Question

Cant get ride of Adware-MemWatcher

Asked by: mbbradford

I have been infected with a trojan which has been cleaned up, but in the process also picked up a lot of adware. Spybot and Macaffee cannot permamently delete this, although they both appear to. With spybot, they are detected and deleted but come right back. WIth Macaffee, they connot be cleaned or deleted, but they can be quaranteened and later deleted with "manage quaranteened files" but they still come fight back.

What can I do?

Here is a "hijack this" log:

Logfile of HijackThis v1.97.7
Scan saved at 1:35:55 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\IEHost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\senrcall.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\Qife4.exe
C:\Documents and Settings\Dell Desktop\Local Settings\Temp\Temporary Directory 1 for cwshredder.zip\CWShredder.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.3273611111
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

Plus...

30 Day FREE access, no risk, no obligation
Collaborate with the world's top tech experts
Unlimited access to our exclusive solution database
Never be left without tech help again

Subscribe Now

Asked On: 2004-05-02 at 10:47:41ID20975228
Tags: memwatcher
,; adware
Topic: Windows Network Security
Participating Experts: 3
Points: 450
Comments: 22

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

"The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
"Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
"Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Free Tech Articles

WARNING: 5 Reasons why you should NEVER fix a computer for free.
It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
SCCM OSD Basic troubleshooting
SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
Create a Win7 Gadget
This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
Outlook continually prompting for username and password
There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
Backup Exchange 2010 Information Store using Windows Backup
There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

Avoiding Bugs in Microsoft Access
Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
Top 10 Best New Features in Visio 2010
Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
IT Consultant Business Secrets Revealed
Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
Disaster Recovery and Business Continuity
Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
Organize Your Visio Diagrams with Containers and Lists
Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
How to Us Objects, Properties, Events and Methods in Microsoft Access
Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Watch More

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

by: CrazyOnePosted on 2004-05-02 at 10:49:53ID: 10972481

Try this one

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

by: CrazyOnePosted on 2004-05-02 at 10:50:37ID: 10972485

And

Double Check for viruses
Online Scanners

Norton Web Services
Virus Detection provides an analysis of your results and offers suggestions for further action. It does not examine compressed files or fix infected files.

When Symantec receives notification about a new virus, we develop and post a solution as quickly as possible. We are committed to providing swift responses to all virus threats, including Trojan horses.
http://security.symantec.com/sscv6/vc_about.asp?ax=0&langid=ie&venid=sym&plfid=23&pkj=BSZNTGXIBVEMBQAUWZK

======================
Trend Micro HouseCall
http://housecall.antivirus.com/housecall/start_corp.asp

======================
eTrust Online antivirus scanner
http://www3.ca.com/virusinfo/virusscan.aspx
======================

PC Pitstop Virus Scan
When the download completes, you will receive an ActiveX security dialog for the PC Pitstop virus scanner. Click Yes to install the scanner and proceed to the virus scan.

If you are currently running an antivirus package such as Norton Antivirus, it may detect our own virus detection file as a virus. If this occurs and you wish to use our scanner, please (temporarily) disable any active background virus checking software before scanning, or add our signature file (PAV.SIG) to the scanner's file exclusion list
http://www.pcpitstop.com/antivirus/AVLoad.asp

by: CrazyOnePosted on 2004-05-02 at 10:52:26ID: 10972490

Something else to Try is

Sart > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists then one of the items in the starup is the culprit you just need to track it down.

by: CrazyOnePosted on 2004-05-02 at 10:56:38ID: 10972514

I am not sure what these are

O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe

by: CrazyOnePosted on 2004-05-02 at 11:01:21ID: 10972533

Well those first three files I listed are definetly link to a virus

by: mbbradfordPosted on 2004-05-02 at 12:27:54ID: 10972931

Thanks Crazyone,

I disabled everything in the start up menu, and has a slowdown in the popup adds. I will wait a while and see it that takes care of that problem.

I also deleted the top three files you mentioned with hijackthis. Lets see what happens.

I need to learn more about this stuff. It there a book or a website that has a detailed explanation that I should get?

Thanks,
Bruce

by: rossfingalPosted on 2004-05-02 at 14:17:24ID: 10973469

Hi!

You have PeperA trojan, among other things.
We've found, usually it's best to deal with that first.
You can download one of these tools from:
http://www.mjc1.com/files/peperpage/uninst.exe
http://home.iprimus.com.au/mbuchan/peperuninst.exe
I suggest trying the first one initially - when you run it, make sure you're online it may try to access the internet - let it.
Since you're running XP you'll probably want disable System Restore, so that nothing is hiding in there.
After you run it reboot and post a new HijackThis log for us to look at.
Also it's a good idea to place HijackThis in it's own folder - centralized place for backups and logs.

Good luck!

by: mbbradfordPosted on 2004-05-02 at 20:44:12ID: 10974470

Hi rossfingal,

Thanks for your help.

I should mention first that since the start of this thread, I have reinstalled windows and drivers, updated spybot, and cleaned up many new things that it found.

But I still have 6 programs with random names that cannot be deleted, and when I see them as active processes and disable them, they come back active in a few seconds. Devils.

I have done as you asked above. The peperpage uninstall ran in a command window in a blink, so I cant say if it ended with a "congradulations" or a "sucks to be you" message, but at least is seems to have done what was expected. I then linked to the second mbuchan peperuninst.exe but the link was not available.

