files.
Logfile of HijackThis v1.99.1
Scan saved at 18:18:13, on 29/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\TEMP\win8A9.tmp.exe
C:\WINDOWS\TEMP\win8AC.tmp.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Hijack This\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.evesham.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com - Attack of the mighty Ben!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145097808062
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
spysweeper file 1
********
17:24: | Start of Session, 29 April 2006 |
17:24: Spy Sweeper started
17:24: Sweep initiated using definitions version 668
17:24: Found Adware: coolwebsearch (cws)
17:24: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\inprocserver32\ (2 subtraces) (ID = 1183061)
17:24: winres.dll (ID = 1183061)
17:24: Starting Memory Sweep
17:24: Detected running threat: C:\WINDOWS\winres.dll (ID = 282896)
17:26: Found Trojan Horse: trojan-downloader-aux
17:26: Detected running threat: C:\WINDOWS\Temp\win57.tmp.exe (ID = 280087)
17:27: Memory Sweep Complete, Elapsed Time: 00:02:18
17:27: Starting Registry Sweep
17:27: Found Adware: apropos
17:27: HKLM\software\envolo\ (9 subtraces) (ID = 103775)
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\autoupdate\ (1 subtraces) (ID = 103819)
17:27: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (11 subtraces) (ID = 107171)
17:27: HKLM\software\classes\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (11 subtraces) (ID = 108560)
17:27: HKLM\software\classes\typelib\{344ee577-2027-4714-82ff-0d7538488547}\ (9 subtraces) (ID = 109797)
17:27: HKLM\software\classes\winres.windowsresources.1\ (3 subtraces) (ID = 109808)
17:27: HKLM\software\classes\winres.windowsresources\ (5 subtraces) (ID = 109809)
17:27: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (1 subtraces) (ID = 111216)
17:27: HKCR\typelib\{344ee577-2027-4714-82ff-0d7538488547}\ (9 subtraces) (ID = 112503)
17:27: HKCR\winres.windowsresources.1\ (3 subtraces) (ID = 112518)
17:27: HKCR\winres.windowsresources\ (5 subtraces) (ID = 112519)
17:27: Found Adware: ist software
17:27: HKCR\clsid\{5f1abcdb-a875-46c1-8345-b72a4567e486}\ (2 subtraces) (ID = 127191)
17:27: Found Adware: internetoptimizer
17:27: HKLM\software\avenue media\ (18 subtraces) (ID = 128888)
17:27: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\internet optimizer\ (2 subtraces) (ID = 128921)
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\kapabout\ (2 subtraces) (ID = 128924)
17:27: HKLM\software\policies\avenue media\ (ID = 128929)
17:27: Found Adware: ist istbar
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\istbaristbar\ (ID = 129182)
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\dyfuca\ (ID = 135214)
17:27: Found Adware: ist powerscan
17:27: HKLM\software\powerscan\ (1 subtraces) (ID = 136824)
17:27: Found Adware: ist sidefind
17:27: HKCR\clsid\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (2 subtraces) (ID = 141763)
17:27: HKCR\interface\{339d8aff-0b42-4260-ad82-78ce605a9543}\ (8 subtraces) (ID = 141765)
17:27: HKCR\interface\{a36a5936-cfd9-4b41-86bd-319a1931887f}\ (8 subtraces) (ID = 141766)
17:27: HKLM\software\classes\clsid\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (2 subtraces) (ID = 141770)
17:27: HKLM\software\classes\interface\{339d8aff-0b42-4260-ad82-78ce605a9543}\ (8 subtraces) (ID = 141772)
17:27: HKLM\software\classes\interface\{a36a5936-cfd9-4b41-86bd-319a1931887f}\ (8 subtraces) (ID = 141773)
17:27: HKLM\software\classes\typelib\{58634367-d62b-4c2c-86be-5aac45cdb671}\ (9 subtraces) (ID = 141775)
17:27: HKLM\software\classes\typelib\{d0288a41-9855-4a9b-8316-babe243648da}\ (9 subtraces) (ID = 141776)
17:27: HKLM\software\microsoft\sidefind\ (2 subtraces) (ID = 141780)
17:27: HKCR\typelib\{58634367-d62b-4c2c-86be-5aac45cdb671}\ (9 subtraces) (ID = 141784)
17:27: HKCR\typelib\{d0288a41-9855-4a9b-8316-babe243648da}\ (9 subtraces) (ID = 141785)
17:27: HKLM\software\classes\clsid\{5f1abcdb-a875-46c1-8345-b72a4567e486}\ (2 subtraces) (ID = 141834)
17:27: Found Adware: targetsoft
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
17:27: Found Adware: targetsaver
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
17:27: HKLM\software\avenue media\internet optimizer\ (17 subtraces) (ID = 394594)
17:27: Found Trojan Horse: trojan agent winlogonhook
17:27: HKLM\software\microsoft\mssmgr\ (14 subtraces) (ID = 937101)
17:27: Found Adware: prosearch.com hijack
17:27: HKLM\software\microsoft\internet explorer\main\ || search page_bak (ID = 1250789)
17:27: Found Adware: cws-aboutblank
17:27: HKU\S-1-5-21-1901535262-2597964862-3539572679-1010\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
17:27: HKU\S-1-5-21-1901535262-2597964862-3539572679-1010\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\avenue media\ (ID = 128887)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\ist\ (4 subtraces) (ID = 129108)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\istbar\ (ID = 129109)
17:27: Found Adware: 180search assistant/zango
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\saap\ (3 subtraces) (ID = 135784)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\sais\ (16 subtraces) (ID = 135790)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\avenue media\ (ID = 128887)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\ist\ (1 subtraces) (ID = 129108)
17:27: Found Adware: prosearching hijacker
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search page (ID = 134071)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\sais\ (12 subtraces) (ID = 135790)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
17:27: Found Adware: 2020search hijack
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search bar (ID = 1192307)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\search\ || searchassistant (ID = 1192311)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\main\ || search page (ID = 134071)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\main\ || search bar (ID = 1192307)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\search\ || searchassistant (ID = 1192311)
17:27: Registry Sweep Complete, Elapsed Time:00:00:11
17:27: Starting Cookie Sweep
17:27: Found Spy Cookie: 2o7.net cookie
17:27: benjamin@2o7[2].txt (ID = 1957)
17:27: benjamin@partygaming.122.2o7[1].txt (ID = 1958)
17:27: Found Spy Cookie: partypoker cookie
17:27: benjamin@partypoker[1].txt (ID = 3111)
17:27: Found Spy Cookie: server.iad.liveperson cookie
17:27: benjamin@server.iad.liveperson[2].txt (ID = 3341)
17:27: Found Spy Cookie: sandboxer cookie
17:27: joshua@0[1].txt (ID = 3282)
17:27: joshua@0[2].txt (ID = 3282)
17:27: joshua@0[4].txt (ID = 3282)
17:27: joshua@122.2o7[1].txt (ID = 1958)
17:27: Found Spy Cookie: 247realmedia cookie
17:27: joshua@247realmedia[2].txt (ID = 1953)
17:27: joshua@2o7[1].txt (ID = 1957)
17:27: Found Spy Cookie: 888 cookie
17:27: joshua@888[1].txt (ID = 2019)
17:27: Found Spy Cookie: websponsors cookie
17:27: joshua@a.websponsors[2].txt (ID = 3665)
17:27: Found Spy Cookie: about cookie
17:27: joshua@about[1].txt (ID = 2037)
17:27: Found Spy Cookie: ad-rotator cookie
17:27: joshua@ad-rotator[1].txt (ID = 2051)
17:27: Found Spy Cookie: yieldmanager cookie
17:27: joshua@ad.yieldmanager[2].txt (ID = 3751)
17:27: Found Spy Cookie: adrevolver cookie
17:27: joshua@adrevolver[1].txt (ID = 2088)
17:27: joshua@adrevolver[3].txt (ID = 2088)
17:27: Found Spy Cookie: pointroll cookie
17:27: joshua@ads.pointroll[1].txt (ID = 3148)
17:27: Found Spy Cookie: bpath cookie
17:27: joshua@ads18.bpath[1].txt (ID = 2321)
17:27: Found Spy Cookie: adreactor cookie
17:27: joshua@adserver.adreactor[1].txt (ID = 2087)
17:27: Found Spy Cookie: adtech cookie
17:27: joshua@adtech[1].txt (ID = 2155)
17:27: Found Spy Cookie: advertising cookie
17:27: joshua@advertising[2].txt (ID = 2175)
17:27: Found Spy Cookie: adviva cookie
17:27: joshua@adviva[2].txt (ID = 2177)
17:27: Found Spy Cookie: apmebf cookie
17:27: joshua@apmebf[1].txt (ID = 2229)
17:27: Found Spy Cookie: falkag cookie
17:27: joshua@as-eu.falkag[2].txt (ID = 2650)
17:27: joshua@as-us.falkag[2].txt (ID = 2650)
17:27: joshua@as1.falkag[1].txt (ID = 2650)
17:27: Found Spy Cookie: ask cookie
17:27: joshua@ask[1].txt (ID = 2245)
17:27: Found Spy Cookie: atlas dmt cookie
17:27: joshua@atdmt[2].txt (ID = 2253)
17:27: Found Spy Cookie: atwola cookie
17:27: joshua@atwola[2].txt (ID = 2255)
17:27: Found Spy Cookie: a cookie
17:27: joshua@a[2].txt (ID = 2027)
17:27: Found Spy Cookie: belnk cookie
17:27: joshua@belnk[1].txt (ID = 2292)
17:27: Found Spy Cookie: bluestreak cookie
17:27: joshua@bluestreak[2].txt (ID = 2314)
17:27: Found Spy Cookie: bravenet cookie
17:27: joshua@bravenet[1].txt (ID = 2322)
17:27: Found Spy Cookie: bs.serving-sys cookie
17:27: joshua@bs.serving-sys[1].txt (ID = 2330)
17:27: Found Spy Cookie: touchclarity cookie
17:27: joshua@btow.touchclarity[1].txt (ID = 3566)
17:27: Found Spy Cookie: burstnet cookie
17:27: joshua@burstnet[1].txt (ID = 2336)
17:27: Found Spy Cookie: casalemedia cookie
17:27: joshua@casalemedia[1].txt (ID = 2354)
17:27: Found Spy Cookie: cassava cookie
17:27: joshua@cassava[1].txt (ID = 2362)
17:27: Found Spy Cookie: overture cookie
17:27: joshua@data4.perf.overture[1].txt (ID = 3106)
17:27: Found Spy Cookie: did-it cookie
17:27: joshua@did-it[1].txt (ID = 2523)
17:27: joshua@dist.belnk[2].txt (ID = 2293)
17:27: Found Spy Cookie: adbureau cookie
17:27: joshua@etype.adbureau[1].txt (ID = 2060)
17:27: joshua@europeanhistory.about[1].txt (ID = 2038)
17:27: Found Spy Cookie: fastclick cookie
17:27: joshua@fastclick[1].txt (ID = 2651)
17:27: joshua@ford.touchclarity[1].txt (ID = 3566)
17:27: joshua@freebies.about[1].txt (ID = 2038)
17:27: Found Spy Cookie: go.com cookie
17:27: joshua@go[1].txt (ID = 2728)
17:27: Found Spy Cookie: tripod cookie
17:27: joshua@htmlgear.tripod[1].txt (ID = 3592)
17:27: Found Spy Cookie: infospace cookie
17:27: joshua@infospace[1].txt (ID = 2865)
17:27: Found Spy Cookie: netster cookie
17:27: joshua@lb1.netster[1].txt (ID = 3072)
17:27: Found Spy Cookie: mediaplex cookie
17:27: joshua@mediaplex[1].txt (ID = 6442)
17:27: joshua@msn.touchclarity[1].txt (ID = 3566)
17:27: joshua@msnportal.112.2o7[1].txt (ID = 1958)
17:27: Found Spy Cookie: netvenda cookie
17:27: joshua@netvenda[1].txt (ID = 3073)
17:27: Found Spy Cookie: offeroptimizer cookie
17:27: joshua@offeroptimizer[2].txt (ID = 3087)
17:27: joshua@overture[2].txt (ID = 3105)
17:27: joshua@perf.overture[1].txt (ID = 3106)
17:27: Found Spy Cookie: pokerroom cookie
17:27: joshua@pokerroom[1].txt (ID = 3149)
17:27: Found Spy Cookie: prosearching cookie
17:27: joshua@prosearching[1].txt (ID = 3201)
17:27: joshua@psa.touchclarity[1].txt (ID = 3566)
17:27: Found Spy Cookie: qksrv cookie
17:27: joshua@qksrv[1].txt (ID = 3213)
17:27: Found Spy Cookie: questionmarket cookie
17:27: joshua@questionmarket[1].txt (ID = 3217)
17:27: Found Spy Cookie: realmedia cookie
17:27: joshua@realmedia[2].txt (ID = 3235)
17:27: Found Spy Cookie: revenue.net cookie
17:27: joshua@revenue[2].txt (ID = 3257)
17:27: joshua@sel.as-eu.falkag[1].txt (ID = 2650)
17:27: joshua@sel.as-us.falkag[2].txt (ID = 2650)
17:27: joshua@server.iad.liveperson[1].txt (ID = 3341)
17:27: Found Spy Cookie: serving-sys cookie
17:27: joshua@serving-sys[1].txt (ID = 3343)
17:27: Found Spy Cookie: servlet cookie
17:27: joshua@servlet[1].txt (ID = 3345)
17:27: Found Spy Cookie: spylog cookie
17:27: joshua@spylog[1].txt (ID = 3415)
17:27: Found Spy Cookie: onestat.com cookie
17:27: joshua@stat.onestat[2].txt (ID = 3098)
17:27: Found Spy Cookie: statcounter cookie
17:27: joshua@statcounter[1].txt (ID = 3447)
17:27: Found Spy Cookie: webtrendslive cookie
17:27: joshua@statse.webtrendslive[2].txt (ID = 3667)
17:27: Found Spy Cookie: tacoda cookie
17:27: joshua@tacoda[2].txt (ID = 6444)
17:27: Found Spy Cookie: tickle cookie
17:27: joshua@tickle[1].txt (ID = 3529)
17:27: Found Spy Cookie: tradedoubler cookie
17:27: joshua@tradedoubler[2].txt (ID = 3575)
17:27: Found Spy Cookie: tribalfusion cookie
17:27: joshua@tribalfusion[2].txt (ID = 3589)
17:27: joshua@tripod[1].txt (ID = 3591)
17:27: joshua@vodafone.122.2o7[1].txt (ID = 1958)
17:27: joshua@www.888[1].txt (ID = 2020)
17:27: Found Spy Cookie: affiliatefuel.com cookie
17:27: joshua@www.affiliatefuel[1].txt (ID = 2202)
17:27: Found Spy Cookie: angelfire cookie
17:27: joshua@www.angelfire[1].txt (ID = 2222)
17:27: joshua@www.netvenda[2].txt (ID = 3074)
17:27: Found Spy Cookie: sidefind cookie
17:27: joshua@www.sidefind[2].txt (ID = 3374)
17:27: Found Spy Cookie: yadro cookie
17:27: joshua@yadro[1].txt (ID = 3743)
17:27: Found Spy Cookie: adserver cookie
17:27: joshua@z1.adserver[1].txt (ID = 2142)
17:27: mandy@112.2o7[1].txt (ID = 1958)
17:27: mandy@247realmedia[1].txt (ID = 1953)
17:27: mandy@2o7[2].txt (ID = 1957)
17:27: mandy@about[1].txt (ID = 2037)
17:27: mandy@adtech[2].txt (ID = 2155)
17:27: mandy@advertising[2].txt (ID = 2175)
17:27: mandy@adviva[1].txt (ID = 2177)
17:27: Found Spy Cookie: anm.co.uk cookie
17:27: mandy@anm.co[2].txt (ID = 2223)
17:27: mandy@apmebf[2].txt (ID = 2229)
17:27: mandy@as-eu.falkag[1].txt (ID = 2650)
17:27: mandy@as-us.falkag[1].txt (ID = 2650)
17:27: mandy@as1.falkag[2].txt (ID = 2650)
17:27: mandy@ask[1].txt (ID = 2245)
17:27: mandy@atdmt[2].txt (ID = 2253)
17:27: mandy@atwola[1].txt (ID = 2255)
17:27: mandy@a[1].txt (ID = 2027)
17:27: mandy@belnk[1].txt (ID = 2292)
17:27: mandy@bluestreak[1].txt (ID = 2314)
17:27: mandy@burstnet[2].txt (ID = 2336)
17:27: mandy@casalemedia[1].txt (ID = 2354)
17:27: Found Spy Cookie: commission junction cookie
17:27: mandy@commission-junction[2].txt (ID = 2455)
17:27: Found Spy Cookie: hitslink cookie
17:27: mandy@counter.hitslink[1].txt (ID = 2790)
17:27: mandy@counter2.hitslink[2].txt (ID = 2790)
17:27: mandy@did-it[2].txt (ID = 2523)
17:27: mandy@dist.belnk[2].txt (ID = 2293)
17:27: mandy@easyjet.touchclarity[1].txt (ID = 3566)
17:27: Found Spy Cookie: ru4 cookie
17:27: mandy@edge.ru4[1].txt (ID = 3269)
17:27: mandy@etype.adbureau[2].txt (ID = 2060)
17:27: mandy@fastclick[2].txt (ID = 2651)
17:27: Found Spy Cookie: firstchoice cookie
17:27: mandy@firstchoice[1].txt (ID = 2678)
17:27: Found Spy Cookie: humanclick cookie
17:27: mandy@hc2.humanclick[1].txt (ID = 2810)
17:27: Found Spy Cookie: maxserving cookie
17:27: mandy@maxserving[1].txt (ID = 2966)
17:27: mandy@media.fastclick[1].txt (ID = 2652)
17:27: mandy@mediaplex[1].txt (ID = 6442)
17:27: mandy@msnportal.112.2o7[1].txt (ID = 1958)
17:27: mandy@netvenda[1].txt (ID = 3073)
17:27: mandy@overture[2].txt (ID = 3105)
17:27: mandy@pediatrics.about[1].txt (ID = 2038)
17:27: Found Spy Cookie: pro-market cookie
17:27: mandy@pro-market[1].txt (ID = 3197)
17:27: mandy@questionmarket[1].txt (ID = 3217)
17:27: mandy@sel.as-eu.falkag[2].txt (ID = 2650)
17:27: mandy@sel.as-us.falkag[1].txt (ID = 2650)
17:27: mandy@server.iad.liveperson[1].txt (ID = 3341)
17:27: mandy@statcounter[2].txt (ID = 3447)
17:27: mandy@statse.webtrendslive[1].txt (ID = 3667)
17:27: mandy@tacoda[1].txt (ID = 6444)
17:27: mandy@tradedoubler[2].txt (ID = 3575)
17:27: mandy@web.uk.ask[1].txt (ID = 2246)
17:27: mandy@www.netvenda[1].txt (ID = 3074)
17:27: Found Spy Cookie: xiti cookie
17:27: mandy@xiti[1].txt (ID = 3717)
17:27: martin@122.2o7[1].txt (ID = 1958)
17:27: martin@247realmedia[1].txt (ID = 1953)
17:27: martin@2o7[2].txt (ID = 1957)
17:27: martin@ad.yieldmanager[2].txt (ID = 3751)
17:27: martin@adrevolver[2].txt (ID = 2088)
17:27: martin@adrevolver[3].txt (ID = 2088)
17:27: martin@ads.pointroll[2].txt (ID = 3148)
17:27: martin@adtech[2].txt (ID = 2155)
17:27: martin@advertising[1].txt (ID = 2175)
17:27: martin@adviva[2].txt (ID = 2177)
17:27: martin@apmebf[1].txt (ID = 2229)
17:27: martin@as1.falkag[2].txt (ID = 2650)
17:27: martin@atdmt[2].txt (ID = 2253)
17:27: martin@atwola[1].txt (ID = 2255)
17:27: martin@a[1].txt (ID = 2027)
17:27: martin@bbcww.adbureau[2].txt (ID = 2060)
17:27: martin@belnk[1].txt (ID = 2292)
17:27: martin@bluestreak[1].txt (ID = 2314)
17:27: martin@bravenet[1].txt (ID = 2322)
17:27: martin@btow.touchclarity[1].txt (ID = 3566)
17:27: martin@burstnet[2].txt (ID = 2336)
17:27: Found Spy Cookie: zedo cookie
17:27: martin@c5.zedo[2].txt (ID = 3763)
17:27: martin@casalemedia[1].txt (ID = 2354)
17:27: Found Spy Cookie: centrport net cookie
17:27: martin@centrport[1].txt (ID = 2374)
17:27: martin@cnn.122.2o7[1].txt (ID = 1958)
17:27: martin@counter2.hitslink[2].txt (ID = 2790)
17:27: Found Spy Cookie: customer cookie
17:27: martin@customer[1].txt (ID = 2481)
17:27: martin@dist.belnk[2].txt (ID = 2293)
17:27: martin@fastclick[2].txt (ID = 2651)
17:27: martin@ford.touchclarity[1].txt (ID = 3566)
17:27: Found Spy Cookie: ic-live cookie
17:27: martin@ic-live[1].txt (ID = 2821)
17:27: Found Spy Cookie: l2m.net cookie
17:27: martin@l2m[1].txt (ID = 2913)
17:27: Found Spy Cookie: webtrends cookie
17:27: martin@m.webtrends[1].txt (ID = 3669)
17:27: martin@maxserving[2].txt (ID = 2966)
17:27: martin@mediaplex[1].txt (ID = 6442)
17:27: martin@microsofteup.112.2o7[1].txt (ID = 1958)
17:27: Found Spy Cookie: nextag cookie
17:27: martin@nextag[2].txt (ID = 5014)
17:27: martin@overture[1].txt (ID = 3105)
17:27: martin@qksrv[1].txt (ID = 3213)
17:27: martin@questionmarket[1].txt (ID = 3217)
17:27: martin@realmedia[2].txt (ID = 3235)
17:27: martin@server.iad.liveperson[1].txt (ID = 3341)
17:27: martin@serving-sys[2].txt (ID = 3343)
17:27: martin@statse.webtrendslive[1].txt (ID = 3667)
17:27: martin@tacoda[1].txt (ID = 6444)
17:27: Found Spy Cookie: targetnet cookie
17:27: martin@targetnet[1].txt (ID = 3489)
17:27: martin@tickle[2].txt (ID = 3529)
17:27: martin@tradedoubler[2].txt (ID = 3575)
17:27: Found Spy Cookie: trafficmp cookie
17:27: martin@trafficmp[2].txt (ID = 3581)
17:27: martin@tribalfusion[1].txt (ID = 3589)
17:27: martin@xiti[1].txt (ID = 3717)
17:27: martin@zedo[2].txt (ID = 3762)
17:27: Cookie Sweep Complete, Elapsed Time: 00:00:06
17:27: Starting File Sweep
17:27: c:\program files\autoupdate (1 subtraces) (ID = -2147481419)
17:27: c:\documents and settings\joshua\local settings\temp\atf (ID = -2147481416)
17:27: c:\documents and settings\mandy\local settings\temp\atf (ID = -2147481416)
17:27: backup-20060418-095958-425.dll (ID = 282896)
17:28: srvlqg[1].exe (ID = 280087)
17:28: srvpmn[1].exe (ID = 280087)
17:28: srvtxg[1].exe (ID = 280087)
17:30: srvlbin5[1].exe (ID = 280087)
17:30: wina33.tmp.exe (ID = 280087)
17:30: winres.dll (ID = 282896)
17:33: srvzci[1].exe (ID = 280087)
17:33: srvpzu[1].exe (ID = 280087)
17:34: srvuof[1].exe (ID = 280087)
17:35: Found Trojan Horse: trojan-downloader-errlook
17:35: wizp32[1].exe (ID = 283245)
17:36: wina38.tmp.exe (ID = 283245)
17:37: Found Trojan Horse: trojan_backdoor_retro64
17:37: backup-20060415-121813-437.dll (ID = 81258)
17:39: srvetb[1].exe (ID = 280087)
17:40: wind0.tmp.exe (ID = 280087)
17:40: wind6.tmp.exe (ID = 282640)
17:41: win15.tmp.exe (ID = 280087)
17:41: win2e4.tmp.exe (ID = 280087)
17:41: win57.tmp.exe (ID = 280087)
17:41: win6e.tmp.exe (ID = 280087)
17:41: wina3.tmp.exe (ID = 280087)
17:41: File Sweep Complete, Elapsed Time: 00:14:22
17:41: Full Sweep has completed. Elapsed time 00:17:03
17:41: Traces Found: 522
17:45: Removal process initiated
17:45: Quarantining All Traces: 180search assistant/zango
17:45: Quarantining All Traces: cws-aboutblank
17:45: Quarantining All Traces: ist istbar
17:45: Quarantining All Traces: apropos
17:45: Quarantining All Traces: coolwebsearch (cws)
17:45: coolwebsearch (cws) is in use. It will be removed on reboot.
17:45: winres.dll is in use. It will be removed on reboot.
17:45: winres.dll is in use. It will be removed on reboot.
17:45: Quarantining All Traces: internetoptimizer
17:45: Quarantining All Traces: trojan agent winlogonhook
17:45: Quarantining All Traces: trojan_backdoor_retro64
17:45: Quarantining All Traces: trojan-downloader-aux
17:45: trojan-downloader-aux is in use. It will be removed on reboot.
17:45: win57.tmp.exe is in use. It will be removed on reboot.
17:45: win6e.tmp.exe is in use. It will be removed on reboot.
17:45: Quarantining All Traces: trojan-downloader-errlook
17:45: Quarantining All Traces: 2020search hijack
17:45: Quarantining All Traces: ist powerscan
17:45: Quarantining All Traces: ist sidefind
17:45: Quarantining All Traces: ist software
17:45: Quarantining All Traces: prosearch.com hijack
17:45: Quarantining All Traces: prosearching hijacker
17:45: Quarantining All Traces: targetsaver
17:45: Quarantining All Traces: targetsoft
17:45: Quarantining All Traces: 247realmedia cookie
17:45: Quarantining All Traces: 2o7.net cookie
17:45: Quarantining All Traces: 888 cookie
17:45: Quarantining All Traces: a cookie
17:45: Quarantining All Traces: about cookie
17:45: Quarantining All Traces: adbureau cookie
17:45: Quarantining All Traces: adreactor cookie
17:45: Quarantining All Traces: adrevolver cookie
17:45: Quarantining All Traces: ad-rotator cookie
17:46: Quarantining All Traces: adserver cookie
17:46: Quarantining All Traces: adtech cookie
17:46: Quarantining All Traces: advertising cookie
17:46: Quarantining All Traces: adviva cookie
17:46: Quarantining All Traces: affiliatefuel.com cookie
17:46: Quarantining All Traces: angelfire cookie
17:46: Quarantining All Traces: anm.co.uk cookie
17:46: Quarantining All Traces: apmebf cookie
17:46: Quarantining All Traces: ask cookie
17:46: Quarantining All Traces: atlas dmt cookie
17:46: Quarantining All Traces: atwola cookie
17:46: Quarantining All Traces: belnk cookie
17:46: Quarantining All Traces: bluestreak cookie
17:46: Quarantining All Traces: bpath cookie
17:46: Quarantining All Traces: bravenet cookie
17:46: Quarantining All Traces: bs.serving-sys cookie
17:46: Quarantining All Traces: burstnet cookie
17:46: Quarantining All Traces: casalemedia cookie
17:46: Quarantining All Traces: cassava cookie
17:46: Quarantining All Traces: centrport net cookie
17:46: Quarantining All Traces: commission junction cookie
17:46: Quarantining All Traces: customer cookie
17:46: Quarantining All Traces: did-it cookie
17:46: Quarantining All Traces: falkag cookie
17:46: Quarantining All Traces: fastclick cookie
17:46: Quarantining All Traces: firstchoice cookie
17:46: Quarantining All Traces: go.com cookie
17:46: Quarantining All Traces: hitslink cookie
17:46: Quarantining All Traces: humanclick cookie
17:46: Quarantining All Traces: ic-live cookie
17:46: Quarantining All Traces: infospace cookie
17:46: Quarantining All Traces: l2m.net cookie
17:46: Quarantining All Traces: maxserving cookie
17:46: Quarantining All Traces: mediaplex cookie
17:46: Quarantining All Traces: netster cookie
17:46: Quarantining All Traces: netvenda cookie
17:46: Quarantining All Traces: nextag cookie
17:46: Quarantining All Traces: offeroptimizer cookie
17:46: Quarantining All Traces: onestat.com cookie
17:46: Quarantining All Traces: overture cookie
17:46: Quarantining All Traces: partypoker cookie
17:46: Quarantining All Traces: pointroll cookie
17:46: Quarantining All Traces: pokerroom cookie
17:46: Quarantining All Traces: pro-market cookie
17:46: Quarantining All Traces: prosearching cookie
17:46: Quarantining All Traces: qksrv cookie
17:46: Quarantining All Traces: questionmarket cookie
17:46: Quarantining All Traces: realmedia cookie
17:46: Quarantining All Traces: revenue.net cookie
17:46: Quarantining All Traces: ru4 cookie
17:46: Quarantining All Traces: sandboxer cookie
17:46: Quarantining All Traces: server.iad.liveperson cookie
17:46: Quarantining All Traces: serving-sys cookie
17:46: Quarantining All Traces: servlet cookie
17:46: Quarantining All Traces: sidefind cookie
17:46: Quarantining All Traces: spylog cookie
17:46: Quarantining All Traces: statcounter cookie
17:46: Quarantining All Traces: tacoda cookie
17:46: Quarantining All Traces: targetnet cookie
17:46: Quarantining All Traces: tickle cookie
17:46: Quarantining All Traces: touchclarity cookie
17:46: Quarantining All Traces: tradedoubler cookie
17:46: Quarantining All Traces: trafficmp cookie
17:46: Quarantining All Traces: tribalfusion cookie
17:46: Quarantining All Traces: tripod cookie
17:46: Quarantining All Traces: websponsors cookie
17:46: Quarantining All Traces: webtrends cookie
17:46: Quarantining All Traces: webtrendslive cookie
17:46: Quarantining All Traces: xiti cookie
17:46: Quarantining All Traces: yadro cookie
17:46: Quarantining All Traces: yieldmanager cookie
17:46: Quarantining All Traces: zedo cookie
17:46: Preparing to restart your computer. Please wait...
17:46: Removal process completed. Elapsed time 00:01:23
********
17:22: | Start of Session, 29 April 2006 |
17:22: Spy Sweeper started
17:22: Sweep initiated using definitions version 668
17:22: Found Adware: coolwebsearch (cws)
17:22: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\inprocserver32\ (2 subtraces) (ID = 1183061)
17:22: winres.dll (ID = 1183061)
17:22: Starting Memory Sweep
17:22: Detected running threat: C:\WINDOWS\winres.dll (ID = 282896)
17:24: Sweep Canceled
17:24: Memory Sweep Complete, Elapsed Time: 00:02:17
17:24: Traces Found: 5
17:24: | End of Session, 29 April 2006 |
********
17:20: | Start of Session, 29 April 2006 |
17:20: Spy Sweeper started
17: Your spyware definitions have been updated.
17:22: | End of Session, 29 April 2006 |
spysweeper file 2
********
17:52: | Start of Session, 29 April 2006 |
17:52: Spy Sweeper started
17:52: Sweep initiated using definitions version 668
17:52: Starting Memory Sweep
17:53: Found Trojan Horse: trojan-downloader-aux
17:53: Detected running threat: C:\WINDOWS\Temp\win8B9.tmp.exe (ID = 282640)
17:54: Detected running threat: C:\WINDOWS\Temp\win8BF.tmp.exe (ID = 280087)
17:55: Memory Sweep Complete, Elapsed Time: 00:03:21
17:55: Starting Registry Sweep
17:55: Found Adware: coolwebsearch (cws)
17:55: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (10 subtraces) (ID = 107171)
17:55: HKLM\software\classes\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (10 subtraces) (ID = 108560)
17:55: HKLM\software\classes\winres.windowsresources.1\ (3 subtraces) (ID = 109808)
17:55: HKLM\software\classes\winres.windowsresources\ (5 subtraces) (ID = 109809)
17:55: HKCR\winres.windowsresources.1\ (3 subtraces) (ID = 112518)
17:55: HKCR\winres.windowsresources\ (5 subtraces) (ID = 112519)
17: Found Trojan Horse: trojan agent winlogonhook
17: HKLM\software\microsoft\mssmgr\ (13 subtraces) (ID = 937101)
17: Registry Sweep Complete, Elapsed Time:00:00:11
17: Starting Cookie Sweep
17: Found Spy Cookie: a cookie
17: benjamin@a[1].txt (ID = 2027)
17: Found Spy Cookie: 2o7.net cookie
17: benjamin@msnportal.112.2o7[1].txt (ID = 1958)
17: Cookie Sweep Complete, Elapsed Time: 00:00:04
17: Starting File Sweep
18:04: mulbin1[1].exe (ID = 282640)
18:04: win8b9.tmp.exe (ID = 282640)
18:06: srvlbin5[1].exe (ID = 280087)
18:06: win8bf.tmp.exe (ID = 280087)
18:06: Found Trojan Horse: trojan-downloader-errlook
18:06: wizp32[1].exe (ID = 283245)
18:06: win8c7.tmp.exe (ID = 283245)
18:09: winres.dll (ID = 282896)
18:10: File Sweep Complete, Elapsed Time: 00:14:37
18:10: Full Sweep has completed. Elapsed time 00:18:16
18:10: Traces Found: 67
18:11: Removal process initiated
18:11: Quarantining All Traces: coolwebsearch (cws)
18:11: Quarantining All Traces: trojan agent winlogonhook
18:11: Quarantining All Traces: trojan-downloader-aux
18:11: trojan-downloader-aux is in use. It will be removed on reboot.
18:11: win8b9.tmp.exe is in use. It will be removed on reboot.
18:11: win8bf.tmp.exe is in use. It will be removed on reboot.
18:11: Quarantining All Traces: trojan-downloader-errlook
18:11: Quarantining All Traces: 2o7.net cookie
18:11: Quarantining All Traces: a cookie
18:11: Preparing to restart your computer. Please wait...
18:11: Removal process completed. Elapsed time 00:00:16
********
17:24: | Start of Session, 29 April 2006 |
17:24: Spy Sweeper started
17:24: Sweep initiated using definitions version 668
17:24: Found Adware: coolwebsearch (cws)
17:24: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\inprocserver32\ (2 subtraces) (ID = 1183061)
17:24: winres.dll (ID = 1183061)
17:24: Starting Memory Sweep
17:24: Detected running threat: C:\WINDOWS\winres.dll (ID = 282896)
17:26: Found Trojan Horse: trojan-downloader-aux
17:26: Detected running threat: C:\WINDOWS\Temp\win57.tmp.exe (ID = 280087)
17:27: Memory Sweep Complete, Elapsed Time: 00:02:18
17:27: Starting Registry Sweep
17:27: Found Adware: apropos
17:27: HKLM\software\envolo\ (9 subtraces) (ID = 103775)
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\autoupdate\ (1 subtraces) (ID = 103819)
17:27: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (11 subtraces) (ID = 107171)
17:27: HKLM\software\classes\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (11 subtraces) (ID = 108560)
17:27: HKLM\software\classes\typelib\{344ee577-2027-4714-82ff-0d7538488547}\ (9 subtraces) (ID = 109797)
17:27: HKLM\software\classes\winres.windowsresources.1\ (3 subtraces) (ID = 109808)
17:27: HKLM\software\classes\winres.windowsresources\ (5 subtraces) (ID = 109809)
17:27: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\ (1 subtraces) (ID = 111216)
17:27: HKCR\typelib\{344ee577-2027-4714-82ff-0d7538488547}\ (9 subtraces) (ID = 112503)
17:27: HKCR\winres.windowsresources.1\ (3 subtraces) (ID = 112518)
17:27: HKCR\winres.windowsresources\ (5 subtraces) (ID = 112519)
17:27: Found Adware: ist software
17:27: HKCR\clsid\{5f1abcdb-a875-46c1-8345-b72a4567e486}\ (2 subtraces) (ID = 127191)
17:27: Found Adware: internetoptimizer
17:27: HKLM\software\avenue media\ (18 subtraces) (ID = 128888)
17:27: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\internet optimizer\ (2 subtraces) (ID = 128921)
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\kapabout\ (2 subtraces) (ID = 128924)
17:27: HKLM\software\policies\avenue media\ (ID = 128929)
17:27: Found Adware: ist istbar
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\istbaristbar\ (ID = 129182)
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\dyfuca\ (ID = 135214)
17:27: Found Adware: ist powerscan
17:27: HKLM\software\powerscan\ (1 subtraces) (ID = 136824)
17:27: Found Adware: ist sidefind
17:27: HKCR\clsid\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (2 subtraces) (ID = 141763)
17:27: HKCR\interface\{339d8aff-0b42-4260-ad82-78ce605a9543}\ (8 subtraces) (ID = 141765)
17:27: HKCR\interface\{a36a5936-cfd9-4b41-86bd-319a1931887f}\ (8 subtraces) (ID = 141766)
17:27: HKLM\software\classes\clsid\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (2 subtraces) (ID = 141770)
17:27: HKLM\software\classes\interface\{339d8aff-0b42-4260-ad82-78ce605a9543}\ (8 subtraces) (ID = 141772)
17:27: HKLM\software\classes\interface\{a36a5936-cfd9-4b41-86bd-319a1931887f}\ (8 subtraces) (ID = 141773)
17:27: HKLM\software\classes\typelib\{58634367-d62b-4c2c-86be-5aac45cdb671}\ (9 subtraces) (ID = 141775)
17:27: HKLM\software\classes\typelib\{d0288a41-9855-4a9b-8316-babe243648da}\ (9 subtraces) (ID = 141776)
17:27: HKLM\software\microsoft\sidefind\ (2 subtraces) (ID = 141780)
17:27: HKCR\typelib\{58634367-d62b-4c2c-86be-5aac45cdb671}\ (9 subtraces) (ID = 141784)
17:27: HKCR\typelib\{d0288a41-9855-4a9b-8316-babe243648da}\ (9 subtraces) (ID = 141785)
17:27: HKLM\software\classes\clsid\{5f1abcdb-a875-46c1-8345-b72a4567e486}\ (2 subtraces) (ID = 141834)
17:27: Found Adware: targetsoft
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
17:27: Found Adware: targetsaver
17:27: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
17:27: HKLM\software\avenue media\internet optimizer\ (17 subtraces) (ID = 394594)
17:27: Found Trojan Horse: trojan agent winlogonhook
17:27: HKLM\software\microsoft\mssmgr\ (14 subtraces) (ID = 937101)
17:27: Found Adware: prosearch.com hijack
17:27: HKLM\software\microsoft\internet explorer\main\ || search page_bak (ID = 1250789)
17:27: Found Adware: cws-aboutblank
17:27: HKU\S-1-5-21-1901535262-2597964862-3539572679-1010\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
17:27: HKU\S-1-5-21-1901535262-2597964862-3539572679-1010\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\avenue media\ (ID = 128887)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\ist\ (4 subtraces) (ID = 129108)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\istbar\ (ID = 129109)
17:27: Found Adware: 180search assistant/zango
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\saap\ (3 subtraces) (ID = 135784)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\sais\ (16 subtraces) (ID = 135790)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1008\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\avenue media\ (ID = 128887)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\ist\ (1 subtraces) (ID = 129108)
17:27: Found Adware: prosearching hijacker
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search page (ID = 134071)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\sais\ (12 subtraces) (ID = 135790)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
17:27: Found Adware: 2020search hijack
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search bar (ID = 1192307)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\search\ || searchassistant (ID = 1192311)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\main\ || search page (ID = 134071)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\main\ || search bar (ID = 1192307)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\search\ || searchassistant (ID = 1192311)
17:27: Registry Sweep Complete, Elapsed Time:00:00:11
17:27: Starting Cookie Sweep
17:27: Found Spy Cookie: 2o7.net cookie
17:27: benjamin@2o7[2].txt (ID = 1957)
17:27: benjamin@partygaming.122.2o7[1].txt (ID = 1958)
17:27: Found Spy Cookie: partypoker cookie
17:27: benjamin@partypoker[1].txt (ID = 3111)
17:27: Found Spy Cookie: server.iad.liveperson cookie
17:27: benjamin@server.iad.liveperson[2].txt (ID = 3341)
17:27: Found Spy Cookie: sandboxer cookie
17:27: joshua@0[1].txt (ID = 3282)
17:27: joshua@0[2].txt (ID = 3282)
17:27: joshua@0[4].txt (ID = 3282)
17:27: joshua@122.2o7[1].txt (ID = 1958)
17:27: Found Spy Cookie: 247realmedia cookie
17:27: joshua@247realmedia[2].txt (ID = 1953)
17:27: joshua@2o7[1].txt (ID = 1957)
17:27: Found Spy Cookie: 888 cookie
17:27: joshua@888[1].txt (ID = 2019)
17:27: Found Spy Cookie: websponsors cookie
17:27: joshua@a.websponsors[2].txt (ID = 3665)
17:27: Found Spy Cookie: about cookie
17:27: joshua@about[1].txt (ID = 2037)
17:27: Found Spy Cookie: ad-rotator cookie
17:27: joshua@ad-rotator[1].txt (ID = 2051)
17:27: Found Spy Cookie: yieldmanager cookie
17:27: joshua@ad.yieldmanager[2].txt (ID = 3751)
17:27: Found Spy Cookie: adrevolver cookie
17:27: joshua@adrevolver[1].txt (ID = 2088)
17:27: joshua@adrevolver[3].txt (ID = 2088)
17:27: Found Spy Cookie: pointroll cookie
17:27: joshua@ads.pointroll[1].txt (ID = 3148)
17:27: Found Spy Cookie: bpath cookie
17:27: joshua@ads18.bpath[1].txt (ID = 2321)
17:27: Found Spy Cookie: adreactor cookie
17:27: joshua@adserver.adreactor[1].txt (ID = 2087)
17:27: Found Spy Cookie: adtech cookie
17:27: joshua@adtech[1].txt (ID = 2155)
17:27: Found Spy Cookie: advertising cookie
17:27: joshua@advertising[2].txt (ID = 2175)
17:27: Found Spy Cookie: adviva cookie
17:27: joshua@adviva[2].txt (ID = 2177)
17:27: Found Spy Cookie: apmebf cookie
17:27: joshua@apmebf[1].txt (ID = 2229)
17:27: Found Spy Cookie: falkag cookie
17:27: joshua@as-eu.falkag[2].txt (ID = 2650)
17:27: joshua@as-us.falkag[2].txt (ID = 2650)
17:27: joshua@as1.falkag[1].txt (ID = 2650)
17:27: Found Spy Cookie: ask cookie
17:27: joshua@ask[1].txt (ID = 2245)
17:27: Found Spy Cookie: atlas dmt cookie
17:27: joshua@atdmt[2].txt (ID = 2253)
17:27: Found Spy Cookie: atwola cookie
17:27: joshua@atwola[2].txt (ID = 2255)
17:27: Found Spy Cookie: a cookie
17:27: joshua@a[2].txt (ID = 2027)
17:27: Found Spy Cookie: belnk cookie
17:27: joshua@belnk[1].txt (ID = 2292)
17:27: Found Spy Cookie: bluestreak cookie
17:27: joshua@bluestreak[2].txt (ID = 2314)
17:27: Found Spy Cookie: bravenet cookie
17:27: joshua@bravenet[1].txt (ID = 2322)
17:27: Found Spy Cookie: bs.serving-sys cookie
17:27: joshua@bs.serving-sys[1].txt (ID = 2330)
17:27: Found Spy Cookie: touchclarity cookie
17:27: joshua@btow.touchclarity[1].txt (ID = 3566)
17:27: Found Spy Cookie: burstnet cookie
17:27: joshua@burstnet[1].txt (ID = 2336)
17:27: Found Spy Cookie: casalemedia cookie
17:27: joshua@casalemedia[1].txt (ID = 2354)
17:27: Found Spy Cookie: cassava cookie
17:27: joshua@cassava[1].txt (ID = 2362)
17:27: Found Spy Cookie: overture cookie
17:27: joshua@data4.perf.overture[1].txt (ID = 3106)
17:27: Found Spy Cookie: did-it cookie
17:27: joshua@did-it[1].txt (ID = 2523)
17:27: joshua@dist.belnk[2].txt (ID = 2293)
17:27: Found Spy Cookie: adbureau cookie
17:27: joshua@etype.adbureau[1].txt (ID = 2060)
17:27: joshua@europeanhistory.about[1].txt (ID = 2038)
17:27: Found Spy Cookie: fastclick cookie
17:27: joshua@fastclick[1].txt (ID = 2651)
17:27: joshua@ford.touchclarity[1].txt (ID = 3566)
17:27: joshua@freebies.about[1].txt (ID = 2038)
17:27: Found Spy Cookie: go.com cookie
17:27: joshua@go[1].txt (ID = 2728)
17:27: Found Spy Cookie: tripod cookie
17:27: joshua@htmlgear.tripod[1].txt (ID = 3592)
17:27: Found Spy Cookie: infospace cookie
17:27: joshua@infospace[1].txt (ID = 2865)
17:27: Found Spy Cookie: netster cookie
17:27: joshua@lb1.netster[1].txt (ID = 3072)
17:27: Found Spy Cookie: mediaplex cookie
17:27: joshua@mediaplex[1].txt (ID = 6442)
17:27: joshua@msn.touchclarity[1].txt (ID = 3566)
17:27: joshua@msnportal.112.2o7[1].txt (ID = 1958)
17:27: Found Spy Cookie: netvenda cookie
17:27: joshua@netvenda[1].txt (ID = 3073)
17:27: Found Spy Cookie: offeroptimizer cookie
17:27: joshua@offeroptimizer[2].txt (ID = 3087)
17:27: joshua@overture[2].txt (ID = 3105)
17:27: joshua@perf.overture[1].txt (ID = 3106)
17:27: Found Spy Cookie: pokerroom cookie
17:27: joshua@pokerroom[1].txt (ID = 3149)
17:27: Found Spy Cookie: prosearching cookie
17:27: joshua@prosearching[1].txt (ID = 3201)
17:27: joshua@psa.touchclarity[1].txt (ID = 3566)
17:27: Found Spy Cookie: qksrv cookie
17:27: joshua@qksrv[1].txt (ID = 3213)
17:27: Found Spy Cookie: questionmarket cookie
17:27: joshua@questionmarket[1].txt (ID = 3217)
17:27: Found Spy Cookie: realmedia cookie
17:27: joshua@realmedia[2].txt (ID = 3235)
17:27: Found Spy Cookie: revenue.net cookie
17:27: joshua@revenue[2].txt (ID = 3257)
17:27: joshua@sel.as-eu.falkag[1].txt (ID = 2650)
17:27: joshua@sel.as-us.falkag[2].txt (ID = 2650)
17:27: joshua@server.iad.liveperson[1].txt (ID = 3341)
17:27: Found Spy Cookie: serving-sys cookie
17:27: joshua@serving-sys[1].txt (ID = 3343)
17:27: Found Spy Cookie: servlet cookie
17:27: joshua@servlet[1].txt (ID = 3345)
17:27: Found Spy Cookie: spylog cookie
17:27: joshua@spylog[1].txt (ID = 3415)
17:27: Found Spy Cookie: onestat.com cookie
17:27: joshua@stat.onestat[2].txt (ID = 3098)
17:27: Found Spy Cookie: statcounter cookie
17:27: joshua@statcounter[1].txt (ID = 3447)
17:27: Found Spy Cookie: webtrendslive cookie
17:27: joshua@statse.webtrendslive[2].txt (ID = 3667)
17:27: Found Spy Cookie: tacoda cookie
17:27: joshua@tacoda[2].txt (ID = 6444)
17:27: Found Spy Cookie: tickle cookie
17:27: joshua@tickle[1].txt (ID = 3529)
17:27: Found Spy Cookie: tradedoubler cookie
17:27: joshua@tradedoubler[2].txt (ID = 3575)
17:27: Found Spy Cookie: tribalfusion cookie
17:27: joshua@tribalfusion[2].txt (ID = 3589)
17:27: joshua@tripod[1].txt (ID = 3591)
17:27: joshua@vodafone.122.2o7[1].txt (ID = 1958)
17:27: joshua@www.888[1].txt (ID = 2020)
17:27: Found Spy Cookie: affiliatefuel.com cookie
17:27: joshua@www.affiliatefuel[1].txt (ID = 2202)
17:27: Found Spy Cookie: angelfire cookie
17:27: joshua@www.angelfire[1].txt (ID = 2222)
17:27: joshua@www.netvenda[2].txt (ID = 3074)
17:27: Found Spy Cookie: sidefind cookie
17:27: joshua@www.sidefind[2].txt (ID = 3374)
17:27: Found Spy Cookie: yadro cookie
17:27: joshua@yadro[1].txt (ID = 3743)
17:27: Found Spy Cookie: adserver cookie
17:27: joshua@z1.adserver[1].txt (ID = 2142)
17:27: mandy@112.2o7[1].txt (ID = 1958)
17:27: mandy@247realmedia[1].txt (ID = 1953)
17:27: mandy@2o7[2].txt (ID = 1957)
17:27: mandy@about[1].txt (ID = 2037)
17:27: mandy@adtech[2].txt (ID = 2155)
17:27: mandy@advertising[2].txt (ID = 2175)
17:27: mandy@adviva[1].txt (ID = 2177)
17:27: Found Spy Cookie: anm.co.uk cookie
17:27: mandy@anm.co[2].txt (ID = 2223)
17:27: mandy@apmebf[2].txt (ID = 2229)
17:27: mandy@as-eu.falkag[1].txt (ID = 2650)
17:27: mandy@as-us.falkag[1].txt (ID = 2650)
17:27: mandy@as1.falkag[2].txt (ID = 2650)
17:27: mandy@ask[1].txt (ID = 2245)
17:27: mandy@atdmt[2].txt (ID = 2253)
17:27: mandy@atwola[1].txt (ID = 2255)
17:27: mandy@a[1].txt (ID = 2027)
17:27: mandy@belnk[1].txt (ID = 2292)
17:27: mandy@bluestreak[1].txt (ID = 2314)
17:27: mandy@burstnet[2].txt (ID = 2336)
17:27: mandy@casalemedia[1].txt (ID = 2354)
17:27: Found Spy Cookie: commission junction cookie
17:27: mandy@commission-junction[2].txt (ID = 2455)
17:27: Found Spy Cookie: hitslink cookie
17:27: mandy@counter.hitslink[1].txt (ID = 2790)
17:27: mandy@counter2.hitslink[2].txt (ID = 2790)
17:27: mandy@did-it[2].txt (ID = 2523)
17:27: mandy@dist.belnk[2].txt (ID = 2293)
17:27: mandy@easyjet.touchclarity[1].txt (ID = 3566)
17:27: Found Spy Cookie: ru4 cookie
17:27: mandy@edge.ru4[1].txt (ID = 3269)
17:27: mandy@etype.adbureau[2].txt (ID = 2060)
17:27: mandy@fastclick[2].txt (ID = 2651)
17:27: Found Spy Cookie: firstchoice cookie
17:27: mandy@firstchoice[1].txt (ID = 2678)
17:27: Found Spy Cookie: humanclick cookie
17:27: mandy@hc2.humanclick[1].txt (ID = 2810)
17:27: Found Spy Cookie: maxserving cookie
17:27: mandy@maxserving[1].txt (ID = 2966)
17:27: mandy@media.fastclick[1].txt (ID = 2652)
17:27: mandy@mediaplex[1].txt (ID = 6442)
17:27: mandy@msnportal.112.2o7[1].txt (ID = 1958)
17:27: mandy@netvenda[1].txt (ID = 3073)
17:27: mandy@overture[2].txt (ID = 3105)
17:27: mandy@pediatrics.about[1].txt (ID = 2038)
17:27: Found Spy Cookie: pro-market cookie
17:27: mandy@pro-market[1].txt (ID = 3197)
17:27: mandy@questionmarket[1].txt (ID = 3217)
17:27: mandy@sel.as-eu.falkag[2].txt (ID = 2650)
17:27: mandy@sel.as-us.falkag[1].txt (ID = 2650)
17:27: mandy@server.iad.liveperson[1].txt (ID = 3341)
17:27: mandy@statcounter[2].txt (ID = 3447)
17:27: mandy@statse.webtrendslive[1].txt (ID = 3667)
17:27: mandy@tacoda[1].txt (ID = 6444)
17:27: mandy@tradedoubler[2].txt (ID = 3575)
17:27: mandy@web.uk.ask[1].txt (ID = 2246)
17:27: mandy@www.netvenda[1].txt (ID = 3074)
17:27: Found Spy Cookie: xiti cookie
17:27: mandy@xiti[1].txt (ID = 3717)
17:27: martin@122.2o7[1].txt (ID = 1958)
17:27: martin@247realmedia[1].txt (ID = 1953)
17:27: martin@2o7[2].txt (ID = 1957)
17:27: martin@ad.yieldmanager[2].txt (ID = 3751)
17:27: martin@adrevolver[2].txt (ID = 2088)
17:27: martin@adrevolver[3].txt (ID = 2088)
17:27: martin@ads.pointroll[2].txt (ID = 3148)
17:27: martin@adtech[2].txt (ID = 2155)
17:27: martin@advertising[1].txt (ID = 2175)
17:27: martin@adviva[2].txt (ID = 2177)
17:27: martin@apmebf[1].txt (ID = 2229)
17:27: martin@as1.falkag[2].txt (ID = 2650)
17:27: martin@atdmt[2].txt (ID = 2253)
17:27: martin@atwola[1].txt (ID = 2255)
17:27: martin@a[1].txt (ID = 2027)
17:27: martin@bbcww.adbureau[2].txt (ID = 2060)
17:27: martin@belnk[1].txt (ID = 2292)
17:27: martin@bluestreak[1].txt (ID = 2314)
17:27: martin@bravenet[1].txt (ID = 2322)
17:27: martin@btow.touchclarity[1].txt (ID = 3566)
17:27: martin@burstnet[2].txt (ID = 2336)
17:27: Found Spy Cookie: zedo cookie
17:27: martin@c5.zedo[2].txt (ID = 3763)
17:27: martin@casalemedia[1].txt (ID = 2354)
17:27: Found Spy Cookie: centrport net cookie
17:27: martin@centrport[1].txt (ID = 2374)
17:27: martin@cnn.122.2o7[1].txt (ID = 1958)
17:27: martin@counter2.hitslink[2].txt (ID = 2790)
17:27: Found Spy Cookie: customer cookie
17:27: martin@customer[1].txt (ID = 2481)
17:27: martin@dist.belnk[2].txt (ID = 2293)
17:27: martin@fastclick[2].txt (ID = 2651)
17:27: martin@ford.touchclarity[1].txt (ID = 3566)
17:27: Found Spy Cookie: ic-live cookie
17:27: martin@ic-live[1].txt (ID = 2821)
17:27: Found Spy Cookie: l2m.net cookie
17:27: martin@l2m[1].txt (ID = 2913)
17:27: Found Spy Cookie: webtrends cookie
17:27: martin@m.webtrends[1].txt (ID = 3669)
17:27: martin@maxserving[2].txt (ID = 2966)
17:27: martin@mediaplex[1].txt (ID = 6442)
17:27: martin@microsofteup.112.2o7[1].txt (ID = 1958)
17:27: Found Spy Cookie: nextag cookie
17:27: martin@nextag[2].txt (ID = 5014)
17:27: martin@overture[1].txt (ID = 3105)
17:27: martin@qksrv[1].txt (ID = 3213)
17:27: martin@questionmarket[1].txt (ID = 3217)
17:27: martin@realmedia[2].txt (ID = 3235)
17:27: martin@server.iad.liveperson[1].txt (ID = 3341)
17:27: martin@serving-sys[2].txt (ID = 3343)
17:27: martin@statse.webtrendslive[1].txt (ID = 3667)
17:27: martin@tacoda[1].txt (ID = 6444)
17:27: Found Spy Cookie: targetnet cookie
17:27: martin@targetnet[1].txt (ID = 3489)
17:27: martin@tickle[2].txt (ID = 3529)
17:27: martin@tradedoubler[2].txt (ID = 3575)
17:27: Found Spy Cookie: trafficmp cookie
17:27: martin@trafficmp[2].txt (ID = 3581)
17:27: martin@tribalfusion[1].txt (ID = 3589)
17:27: martin@xiti[1].txt (ID = 3717)
17:27: martin@zedo[2].txt (ID = 3762)
17:27: Cookie Sweep Complete, Elapsed Time: 00:00:06
17:27: Starting File Sweep
17:27: c:\program files\autoupdate (1 subtraces) (ID = -2147481419)
17:27: c:\documents and settings\joshua\local settings\temp\atf (ID = -2147481416)
17:27: c:\documents and settings\mandy\local settings\temp\atf (ID = -2147481416)
17:27: backup-20060418-095958-425.dll (ID = 282896)
17:28: srvlqg[1].exe (ID = 280087)
17:28: srvpmn[1].exe (ID = 280087)
17:28: srvtxg[1].exe (ID = 280087)
17:30: srvlbin5[1].exe (ID = 280087)
17:30: wina33.tmp.exe (ID = 280087)
17:30: winres.dll (ID = 282896)
17:33: srvzci[1].exe (ID = 280087)
17:33: srvpzu[1].exe (ID = 280087)
17:34: srvuof[1].exe (ID = 280087)
17:35: Found Trojan Horse: trojan-downloader-errlook
17:35: wizp32[1].exe (ID = 283245)
17:36: wina38.tmp.exe (ID = 283245)
17:37: Found Trojan Horse: trojan_backdoor_retro64
17:37: backup-20060415-121813-437.dll (ID = 81258)
17:39: srvetb[1].exe (ID = 280087)
17:40: wind0.tmp.exe (ID = 280087)
17:40: wind6.tmp.exe (ID = 282640)
17:41: win15.tmp.exe (ID = 280087)
17:41: win2e4.tmp.exe (ID = 280087)
17:41: win57.tmp.exe (ID = 280087)
17:41: win6e.tmp.exe (ID = 280087)
17:41: wina3.tmp.exe (ID = 280087)
17:41: File Sweep Complete, Elapsed Time: 00:14:22
17:41: Full Sweep has completed. Elapsed time 00:17:03
17:41: Traces Found: 522
17:45: Removal process initiated
17:45: Quarantining All Traces: 180search assistant/zango
17:45: Quarantining All Traces: cws-aboutblank
17:45: Quarantining All Traces: ist istbar
17:45: Quarantining All Traces: apropos
17:45: Quarantining All Traces: coolwebsearch (cws)
17:45: coolwebsearch (cws) is in use. It will be removed on reboot.
17:45: winres.dll is in use. It will be removed on reboot.
17:45: winres.dll is in use. It will be removed on reboot.
17:45: Quarantining All Traces: internetoptimizer
17:45: Quarantining All Traces: trojan agent winlogonhook
17:45: Quarantining All Traces: trojan_backdoor_retro64
17:45: Quarantining All Traces: trojan-downloader-aux
17:45: trojan-downloader-aux is in use. It will be removed on reboot.
17:45: win57.tmp.exe is in use. It will be removed on reboot.
17:45: win6e.tmp.exe is in use. It will be removed on reboot.
17:45: Quarantining All Traces: trojan-downloader-errlook
17:45: Quarantining All Traces: 2020search hijack
17:45: Quarantining All Traces: ist powerscan
17:45: Quarantining All Traces: ist sidefind
17:45: Quarantining All Traces: ist software
17:45: Quarantining All Traces: prosearch.com hijack
17:45: Quarantining All Traces: prosearching hijacker
17:45: Quarantining All Traces: targetsaver
17:45: Quarantining All Traces: targetsoft
17:45: Quarantining All Traces: 247realmedia cookie
17:45: Quarantining All Traces: 2o7.net cookie
17:45: Quarantining All Traces: 888 cookie
17:45: Quarantining All Traces: a cookie
17:45: Quarantining All Traces: about cookie
17:45: Quarantining All Traces: adbureau cookie
17:45: Quarantining All Traces: adreactor cookie
17:45: Quarantining All Traces: adrevolver cookie
17:45: Quarantining All Traces: ad-rotator cookie
17:46: Quarantining All Traces: adserver cookie
17:46: Quarantining All Traces: adtech cookie
17:46: Quarantining All Traces: advertising cookie
17:46: Quarantining All Traces: adviva cookie
17:46: Quarantining All Traces: affiliatefuel.com cookie
17:46: Quarantining All Traces: angelfire cookie
17:46: Quarantining All Traces: anm.co.uk cookie
17:46: Quarantining All Traces: apmebf cookie
17:46: Quarantining All Traces: ask cookie
17:46: Quarantining All Traces: atlas dmt cookie
17:46: Quarantining All Traces: atwola cookie
17:46: Quarantining All Traces: belnk cookie
17:46: Quarantining All Traces: bluestreak cookie
17:46: Quarantining All Traces: bpath cookie
17:46: Quarantining All Traces: bravenet cookie
17:46: Quarantining All Traces: bs.serving-sys cookie
17:46: Quarantining All Traces: burstnet cookie
17:46: Quarantining All Traces: casalemedia cookie
17:46: Quarantining All Traces: cassava cookie
17:46: Quarantining All Traces: centrport net cookie
17:46: Quarantining All Traces: commission junction cookie
17:46: Quarantining All Traces: customer cookie
17:46: Quarantining All Traces: did-it cookie
17:46: Quarantining All Traces: falkag cookie
17:46: Quarantining All Traces: fastclick cookie
17:46: Quarantining All Traces: firstchoice cookie
17:46: Quarantining All Traces: go.com cookie
17:46: Quarantining All Traces: hitslink cookie
17:46: Quarantining All Traces: humanclick cookie
17:46: Quarantining All Traces: ic-live cookie
17:46: Quarantining All Traces: infospace cookie
17:46: Quarantining All Traces: l2m.net cookie
17:46: Quarantining All Traces: maxserving cookie
17:46: Quarantining All Traces: mediaplex cookie
17:46: Quarantining All Traces: netster cookie
17:46: Quarantining All Traces: netvenda cookie
17:46: Quarantining All Traces: nextag cookie
17:46: Quarantining All Traces: offeroptimizer cookie
17:46: Quarantining All Traces: onestat.com cookie
17:46: Quarantining All Traces: overture cookie
17:46: Quarantining All Traces: partypoker cookie
17:46: Quarantining All Traces: pointroll cookie
17:46: Quarantining All Traces: pokerroom cookie
17:46: Quarantining All Traces: pro-market cookie
17:46: Quarantining All Traces: prosearching cookie
17:46: Quarantining All Traces: qksrv cookie
17:46: Quarantining All Traces: questionmarket cookie
17:46: Quarantining All Traces: realmedia cookie
17:46: Quarantining All Traces: revenue.net cookie
17:46: Quarantining All Traces: ru4 cookie
17:46: Quarantining All Traces: sandboxer cookie
17:46: Quarantining All Traces: server.iad.liveperson cookie
17:46: Quarantining All Traces: serving-sys cookie
17:46: Quarantining All Traces: servlet cookie
17:46: Quarantining All Traces: sidefind cookie
17:46: Quarantining All Traces: spylog cookie
17:46: Quarantining All Traces: statcounter cookie
17:46: Quarantining All Traces: tacoda cookie
17:46: Quarantining All Traces: targetnet cookie
17:46: Quarantining All Traces: tickle cookie
17:46: Quarantining All Traces: touchclarity cookie
17:46: Quarantining All Traces: tradedoubler cookie
17:46: Quarantining All Traces: trafficmp cookie
17:46: Quarantining All Traces: tribalfusion cookie
17:46: Quarantining All Traces: tripod cookie
17:46: Quarantining All Traces: websponsors cookie
17:46: Quarantining All Traces: webtrends cookie
17:46: Quarantining All Traces: webtrendslive cookie
17:46: Quarantining All Traces: xiti cookie
17:46: Quarantining All Traces: yadro cookie
17:46: Quarantining All Traces: yieldmanager cookie
17:46: Quarantining All Traces: zedo cookie
17:46: Preparing to restart your computer. Please wait...
17:46: Removal process completed. Elapsed time 00:01:23
17:52: ActiveX Shield: found: Adware: coolwebsearch (cws), version 1.0.0.0 -- Installation denied
17:52: BHO Shield: found: -- BHO installation denied at user request
17:52: Spy Installation Shield: found: Adware: purityscan, version 1.0.0.0 -- Execution Denied
17:52: | End of Session, 29 April 2006 |
********
17:22: | Start of Session, 29 April 2006 |
17:22: Spy Sweeper started
17:22: Sweep initiated using definitions version 668
17:22: Found Adware: coolwebsearch (cws)
17:22: HKCR\clsid\{2d38a51a-23c9-48a1-a33c-48675aa2b494}\inprocserver32\ (2 subtraces) (ID = 1183061)
17:22: winres.dll (ID = 1183061)
17:22: Starting Memory Sweep
17:22: Detected running threat: C:\WINDOWS\winres.dll (ID = 282896)
17:24: Sweep Canceled
17:24: Memory Sweep Complete, Elapsed Time: 00:02:17
17:24: Traces Found: 5
17:24: | End of Session, 29 April 2006 |
********
17:20: | Start of Session, 29 April 2006 |
17:20: Spy Sweeper started
17
Your spyware definitions have been updated.
17:22: | End of Session, 29 April 2006 |
Thanks, Ben
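The Spy Sweeper log above is hard to triage by eye: a "Found ...:" header is printed only the first time a threat is seen, and later traces for the same threat show up under other headers (joshua@2o7[1].txt with ID = 1957, for example, is listed well after the 2o7.net header, beneath the 247realmedia entry), while the trace ID is what actually ties a line to its threat. The parser below is an added example, not code from the original post or from Webroot; it reads lines in the format shown above, attributes each trace to a threat by ID (first-seen IDs are assumed to belong to the most recent header, which is a heuristic, not a documented product rule), and pulls out what a responder wants first: which Internet Explorer registry values were hijacked under which user SID, which users carry tracking cookies, and which files were flagged as Trojans. The SAMPLE_LOG is a constructed excerpt in the same format, and the profile SID is the one that appears in the posted log.

```python
import re

# Constructed excerpt in the Spy Sweeper log format from the post (not the full log).
SAMPLE_LOG = r"""
17:27: Found Adware: prosearching hijacker
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search page (ID = 134071)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\sais\ (12 subtraces) (ID = 135790)
17:27: Found Adware: 2020search hijack
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1006\software\microsoft\internet explorer\main\ || search bar (ID = 1192307)
17:27: HKU\WRSS_Profile_S-1-5-21-1901535262-2597964862-3539572679-1005\software\microsoft\internet explorer\search\ || searchassistant (ID = 1192311)
17:27: Registry Sweep Complete, Elapsed Time:00:00:11
17:27: Found Spy Cookie: 2o7.net cookie
17:27: benjamin@2o7[2].txt (ID = 1957)
17:27: Found Spy Cookie: partypoker cookie
17:27: benjamin@partypoker[1].txt (ID = 3111)
17:27: joshua@2o7[1].txt (ID = 1957)
17:27: Cookie Sweep Complete, Elapsed Time: 00:00:06
17:27: Starting File Sweep
17:27: c:\program files\autoupdate (1 subtraces) (ID = -2147481419)
17:35: Found Trojan Horse: trojan-downloader-errlook
17:35: wizp32[1].exe (ID = 283245)
17:37: Found Trojan Horse: trojan_backdoor_retro64
17:37: backup-20060415-121813-437.dll (ID = 81258)
"""

FOUND_RE = re.compile(r"^(\d\d:\d\d): Found ([A-Za-z ]+): (.+)$")
# Every trace line ends in "(ID = n)", optionally preceded by "(n subtraces)".
TRACE_RE = re.compile(r"^(\d\d:\d\d): (.+?)(?: \((\d+) subtraces\))? \(ID = (-?\d+)\)$")
COOKIE_RE = re.compile(r"^(\w+)@(.+)\[\d+\]\.txt$")
# Per-user hive as Spy Sweeper names it: HKU\WRSS_Profile_<SID>\<key>
SID_RE = re.compile(r"^HKU\\WRSS_Profile_(S-[\d-]+)\\(.+)$", re.IGNORECASE)


def classify_trace(item, trace_id):
    """Turn the text between the timestamp and '(ID = n)' into a typed trace."""
    m = SID_RE.match(item)
    if m:
        sid, rest = m.groups()
        key, _, value = rest.partition(" || ")   # "key\ || valuename"
        return {"kind": "registry", "sid": sid, "key": key.strip("\\"),
                "value": value or None, "id": trace_id}
    if item.upper().startswith("HK"):            # HKCR\..., HKLM\... (no SID)
        key, _, value = item.partition(" || ")
        return {"kind": "registry", "sid": None, "key": key.strip("\\"),
                "value": value or None, "id": trace_id}
    m = COOKIE_RE.match(item)
    if m:
        return {"kind": "cookie", "user": m.group(1), "domain": m.group(2), "id": trace_id}
    return {"kind": "file", "path": item, "id": trace_id}


def parse_sweep(text):
    """Group trace lines under threats by trace ID, not by position in the log."""
    findings, unattributed, owner_of_id = [], [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            current = {"time": m.group(1), "category": m.group(2),
                       "name": m.group(3), "traces": []}
            findings.append(current)
            continue
        m = TRACE_RE.match(line)
        if not m:
            current = None       # "Starting ... Sweep", "... Sweep Complete", blank
            continue
        trace = classify_trace(m.group(2), int(m.group(4)))
        trace["subtraces"] = int(m.group(3) or 0)
        if trace["id"] in owner_of_id:           # seen before: belongs to that threat
            owner_of_id[trace["id"]]["traces"].append(trace)
        elif current is not None:                # assumption: new ID under a header is that threat's
            owner_of_id[trace["id"]] = current
            current["traces"].append(trace)
        else:                                    # header was earlier than this excerpt
            unattributed.append(trace)
    return findings, unattributed


def summarize(findings, unattributed):
    ie_values, cookie_users, trojan_files = [], set(), []
    for f in findings:
        for t in f["traces"]:
            if t["kind"] == "registry" and t["value"] and "internet explorer" in t["key"].lower():
                ie_values.append((t["sid"], t["value"], f["name"]))
            elif t["kind"] == "cookie":
                cookie_users.add(t["user"])
            elif t["kind"] == "file" and f["category"] == "Trojan Horse":
                trojan_files.append(t["path"])
    return {"findings": {f["name"]: (f["category"], len(f["traces"])) for f in findings},
            "ie_hijacked_values": ie_values, "cookie_users": sorted(cookie_users),
            "trojan_files": trojan_files, "unattributed": len(unattributed)}


if __name__ == "__main__":
    for k, v in summarize(*parse_sweep(SAMPLE_LOG)).items():
        print(k, v)
```

The IE values the summary reports (search page, search bar, searchassistant under HKU\<SID>\...\Internet Explorer) are the ones the two hijack entries rewrite, so the SID list tells you which user profiles need their IE settings reset after the quarantine, not just the profile that was logged in when the sweep ran.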