Solved

Can't get rid of Adware-MemWatcher

Posted on 2004-05-02
Last Modified: 2013-12-04
I have been infected with a trojan which has been cleaned up, but in the process also picked up a lot of adware.  Spybot and McAfee cannot permanently delete this, although they both appear to.  With Spybot, they are detected and deleted but come right back.  With McAfee, they cannot be cleaned or deleted, but they can be quarantined and later deleted with "manage quarantined files" but they still come right back.

What can I do?

Here is a "hijack this" log:

Logfile of HijackThis v1.97.7
Scan saved at 1:35:55 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\IEHost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\senrcall.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\Qife4.exe
C:\Documents and Settings\Dell Desktop\Local Settings\Temp\Temporary Directory 1 for cwshredder.zip\CWShredder.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.3273611111
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Question by:mbbradford
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 50 total points
ID: 10972481
Try this one

http://www.spywareinfo.com/downloads.php?cat=sp#det
BHODemon http://www.spywareinfo.com/downloads/bhod/ | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.
LVL 44

Expert Comment

by:CrazyOne
ID: 10972485
And

Double Check for viruses
Online Scanners

 Norton Web Services  
Virus Detection provides an analysis of your results and offers suggestions for further action. It does not examine compressed files or fix infected files.

When Symantec receives notification about a new virus, we develop and post a solution as quickly as possible. We are committed to providing swift responses to all virus threats, including Trojan horses.
http://security.symantec.com/sscv6/vc_about.asp?ax=0&langid=ie&venid=sym&plfid=23&pkj=BSZNTGXIBVEMBQAUWZK

======================
 Trend Micro HouseCall        
http://housecall.antivirus.com/housecall/start_corp.asp

======================
eTrust Online antivirus scanner
http://www3.ca.com/virusinfo/virusscan.aspx
======================

PC Pitstop Virus Scan
When the download completes, you will receive an ActiveX security dialog for the PC Pitstop virus scanner. Click Yes to install the scanner and proceed to the virus scan.

If you are currently running an antivirus package such as Norton Antivirus, it may detect our own virus detection file as a virus. If this occurs and you wish to use our scanner, please (temporarily) disable any active background virus checking software before scanning, or add our signature file (PAV.SIG) to the scanner's file exclusion list
http://www.pcpitstop.com/antivirus/AVLoad.asp
LVL 44

Expert Comment

by:CrazyOne
ID: 10972490
Something else to Try is

Start > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists then one of the items in the startup is the culprit; you just need to track it down.
LVL 44

Expert Comment

by:CrazyOne
ID: 10972514
I am not sure what these are

O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
 
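CrazyOne's triage above picks the odd Run entries out of the log by eye. As an added example (not part of this thread and not HijackThis's own code), this Python sketch parses O4 lines in the format HijackThis 1.97 prints and flags the same kinds of entries: binaries auto-started from temp or profile folders, and value or file names that look machine-generated. The rules and the sample lines (copied from the first log above) are my own choices; a hit means "look closer", not "this is malware".

```python
"""Triage of HijackThis O4 Run entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# O4 lines as HijackThis 1.97 prints them, e.g.
#   O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First executable in the command (quoted or not), arguments dropped. The
# lookahead stops "mcafee.com\vso\x.exe" from being cut at ".com".
EXE_IN_CMD = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|dll)(?="|\s|$))', re.IGNORECASE
)
# Folders where a legitimate auto-start binary has little business living
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")

# Constructed sample: lines taken from the first HijackThis log in the thread
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe",
    r'O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"',
    r"O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe",
    r"O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe",
    r"O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe",
    r"O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe",
    r"O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe",
    r"O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q",
]


@dataclass
class RunEntry:
    hive: str
    name: str          # registry value name shown in [brackets]
    command: str       # full command line
    path: str          # executable extracted from the command
    reasons: list = field(default_factory=list)


def exe_path(command):
    """Return the executable path from a Run value, without quotes or args."""
    m = EXE_IN_CMD.match(command)
    return m.group("path") if m else command.strip('"')


def looks_random(token):
    """Heuristic: a value name or file stem mixing letters with two or more
    digits (2HQCYHF3DNW2CN, rs6T3Ei, NulP8r9) is typical of self-renaming
    adware. It is deliberately lenient so that names like hkcmd or
    BCMSMMSG (no digits) are not flagged."""
    digits = sum(c.isdigit() for c in token)
    return digits >= 2 and any(c.isalpha() for c in token)


def parse_o4(lines):
    """Yield a RunEntry for every O4 Run line; other O-sections are skipped."""
    for line in lines:
        m = O4_RUN.match(line.strip())
        if m:
            yield RunEntry(m["hive"], m["name"], m["cmd"], exe_path(m["cmd"]))


def triage(entry):
    """Attach a human-readable reason for every rule the entry trips."""
    low = entry.path.lower()
    if any(d in low for d in SUSPECT_DIRS):
        entry.reasons.append("runs from temp/profile directory")
    if looks_random(entry.name):
        entry.reasons.append("random-looking value name")
    stem = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        entry.reasons.append("random-looking file name")
    return entry


def suspicious(lines):
    """Return {value name: [reasons]} for every O4 Run entry that trips a rule."""
    flagged = {}
    for entry in parse_o4(lines):
        triage(entry)
        if entry.reasons:
            flagged[entry.name] = entry.reasons
    return flagged


if __name__ == "__main__":
    for name, why in suspicious(SAMPLE_LOG).items():
        print(f"[{name}]: {', '.join(why)}")
```

Note that [Bakra] IEHost.exe is not caught by these rules even though CrazyOne links it to a virus, which is why a name-based sweep like this only shortens the list a person still has to read.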
LVL 44

Expert Comment

by:CrazyOne
ID: 10972533
Well, those first three files I listed are definitely linked to a virus.
Author Comment

by:mbbradford
ID: 10972931
Thanks Crazyone,

I disabled everything in the start up menu, and had a slowdown in the popup ads.  I will wait a while and see if that takes care of that problem.

I also deleted the top three files you mentioned with HijackThis.  Let's see what happens.

I need to learn more about this stuff.  Is there a book or a website that has a detailed explanation that I should get?

Thanks,
Bruce
LVL 12

Expert Comment

by:rossfingal
ID: 10973469
Hi!

You have PeperA trojan, among other things.
We've found, usually it's best to deal with that first.
You can download one of these tools from:
http://www.mjc1.com/files/peperpage/uninst.exe
http://home.iprimus.com.au/mbuchan/peperuninst.exe
I suggest trying the first one initially - when you run it, make sure you're online; it may try to access the internet - let it.
Since you're running XP you'll probably want to disable System Restore, so that nothing is hiding in there.
After you run it, reboot and post a new HijackThis log for us to look at.
Also it's a good idea to place HijackThis in its own folder - a centralized place for backups and logs.

Good luck!
Author Comment

by:mbbradford
ID: 10974470
Hi rossfingal,

Thanks for your help.

I should mention first that since the start of this thread, I have reinstalled windows and drivers, updated spybot, and cleaned up many new things that it found.

But I still have 6 programs with random names that cannot be deleted, and when I see them as active processes and disable them, they come back active in a few seconds.  Devils.

I have done as you asked above.  The peperpage uninstall ran in a command window in a blink, so I can't say if it ended with a "congratulations" or a "sucks to be you" message, but at least it seems to have done what was expected.  I then linked to the second mbuchan peperuninst.exe but the link was not available.

Then I rebooted as asked and moved HijackThis to its own folder, and here is the log:
Also, I recognize the qife4 as one of the bad guys
also temp/q.exe
also virtualbounder.exe

Logfile of HijackThis v1.97.7
Scan saved at 11:28:54 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\senrcall.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\Qife4.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\Qife4.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL  (file missing)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL  (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL  (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL  (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL  (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\DOCUME~1\DELLDE~1\LOCALS~1\Temp\WToolsB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\YjpWR9t0.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.7553819444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

LVL 12

Accepted Solution

by:
rossfingal earned 350 total points
ID: 10974903
Hi!

Download and install Ad-Aware from Lavasoft at:
http://majorgeeks.com/download.php?det=506
Or:
http://www.webattack.com/download/dladaware.shtml
Before you have it scan, click on the "Check for updates now" and let it install the latest update.
Then configure it according to the following:
"Quote"
Step 4- Configuring Ad-Aware 6 for your first scan
[NOTE: Ad-Aware 6 has two scanning options: SmartScan and Custom. As explained more fully below,
SmartScan is faster, but also less comprehensive.
While SmartScan is satisfactory for routine use, it is HIGHLY recommended that your FIRST scan with A-A,
should be a Custom scan. After a thorough cleaning, use the capabilities within SmartScan for everyday use.
Think of SmartScan as your regular oil change, whereas the Custom Scan is the 30,000 mile checkup.]

Ad-Aware 6 comes pre-configured with default options that are already ON (green check-mark)
 ... do not change them. The following are changes that you will need to make to prepare the "Full"
custom scan that is recommended for the first look into your computer
(instead of a red "x", you will make them a green "check-mark")
[NOTE: any options that are greyed out are only available for users of the
paid Plus or Professional versions of A-A]

Launch the program, and click on the Gear at the top of the start screen to access the
preferences/setting window.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and "Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Automatically try to unregister objects prior to deletion" and
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.

When you are finished, you will be using the Custom Scan with Memory and Both registry scans ON.
Please make sure that you activate IN-DEPTH scanning before you proceed.

NOTE: For the Full Scan setup instructions for users with the paid Plus or Professional versions,
or if you have previously changed your settings in the Personal version, see this thread:
http://www.lavahelp.com/howto/fullscan/index.html

Step 5- Scanning
From the start screen, click on the "Scan now" button.
On the next screen, select "Use custom scanning options". [You would change this to SmartScan in the future]
Click on "Next" to begin the A-A scan.

---------- Note: Important decision -----------

If you are unsure about what to remove, you will need to post your logfile for someone to
evaluate and assist you in the removal

Posting your Logfile
When the scan is complete, click "Show Log", then highlight all of the text in the logfile with your mouse.
On your keyboard, press Ctrl + C, which will copy the text to your clipboard.
Right click "Paste" in your thread.

Or, you can navigate to your Ad-aware 6 folder in Windows Explorer: C:\Program Files\Lavasoft\Ad-Aware 6\Logs
Open this folder and find the correct logfile. The logfiles will be named "Ad-Aware-log ##-##-##.txt"
(the #'s will be the date of the scan, shown in the European format). Right click, choose "Select all",
then right click and choose "Copy". Right click and select "Paste" in your thread.
-------------------------------------------------------

Step 6- Quarantine and Removal of Detected Objects
Quarantine: Ad-Aware includes a Quarantine feature, which can back up detected objects before they are removed.
This can prove useful in the event a program doesn't work after certain detected objects are removed ...
you can restore the detected objects, much like an anti-virus quarantine.
The program is pre-configured to automatically quarantine the selected objects before removal,
so you do not need to click on the 'Quarantine' button.
Make a Quarantine only if you do not have the Auto-Quarantine option ON.

Removal:
From the "Scan complete" window ...
Click on "Next".
This will take you to the "Results" window ... this is where you will need to mark the objects
that you wish to remove. There are many options available with a right-click.
It is recommended (as stated above) to remove all of the objects unless you wish to ignore some
(see below for instructions on the ignore list).
To remove everything, right click in the Results List and click "Select all objects".
DO NOT click the 'Quarantine' button, this is automatically done as
explained above.
Click "Next" to remove the chosen objects.
Click "OK".
The Quarantine will be made and the objects will then be removed.

[Please Note: After removing a Browser Hijacker, Ad-aware 6 will set your Start Page to "Blank",
so you may need to set the Start and Search pages in your Browser manually back to your preferred one.
The reason for this is that the hijack has changed the page, and since Ad-aware 6 does not know
what it was set to before the hijack, it resets it to a blank page.
If you do not see any differences, then disregard this note.]

Ignore List
Always do the Ignore List items first, before removing anything.
If you wish to ignore some of the detected objects:
From the same "Results" window that lists the detected items, select any items from
the list that you want to "Ignore".
Right click in the scan results window and select "Add selection to ignore-list".
Click "OK".
Then continue with the removal process.

Subsequent Scanning with Ad-Aware 6
While a full custom scan is recommended for your first "cleaning", you can run the SmartScan after that.
SmartScan is a set of preset scanning options.
Ad-Aware comes with pre-defined settings that most users will find sufficient for their scanning needs.
[Of course, should a user require (or want) more or less than defined here, they can always perform a custom scan]
SmartScan uses these scanning options: Scan Memory, Scan Registry, Deep Scan Registry, System Folder, Cookies,
and then the conditional scans based on what's located.

From the start screen, click on the "Scan now" button.
On the next screen, select "Perform smart system-scan".
Click on "Next" to begin the A-A scan.
Follow the same quarantine and removal instructions as above.
The SmartScan option is obviously faster than the full custom scan.

Miscellaneous
If you used any other Anti-Trackware application to remove detected content
immediately prior to running a scan with Ad-aware 6, you will need to perform a Custom Full System scan
to ensure that the objects have all been successfully removed. Do not use the SmartScan option in this case.
Also, it is recommended that you re-boot your computer between running the applications.
"End quote"

After it has scanned; empty your temp files (just the files, not the temp folders), delete your temporary internet files with the box checked to "delete all
offline content" and empty your recycle bin.
Reboot the computer and post another HijackThis log.
Thanks!
Author Comment

by:mbbradford
ID: 10976138
Hi rossfingal,

Thanks for the response,  I'll do this as soon as I get home from work tonight.

Regards,
Bruce
LVL 12

Expert Comment

by:trywaredk
ID: 10976278
Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my URL below there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs don't always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan, and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

LVL 12

Assisted Solution

by:trywaredk
trywaredk earned 50 total points
ID: 10976290
How to remove
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe

http://www.pestpatrol.com/PestInfo/w/whenusearch.asp#Detection%20and%20Removal
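
As an added example (not code from anyone in this thread, nor from HijackThis or Lavasoft): a small Python script that parses the two log formats seen here, the HijackThis O4 line quoted in this comment and the Ad-aware 6 "Object recognized!" records in the log posted below, and groups each finding by the autostart or browser-hook location it uses. That grouping is what you re-check after a reboot when a deleted item "comes right back": the BHO, URLSearchHook, Run and Uninstall keys are the places an adware installer re-registers itself from. The sample input is constructed from lines in this thread; the location labels, the HKLM/HKCU expansion table and the expansion of HijackThis's `\..\` shorthand to `Software\Microsoft\Windows\CurrentVersion` are my own assumptions about the formats.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, not a full log: the HijackThis O4 line quoted above and
# four Ad-aware 6 "Object recognized!" records shaped like the log posted below.
SAMPLE_HJT = r"O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe"

SAMPLE_ADAWARE = r"""
 PromulGate Object recognized!
    Type               : Process
    Data               : dpi.exe
    Object             : C:\Program Files\Common Files\Dpi\

#:14 [ycommon.exe]
    FilePath           : C:\PROGRA~1\Yahoo!\browser\

 ClearSearch Object recognized!
    Type               : RegKey
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000221}

 eUniverse Object recognized!
    Type               : RegValue
    Comment            : "{5D60FF48-95BE-4956-B4C6-6BB168A70310}"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Internet Explorer\URLSearchHooks
    Value              : {5D60FF48-95BE-4956-B4C6-6BB168A70310}

 MemoryWatcher Object recognized!
    Type               : RegKey
    Category           : Malware
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MemoryWatcher
"""

RECORD_RE = re.compile(r"^\s*(?P<family>\S.*?) Object recognized!\s*$")
FIELD_RE = re.compile(r"^ {4}(?P<key>[A-Za-z][\w ]*?)\s*:\s?(?P<value>.*)$")
# HijackThis abbreviates HKLM\Software\Microsoft\Windows\CurrentVersion\Run as HKLM\..\Run
HJT_O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}  # assumed expansion table

# Autostart and browser-hook locations; the labels are my own naming.
LOCATION_RULES = [
    ("Browser Helper Object", r"\\Explorer\\Browser Helper Objects\\"),
    ("URLSearchHook", r"\\URLSearchHooks$"),
    ("Run key", r"\\CurrentVersion\\Run(Once)?$"),
    ("Uninstall entry", r"\\CurrentVersion\\Uninstall\\"),
    ("COM registration", r"^(CLSID|TypeLib)\\"),
]

def parse_adaware(text):
    # One dict per record; a blank line closes it, so process stanzas are never merged in.
    records, current = [], None
    for line in text.splitlines():
        header = RECORD_RE.match(line)
        field = FIELD_RE.match(line)
        if header:
            current = {"family": header.group("family")}
            records.append(current)
        elif field and current is not None:
            current[field.group("key")] = field.group("value").strip()
        elif not line.strip():
            current = None
    return records

def parse_hijackthis_o4(text):
    # Normalise HijackThis O4 autostart lines into the same dict shape as Ad-aware records.
    entries = []
    for line in text.splitlines():
        m = HJT_O4_RE.match(line.strip())
        if m:
            entries.append({"family": m.group("name"), "Type": "RegValue",
                            "Rootkey": HIVES.get(m.group("hive"), m.group("hive")),
                            "Object": "Software\\Microsoft\\Windows\\CurrentVersion\\" + m.group("key"),
                            "Value": m.group("name"), "Data": m.group("cmd")})
    return entries

def classify(record):
    # Label a finding by where it lives: the place to re-check after the next reboot.
    if record.get("Type") == "Process":
        return "Running process"
    obj = record.get("Object", "")
    for label, pattern in LOCATION_RULES:
        if re.search(pattern, obj, re.IGNORECASE):
            return label
    return "Other registry data"

def summarize(records):
    by_family = Counter(r["family"] for r in records)
    by_location = defaultdict(set)
    for r in records:
        by_location[classify(r)].add(r["family"])
    return by_family, {k: sorted(v) for k, v in by_location.items()}

if __name__ == "__main__":
    findings = parse_hijackthis_o4(SAMPLE_HJT) + parse_adaware(SAMPLE_ADAWARE)
    for location, families in sorted(summarize(findings)[1].items()):
        print(f"{location:22s} {', '.join(families)}")
```

Run against a full log, the "Browser Helper Object", "URLSearchHook" and "Run key" groups are the short list to compare between two scans: a family that reappears in one of them after Ad-aware reported it removed still has a live installer or a second copy that the scan did not reach.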

Author Comment

by:mbbradford
ID: 10979415
Hi rossfingal,

I'm halfway there. I downloaded, configured, and ran Ad-aware per your instructions. I don't know what to remove, so I'm posting the log. After posting this message, I will "remove all" and complete your original instructions. Thanks again for your help.

Here is the log file:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on  :Monday, May 03, 2004 12:45:04 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R301 03.05.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R298 20.04.2004
Internal build : 229
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1067557 Bytes
Signature data size : 1049356 Bytes
Reference data size : 18137 Bytes
Signatures total : 23569
Target categories : 10
Target families : 455
5-3-2004 12:35:55 PM Performing Webupdate...

Installing Update...
Reference file loaded:
Reference Number : 01R301 03.05.2004
Internal build : 233
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1082422 Bytes
Signature data size : 1064020 Bytes
Reference data size : 18338 Bytes
Signatures total : 23868
Target categories : 10
Target families : 460

5-3-2004 12:36:04 PM Success.
Update successfully downlodaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:29 %
Total physical memory:260096 kb
Available physical memory:74568 kb
Total page file size:640412 kb
Available on page file:403788 kb
Total virtual memory:2097024 kb
Available virtual memory:2048712 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


5-3-2004 12:45:04 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ThreadCreationTime : 5-3-2004 4:16:53 PM
    BasePriority       : Normal


#:2 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:16:56 PM
    BasePriority       : High


#:3 [services.exe]
    FilePath           : C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:17:00 PM
    BasePriority       : Normal
    FileSize           : 99 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    OriginalFilename   : services.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:44:23 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:44:23 PM

#:4 [lsass.exe]
    FilePath           : C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:17:00 PM
    BasePriority       : Normal
    FileSize           : 11 KB
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion     : 5.1.2600.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    OriginalFilename   : lsass.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:32:16 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:32:16 PM

#:5 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:17:04 PM
    BasePriority       : Normal
    FileSize           : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    OriginalFilename   : svchost.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:47:02 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:47:02 PM

#:6 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:04 PM
    BasePriority       : Normal
    FileSize           : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    OriginalFilename   : svchost.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:47:02 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:47:02 PM

#:7 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ThreadCreationTime : 5-3-2004 4:17:06 PM
    BasePriority       : Normal
    FileSize           : 980 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    OriginalFilename   : EXPLORER.EXE
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:28:11 PM
    Last accessed      : 5/3/2004 4:28:47 PM
    Last modified      : 7/16/2003 8:28:11 PM

#:8 [spoolsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:17:06 PM
    BasePriority       : Normal
    FileSize           : 50 KB
    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion     : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    OriginalFilename   : spoolsv.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:46:20 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:46:20 PM

#:9 [support.exe]
    FilePath           : C:\Program Files\Common Files\Dell\EUSW\
    ThreadCreationTime : 5-3-2004 4:17:07 PM
    BasePriority       : Normal
    FileSize           : 288 KB
    FileVersion        : 2, 0, 0, 34
    ProductVersion     : 1, 0, 0, 1
    Copyright          : Copyright  
    CompanyName        : Dell
    FileDescription    : Support
    InternalName       : Support
    OriginalFilename   : Support.exe
    ProductName        : Dell Support
    Created on         : 10/7/2003 10:21:10 PM
    Last accessed      : 5/3/2004 4:17:07 PM
    Last modified      : 10/7/2003 10:21:10 PM

#:10 [notifyalert.exe]
    FilePath           : C:\Program Files\Dell\Support\Alert\bin\
    ThreadCreationTime : 5-3-2004 4:17:08 PM
    BasePriority       : Normal
    FileSize           : 344 KB
    FileVersion        : 2.1.0.72
    ProductVersion     : 2.1.0.72
    InternalName       : NotifyAlert.exe
    OriginalFilename   : NotifyAlert.exe
    Created on         : 10/7/2003 10:20:18 PM
    Last accessed      : 5/3/2004 4:17:08 PM
    Last modified      : 10/7/2003 10:20:18 PM

#:11 [cfd.exe]
    FilePath           : C:\Program Files\BroadJump\Client Foundation\
    ThreadCreationTime : 5-3-2004 4:17:08 PM
    BasePriority       : Normal
    FileSize           : 360 KB
    Created on         : 5/2/2004 2:20:27 PM
    Last accessed      : 5/3/2004 4:17:08 PM
    Last modified      : 9/11/2002 1:26:26 AM

#:12 [ybrwicon.exe]
    FilePath           : C:\Program Files\Yahoo!\browser\
    ThreadCreationTime : 5-3-2004 4:17:08 PM
    BasePriority       : Normal
    FileSize           : 56 KB
    FileVersion        : 2003, 7, 11, 1
    ProductVersion     : 1, 0, 0, 1
    Copyright          : Copyright  
    CompanyName        : Yahoo!, Inc.
    FileDescription    : YBrwIcon
    InternalName       : YBrwIcon
    OriginalFilename   : YBrwIcon.exe
    ProductName        : Yahoo!, Inc. YBrwIcon
    Created on         : 5/2/2004 2:14:34 PM
    Last accessed      : 5/3/2004 4:17:08 PM
    Last modified      : 7/11/2003 6:51:16 PM

#:13 [dpi.exe]
    FilePath           : C:\Program Files\Common Files\Dpi\
    ThreadCreationTime : 5-3-2004 4:17:09 PM
    BasePriority       : Normal
    FileSize           : 92 KB
    Created on         : 1/16/2004 7:01:48 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 1/16/2004 7:01:26 PM
Warning! PromulGate object found in memory(C:\Program Files\Common Files\Dpi\dpi.exe)

 PromulGate Object recognized!
    Type               : Process
    Data               : dpi.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Common Files\Dpi\
    FileSize           : 92 KB
    Created on         : 1/16/2004 7:01:48 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 1/16/2004 7:01:26 PM


"dpi.exe"Process terminated successfully.

#:14 [ycommon.exe]
    FilePath           : C:\PROGRA~1\Yahoo!\browser\
    ThreadCreationTime : 5-3-2004 4:17:09 PM
    BasePriority       : Normal
    FileSize           : 208 KB
    FileVersion        : 2003, 7, 14, 1
    ProductVersion     : 1, 0, 0, 1
    Copyright          : Copyright 2003 Yahoo! Inc.
    CompanyName        : Yahoo!, Inc.
    FileDescription    : YCommon Exe Module
    InternalName       : YCommonExe
    OriginalFilename   : YCommon.EXE
    ProductName        : YCommon Exe Module
    Created on         : 5/2/2004 2:14:08 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 7/14/2003 1:55:44 PM

#:15 [pcsvc.exe]
    FilePath           : C:\WINDOWS\system32\pcs\
    ThreadCreationTime : 5-3-2004 4:17:09 PM
    BasePriority       : Normal
    FileSize           : 35 KB
    FileVersion        : 2.14.0000
    Created on         : 1/27/2004 2:57:34 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 1/28/2004 1:42:24 PM
Warning! PromulGate object found in memory(C:\WINDOWS\system32\pcs\pcsvc.exe)

 PromulGate Object recognized!
    Type               : Process
    Data               : pcsvc.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\system32\pcs\
    FileSize           : 35 KB
    FileVersion        : 2.14.0000
    Created on         : 1/27/2004 2:57:34 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 1/28/2004 1:42:24 PM


"pcsvc.exe"Process terminated successfully.

#:16 [senrcall.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:10 PM
    BasePriority       : Normal
    FileSize           : 84 KB
    Created on         : 5/1/2004 8:10:58 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 5/1/2004 8:10:39 PM

#:17 [mcvsshld.exe]
    FilePath           : C:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 5-3-2004 4:17:10 PM
    BasePriority       : Normal
    FileSize           : 160 KB
    FileVersion        : 8, 0, 0, 15
    ProductVersion     : 8, 0, 0, 0
    Copyright          : Copyright  
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan ActiveShield Resource
    InternalName       : msvcshld
    OriginalFilename   : mcvsshld.exe
    ProductName        : McAfee VirusScan
    Created on         : 1/7/2004 5:26:23 PM
    Last accessed      : 5/3/2004 4:17:10 PM
    Last modified      : 8/18/2003 2:50:34 AM

#:18 [mcvsescn.exe]
    FilePath           : c:\progra~1\mcafee.com\vso\
    ThreadCreationTime : 5-3-2004 4:17:11 PM
    BasePriority       : Normal
    FileSize           : 404 KB
    FileVersion        : 8, 0, 0, 20
    ProductVersion     : 8, 0, 0, 0
    Copyright          : Copyright  
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan E-mail Scan Module
    InternalName       : mcvsescn
    OriginalFilename   : mcvsescn.EXE
    ProductName        : McAfee VirusScan
    Created on         : 1/7/2004 5:26:29 PM
    Last accessed      : 5/3/2004 4:15:59 PM
    Last modified      : 9/28/2003 6:47:00 PM

#:19 [mcagent.exe]
    FilePath           : c:\program files\mcafee.com\agent\
    ThreadCreationTime : 5-3-2004 4:17:11 PM
    BasePriority       : Normal
    FileSize           : 240 KB
    FileVersion        : 4, 3, 0, 27
    ProductVersion     : 4, 3, 0, 0
    Copyright          : Copyright  
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee SecurityCenter Agent
    InternalName       : mcagent
    OriginalFilename   : mcagent.exe
    ProductName        : McAfee SecurityCenter
    Created on         : 1/7/2004 5:26:14 PM
    Last accessed      : 5/3/2004 4:17:11 PM
    Last modified      : 12/8/2003 8:38:52 PM

#:20 [mm_tray.exe]
    FilePath           : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
    ThreadCreationTime : 5-3-2004 4:17:11 PM
    BasePriority       : Normal
    FileSize           : 116 KB
    FileVersion        : 8.10.1006
    ProductVersion     : 8.10.1006
    Copyright          : Copyright  
    CompanyName        : MUSICMATCH, Inc.
    FileDescription    : mm_tray
    InternalName       : mm_tray
    OriginalFilename   : mm_tray.exe
    ProductName        : MUSICMATCH JUKEBOX
    Created on         : 12/30/2003 4:43:11 AM
    Last accessed      : 5/3/2004 4:17:12 PM
    Last modified      : 10/6/2003 4:05:40 PM

#:21 [acsd.exe]
    FilePath           : C:\PROGRA~1\COMMON~1\AOL\ACS\
    ThreadCreationTime : 5-3-2004 4:17:13 PM
    BasePriority       : Normal
    FileSize           : 1344 KB
    FileVersion        : 1,0,17,5
    ProductVersion     : 1,0,17,5
    Copyright          : Copyright  
    CompanyName        : America Online, Inc.
    FileDescription    : AOL Connectivity Service
    InternalName       : acsd
    OriginalFilename   : acsd.exe
    ProductName        : AOL Connectivity Service
    Created on         : 12/30/2003 4:37:09 AM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 8/6/2003 10:58:26 PM

#:22 [mmtask.exe]
    FilePath           : C:\Program Files\MusicMatch\MusicMatch Jukebox\
    ThreadCreationTime : 5-3-2004 4:17:13 PM
    BasePriority       : Normal
    FileSize           : 52 KB
    FileVersion        : 1.0.0.1
    ProductVersion     : 1.0.0.1
    Copyright          : TODO: (c) <Company name>.  All rights reserved.
    CompanyName        : TODO: <Company name>
    FileDescription    : TODO: <File description>
    InternalName       : mmtask.exe
    OriginalFilename   : mmtask.exe
    ProductName        : TODO: <Product name>
    Created on         : 12/30/2003 4:43:11 AM
    Last accessed      : 5/3/2004 4:17:13 PM
    Last modified      : 10/6/2003 4:05:40 PM

#:23 [mcvsrte.exe]
    FilePath           : c:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 5-3-2004 4:17:14 PM
    BasePriority       : Normal
    FileSize           : 104 KB
    FileVersion        : 8, 0, 0, 12
    ProductVersion     : 8, 0, 0, 0
    Copyright          : Copyright  
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan Real-time Engine
    InternalName       : mcvsrte
    OriginalFilename   : mcvsrte.exe
    ProductName        : McAfee VirusScan
    Created on         : 1/7/2004 5:26:23 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 8/8/2003 11:04:38 PM

#:24 [mdm.exe]
    FilePath           : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
    ThreadCreationTime : 5-3-2004 4:17:14 PM
    BasePriority       : Normal
    FileSize           : 314 KB
    FileVersion        : 7.00.9466
    ProductVersion     : 7.00.9466
    CompanyName        : Microsoft Corporation
    FileDescription    : Machine Debug Manager
    InternalName       : mdm.exe
    OriginalFilename   : mdm.exe
    ProductName        : Microsoft
    Created on         : 6/20/2003 5:25:00 AM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 6/20/2003 5:25:00 AM

#:25 [wanmpsvc.exe]
    FilePath           : C:\WINDOWS\
    ThreadCreationTime : 5-3-2004 4:17:18 PM
    BasePriority       : Normal
    FileSize           : 64 KB
    FileVersion        : 7, 0, 0, 2
    ProductVersion     : 7, 0, 0, 2
    Copyright          : Copyright  
    CompanyName        : America Online, Inc.
    FileDescription    : Wan Miniport (ATW) Service
    InternalName       : WanMPSvc
    OriginalFilename   : WanMPSvc.exe
    ProductName        : America Online
    Created on         : 12/30/2003 4:37:15 AM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 1/10/2003 11:13:04 PM

#:26 [tfswctrl.exe]
    FilePath           : C:\WINDOWS\system32\dla\
    ThreadCreationTime : 5-3-2004 4:17:24 PM
    BasePriority       : Normal
    FileSize           : 112 KB
    FileVersion        : 1.04.05b
    Copyright          : Copyright  
    CompanyName        : Sonic Solutions
    FileDescription    : Drive Letter Access Component
    Created on         : 12/30/2003 4:35:55 AM
    Last accessed      : 5/3/2004 4:17:24 PM
    Last modified      : 8/6/2003 7:04:00 AM

#:27 [bcmsmmsg.exe]
    FilePath           : C:\WINDOWS\
    ThreadCreationTime : 5-3-2004 4:17:24 PM
    BasePriority       : Normal
    FileSize           : 120 KB
    FileVersion        :  3.5.24 02/24/2003 18:29:41
    ProductVersion     :  3.5.24 02/24/2003 18:29:41
    Copyright          : Copyright  
    CompanyName        : Broadcom Corporation
    FileDescription    : Modem Messaging Applet
    InternalName       : smdmstat.exe
    OriginalFilename   : smdmstat.exe
    ProductName        : BCM Modem Messaging Applet
    Created on         : 1/1/1980 6:00:00 AM
    Last accessed      : 5/3/2004 4:17:24 PM
    Last modified      : 6/2/2003 11:00:30 AM

#:28 [hkcmd.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:25 PM
    BasePriority       : Normal
    FileSize           : 116 KB
    FileVersion        : 3.0.0.2285
    ProductVersion     : 7.0.0.2285
    Copyright          : Copyright 1999-2003, Intel Corporation
    CompanyName        : Intel Corporation
    FileDescription    : hkcmd Module
    InternalName       : HKCMD
    OriginalFilename   : HKCMD.EXE
    ProductName        : Intel(R) Common User Interface
    Created on         : 10/2/2003 6:19:44 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 10/2/2003 6:19:44 PM

#:29 [wtoolsa.exe]
    FilePath           : C:\Program Files\Common files\WinTools\
    ThreadCreationTime : 5-3-2004 4:17:27 PM
    BasePriority       : Normal
    FileSize           : 429 KB
    Created on         : 5/3/2004 12:11:41 AM
    Last accessed      : 5/3/2004 4:17:27 PM
    Last modified      : 4/30/2004 2:48:08 PM

#:30 [mcshield.exe]
    FilePath           : c:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 5-3-2004 4:17:28 PM
    BasePriority       : High
    FileSize           : 220 KB
    Created on         : 1/23/2004 1:53:46 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 3/13/2002 1:50:34 PM

#:31 [ctfmon.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:30 PM
    BasePriority       : Normal
    FileSize           : 13 KB
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion     : 5.1.2600.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : CTF Loader
    InternalName       : CTFMON
    OriginalFilename   : CTFMON.EXE
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:26:03 PM
    Last accessed      : 5/3/2004 4:17:30 PM
    Last modified      : 7/16/2003 8:26:03 PM

#:32 [wtoolss.exe]
    FilePath           : C:\Program Files\Common files\WinTools\
    ThreadCreationTime : 5-3-2004 4:17:30 PM
    BasePriority       : Normal
    FileSize           : 75 KB
    Created on         : 5/3/2004 12:11:45 AM
    Last accessed      : 5/3/2004 4:17:31 PM
    Last modified      : 4/20/2004 12:15:06 PM

#:33 [wsup.exe]
    FilePath           : C:\Program Files\Common files\WinTools\
    ThreadCreationTime : 5-3-2004 4:17:31 PM
    BasePriority       : Normal
    FileSize           : 429 KB
    Created on         : 5/3/2004 12:11:42 AM
    Last accessed      : 5/3/2004 4:17:38 PM
    Last modified      : 4/30/2004 2:48:08 PM

#:34 [qife4.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:46 PM
    BasePriority       : Normal
    FileSize           : 228 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    InternalName       : Kern32
    OriginalFilename   : Kern32.exe
    ProductName        : Kern32
    Created on         : 5/2/2004 4:20:06 PM
    Last accessed      : 5/3/2004 4:17:43 PM
    Last modified      : 5/2/2004 4:20:06 PM

#:35 [wvyq4ux.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:49 PM
    BasePriority       : Normal
    FileSize           : 228 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    InternalName       : Kern32
    OriginalFilename   : Kern32.exe
    ProductName        : Kern32
    Created on         : 5/2/2004 4:50:01 AM
    Last accessed      : 5/3/2004 4:17:43 PM
    Last modified      : 5/2/2004 4:50:01 AM

#:36 [iexplore.exe]
    FilePath           : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5-3-2004 4:18:19 PM
    BasePriority       : Normal
    FileSize           : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName       : iexplore
    OriginalFilename   : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on         : 8/29/2002 11:00:00 AM
    Last accessed      : 5/3/2004 4:33:49 PM
    Last modified      : 8/29/2002 11:00:00 AM

#:37 [wuauclt.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:18:37 PM
    BasePriority       : Normal
    FileSize           : 136 KB
    FileVersion        : 5.4.3630.1106 (xpsp1.020828-1920)
    ProductVersion     : 5.4.3630.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Update AutoUpdate Client
    InternalName       : wuauclt.exe
    OriginalFilename   : wuauclt.exe
    ProductName        : Microsoft
    Created on         : 8/29/2002 11:00:00 AM
    Last accessed      : 5/3/2004 4:18:36 PM
    Last modified      : 8/29/2002 11:00:00 AM

#:38 [iexplore.exe]
    FilePath           : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5-3-2004 4:19:49 PM
    BasePriority       : Normal
    FileSize           : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName       : iexplore
    OriginalFilename   : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on         : 8/29/2002 11:00:00 AM
    Last accessed      : 5/3/2004 4:33:49 PM
    Last modified      : 8/29/2002 11:00:00 AM

#:39 [iexplore.exe]
    FilePath           : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5-3-2004 4:33:49 PM
    BasePriority       : Normal
    FileSize           : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName       : iexplore
    OriginalFilename   : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on         : 8/29/2002 11:00:00 AM
    Last accessed      : 5/3/2004 4:33:49 PM
    Last modified      : 8/29/2002 11:00:00 AM

#:40 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 5-3-2004 4:35:18 PM
    BasePriority       : Normal
    FileSize           : 668 KB
    FileVersion        : 6.0.1.181
    ProductVersion     : 6.0.0.0
    Copyright          : Copyright  
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-aware 6 core application
    InternalName       : Ad-aware.exe
    OriginalFilename   : Ad-aware.exe
    ProductName        : Lavasoft Ad-aware Plus
    Created on         : 5/3/2004 4:33:47 PM
    Last accessed      : 5/3/2004 4:33:49 PM
    Last modified      : 7/13/2003 1:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 AdDestroyer Object recognized!
    Type               : RegKey
    Data               :
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\vb and vba program settings\addestroyer


 Alexa Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{00000000-0000-0000-0000-000000000221}


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : csie.csiecore


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : csie.csiecore.1


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\CLRSCH


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000221}


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : TYPELIB\{60494593-5408-447d-bd5e-a16640d6af99}


 ClickSpring Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\ClickSpring


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : bho.incredifindbho


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : bho.incredifindbho.1


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{4fc95edd-4796-4966-9049-29649c80111d}


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{5d60ff48-95be-4956-b4c6-6bb168a70310}


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d60ff48-95be-4956-b4c6-6bb168a70310}


 Favoriteman Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}


 IBIS Toolbar Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HAUTO_UNINSTALL


 MemoryWatcher Object recognized!
    Type               : RegKey
    Data               :
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\MemoryWatcher


 MemoryWatcher Object recognized!
    Type               : RegKey
    Data               :
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MemoryWatcher


 NetPal Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000EF1-0786-4633-87C6-1AA7A44296DA}


 NetPal Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{00000ef1-0786-4633-87c6-1aa7a44296da}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Apropos.Client


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Apropos.Client.1.1


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{A4A58A2C-B039-432B-8BC1-DCA7AC0757DC}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Apropos


 VirtualBouncer Object recognized!
    Type               : RegKey
    Data               :
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\VB and VBA Program Settings\VBouncer


 WhenU Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch


 WhenU Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\WhenUSearch


 WhenU Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : WUSE.1


 eUniverse Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "{5D60FF48-95BE-4956-B4C6-6BB168A70310}"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Internet Explorer\URLSearchHooks
    Value              : {5D60FF48-95BE-4956-B4C6-6BB168A70310}


 Favoriteman Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Counter"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Windows
    Value              : Counter


 Favoriteman Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Server"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Windows
    Value              : Server


 Favoriteman Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Object"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Windows
    Value              : Object


 Lycos Sidesearch Object recognized!
    Type               : RegValue
    Data               :
    Category           : Misc
    Comment            : "{00000762-3965-4A1A-98CE-3D4BF457D4C8}"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    Value              : {00000762-3965-4A1A-98CE-3D4BF457D4C8}


 Lycos Sidesearch Object recognized!
    Type               : RegValue
    Data               :
    Category           : Misc
    Comment            : "{000007AB-7059-463E-BD44-101A1750D732}"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    Value              : {000007AB-7059-463E-BD44-101A1750D732}


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 34
Objects found so far: 36


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 PromulGate Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Dpi"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : Software\Microsoft\Windows\CurrentVersion\Run
    Value              : Dpi


 PromulGate Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Pcsv"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : Software\Microsoft\Windows\CurrentVersion\Run
    Value              : Pcsv


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 38


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@0[2].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:04:58 PM
    Last accessed      : 5/3/2004 4:04:58 PM
    Last modified      : 5/3/2004 4:04:58 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@0[3].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:33:54 PM
    Last accessed      : 5/3/2004 4:33:54 PM
    Last modified      : 5/3/2004 4:33:54 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@atdmt[2].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:06:44 PM
    Last accessed      : 5/3/2004 4:06:44 PM
    Last modified      : 5/3/2004 4:06:44 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@centrport[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:38:45 AM
    Last accessed      : 5/3/2004 4:47:06 PM
    Last modified      : 5/3/2004 4:38:45 AM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@doubleclick[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:21:42 PM
    Last accessed      : 5/3/2004 4:21:42 PM
    Last modified      : 5/3/2004 4:21:42 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@edge.ru4[2].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:25:22 PM
    Last accessed      : 5/3/2004 4:25:22 PM
    Last modified      : 5/3/2004 4:25:22 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@mediaplex[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 10:12:00 AM
    Last accessed      : 5/3/2004 4:47:06 PM
    Last modified      : 5/3/2004 10:12:00 AM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@qksrv[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:06:31 PM
    Last accessed      : 5/3/2004 4:06:31 PM
    Last modified      : 5/3/2004 4:06:31 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@tribalfusion[2].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:39:28 AM
    Last accessed      : 5/3/2004 4:05:20 PM
    Last modified      : 5/3/2004 4:39:28 AM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@z1.adserver[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:04:58 PM
    Last accessed      : 5/3/2004 4:04:58 PM
    Last modified      : 5/3/2004 4:04:58 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@~~local~~[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:07:42 PM
    Last accessed      : 5/3/2004 4:07:42 PM
    Last modified      : 5/3/2004 4:07:42 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bi.ini
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
    FileSize           : 224 KB
    Created on         : 2/25/2004 8:38:24 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 12/13/2003 3:48:18 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : biini.cab
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
    FileSize           : 85 KB
    Created on         : 2/25/2004 8:38:23 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 2/25/2004 8:38:24 PM



 IBIS Toolbar Object recognized!
    Type               : File
    Data               : btiein.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
    FileSize           : 221 KB
    Created on         : 5/1/2004 8:10:25 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 4/6/2004 1:33:00 PM



 IBIS Toolbar Object recognized!
    Type               : File
    Data               : wintools.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
    FileSize           : 6 KB
    Created on         : 5/1/2004 8:10:25 PM
    Last accessed      : 5/3/2004 4:47:10 PM
    Last modified      : 3/19/2004 8:21:54 AM



 Rads01.Quadrogram Object recognized!
    Type               : File
    Data               : wowex32[1].exe
    Category           : Malware
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\
    FileSize           : 448 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    InternalName       : wowex32
    OriginalFilename   : wowex32.exe
    ProductName        : wowex32
    Created on         : 5/3/2004 2:41:30 AM
    Last accessed      : 5/3/2004 4:47:11 PM
    Last modified      : 5/3/2004 2:41:33 AM



 IBIS Toolbar Object recognized!
    Type               : File
    Data               : btiein.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Common Files\WinTools\
    FileSize           : 221 KB
    Created on         : 5/1/2004 8:10:31 PM
    Last accessed      : 5/3/2004 4:49:18 PM
    Last modified      : 4/6/2004 1:33:00 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : memorywatcher.exe
    Category           : Malware
    Comment            :
    Object             : C:\Program Files\MemoryWatcher\
    FileSize           : 52 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    Copyright          : Memory Watcher 2003
    CompanyName        : Memory Watcher
    FileDescription    : Memory Watcher
    InternalName       : MemoryWatcher
    OriginalFilename   : MemoryWatcher.exe
    ProductName        : Memory Watcher
    Created on         : 10/17/2003 6:17:00 PM
    Last accessed      : 5/3/2004 4:50:13 PM
    Last modified      : 10/17/2003 6:17:00 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : 0021-bdl94126.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\
    FileSize           : 245 KB
    Created on         : 5/1/2004 6:33:49 PM
    Last accessed      : 5/3/2004 4:53:09 PM
    Last modified      : 5/1/2004 8:26:50 PM



 TurboDownload Object recognized!
    Type               : File
    Data               : dp-him.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\
    FileSize           : 60 KB
    Created on         : 11/24/2003 5:48:40 AM
    Last accessed      : 5/3/2004 4:53:17 PM
    Last modified      : 11/24/2003 5:48:40 AM



 Favoriteman Object recognized!
    Type               : File
    Data               : im64.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\

    Created on         : 2/25/2004 8:28:09 PM
    Last accessed      : 5/3/2004 4:53:24 PM
    Last modified      : 2/26/2004 12:07:23 AM



 180Solutions Object recognized!
    Type               : File
    Data               : msbb321.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\
    FileSize           : 95 KB
    FileVersion        : 1, 0, 0, 1
    ProductVersion     : 1, 0, 0, 1
    Copyright          : Copyright 2001
    FileDescription    : exe_in_dll Module
    InternalName       : exe_in_dll
    OriginalFilename   : exe_in_dll.DLL
    ProductName        : exe_in_dll Module
    Created on         : 2/26/2004 12:07:55 AM
    Last accessed      : 5/3/2004 4:53:31 PM
    Last modified      : 2/26/2004 12:08:25 AM



 SahAgent Object recognized!
    Type               : File
    Data               : sahagent1014.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\
    FileSize           : 53 KB
    Created on         : 2/25/2004 8:28:38 PM
    Last accessed      : 5/3/2004 4:53:43 PM
    Last modified      : 2/25/2004 8:28:38 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : memorywatcher_b.exe
    Category           : Malware
    Comment            :
    Object             : C:\WINDOWS\Temp\
    FileSize           : 501 KB
    Created on         : 5/1/2004 8:09:49 PM
    Last accessed      : 5/3/2004 4:53:55 PM
    Last modified      : 5/1/2004 8:09:53 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bi.ini
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\
    FileSize           : 224 KB
    Created on         : 2/25/2004 8:38:24 PM
    Last accessed      : 5/3/2004 4:53:56 PM
    Last modified      : 12/13/2003 3:48:18 PM



 SahAgent Object recognized!
    Type               : File
    Data               : sahuninstall.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\
    FileSize           : 29 KB
    FileVersion        : 2, 0, 0, 2
    ProductVersion     : 2, 0, 0, 2
    Copyright          : Copyright  
    FileDescription    : SAHUninstall
    InternalName       : SAHUninstall
    OriginalFilename   : SAHUninstall.dll
    ProductName        : SAHUninstall
    Created on         : 2/25/2004 8:28:43 PM
    Last accessed      : 5/3/2004 4:53:57 PM
    Last modified      : 1/27/2004 10:34:48 AM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 64


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 64




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 PromulGate Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Dpi


 PromulGate Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\documents and settings\all users\application data\Dpi


 PromulGate Object recognized!
    Type               : File
    Data               : dpi.inf
    Category           : Data Miner
    Comment            :
    Object             : c:\documents and settings\all users\application data\dpi\
    FileSize           : 3 KB
    Created on         : 5/1/2004 8:36:10 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 5/2/2004 8:37:58 PM



 PromulGate Object recognized!
    Type               : File
    Data               : dpih.inf
    Category           : Data Miner
    Comment            :
    Object             : c:\documents and settings\all users\application data\dpi\

    Created on         : 5/1/2004 8:41:26 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 5/1/2004 8:41:26 PM



 AdDestroyer Object recognized!
    Type               : File
    Data               : popoops.dll
    Category           : Malware
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 24 KB
    FileVersion        : 2, 1, 0, 3
    ProductVersion     : 2, 1, 0, 3
    CompanyName        : Shahin Gasanov
    FileDescription    : PopOops
    InternalName       : PopOops
    OriginalFilename   : PopOops.dll
    ProductName        : PopOops
    Created on         : 2/26/2004 11:32:31 AM
    Last accessed      : 5/3/2004 4:53:39 PM
    Last modified      : 3/18/2003 9:00:00 AM



 AdDestroyer Object recognized!
    Type               : File
    Data               : popoops2.dll
    Category           : Malware
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 40 KB
    FileVersion        : 1.01.0001
    ProductVersion     : 1.01.0001
    CompanyName        : Shahin Gasanov
    FileDescription    : PopOops2
    InternalName       : PopOops2
    OriginalFilename   : PopOops2.dll
    ProductName        : PopOops2
    Created on         : 2/26/2004 11:32:31 AM
    Last accessed      : 5/3/2004 4:45:31 PM
    Last modified      : 7/30/2003 8:07:16 PM



 AdDestroyer Object recognized!
    Type               : File
    Data               : swlad1.dll
    Category           : Malware
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 40 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    CompanyName        : Globes
    InternalName       : SWLAD1
    OriginalFilename   : SWLAD1.dll
    ProductName        : PopOops2
    Created on         : 2/26/2004 11:32:32 AM
    Last accessed      : 5/3/2004 4:45:57 PM
    Last modified      : 8/25/2003 6:29:50 PM



 AdDestroyer Object recognized!
    Type               : File
    Data               : swlad2.dll
    Category           : Malware
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 24 KB
    Created on         : 2/26/2004 11:32:32 AM
    Last accessed      : 5/3/2004 4:53:48 PM
    Last modified      : 8/25/2003 6:29:26 PM



 ClearSearch Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\ClrSch


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\IncrediFind


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4FC95EDD-4796-4966-9049-29649C80111D}


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\updmgr


 eUniverse Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Internet Explorer\URLSearchHooks
    Value              : {4FC95EDD-4796-4966-9049-29649C80111D}


 eUniverse Object recognized!
    Type               : File
    Data               : incredifindbholog.tmp
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\

    Created on         : 2/25/2004 8:28:36 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 5/1/2004 9:30:00 PM



 IBIS Toolbar Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Toolbar


 IBIS Toolbar Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Toolbar


 MemoryWatcher Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\MemoryWatcher


 MemoryWatcher Object recognized!
    Type               : File
    Data               : comctl32.ocx
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\memorywatcher\
    FileSize           : 594 KB
    FileVersion        : 6.00.8105
    ProductVersion     : 6.00.8105
    Copyright          : Copyright  
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Common Controls ActiveX Control DLL
    InternalName       : COMCTL
    OriginalFilename   : COMCTL32.OCX
    ProductName        : COMCTL
    Created on         : 8/31/2003 6:04:36 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 8/31/2003 6:04:36 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : eula.url
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\memorywatcher\

    Created on         : 5/1/2004 8:14:11 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 5/1/2004 8:14:12 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : trayicon.ocx
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\memorywatcher\
    FileSize           : 36 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    CompanyName        : Robdogg Inc.
    InternalName       : TrayIcon
    OriginalFilename   : TrayIcon.ocx
    ProductName        : vbRad
    Created on         : 8/30/2003 10:27:34 PM
    Last accessed      : 5/3/2004 4:50:13 PM
    Last modified      : 8/30/2003 10:27:34 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : uninst.exe
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\memorywatcher\
    FileSize           : 83 KB
    Created on         : 5/1/2004 8:11:02 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 5/1/2004 8:11:02 PM



 NetPal Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{A2872B10-39F2-42DF-9335-7DD38CF75255}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Interface\{A1558B18-F76C-40FE-B358-9E47449F3CFE}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Interface\{A2872B10-39F2-42DF-9335-7DD38CF75255}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\AutoLoader


 PeopleOnPage Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\AutoUpdate


 PeopleOnPage Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\AutoUpdate0


 PeopleOnPage Object recognized!
    Type               : File
    Data               : libexpat.dll
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\autoupdate\
    FileSize           : 140 KB
    Created on         : 5/1/2004 8:11:11 PM
    Last accessed      : 5/3/2004 4:48:55 PM
    Last modified      : 5/1/2004 8:11:05 PM



 PeopleOnPage Object recognized!
    Type               : File
    Data               : aproposplugin.dll
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\sysai\
    FileSize           : 60 KB
    Created on         : 5/1/2004 8:10:51 PM
    Last accessed      : 5/3/2004 4:45:18 PM
    Last modified      : 5/1/2004 8:10:39 PM



 PeopleOnPage Object recognized!
    Type               : File
    Data               : auto_update_uninstall.exe
    Category           : Data Miner
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 228 KB
    Created on         : 5/1/2004 8:11:11 PM
    Last accessed      : 5/3/2004 4:53:10 PM
    Last modified      : 5/1/2004 8:11:04 PM



 WhenU Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\ClockSync


 WhenU Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\WhenUSearch


 WhenU Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\documents and settings\dell desktop\start menu\programs\WhenUSearch


 WhenU Object recognized!
    Type               : File
    Data               : content
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\

    Created on         : 5/1/2004 8:11:33 PM
    Last accessed      : 5/3/2004 4:51:10 PM
    Last modified      : 5/1/2004 8:11:34 PM



 WhenU Object recognized!
    Type               : File
    Data               : search.cch
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\
    FileSize           : 1028 KB
    Created on         : 5/1/2004 8:11:32 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 5/1/2004 8:28:13 PM



 WhenU Object recognized!
    Type               : File
    Data               : search.db
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\
    FileSize           : 46 KB
    Created on         : 5/1/2004 8:11:15 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 5/1/2004 8:28:13 PM



 WhenU Object recognized!
    Type               : File
    Data               : search.htm
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\
    FileSize           : 28 KB
    Created on         : 5/1/2004 8:11:28 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 1/22/2004 9:45:34 PM



 WhenU Object recognized!
    Type               : File
    Data               : uninst.exe
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\
    FileSize           : 38 KB
    FileVersion        : 2, 0, 1, 1
    ProductVersion     : 2, 0, 1, 1
    Copyright          : Copyright 2001
    CompanyName        : WhenU.com, Inc.
    FileDescription    : WhenUSearch Uninstall
    InternalName       : Uninst
    OriginalFilename   : Uninst.exe
    ProductName        : WhenUSearch Uninstall
    Created on         : 5/1/2004 8:11:28 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 1/20/2004 3:39:46 PM



 VX2.BetterInternet Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : Software\Dbi


 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bi.ini
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\
    FileSize           : 224 KB
    Created on         : 2/25/2004 8:38:24 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 12/13/2003 3:48:18 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : biini.cab
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\
    FileSize           : 85 KB
    Created on         : 2/25/2004 8:38:23 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 2/25/2004 8:38:24 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : biini.inf
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\

    Created on         : 2/25/2004 8:38:24 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 12/13/2003 3:50:24 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bij.inf
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\
    FileSize           : 1 KB
    Created on         : 2/25/2004 8:28:30 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 10/24/2003 5:55:34 PM



 TurboDownload Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\MaxSpeed


 180Solutions Object recognized!
    Type               : File
    Data               : ncase.ini
    Category           : Data Miner
    Comment            :
    Object             : c:\windows\system32\

    Created on         : 2/26/2004 12:08:25 AM
    Last accessed      : 5/3/2004 4:55:04 PM
    Last modified      : 2/26/2004 12:08:25 AM



Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 48
Objects found so far: 112


12:55:04 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:10:00:235
Objects scanned :132210
Objects identified :112
Objects ignored :0
New objects :112
0
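An added example for triaging a log like the one above (not code from the thread, from Lavasoft or from Ad-Aware): a small Python parser for the Ad-Aware 6 report format, which groups detections by family and type and flags the registry entries that sit in autostart or browser-extension points (Run keys, Browser Helper Objects, URL search hooks, approved shell extensions). Those are the entries worth checking when "deleted" items keep reappearing after a reboot. The sample log embedded in the block is constructed for the example, modelled on entries in the thread; the marker list of autostart locations is the author's own choice and not part of Ad-Aware.

```python
"""Parse an Ad-Aware 6 scan log and triage the detections.

Added example, not part of the original thread or of Ad-Aware. The report
format is a header line "<Family> Object recognized!" followed by indented
"Key : Value" lines; entries are separated by blank lines and by unindented
section text such as "Registry scan result :".
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the Ad-Aware 6 log format (modelled on the thread).
SAMPLE_LOG = r"""
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 NetPal Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000EF1-0786-4633-87C6-1AA7A44296DA}


 PromulGate Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Dpi"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : Software\Microsoft\Windows\CurrentVersion\Run
    Value              : Dpi


 eUniverse Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "{5D60FF48-95BE-4956-B4C6-6BB168A70310}"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Internet Explorer\URLSearchHooks
    Value              : {5D60FF48-95BE-4956-B4C6-6BB168A70310}


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 3


 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@doubleclick[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:21:42 PM
    Last accessed      : 5/3/2004 4:21:42 PM
    Last modified      : 5/3/2004 4:21:42 PM


 MemoryWatcher Object recognized!
    Type               : File
    Data               : memorywatcher.exe
    Category           : Malware
    Comment            :
    Object             : C:\Program Files\MemoryWatcher\
    FileSize           : 52 KB
    Created on         : 10/17/2003 6:17:00 PM


 MemoryWatcher Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\MemoryWatcher
"""

HEADER_RE = re.compile(r"^\s*(?P<family>.+?) Object recognized!\s*$")
FIELD_RE = re.compile(r"^\s{2,}(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s?(?P<value>.*?)\s*$")

# Registry locations (lower-cased substrings) that load code at logon or
# when Internet Explorer / Explorer starts. Chosen for this example.
AUTOSTART_MARKERS = (
    "\\currentversion\\run",          # ...\Run and ...\RunOnce
    "\\browser helper objects\\",     # IE BHOs, loaded with every IE window
    "\\urlsearchhooks",               # IE URL search hooks
    "\\shell extensions\\approved",   # shell extensions Explorer will load
)


def parse_adaware_log(text):
    """Return one dict per detection: {'family': ..., 'Type': ..., 'Object': ...}."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"family": m.group("family").strip()}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value")
        elif line.strip() and not line.startswith(" "):
            current = None  # unindented section text ends the entry
    return entries


def full_path(entry):
    """Registry path (with value name) or full file path for an entry."""
    kind = entry.get("Type")
    if kind in ("RegKey", "RegValue"):
        path = entry["Rootkey"] + "\\" + entry["Object"]
        return path + " : " + entry["Value"] if entry.get("Value") else path
    if kind == "File":
        return entry["Object"] + entry["Data"]
    return entry.get("Object", "")


def summarize(entries):
    """Count detections per family and object type."""
    by_family = defaultdict(Counter)
    for e in entries:
        by_family[e["family"]][e.get("Type", "?")] += 1
    return {family: dict(counts) for family, counts in by_family.items()}


def find_autostart_entries(entries):
    """(family, path) for registry detections in autostart/extension points."""
    hits = []
    for e in entries:
        if e.get("Type") not in ("RegKey", "RegValue"):
            continue
        obj = e.get("Object", "").lower()
        if any(marker in obj for marker in AUTOSTART_MARKERS):
            hits.append((e["family"], full_path(e)))
    return hits


def file_paths(entries):
    """Full paths of every file detection, for a post-cleanup recheck."""
    return [full_path(e) for e in entries if e.get("Type") == "File"]


if __name__ == "__main__":
    found = parse_adaware_log(SAMPLE_LOG)
    for family, counts in summarize(found).items():
        print(f"{family:16} {counts}")
    print("\nAutostart / extension points:")
    for family, path in find_autostart_entries(found):
        print(f"  {family:12} {path}")
    print("\nFiles to recheck after reboot:")
    for path in file_paths(found):
        print("  " + path)
```

Run it against a saved Ad-Aware report instead of the sample by reading the file into `parse_adaware_log`. The autostart list is the part to act on: an item that is only a file in a temp folder is gone once deleted, but a Run value or BHO that survives (or is re-created by a process still running) is what brings the files back, so those paths are the ones to confirm as absent after the reboot.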
 
LVL 12

Expert Comment

by:rossfingal
ID: 10980366
Hi!

Remove everything that Adaware has found, empty the contents of all your temp folders (don't delete the temp folders themselves - just what's in them).
Empty your recycle bin.
Reboot and post another HijackThis log.

Thanks and good luck!

Author Comment

by:mbbradford
ID: 10985150
Hi rossfingal,

I am impressed with Ad-Aware 6.0 as it found about 60 additional items that McAfee and Spybot did not find.  They have all been cleaned up and I was hopeful that my problems were solved.  I have no pop-ups anymore.

I emptied the temp files, temp internet files, and the recycle bin, rebooted, and captured a new HijackThis log, which will be attached below.

However, when I check for viruses, it still catches on the same 6 files called adware-memwatcher.  They are random names, cannot be cleaned or deleted, and when quarantined and deleted they come immediately back.  I can see them also as active processes, and when an active process is deleted, it immediately comes back.  There is also a process which often takes 100% of the processing resource for about 10 or 15 seconds and everything just hangs.

Sorry for the delay, I couldn't get on the web, and had to reinstall my drivers and internet software.  Thanks again for your help.

Here is the newest hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:37:19 PM, on 5/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\senrcall.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\Qife4.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\DOCUME~1\DELLDE~1\LOCALS~1\Temp\WToolsB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.7553819444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

LVL 12

Expert Comment

by:rossfingal
ID: 10985499
Hi!

Well, I could go on and on about "horror stories" concerning the increasing difficulties with trying to remove some of the things out there - just ran into someone who had 948 various "nasties" on their computer!
However, you still have the Peper A trojan - so:
If you don't still have it, download the Peper removal tool from one of the links above.
Make sure System Restore is turned off.
Turn off your firewall, if you have one (and if you don't - I recommend you get one).
Run the tool - might as well run it twice! (This is what other people are suggesting, as of today.)
Empty your temp files. (make sure you empty all temp files in "documents and settings")
Empty your recycle bin.
Reboot your computer, make sure you're showing all files (system, hidden, etc.)
Post a new HijackThis log.

Thanks and good luck! :)

Author Comment

by:mbbradford
ID: 10986770
Hi rossfingal,

I'll work on that peper trojan again.

Can you tell me what in my log shows up that tells you it's the Peper trojan?

I ran the Peper uninstall tool before, so I don't know if it was ineffective (probably user error) or if I got reinfected again from visiting my usual sites (very very right now, just Yahoo and Experts Exchange).  Knowing what to look for would help me narrow it down.

Thanks.

Also, when I ran the Peper trojan uninstall, it ran in a command window in a fraction of a second, so I don't know if it ended correctly or not.  Is this normal?

Thanks again.  Bruce.
LVL 12

Expert Comment

by:trywaredk
ID: 10987483
Remember to protect yourself in the future...

AntiVir - The private and individual use of the AntiVir Personal Edition is free of charge
http://www.free-av.com
LVL 12

Expert Comment

by:rossfingal
ID: 10987511
Hi!

The thing that usually sticks out is an entry like this:
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
Note 14 letters/numbers inside the brackets and a random exe file.

Yes the peper tool runs very fast.
As to where people are picking this pest up, I'm not sure if anyone knows yet; however, be assured that there are a lot of people looking into it.

Remember to clear your restore points when you turn off System Restore, as there might be a remnant of something there.
It's not that uncommon to have to run the peper tool several times.
Let us know!
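The "14 letters/numbers inside the brackets" heuristic rossfingal describes, as an added triage script that is not part of this thread and not HijackThis's own code: it parses O4 Run entries and flags the ones matching that pattern. The sample lines are copied from the log posted above; the extra check for autorun targets in temp or profile folders is my own assumption, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines taken from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
"""

# HijackThis "O4 - <hive>\..\Run: [<value name>] <command>" lines only.
RUN_ENTRY = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# First ".exe" in the command, with or without surrounding quotes and arguments.
EXE_PATH = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)
# Heuristic from the thread: exactly 14 letters/digits as the Run value name.
RANDOM_NAME = re.compile(r'^[A-Za-z0-9]{14}$')
# Added heuristic (assumption, not from the thread): autorun targets living in
# temp or per-user profile folders deserve a second look.
SUSPICIOUS_DIRS = ('\\temp\\', '\\application data\\', '\\local settings\\')


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_run_entry(line):
    """Return (hive, value name, exe path) for an O4 Run line, else None."""
    m = RUN_ENTRY.match(line.strip())
    if not m:
        return None
    hive, name, command = m.groups()
    pm = EXE_PATH.match(command)
    return hive, name, (pm.group(1) if pm else command)


def triage_o4(log_text):
    """Flag O4 Run entries that match either heuristic; clean entries are skipped."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_run_entry(line)
        if parsed is None:
            continue
        hive, name, path = parsed
        reasons = []
        if RANDOM_NAME.match(name):
            reasons.append("random-14-char-name")
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("temp-or-profile-location")
        if reasons:
            findings.append(Finding(hive, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"{f.hive} [{f.name}] {f.path}  <- {', '.join(f.reasons)}")
```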

Author Comment

by:mbbradford
ID: 10998500
Hi rossfingal,

Thanks for the above.

I assure you I tried real hard last night to rid myself of the peper/memwatcher/sandboxer problem.  I've run the peperpage/uninstall.exe hundreds of times, in as many combinations (emptying temp folders, temp internet files folder, rebooting etc.) as possible and am convinced that it will not work for me.  I can watch it get eliminated and watch it come immediately back.  The random filenames are always in my HijackThis log and always in my list of active processes.  I'm about to surrender to erasing my hard drive.

I thought I might try the second tool you suggested (the peperuninstall.exe in Australia) but the link is/has been down.  Is there another path or another choice?

Thanks again.
LVL 12

Expert Comment

by:rossfingal
ID: 10999045
Hi!

Sorry to hear you're having problems.
Hang in there for a moment, I'm looking into a few things concerning your HJT log.
I'd hate to see you have to do a format/restore.
Check back in a little while.
OK?
LVL 12

Expert Comment

by:rossfingal
ID: 10999292
Hi!

Before you do anything, could you look at these 4 files and post their properties - manufacturer, version, etc.
C:\WINDOWS\System32\senrcall.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\Qife4.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe

Then, turn off System Restore and clear your restore points.

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed. If you do not know how to log in as Administrator, contact your system administrator (if you are on a network), the computer manufacturer, or installer.
Turning off System Restore will delete all previous restore points. You must create new restore points once you turn System Restore back on.

To turn off Windows XP System Restore
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box as shown in this illustration:
Click Apply. A message appears.
As noted in the message, this will delete all existing restore points. Click Yes to do this.
Click OK.
Proceed with what you need to do. For example, removing viruses. Restart the computer and follow the instructions in the next section to turn on System Restore.

Next, download this uninstaller:
http://www.computercops.biz/downloads-file-330.html
It comes in a zipped file. Launch "Uninst.exe". Follow the uninstallation process and restart/reboot the computer when it's finished. If you have a firewall installed, please temporarily disable it while running this.
Before you reboot - empty "temp" folders, delete "Temporary Internet Files", and empty your recycle bin.

Reboot and post a new HijackThis log.
Thanks!