Then I rebuted as asked and moved hijack to its own folder, and here is the log:
Also, I recognize the qife4 as one of the bad guys
also temp/q.exe
also virtualbounder.exe

Logfile of HijackThis v1.97.7
Scan saved at 11:28:54 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\senrcall.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\Qife4.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\Qife4.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\DOCUME~1\DELLDE~1\LOCALS~1\Temp\WToolsB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\YjpWR9t0.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.7553819444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

by: rossfingalPosted on 2004-05-02 at 22:57:51ID: 10974903

Hi!

Download and install Ad-Aware from Lavasoft at:
http://majorgeeks.com/download.php?det=506
Or:
http://www.webattack.com/download/dladaware.shtml
Before you have it scan, click on the "Check for updates now" and let it install the latest update.
Then configure it according to the following:
"Quote"
Step 4- Configuring Ad-Aware 6 for your first scan
[NOTE: Ad-Aware 6 has two scanning options: SmartScan and Custom. As explained more fully below,
SmartScan is faster, but also less comprehensive.
While SmartScan is satisfactory for routine use, it is HIGHLY recommended that your FIRST scan with A-A,
should be a Custom scan. After a thorough cleaning, use the capabilities within SmartScan for everyday use.
Think of SmartScan as your regular oil change, whereas the Custom Scan is the 30,000 mile checkup.]

Ad-Aware 6 comes pre-configured with default options that are already ON (green check-mark)
... do not change them. The following are changes that you will need to make to prepare the "Full"
custom scan that is recommended for the first look into your computer
(instead of a red "x", you will make them a green "check-mark")
[NOTE: any options that are greyed out are only available for users of the
paid Plus or Professional versions of A-A]

Launch the program, and click on the Gear at the top of the start screen to access the
preferences/setting window.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and "Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Automatically try to unregister objects prior to deletion" and
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.

When you are finished, you will be using the Custom Scan with Memory and Both registry scans ON.
Please make sure that you activate IN-DEPTH scanning before you proceed.

NOTE: For the Full Scan setup instructions for users with the paid Plus or Professional versions,
or if you have previously changed your settings in the Personal version, see this thread:
http://www.lavahelp.com/howto/fullscan/index.html

Step 5- Scanning
From the start screen, click on the "Scan now" button.
On the next screen, select "Use custom scanning options". [You would change this to SmartScan in the future]
Click on "Next" to begin the A-A scan.

---------- Note: Important decision -----------

If you are unsure about what to remove, you will need to post your logfile for someone to
evaluate and assist you in the removal

Posting your Logfile
When the scan is complete, click "Show Log", then hi-lite all of the text in the logfile with your mouse.
On your keyboard, press Ctrl + C, which will copy the text to your clipboard.
Right click "Paste" in your thread.

Or, you can navigate to your Ad-aware 6 folder in Windows Explorer: C:\Program Files\Lavasoft\Ad-Aware 6\Logs
Open this folder and find the correct logfile. The logfiles will be named "Ad-Aware-log ##-##-##.txt
(the #'s will be the date of the scan, shown in the European format). Right click, choose "Select all",
then right click and choose "Copy". Right click and select "Paste" in your thread.
-------------------------------------------------------

Step 6- Quarantine and Removal of Detected Objects
Quarantine: Ad-Aware includes a Quarantine feature, which can back up detected objects before they are removed.
This can prove useful in the event a program doesn't work after certain detected objects are removed ...
you can restore the detected objects, much like an anti-virus quarantine.
The program is pre-configured to automatically quarantine the selected objects before removal,
so you do not need to click on the 'Quarantine' button.
Make a Quarantine only if you do not have the Auto-Quarantine option ON.

Removal:
From the "Scan complete" window ...
Click on "Next".
This will take you to the "Results" window ... this is where you will need to mark the objects
that you wish to remove. There are many options available with a right-click.
It is recommended (as stated above) to remove all of the objects unless you wish to ignore some
(see below for instructions on the ignore list).
To remove everything, right click in the Results List and click "Select all objects".
DO NOT click the 'Quarantine' button, this is automatically done as
explained above.
Click "Next" to remove the chosen objects.
Click "OK".
The Quarantine will be made and the objects will then be removed.

[Please Note: After removing a Browser Hijacker, Ad-aware 6 will set your Start Page to "Blank",
so you may need to set the Start and Search pages in your Browser manually back to your preferred one.
The reason for this is that the hijack has changed the page, and since Ad-aware 6 does not know
what it was set to before the hijack, it resets it to a blank page.
If you do not see any differences, then disregard this note.]

Ignore List
Always do the Ignore List items first, before removing anything.
If you wish to ignore some of the detected objects:
From the same "Results" window that lists the detected items, select any items from
the list that you want to "Ignore".
Right click in the scan results window and select "Add selection to ignore-list".
Click "OK".
Then continue with the removal process.

Subsequent Scanning with Ad-Aware 6
While a full custom scan is recommended for your first "cleaning", you can run the SmartScan after that.
SmartScan is a set of preset scanning options.
Ad-Aware comes with pre-defined settings that most users will find sufficient for their scanning needs.
[Of course, should a user require (or want) more or less than defined here, they can always perform a custom scan]
SmartScan uses these scanning options: Scan Memory, Scan Registry, Deep Scan Registry, System Folder, Cookies,
and then the conditional scans based on what's located.

From the start screen, click on the "Scan now" button.
On the next screen, select "Perform smart system-scan".
Click on "Next" to begin the A-A scan.
Follow the same quarantine and removal instructions as above.
The SmartScan option is obviously faster than the full custom scan.

Miscellaneous
If you used any other Anti-Trackware application to remove detected content
immediately prior to running a scan with Ad-aware 6, you will need to perform a Custom Full System scan
to ensure that the objects have all been successfully removed. Do not use the SmartScan option in this case.
Also, it is recommended that you re-boot your computer between running the applications.
"End quote"

After it has scanned; empty your temp files (just the files, not the temp folders), delete your temporary internet files with the box checked to "delete all
offline content" and empty your recycle bin.
Reboot the computer and post another HijackThis log.
Thanks!

by: mbbradfordPosted on 2004-05-03 at 03:17:07ID: 10976138

Hi rossfingal,

Thanks for the response, I'll do this as soon as I get home from work tonight.

Regards,
Bruce

by: trywaredkPosted on 2004-05-03 at 03:48:48ID: 10976278

Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you does'nt protect your computer at all.

The reason is, that the many different programs not always protects against each other, and each of them does'nt protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

by: trywaredkPosted on 2004-05-03 at 03:51:35ID: 10976290

How to remove
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe

http://www.pestpatrol.com/PestInfo/w/whenusearch.asp#Detection%20and%20Removal

by: mbbradfordPosted on 2004-05-03 at 10:09:57ID: 10979415

Hi rossfingal,

I'm halfway there. I downloaded, configured, and ran ad-aware per your instructions. I don't know what to remove, so I'm posting the log. After posting this message, I will "remove all" and complete your origional instructions. Thanks again for your help.

Here is the log file:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, May 03, 2004 12:45:04 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R301 03.05.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R298 20.04.2004
Internal build : 229
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1067557 Bytes
Signature data size : 1049356 Bytes
Reference data size : 18137 Bytes
Signatures total : 23569
Target categories : 10
Target families : 455
5-3-2004 12:35:55 PM Performing Webupdate...

Installing Update...
Reference file loaded:
Reference Number : 01R301 03.05.2004
Internal build : 233
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1082422 Bytes
Signature data size : 1064020 Bytes
Reference data size : 18338 Bytes
Signatures total : 23868
Target categories : 10
Target families : 460

5-3-2004 12:36:04 PM Success.
Update successfully downlodaded and installed.

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:29 %
Total physical memory:260096 kb
Available physical memory:74568 kb
Total page file size:640412 kb
Available on page file:403788 kb
Total virtual memory:2097024 kb
Available virtual memory:2048712 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result

5-3-2004 12:45:04 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-3-2004 4:16:53 PM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:16:56 PM
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:00 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 7/16/2003 8:44:23 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:44:23 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:00 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 7/16/2003 8:32:16 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:32:16 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:04 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 7/16/2003 8:47:02 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:47:02 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:04 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 7/16/2003 8:47:02 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:47:02 PM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:06 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 7/16/2003 8:28:11 PM
Last accessed : 5/3/2004 4:28:47 PM
Last modified : 7/16/2003 8:28:11 PM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:06 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 7/16/2003 8:46:20 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:46:20 PM

#:9 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 5-3-2004 4:17:07 PM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2, 0, 0, 34
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 10/7/2003 10:21:10 PM
Last accessed : 5/3/2004 4:17:07 PM
Last modified : 10/7/2003 10:21:10 PM

#:10 [notifyalert.exe]
FilePath : C:\Program Files\Dell\Support\Alert\bin\
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 344 KB
FileVersion : 2.1.0.72
ProductVersion : 2.1.0.72
InternalName : NotifyAlert.exe
OriginalFilename : NotifyAlert.exe
Created on : 10/7/2003 10:20:18 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 10/7/2003 10:20:18 PM

#:11 [cfd.exe]
FilePath : C:\Program Files\BroadJump\Client Foundation\
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 360 KB
Created on : 5/2/2004 2:20:27 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 9/11/2002 1:26:26 AM

#:12 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2003, 7, 11, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
OriginalFilename : YBrwIcon.exe
ProductName : Yahoo!, Inc. YBrwIcon
Created on : 5/2/2004 2:14:34 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 7/11/2003 6:51:16 PM

#:13 [dpi.exe]
FilePath : C:\Program Files\Common Files\Dpi\
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 92 KB
Created on : 1/16/2004 7:01:48 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/16/2004 7:01:26 PM
Warning! PromulGate object found in memory(C:\Program Files\Common Files\Dpi\dpi.exe)

PromulGate Object recognized!
Type : Process
Data : dpi.exe
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\Dpi\
FileSize : 92 KB
Created on : 1/16/2004 7:01:48 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/16/2004 7:01:26 PM

"dpi.exe"Process terminated successfully.

#:14 [ycommon.exe]
FilePath : C:\PROGRA~1\Yahoo!\browser\
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 208 KB
FileVersion : 2003, 7, 14, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2003 Yahoo! Inc.
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
OriginalFilename : YCommon.EXE
ProductName : YCommon Exe Module
Created on : 5/2/2004 2:14:08 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 7/14/2003 1:55:44 PM

#:15 [pcsvc.exe]
FilePath : C:\WINDOWS\system32\pcs\
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 35 KB
FileVersion : 2.14.0000
Created on : 1/27/2004 2:57:34 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/28/2004 1:42:24 PM
Warning! PromulGate object found in memory(C:\WINDOWS\system32\pcs\pcsvc.exe)

PromulGate Object recognized!
Type : Process
Data : pcsvc.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\pcs\
FileSize : 35 KB
FileVersion : 2.14.0000
Created on : 1/27/2004 2:57:34 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/28/2004 1:42:24 PM

"pcsvc.exe"Process terminated successfully.

#:16 [senrcall.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:10 PM
BasePriority : Normal
FileSize : 84 KB
Created on : 5/1/2004 8:10:58 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 5/1/2004 8:10:39 PM

#:17 [mcvsshld.exe]
FilePath : C:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-3-2004 4:17:10 PM
BasePriority : Normal
FileSize : 160 KB
FileVersion : 8, 0, 0, 15
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : msvcshld
OriginalFilename : mcvsshld.exe
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:23 PM
Last accessed : 5/3/2004 4:17:10 PM
Last modified : 8/18/2003 2:50:34 AM

#:18 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 404 KB
FileVersion : 8, 0, 0, 20
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
OriginalFilename : mcvsescn.EXE
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:29 PM
Last accessed : 5/3/2004 4:15:59 PM
Last modified : 9/28/2003 6:47:00 PM

#:19 [mcagent.exe]
FilePath : c:\program files\mcafee.com\agent\
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 4, 3, 0, 27
ProductVersion : 4, 3, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
OriginalFilename : mcagent.exe
ProductName : McAfee SecurityCenter
Created on : 1/7/2004 5:26:14 PM
Last accessed : 5/3/2004 4:17:11 PM
Last modified : 12/8/2003 8:38:52 PM

#:20 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 8.10.1006
ProductVersion : 8.10.1006
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 12/30/2003 4:43:11 AM
Last accessed : 5/3/2004 4:17:12 PM
Last modified : 10/6/2003 4:05:40 PM

#:21 [acsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ThreadCreationTime : 5-3-2004 4:17:13 PM
BasePriority : Normal
FileSize : 1344 KB
FileVersion : 1,0,17,5
ProductVersion : 1,0,17,5
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : acsd
OriginalFilename : acsd.exe
ProductName : AOL Connectivity Service
Created on : 12/30/2003 4:37:09 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 8/6/2003 10:58:26 PM

#:22 [mmtask.exe]
FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
ThreadCreationTime : 5-3-2004 4:17:13 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: (c) <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 12/30/2003 4:43:11 AM
Last accessed : 5/3/2004 4:17:13 PM
Last modified : 10/6/2003 4:05:40 PM

#:23 [mcvsrte.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-3-2004 4:17:14 PM
BasePriority : Normal
FileSize : 104 KB
FileVersion : 8, 0, 0, 12
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Real-time Engine
InternalName : mcvsrte
OriginalFilename : mcvsrte.exe
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:23 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 8/8/2003 11:04:38 PM

#:24 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ThreadCreationTime : 5-3-2004 4:17:14 PM
BasePriority : Normal
FileSize : 314 KB
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft
Created on : 6/20/2003 5:25:00 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 6/20/2003 5:25:00 AM

#:25 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:18 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 12/30/2003 4:37:15 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 1/10/2003 11:13:04 PM

#:26 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ThreadCreationTime : 5-3-2004 4:17:24 PM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 1.04.05b
Copyright : Copyright
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
Created on : 12/30/2003 4:35:55 AM
Last accessed : 5/3/2004 4:17:24 PM
Last modified : 8/6/2003 7:04:00 AM

#:27 [bcmsmmsg.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:24 PM
BasePriority : Normal
FileSize : 120 KB
FileVersion : 3.5.24 02/24/2003 18:29:41
ProductVersion : 3.5.24 02/24/2003 18:29:41
Copyright : Copyright
CompanyName : Broadcom Corporation
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
OriginalFilename : smdmstat.exe
ProductName : BCM Modem Messaging Applet
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/3/2004 4:17:24 PM
Last modified : 6/2/2003 11:00:30 AM

#:28 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:25 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 3.0.0.2285
ProductVersion : 7.0.0.2285
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel(R) Common User Interface
Created on : 10/2/2003 6:19:44 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 10/2/2003 6:19:44 PM

#:29 [wtoolsa.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:27 PM
BasePriority : Normal
FileSize : 429 KB
Created on : 5/3/2004 12:11:41 AM
Last accessed : 5/3/2004 4:17:27 PM
Last modified : 4/30/2004 2:48:08 PM

#:30 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-3-2004 4:17:28 PM
BasePriority : High
FileSize : 220 KB
Created on : 1/23/2004 1:53:46 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 3/13/2002 1:50:34 PM

#:31 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:30 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 7/16/2003 8:26:03 PM
Last accessed : 5/3/2004 4:17:30 PM
Last modified : 7/16/2003 8:26:03 PM

#:32 [wtoolss.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:30 PM
BasePriority : Normal
FileSize : 75 KB
Created on : 5/3/2004 12:11:45 AM
Last accessed : 5/3/2004 4:17:31 PM
Last modified : 4/20/2004 12:15:06 PM

#:33 [wsup.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:31 PM
BasePriority : Normal
FileSize : 429 KB
Created on : 5/3/2004 12:11:42 AM
Last accessed : 5/3/2004 4:17:38 PM
Last modified : 4/30/2004 2:48:08 PM

#:34 [qife4.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:46 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32
Created on : 5/2/2004 4:20:06 PM
Last accessed : 5/3/2004 4:17:43 PM
Last modified : 5/2/2004 4:20:06 PM

#:35 [wvyq4ux.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:49 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32
Created on : 5/2/2004 4:50:01 AM
Last accessed : 5/3/2004 4:17:43 PM
Last modified : 5/2/2004 4:50:01 AM

#:36 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:18:19 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM

#:37 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:18:37 PM
BasePriority : Normal
FileSize : 136 KB
FileVersion : 5.4.3630.1106 (xpsp1.020828-1920)
ProductVersion : 5.4.3630.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
OriginalFilename : wuauclt.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:18:36 PM
Last modified : 8/29/2002 11:00:00 AM

#:38 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:19:49 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM

#:39 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:33:49 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM

#:40 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 5-3-2004 4:35:18 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/3/2004 4:33:47 PM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 7/13/2003 1:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

AdDestroyer Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\vb and vba program settings\addestroyer

Alexa Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{00000000-0000-0000-0000-000000000221}

ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : csie.csiecore

ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : csie.csiecore.1

ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\CLRSCH

ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000221}

ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{60494593-5408-447d-bd5e-a16640d6af99}

ClickSpring Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\ClickSpring

eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bho.incredifindbho

eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bho.incredifindbho.1

eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{4fc95edd-4796-4966-9049-29649c80111d}

eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{5d60ff48-95be-4956-b4c6-6bb168a70310}

eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d60ff48-95be-4956-b4c6-6bb168a70310}

Favoriteman Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}

IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HAUTO_UNINSTALL

MemoryWatcher Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\MemoryWatcher

MemoryWatcher Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MemoryWatcher

NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000EF1-0786-4633-87C6-1AA7A44296DA}

NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{00000ef1-0786-4633-87c6-1aa7a44296da}

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Apropos.Client

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Apropos.Client.1.1

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A4A58A2C-B039-432B-8BC1-DCA7AC0757DC}

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Apropos

VirtualBouncer Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\VB and VBA Program Settings\VBouncer

WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch

WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\WhenUSearch

WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : WUSE.1

eUniverse Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{5D60FF48-95BE-4956-B4C6-6BB168A70310}"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\URLSearchHooks
Value : {5D60FF48-95BE-4956-B4C6-6BB168A70310}

Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Counter"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Counter

Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Server"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Server

Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Object"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Object

Lycos Sidesearch Object recognized!
Type : RegValue
Data :
Category : Misc
Comment : "{00000762-3965-4A1A-98CE-3D4BF457D4C8}"
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value : {00000762-3965-4A1A-98CE-3D4BF457D4C8}

Lycos Sidesearch Object recognized!
Type : RegValue
Data :
Category : Misc
Comment : "{000007AB-7059-463E-BD44-101A1750D732}"
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value : {000007AB-7059-463E-BD44-101A1750D732}

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 34
Objects found so far: 36

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

PromulGate Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Dpi"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : Dpi

PromulGate Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Pcsv"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : Pcsv

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 38

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@0[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:04:58 PM
Last accessed : 5/3/2004 4:04:58 PM
Last modified : 5/3/2004 4:04:58 PM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@0[3].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:33:54 PM
Last accessed : 5/3/2004 4:33:54 PM
Last modified : 5/3/2004 4:33:54 PM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@atdmt[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:06:44 PM
Last accessed : 5/3/2004 4:06:44 PM
Last modified : 5/3/2004 4:06:44 PM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@centrport[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:38:45 AM
Last accessed : 5/3/2004 4:47:06 PM
Last modified : 5/3/2004 4:38:45 AM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@doubleclick[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:21:42 PM
Last accessed : 5/3/2004 4:21:42 PM
Last modified : 5/3/2004 4:21:42 PM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@edge.ru4[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:25:22 PM
Last accessed : 5/3/2004 4:25:22 PM
Last modified : 5/3/2004 4:25:22 PM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@mediaplex[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 10:12:00 AM
Last accessed : 5/3/2004 4:47:06 PM
Last modified : 5/3/2004 10:12:00 AM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@qksrv[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:06:31 PM
Last accessed : 5/3/2004 4:06:31 PM
Last modified : 5/3/2004 4:06:31 PM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@tribalfusion[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:39:28 AM
Last accessed : 5/3/2004 4:05:20 PM
Last modified : 5/3/2004 4:39:28 AM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@z1.adserver[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:04:58 PM
Last accessed : 5/3/2004 4:04:58 PM
Last modified : 5/3/2004 4:04:58 PM

Tracking Cookie Object recognized!
Type : File
Data : dell desktop@~~local~~[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\

Created on : 5/3/2004 4:07:42 PM
Last accessed : 5/3/2004 4:07:42 PM
Last modified : 5/3/2004 4:07:42 PM

VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 12/13/2003 3:48:18 PM

VX2.BetterInternet Object recognized!
Type : File
Data : biini.cab
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 85 KB
Created on : 2/25/2004 8:38:23 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 2/25/2004 8:38:24 PM

IBIS Toolbar Object recognized!
Type : File
Data : btiein.dll
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 221 KB
Created on : 5/1/2004 8:10:25 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 4/6/2004 1:33:00 PM

IBIS Toolbar Object recognized!
Type : File
Data : wintools.exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 6 KB
Created on : 5/1/2004 8:10:25 PM
Last accessed : 5/3/2004 4:47:10 PM
Last modified : 3/19/2004 8:21:54 AM

Rads01.Quadrogram Object recognized!
Type : File
Data : wowex32[1].exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\
FileSize : 448 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : wowex32
OriginalFilename : wowex32.exe
ProductName : wowex32
Created on : 5/3/2004 2:41:30 AM
Last accessed : 5/3/2004 4:47:11 PM
Last modified : 5/3/2004 2:41:33 AM

IBIS Toolbar Object recognized!
Type : File
Data : btiein.dll
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\WinTools\
FileSize : 221 KB
Created on : 5/1/2004 8:10:31 PM
Last accessed : 5/3/2004 4:49:18 PM
Last modified : 4/6/2004 1:33:00 PM

MemoryWatcher Object recognized!
Type : File
Data : memorywatcher.exe
Category : Malware
Comment :
Object : C:\Program Files\MemoryWatcher\
FileSize : 52 KB
FileVersion : 1.00
ProductVersion : 1.00
Copyright : Memory Watcher 2003
CompanyName : Memory Watcher
FileDescription : Memory Watcher
InternalName : MemoryWatcher
OriginalFilename : MemoryWatcher.exe
ProductName : Memory Watcher
Created on : 10/17/2003 6:17:00 PM
Last accessed : 5/3/2004 4:50:13 PM
Last modified : 10/17/2003 6:17:00 PM

VX2.BetterInternet Object recognized!
Type : File
Data : 0021-bdl94126.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 245 KB
Created on : 5/1/2004 6:33:49 PM
Last accessed : 5/3/2004 4:53:09 PM
Last modified : 5/1/2004 8:26:50 PM

TurboDownload Object recognized!
Type : File
Data : dp-him.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 60 KB
Created on : 11/24/2003 5:48:40 AM
Last accessed : 5/3/2004 4:53:17 PM
Last modified : 11/24/2003 5:48:40 AM

Favoriteman Object recognized!
Type : File
Data : im64.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\

Created on : 2/25/2004 8:28:09 PM
Last accessed : 5/3/2004 4:53:24 PM
Last modified : 2/26/2004 12:07:23 AM

180Solutions Object recognized!
Type : File
Data : msbb321.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 95 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2001
FileDescription : exe_in_dll Module
InternalName : exe_in_dll
OriginalFilename : exe_in_dll.DLL
ProductName : exe_in_dll Module
Created on : 2/26/2004 12:07:55 AM
Last accessed : 5/3/2004 4:53:31 PM
Last modified : 2/26/2004 12:08:25 AM

SahAgent Object recognized!
Type : File
Data : sahagent1014.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 53 KB
Created on : 2/25/2004 8:28:38 PM
Last accessed : 5/3/2004 4:53:43 PM
Last modified : 2/25/2004 8:28:38 PM

MemoryWatcher Object recognized!
Type : File
Data : memorywatcher_b.exe
Category : Malware
Comment :
Object : C:\WINDOWS\Temp\
FileSize : 501 KB
Created on : 5/1/2004 8:09:49 PM
Last accessed : 5/3/2004 4:53:55 PM
Last modified : 5/1/2004 8:09:53 PM

VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:53:56 PM
Last modified : 12/13/2003 3:48:18 PM

SahAgent Object recognized!
Type : File
Data : sahuninstall.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileSize : 29 KB
FileVersion : 2, 0, 0, 2
ProductVersion : 2, 0, 0, 2
Copyright : Copyright
FileDescription : SAHUninstall
InternalName : SAHUninstall
OriginalFilename : SAHUninstall.dll
ProductName : SAHUninstall
Created on : 2/25/2004 8:28:43 PM
Last accessed : 5/3/2004 4:53:57 PM
Last modified : 1/27/2004 10:34:48 AM

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 64

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 64

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

PromulGate Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Dpi

PromulGate Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\Dpi

PromulGate Object recognized!
Type : File
Data : dpi.inf
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\dpi\
FileSize : 3 KB
Created on : 5/1/2004 8:36:10 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 5/2/2004 8:37:58 PM

PromulGate Object recognized!
Type : File
Data : dpih.inf
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\dpi\

Created on : 5/1/2004 8:41:26 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:41:26 PM

AdDestroyer Object recognized!
Type : File
Data : popoops.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 24 KB
FileVersion : 2, 1, 0, 3
ProductVersion : 2, 1, 0, 3
CompanyName : Shahin Gasanov
FileDescription : PopOops
InternalName : PopOops
OriginalFilename : PopOops.dll
ProductName : PopOops
Created on : 2/26/2004 11:32:31 AM
Last accessed : 5/3/2004 4:53:39 PM
Last modified : 3/18/2003 9:00:00 AM

AdDestroyer Object recognized!
Type : File
Data : popoops2.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 40 KB
FileVersion : 1.01.0001
ProductVersion : 1.01.0001
CompanyName : Shahin Gasanov
FileDescription : PopOops2
InternalName : PopOops2
OriginalFilename : PopOops2.dll
ProductName : PopOops2
Created on : 2/26/2004 11:32:31 AM
Last accessed : 5/3/2004 4:45:31 PM
Last modified : 7/30/2003 8:07:16 PM

AdDestroyer Object recognized!
Type : File
Data : swlad1.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 40 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : Globes
InternalName : SWLAD1
OriginalFilename : SWLAD1.dll
ProductName : PopOops2
Created on : 2/26/2004 11:32:32 AM
Last accessed : 5/3/2004 4:45:57 PM
Last modified : 8/25/2003 6:29:50 PM

AdDestroyer Object recognized!
Type : File
Data : swlad2.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 24 KB
Created on : 2/26/2004 11:32:32 AM
Last accessed : 5/3/2004 4:53:48 PM
Last modified : 8/25/2003 6:29:26 PM

ClearSearch Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\ClrSch

eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\IncrediFind

eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4FC95EDD-4796-4966-9049-29649C80111D}

eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\updmgr

eUniverse Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\URLSearchHooks
Value : {4FC95EDD-4796-4966-9049-29649C80111D}

eUniverse Object recognized!
Type : File
Data : incredifindbholog.tmp
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\

Created on : 2/25/2004 8:28:36 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 9:30:00 PM

IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Toolbar

IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Toolbar

MemoryWatcher Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\MemoryWatcher

MemoryWatcher Object recognized!
Type : File
Data : comctl32.ocx
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 594 KB
FileVersion : 6.00.8105
ProductVersion : 6.00.8105
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Windows Common Controls ActiveX Control DLL
InternalName : COMCTL
OriginalFilename : COMCTL32.OCX
ProductName : COMCTL
Created on : 8/31/2003 6:04:36 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 8/31/2003 6:04:36 PM

MemoryWatcher Object recognized!
Type : File
Data : eula.url
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\

Created on : 5/1/2004 8:14:11 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:14:12 PM

MemoryWatcher Object recognized!
Type : File
Data : trayicon.ocx
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 36 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : Robdogg Inc.
InternalName : TrayIcon
OriginalFilename : TrayIcon.ocx
ProductName : vbRad
Created on : 8/30/2003 10:27:34 PM
Last accessed : 5/3/2004 4:50:13 PM
Last modified : 8/30/2003 10:27:34 PM

MemoryWatcher Object recognized!
Type : File
Data : uninst.exe
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 83 KB
Created on : 5/1/2004 8:11:02 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:11:02 PM

NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A2872B10-39F2-42DF-9335-7DD38CF75255}

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A1558B18-F76C-40FE-B358-9E47449F3CFE}

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A2872B10-39F2-42DF-9335-7DD38CF75255}

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\AutoLoader

PeopleOnPage Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\AutoUpdate

PeopleOnPage Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\AutoUpdate0

PeopleOnPage Object recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : c:\program files\autoupdate\
FileSize : 140 KB
Created on : 5/1/2004 8:11:11 PM
Last accessed : 5/3/2004 4:48:55 PM
Last modified : 5/1/2004 8:11:05 PM

PeopleOnPage Object recognized!
Type : File
Data : aproposplugin.dll
Category : Data Miner
Comment :
Object : c:\program files\sysai\
FileSize : 60 KB
Created on : 5/1/2004 8:10:51 PM
Last accessed : 5/3/2004 4:45:18 PM
Last modified : 5/1/2004 8:10:39 PM

PeopleOnPage Object recognized!
Type : File
Data : auto_update_uninstall.exe
Category : Data Miner
Comment :
Object : c:\windows\system32\
FileSize : 228 KB
Created on : 5/1/2004 8:11:11 PM
Last accessed : 5/3/2004 4:53:10 PM
Last modified : 5/1/2004 8:11:04 PM

WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\ClockSync

WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\WhenUSearch

WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\documents and settings\dell desktop\start menu\programs\WhenUSearch

WhenU Object recognized!
Type : File
Data : content
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\

Created on : 5/1/2004 8:11:33 PM
Last accessed : 5/3/2004 4:51:10 PM
Last modified : 5/1/2004 8:11:34 PM

WhenU Object recognized!
Type : File
Data : search.cch
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 1028 KB
Created on : 5/1/2004 8:11:32 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 5/1/2004 8:28:13 PM

WhenU Object recognized!
Type : File
Data : search.db
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 46 KB
Created on : 5/1/2004 8:11:15 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 5/1/2004 8:28:13 PM

WhenU Object recognized!
Type : File
Data : search.htm
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 28 KB
Created on : 5/1/2004 8:11:28 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 1/22/2004 9:45:34 PM

WhenU Object recognized!
Type : File
Data : uninst.exe
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 38 KB
FileVersion : 2, 0, 1, 1
ProductVersion : 2, 0, 1, 1
Copyright : Copyright 2001
CompanyName : WhenU.com, Inc.
FileDescription : WhenUSearch Uninstall
InternalName : Uninst
OriginalFilename : Uninst.exe
ProductName : WhenUSearch Uninstall
Created on : 5/1/2004 8:11:28 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 1/20/2004 3:39:46 PM

VX2.BetterInternet Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Dbi

VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 12/13/2003 3:48:18 PM

VX2.BetterInternet Object recognized!
Type : File
Data : biini.cab
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\
FileSize : 85 KB
Created on : 2/25/2004 8:38:23 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 2/25/2004 8:38:24 PM

VX2.BetterInternet Object recognized!
Type : File
Data : biini.inf
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\

Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 12/13/2003 3:50:24 PM

VX2.BetterInternet Object recognized!
Type : File
Data : bij.inf
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\
FileSize : 1 KB
Created on : 2/25/2004 8:28:30 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 10/24/2003 5:55:34 PM

TurboDownload Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\MaxSpeed

180Solutions Object recognized!
Type : File
Data : ncase.ini
Category : Data Miner
Comment :
Object : c:\windows\system32\

Created on : 2/26/2004 12:08:25 AM
Last accessed : 5/3/2004 4:55:04 PM
Last modified : 2/26/2004 12:08:25 AM

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 48
Objects found so far: 112

12:55:04 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:10:00:235
Objects scanned :132210
Objects identified :112
Objects ignored :0
New objects :112

by: rossfingalPosted on 2004-05-03 at 11:44:30ID: 10980366

Hi!

Remove everything that Adaware has found, empty the contents of all your temp folders (don't delete the temp folders themselves - just what's in them).
Empty your recycle bin.
Reboot and post another HijackThis log.

Thanks and good luck!

by: mbbradfordPosted on 2004-05-04 at 03:50:45ID: 10985150

Hi rossfingal,

I am impressed with ad aware 6.0 as it found about 60 additional items that macaffee and spybot did not find. They have all been cleaned up and I was hopeful that my problems were solved. I have no pop-ups anymore.

I emptied the temp files, temp internet files, and the recycle bin, rebooted, ad captured a new hijack this log, which will be attached below.

However when I check for viruses, it still catches on the same 6 files called adware-memwatcher. They are random names, cannot be cleaned or deleted, and when quaranteened and deleted they come immediately back. i can see them also as active processes, and when an active process is deleted, it imeediately comes back. There is also a process which often takes 100% of the processing resource for about 10 or 15 seconds and everything just hangs.

Sorry for the delay, I couldn't get on the web, and had to reinstall my drivers and internet software. Thanks again for your help.

Here is the newest hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:37:19 PM, on 5/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\senrcall.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\Qife4.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\DOCUME~1\DELLDE~1\LOCALS~1\Temp\WToolsB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.7553819444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

by: rossfingalPosted on 2004-05-04 at 04:45:21ID: 10985499

Hi!

Well, I could go on and on about "horror stories" concerning the increasing difficulties with trying to remove some of the
things out there - just ran into someone who had 948 various "nasties" on their computer!
However, you still have the Peper A trojan - so:
If you don't still have it; download the Peper removal tool from one of the links above.
Make sure System Restore is turned off.
Turn off your firewall, if you have one (and if you don't - I recommend you get one).
Run the tool - might as well run it twice! (this is what other people are suggesting, as of today).
Empty your temp files. (make sure you empty all temp files in "documents and settings")
Empty your recycle bin.
Reboot your computer, make sure you're showing all files (system, hidden, etc.)
Post a new HijackThis log.

Thanks and good luck! :)

by: mbbradfordPosted on 2004-05-04 at 07:02:06ID: 10986770

Hi rossfingal,

I'll work on that peper trojan again.

Can you tell me what in my log shows up that tells you its the pepertrojan?

I ran the peper uninstall tool before, so I dont know if it was ineffective (probably user error) or if I got reinfected again from visiting my usual sites (very very right now, just yahoo and experts exchange). Knowing what to look for would help me narrow it down.

Thanks.

Also, when I ran the pepertrojan uninstall, it ran in a command window in a fraction of a second so I don't know if it ended correctly or not. Is this normal?

Thanks again. Bruce.

by: trywaredkPosted on 2004-05-04 at 08:11:15ID: 10987483

Remember to protect yourself in the future...

AntiVir - The private and individual use of the AntiVir Personal Edition is free of charge
http://www.free-av.com

by: rossfingalPosted on 2004-05-04 at 08:13:54ID: 10987511

Hi!

The thing that usually sticks out is an entry like this:
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
Note 14 letters/numbers inside the brackets and a random exe file.

Yes the peper tool runs very fast.
As to where people are picking this pest up I'm not sure if anyone knows yet; howver, be assured that there are a lot of
people looking into it.

Remember to clear your restore points when you turn off system restore; as there might be a remnant something there.
It's not that uncommon to have to run the peper tool several times.
Let us know!

by: mbbradfordPosted on 2004-05-05 at 11:11:47ID: 10998500

Hi rossfingal,

Thanks for the above.

I assure you I have tried real hard last night to rid myself of the peper/memwatcher/sandboxer problem. I've run the peperpage/uninstall.exe hundreds of times, in as many combinations (emptying temp folders, temp internet files folder, rebooting etc) as possible and am convinced that it will not work for me. I can watch it get eliminated and watch it come immediately back. The random fileames are always in my hijackthis log and always in my list of active processes. I'm about to surrender to erasing my harddrive.

I though I might try the second tool you suggested (the peperuninstall.exe in australia) but the link is/has been down. Is there another path or another choice?

Thanks again.

by: rossfingalPosted on 2004-05-05 at 12:15:34ID: 10999045

Hi!

Sorry to hear you're having problems.
Hang in there for a moment, I'm looking into a few things concerning your HJT log.
I'd hate to see you have to do a format/restore.
Check back in a little while.
OK?

by: rossfingalPosted on 2004-05-05 at 12:42:18ID: 10999292

Hi!

Before you do anything, could you look at these 4 files and post their properties - manufacturer, version, etc.
C:\WINDOWS\System32\senrcall.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\Qife4.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe

Then, turn off System Restore and clear your restore points.

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed. If you do not know how to log in as Administrator, contact your system administrator (if you are on a network), the computer manufacturer, or installer.
Turning off System Restore will delete all previous restore points. You must create new restore points once you turn System Restore back on.

To turn off Windows XP System Restore
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box as shown in this illustration:
Click Apply. a message appears:
As noted in the message, this will delete all existing restore points. Click Yes to do this.
Click OK.
Proceed with what you need to do. For example, removing viruses. Restart the computer and follow the instructions in the next section to turn on System Restore.

Next,download this uninstaller:
http://www.computercops.biz/downloads-file-330.html
It comes in a zipped file . Launch "Uninst.exe". Follow the Uninstallation process and restart/reboot the computer when its finished. If you have a firewall installed, please temporarily disable it while running this.
Before you reboot - Empty "temp" folders, delete "Temporary Internet Files", and empty your recyle bin.

Reboot and post a new HijackThis log.
Thanks!

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

For individual users
Instant access to solutions
Ask your tech questions
Start your 30-day Free Trial

Business Accounts

Perfect for organizations
Multiple users
Save over 36%
Create a Business Account

Answer for Membership

Earn free access
Showcase your knowledge
No credit card required
Sign Up to Answer

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...

Question

Cant get ride of Adware-MemWatcher

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

memwatcher

adware

Windows Network Security

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Need individual assistance?

Our experts are ready to help.

Want to learn from the best?

Read articles from industry experts.

Working on a long term project?

Store your work and research.

What Makes Experts Exchange Unique?

Trusted by the world's most respected brands.

Faithfully serving IT professionals since 1996.

Related Solutions

Free Tech Articles

Cloud Class Webinars

Join the Community

Give a Little. Get a Lot.

Answers

3 Ways to Join

The Experts

The Experts

Testimonials

Testimonials

Testimonials

Business Clients

Business Clients

In the Press

In the Press

In the Press