mbbradford

Can't get rid of Adware-MemWatcher

I have been infected with a trojan which has been cleaned up, but in the process also picked up a lot of adware.  Spybot and McAfee cannot permanently delete this, although they both appear to.  With Spybot, they are detected and deleted but come right back.  With McAfee, they cannot be cleaned or deleted, but they can be quarantined and later deleted with "manage quarantined files" but they still come right back.

What can I do?

Here is a "hijack this" log:

Logfile of HijackThis v1.97.7
Scan saved at 1:35:55 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\IEHost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\senrcall.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\Qife4.exe
C:\Documents and Settings\Dell Desktop\Local Settings\Temp\Temporary Directory 1 for cwshredder.zip\CWShredder.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.3273611111
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

CrazyOne

And

Double Check for viruses
Online Scanners

 Norton Web Services  
Virus Detection provides an analysis of your results and offers suggestions for further action. It does not examine compressed files or fix infected files.

When Symantec receives notification about a new virus, we develop and post a solution as quickly as possible. We are committed to providing swift responses to all virus threats, including Trojan horses.
http://security.symantec.com/sscv6/vc_about.asp?ax=0&langid=ie&venid=sym&plfid=23&pkj=BSZNTGXIBVEMBQAUWZK

======================
 Trend Micro HouseCall        
http://housecall.antivirus.com/housecall/start_corp.asp

======================
eTrust Online antivirus scanner
http://www3.ca.com/virusinfo/virusscan.aspx
======================

PC Pitstop Virus Scan
When the download completes, you will receive an ActiveX security dialog for the PC Pitstop virus scanner. Click Yes to install the scanner and proceed to the virus scan.

If you are currently running an antivirus package such as Norton Antivirus, it may detect our own virus detection file as a virus. If this occurs and you wish to use our scanner, please (temporarily) disable any active background virus checking software before scanning, or add our signature file (PAV.SIG) to the scanner's file exclusion list
http://www.pcpitstop.com/antivirus/AVLoad.asp

Something else to try is

Start > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.

If the problem no longer persists then one of the items in the startup is the culprit, you just need to track it down.

I am not sure what these are

O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe

Well those first three files I listed are definitely linked to a virus

mbbradford

ASKER

Thanks Crazyone,

I disabled everything in the start up menu, and had a slowdown in the popup ads.  I will wait a while and see if that takes care of that problem.

I also deleted the top three files you mentioned with hijackthis.  Let's see what happens.

I need to learn more about this stuff.  Is there a book or a website that has a detailed explanation that I should get?

Thanks,
Bruce
Hi!

You have PeperA trojan, among other things.
We've found, usually it's best to deal with that first.
You can download one of these tools from:
http://www.mjc1.com/files/peperpage/uninst.exe
http://home.iprimus.com.au/mbuchan/peperuninst.exe
I suggest trying the first one initially - when you run it, make sure you're online; it may try to access the internet - let it.
Since you're running XP you'll probably want to disable System Restore, so that nothing is hiding in there.
After you run it, reboot and post a new HijackThis log for us to look at.
Also it's a good idea to place HijackThis in its own folder - centralized place for backups and logs.

Good luck!
Hi rossfingal,

Thanks for your help.

I should mention first that since the start of this thread, I have reinstalled windows and drivers, updated spybot, and cleaned up many new things that it found.

But I still have 6 programs with random names that cannot be deleted, and when I see them as active processes and disable them, they come back active in a few seconds.  Devils.

I have done as you asked above.  The peperpage uninstall ran in a command window in a blink, so I can't say if it ended with a "congratulations" or a "sucks to be you" message, but at least it seems to have done what was expected.  I then linked to the second mbuchan peperuninst.exe but the link was not available.

Then I rebooted as asked and moved hijack to its own folder, and here is the log:
Also, I recognize the qife4 as one of the bad guys
also temp/q.exe
also virtualbounder.exe

Logfile of HijackThis v1.97.7
Scan saved at 11:28:54 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\senrcall.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\Qife4.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\Qife4.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL  (file missing)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL  (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL  (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL  (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL  (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\DOCUME~1\DELLDE~1\LOCALS~1\Temp\WToolsB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\YjpWR9t0.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.7553819444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
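
The two HijackThis logs in this thread can be compared mechanically to see which autorun (O4) entries survived the cleanup and which were re-pointed. The following is an added example, not part of the original thread or of HijackThis itself; the function names are hypothetical, and the embedded log lines are a subset copied from the two logs above.

```python
import re
from collections import defaultdict

# Subset of O4 lines copied from the two HijackThis logs on this page
# (first log saved 1:35:55 PM, second log saved 11:28:54 PM, both 5/2/2004).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\YjpWR9t0.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run\w*: \[(.*?)\] (.+)$")


def target_of(command):
    """Return the lower-cased executable path from a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        # Unquoted paths may contain spaces, so cut after the file extension.
        m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", command, re.I)
        path = m.group(1) if m else command
    return path.lower()


def parse_autoruns(log_text):
    """Map (hive, value name) -> target executable for every O4 Run line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries[(hive, name)] = target_of(command)
    return entries


def diff_autoruns(before, after):
    """Classify each Run value as added, removed, retargeted or persisted."""
    report = {"retargeted": {}, "added": {}, "removed": {}, "persisted": {}}
    for key, target in after.items():
        if key not in before:
            report["added"][key] = target
        elif before[key] != target:
            report["retargeted"][key] = (before[key], target)
        else:
            report["persisted"][key] = target
    for key, target in before.items():
        if key not in after:
            report["removed"][key] = target
    return report


def shared_targets(autoruns):
    """Targets launched by more than one Run value (redundant persistence)."""
    by_target = defaultdict(list)
    for (_hive, name), target in autoruns.items():
        by_target[target].append(name)
    return {t: sorted(n) for t, n in by_target.items() if len(n) > 1}


def runs_from_temp(autoruns):
    """Run values whose executable lives in a Temp directory."""
    return sorted(k for k, t in autoruns.items() if "\\temp\\" in t)


if __name__ == "__main__":
    before, after = parse_autoruns(LOG_BEFORE), parse_autoruns(LOG_AFTER)
    report = diff_autoruns(before, after)
    for (hive, name), (old, new) in report["retargeted"].items():
        print(f"RETARGETED {hive} [{name}]: {old} -> {new}")
    for (hive, name), target in report["added"].items():
        print(f"ADDED      {hive} [{name}]: {target}")
    for target, names in shared_targets(after).items():
        print(f"SHARED     {target} <- {names}")
    for hive, name in runs_from_temp(after):
        print(f"TEMP DIR   {hive} [{name}]")
```

On these lines the Run value `2HQCYHF3DNW2CN` keeps its name while its target changes from `NulP8r9.exe` to `YjpWR9t0.exe`, and two values now point at `C:\WINDOWS\MFMT.exe`, so removing a file or a single value is not enough to clear the entry.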

Hi rossfingal,

Thanks for the response,  I'll do this as soon as I get home from work tonight.

Regards,
Bruce
Cleaning your computer  - and protecting it in the future -  can't be answered with one issue.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you don't protect your computer at all.

The reason is, that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

Hi rossfingal,

I'm halfway there.  I downloaded, configured, and ran ad-aware per your instructions.  I don't know what to remove, so I'm posting the log.  After posting this message, I will "remove all" and complete your original instructions.  Thanks again for your help.

Here is the log file:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on  :Monday, May 03, 2004 12:45:04 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R301 03.05.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R298 20.04.2004
Internal build : 229
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1067557 Bytes
Signature data size : 1049356 Bytes
Reference data size : 18137 Bytes
Signatures total : 23569
Target categories : 10
Target families : 455
5-3-2004 12:35:55 PM Performing Webupdate...

Installing Update...
Reference file loaded:
Reference Number : 01R301 03.05.2004
Internal build : 233
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1082422 Bytes
Signature data size : 1064020 Bytes
Reference data size : 18338 Bytes
Signatures total : 23868
Target categories : 10
Target families : 460

5-3-2004 12:36:04 PM Success.
Update successfully downlodaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:29 %
Total physical memory:260096 kb
Available physical memory:74568 kb
Total page file size:640412 kb
Available on page file:403788 kb
Total virtual memory:2097024 kb
Available virtual memory:2048712 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


5-3-2004 12:45:04 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ThreadCreationTime : 5-3-2004 4:16:53 PM
    BasePriority       : Normal


#:2 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:16:56 PM
    BasePriority       : High


#:3 [services.exe]
    FilePath           : C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:17:00 PM
    BasePriority       : Normal
    FileSize           : 99 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    OriginalFilename   : services.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:44:23 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:44:23 PM

#:4 [lsass.exe]
    FilePath           : C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:17:00 PM
    BasePriority       : Normal
    FileSize           : 11 KB
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion     : 5.1.2600.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    OriginalFilename   : lsass.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:32:16 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:32:16 PM

#:5 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:17:04 PM
    BasePriority       : Normal
    FileSize           : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    OriginalFilename   : svchost.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:47:02 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:47:02 PM

#:6 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:04 PM
    BasePriority       : Normal
    FileSize           : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    OriginalFilename   : svchost.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:47:02 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:47:02 PM

#:7 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ThreadCreationTime : 5-3-2004 4:17:06 PM
    BasePriority       : Normal
    FileSize           : 980 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    OriginalFilename   : EXPLORER.EXE
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:28:11 PM
    Last accessed      : 5/3/2004 4:28:47 PM
    Last modified      : 7/16/2003 8:28:11 PM

#:8 [spoolsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ThreadCreationTime : 5-3-2004 4:17:06 PM
    BasePriority       : Normal
    FileSize           : 50 KB
    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion     : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    OriginalFilename   : spoolsv.exe
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:46:20 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 7/16/2003 8:46:20 PM

#:9 [support.exe]
    FilePath           : C:\Program Files\Common Files\Dell\EUSW\
    ThreadCreationTime : 5-3-2004 4:17:07 PM
    BasePriority       : Normal
    FileSize           : 288 KB
    FileVersion        : 2, 0, 0, 34
    ProductVersion     : 1, 0, 0, 1
    Copyright          : Copyright  
    CompanyName        : Dell
    FileDescription    : Support
    InternalName       : Support
    OriginalFilename   : Support.exe
    ProductName        : Dell Support
    Created on         : 10/7/2003 10:21:10 PM
    Last accessed      : 5/3/2004 4:17:07 PM
    Last modified      : 10/7/2003 10:21:10 PM

#:10 [notifyalert.exe]
    FilePath           : C:\Program Files\Dell\Support\Alert\bin\
    ThreadCreationTime : 5-3-2004 4:17:08 PM
    BasePriority       : Normal
    FileSize           : 344 KB
    FileVersion        : 2.1.0.72
    ProductVersion     : 2.1.0.72
    InternalName       : NotifyAlert.exe
    OriginalFilename   : NotifyAlert.exe
    Created on         : 10/7/2003 10:20:18 PM
    Last accessed      : 5/3/2004 4:17:08 PM
    Last modified      : 10/7/2003 10:20:18 PM

#:11 [cfd.exe]
    FilePath           : C:\Program Files\BroadJump\Client Foundation\
    ThreadCreationTime : 5-3-2004 4:17:08 PM
    BasePriority       : Normal
    FileSize           : 360 KB
    Created on         : 5/2/2004 2:20:27 PM
    Last accessed      : 5/3/2004 4:17:08 PM
    Last modified      : 9/11/2002 1:26:26 AM

#:12 [ybrwicon.exe]
    FilePath           : C:\Program Files\Yahoo!\browser\
    ThreadCreationTime : 5-3-2004 4:17:08 PM
    BasePriority       : Normal
    FileSize           : 56 KB
    FileVersion        : 2003, 7, 11, 1
    ProductVersion     : 1, 0, 0, 1
    Copyright          : Copyright  
    CompanyName        : Yahoo!, Inc.
    FileDescription    : YBrwIcon
    InternalName       : YBrwIcon
    OriginalFilename   : YBrwIcon.exe
    ProductName        : Yahoo!, Inc. YBrwIcon
    Created on         : 5/2/2004 2:14:34 PM
    Last accessed      : 5/3/2004 4:17:08 PM
    Last modified      : 7/11/2003 6:51:16 PM

#:13 [dpi.exe]
    FilePath           : C:\Program Files\Common Files\Dpi\
    ThreadCreationTime : 5-3-2004 4:17:09 PM
    BasePriority       : Normal
    FileSize           : 92 KB
    Created on         : 1/16/2004 7:01:48 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 1/16/2004 7:01:26 PM
Warning! PromulGate object found in memory(C:\Program Files\Common Files\Dpi\dpi.exe)

 PromulGate Object recognized!
    Type               : Process
    Data               : dpi.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Common Files\Dpi\
    FileSize           : 92 KB
    Created on         : 1/16/2004 7:01:48 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 1/16/2004 7:01:26 PM


"dpi.exe"Process terminated successfully.

#:14 [ycommon.exe]
    FilePath           : C:\PROGRA~1\Yahoo!\browser\
    ThreadCreationTime : 5-3-2004 4:17:09 PM
    BasePriority       : Normal
    FileSize           : 208 KB
    FileVersion        : 2003, 7, 14, 1
    ProductVersion     : 1, 0, 0, 1
    Copyright          : Copyright 2003 Yahoo! Inc.
    CompanyName        : Yahoo!, Inc.
    FileDescription    : YCommon Exe Module
    InternalName       : YCommonExe
    OriginalFilename   : YCommon.EXE
    ProductName        : YCommon Exe Module
    Created on         : 5/2/2004 2:14:08 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 7/14/2003 1:55:44 PM

#:15 [pcsvc.exe]
    FilePath           : C:\WINDOWS\system32\pcs\
    ThreadCreationTime : 5-3-2004 4:17:09 PM
    BasePriority       : Normal
    FileSize           : 35 KB
    FileVersion        : 2.14.0000
    Created on         : 1/27/2004 2:57:34 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 1/28/2004 1:42:24 PM
Warning! PromulGate object found in memory(C:\WINDOWS\system32\pcs\pcsvc.exe)

 PromulGate Object recognized!
    Type               : Process
    Data               : pcsvc.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\system32\pcs\
    FileSize           : 35 KB
    FileVersion        : 2.14.0000
    Created on         : 1/27/2004 2:57:34 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 1/28/2004 1:42:24 PM


"pcsvc.exe"Process terminated successfully.

#:16 [senrcall.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:10 PM
    BasePriority       : Normal
    FileSize           : 84 KB
    Created on         : 5/1/2004 8:10:58 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 5/1/2004 8:10:39 PM

#:17 [mcvsshld.exe]
    FilePath           : C:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 5-3-2004 4:17:10 PM
    BasePriority       : Normal
    FileSize           : 160 KB
    FileVersion        : 8, 0, 0, 15
    ProductVersion     : 8, 0, 0, 0
    Copyright          : Copyright  
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan ActiveShield Resource
    InternalName       : msvcshld
    OriginalFilename   : mcvsshld.exe
    ProductName        : McAfee VirusScan
    Created on         : 1/7/2004 5:26:23 PM
    Last accessed      : 5/3/2004 4:17:10 PM
    Last modified      : 8/18/2003 2:50:34 AM

#:18 [mcvsescn.exe]
    FilePath           : c:\progra~1\mcafee.com\vso\
    ThreadCreationTime : 5-3-2004 4:17:11 PM
    BasePriority       : Normal
    FileSize           : 404 KB
    FileVersion        : 8, 0, 0, 20
    ProductVersion     : 8, 0, 0, 0
    Copyright          : Copyright  
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan E-mail Scan Module
    InternalName       : mcvsescn
    OriginalFilename   : mcvsescn.EXE
    ProductName        : McAfee VirusScan
    Created on         : 1/7/2004 5:26:29 PM
    Last accessed      : 5/3/2004 4:15:59 PM
    Last modified      : 9/28/2003 6:47:00 PM

#:19 [mcagent.exe]
    FilePath           : c:\program files\mcafee.com\agent\
    ThreadCreationTime : 5-3-2004 4:17:11 PM
    BasePriority       : Normal
    FileSize           : 240 KB
    FileVersion        : 4, 3, 0, 27
    ProductVersion     : 4, 3, 0, 0
    Copyright          : Copyright  
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee SecurityCenter Agent
    InternalName       : mcagent
    OriginalFilename   : mcagent.exe
    ProductName        : McAfee SecurityCenter
    Created on         : 1/7/2004 5:26:14 PM
    Last accessed      : 5/3/2004 4:17:11 PM
    Last modified      : 12/8/2003 8:38:52 PM

#:20 [mm_tray.exe]
    FilePath           : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
    ThreadCreationTime : 5-3-2004 4:17:11 PM
    BasePriority       : Normal
    FileSize           : 116 KB
    FileVersion        : 8.10.1006
    ProductVersion     : 8.10.1006
    Copyright          : Copyright  
    CompanyName        : MUSICMATCH, Inc.
    FileDescription    : mm_tray
    InternalName       : mm_tray
    OriginalFilename   : mm_tray.exe
    ProductName        : MUSICMATCH JUKEBOX
    Created on         : 12/30/2003 4:43:11 AM
    Last accessed      : 5/3/2004 4:17:12 PM
    Last modified      : 10/6/2003 4:05:40 PM

#:21 [acsd.exe]
    FilePath           : C:\PROGRA~1\COMMON~1\AOL\ACS\
    ThreadCreationTime : 5-3-2004 4:17:13 PM
    BasePriority       : Normal
    FileSize           : 1344 KB
    FileVersion        : 1,0,17,5
    ProductVersion     : 1,0,17,5
    Copyright          : Copyright  
    CompanyName        : America Online, Inc.
    FileDescription    : AOL Connectivity Service
    InternalName       : acsd
    OriginalFilename   : acsd.exe
    ProductName        : AOL Connectivity Service
    Created on         : 12/30/2003 4:37:09 AM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 8/6/2003 10:58:26 PM

#:22 [mmtask.exe]
    FilePath           : C:\Program Files\MusicMatch\MusicMatch Jukebox\
    ThreadCreationTime : 5-3-2004 4:17:13 PM
    BasePriority       : Normal
    FileSize           : 52 KB
    FileVersion        : 1.0.0.1
    ProductVersion     : 1.0.0.1
    Copyright          : TODO: (c) <Company name>.  All rights reserved.
    CompanyName        : TODO: <Company name>
    FileDescription    : TODO: <File description>
    InternalName       : mmtask.exe
    OriginalFilename   : mmtask.exe
    ProductName        : TODO: <Product name>
    Created on         : 12/30/2003 4:43:11 AM
    Last accessed      : 5/3/2004 4:17:13 PM
    Last modified      : 10/6/2003 4:05:40 PM

#:23 [mcvsrte.exe]
    FilePath           : c:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 5-3-2004 4:17:14 PM
    BasePriority       : Normal
    FileSize           : 104 KB
    FileVersion        : 8, 0, 0, 12
    ProductVersion     : 8, 0, 0, 0
    Copyright          : Copyright  
    CompanyName        : Networks Associates Technology, Inc
    FileDescription    : McAfee VirusScan Real-time Engine
    InternalName       : mcvsrte
    OriginalFilename   : mcvsrte.exe
    ProductName        : McAfee VirusScan
    Created on         : 1/7/2004 5:26:23 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 8/8/2003 11:04:38 PM

#:24 [mdm.exe]
    FilePath           : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
    ThreadCreationTime : 5-3-2004 4:17:14 PM
    BasePriority       : Normal
    FileSize           : 314 KB
    FileVersion        : 7.00.9466
    ProductVersion     : 7.00.9466
    CompanyName        : Microsoft Corporation
    FileDescription    : Machine Debug Manager
    InternalName       : mdm.exe
    OriginalFilename   : mdm.exe
    ProductName        : Microsoft
    Created on         : 6/20/2003 5:25:00 AM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 6/20/2003 5:25:00 AM

#:25 [wanmpsvc.exe]
    FilePath           : C:\WINDOWS\
    ThreadCreationTime : 5-3-2004 4:17:18 PM
    BasePriority       : Normal
    FileSize           : 64 KB
    FileVersion        : 7, 0, 0, 2
    ProductVersion     : 7, 0, 0, 2
    Copyright          : Copyright  
    CompanyName        : America Online, Inc.
    FileDescription    : Wan Miniport (ATW) Service
    InternalName       : WanMPSvc
    OriginalFilename   : WanMPSvc.exe
    ProductName        : America Online
    Created on         : 12/30/2003 4:37:15 AM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 1/10/2003 11:13:04 PM

#:26 [tfswctrl.exe]
    FilePath           : C:\WINDOWS\system32\dla\
    ThreadCreationTime : 5-3-2004 4:17:24 PM
    BasePriority       : Normal
    FileSize           : 112 KB
    FileVersion        : 1.04.05b
    Copyright          : Copyright  
    CompanyName        : Sonic Solutions
    FileDescription    : Drive Letter Access Component
    Created on         : 12/30/2003 4:35:55 AM
    Last accessed      : 5/3/2004 4:17:24 PM
    Last modified      : 8/6/2003 7:04:00 AM

#:27 [bcmsmmsg.exe]
    FilePath           : C:\WINDOWS\
    ThreadCreationTime : 5-3-2004 4:17:24 PM
    BasePriority       : Normal
    FileSize           : 120 KB
    FileVersion        :  3.5.24 02/24/2003 18:29:41
    ProductVersion     :  3.5.24 02/24/2003 18:29:41
    Copyright          : Copyright  
    CompanyName        : Broadcom Corporation
    FileDescription    : Modem Messaging Applet
    InternalName       : smdmstat.exe
    OriginalFilename   : smdmstat.exe
    ProductName        : BCM Modem Messaging Applet
    Created on         : 1/1/1980 6:00:00 AM
    Last accessed      : 5/3/2004 4:17:24 PM
    Last modified      : 6/2/2003 11:00:30 AM

#:28 [hkcmd.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:25 PM
    BasePriority       : Normal
    FileSize           : 116 KB
    FileVersion        : 3.0.0.2285
    ProductVersion     : 7.0.0.2285
    Copyright          : Copyright 1999-2003, Intel Corporation
    CompanyName        : Intel Corporation
    FileDescription    : hkcmd Module
    InternalName       : HKCMD
    OriginalFilename   : HKCMD.EXE
    ProductName        : Intel(R) Common User Interface
    Created on         : 10/2/2003 6:19:44 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 10/2/2003 6:19:44 PM

#:29 [wtoolsa.exe]
    FilePath           : C:\Program Files\Common files\WinTools\
    ThreadCreationTime : 5-3-2004 4:17:27 PM
    BasePriority       : Normal
    FileSize           : 429 KB
    Created on         : 5/3/2004 12:11:41 AM
    Last accessed      : 5/3/2004 4:17:27 PM
    Last modified      : 4/30/2004 2:48:08 PM

#:30 [mcshield.exe]
    FilePath           : c:\PROGRA~1\mcafee.com\vso\
    ThreadCreationTime : 5-3-2004 4:17:28 PM
    BasePriority       : High
    FileSize           : 220 KB
    Created on         : 1/23/2004 1:53:46 PM
    Last accessed      : 5/3/2004 4:16:51 PM
    Last modified      : 3/13/2002 1:50:34 PM

#:31 [ctfmon.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:30 PM
    BasePriority       : Normal
    FileSize           : 13 KB
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion     : 5.1.2600.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : CTF Loader
    InternalName       : CTFMON
    OriginalFilename   : CTFMON.EXE
    ProductName        : Microsoft
    Created on         : 7/16/2003 8:26:03 PM
    Last accessed      : 5/3/2004 4:17:30 PM
    Last modified      : 7/16/2003 8:26:03 PM

#:32 [wtoolss.exe]
    FilePath           : C:\Program Files\Common files\WinTools\
    ThreadCreationTime : 5-3-2004 4:17:30 PM
    BasePriority       : Normal
    FileSize           : 75 KB
    Created on         : 5/3/2004 12:11:45 AM
    Last accessed      : 5/3/2004 4:17:31 PM
    Last modified      : 4/20/2004 12:15:06 PM

#:33 [wsup.exe]
    FilePath           : C:\Program Files\Common files\WinTools\
    ThreadCreationTime : 5-3-2004 4:17:31 PM
    BasePriority       : Normal
    FileSize           : 429 KB
    Created on         : 5/3/2004 12:11:42 AM
    Last accessed      : 5/3/2004 4:17:38 PM
    Last modified      : 4/30/2004 2:48:08 PM

#:34 [qife4.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:46 PM
    BasePriority       : Normal
    FileSize           : 228 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    InternalName       : Kern32
    OriginalFilename   : Kern32.exe
    ProductName        : Kern32
    Created on         : 5/2/2004 4:20:06 PM
    Last accessed      : 5/3/2004 4:17:43 PM
    Last modified      : 5/2/2004 4:20:06 PM

#:35 [wvyq4ux.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:17:49 PM
    BasePriority       : Normal
    FileSize           : 228 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    InternalName       : Kern32
    OriginalFilename   : Kern32.exe
    ProductName        : Kern32
    Created on         : 5/2/2004 4:50:01 AM
    Last accessed      : 5/3/2004 4:17:43 PM
    Last modified      : 5/2/2004 4:50:01 AM

#:36 [iexplore.exe]
    FilePath           : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5-3-2004 4:18:19 PM
    BasePriority       : Normal
    FileSize           : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName       : iexplore
    OriginalFilename   : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on         : 8/29/2002 11:00:00 AM
    Last accessed      : 5/3/2004 4:33:49 PM
    Last modified      : 8/29/2002 11:00:00 AM

#:37 [wuauclt.exe]
    FilePath           : C:\WINDOWS\System32\
    ThreadCreationTime : 5-3-2004 4:18:37 PM
    BasePriority       : Normal
    FileSize           : 136 KB
    FileVersion        : 5.4.3630.1106 (xpsp1.020828-1920)
    ProductVersion     : 5.4.3630.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Update AutoUpdate Client
    InternalName       : wuauclt.exe
    OriginalFilename   : wuauclt.exe
    ProductName        : Microsoft
    Created on         : 8/29/2002 11:00:00 AM
    Last accessed      : 5/3/2004 4:18:36 PM
    Last modified      : 8/29/2002 11:00:00 AM

#:38 [iexplore.exe]
    FilePath           : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5-3-2004 4:19:49 PM
    BasePriority       : Normal
    FileSize           : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName       : iexplore
    OriginalFilename   : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on         : 8/29/2002 11:00:00 AM
    Last accessed      : 5/3/2004 4:33:49 PM
    Last modified      : 8/29/2002 11:00:00 AM

#:39 [iexplore.exe]
    FilePath           : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5-3-2004 4:33:49 PM
    BasePriority       : Normal
    FileSize           : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName       : iexplore
    OriginalFilename   : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on         : 8/29/2002 11:00:00 AM
    Last accessed      : 5/3/2004 4:33:49 PM
    Last modified      : 8/29/2002 11:00:00 AM

#:40 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 5-3-2004 4:35:18 PM
    BasePriority       : Normal
    FileSize           : 668 KB
    FileVersion        : 6.0.1.181
    ProductVersion     : 6.0.0.0
    Copyright          : Copyright  
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-aware 6 core application
    InternalName       : Ad-aware.exe
    OriginalFilename   : Ad-aware.exe
    ProductName        : Lavasoft Ad-aware Plus
    Created on         : 5/3/2004 4:33:47 PM
    Last accessed      : 5/3/2004 4:33:49 PM
    Last modified      : 7/13/2003 1:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 AdDestroyer Object recognized!
    Type               : RegKey
    Data               :
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\vb and vba program settings\addestroyer


 Alexa Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{00000000-0000-0000-0000-000000000221}


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : csie.csiecore


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : csie.csiecore.1


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\CLRSCH


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000221}


 ClearSearch Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : TYPELIB\{60494593-5408-447d-bd5e-a16640d6af99}


 ClickSpring Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\ClickSpring


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : bho.incredifindbho


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : bho.incredifindbho.1


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{4fc95edd-4796-4966-9049-29649c80111d}


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{5d60ff48-95be-4956-b4c6-6bb168a70310}


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d60ff48-95be-4956-b4c6-6bb168a70310}


 Favoriteman Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}


 IBIS Toolbar Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HAUTO_UNINSTALL


 MemoryWatcher Object recognized!
    Type               : RegKey
    Data               :
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\MemoryWatcher


 MemoryWatcher Object recognized!
    Type               : RegKey
    Data               :
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MemoryWatcher


 NetPal Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000EF1-0786-4633-87C6-1AA7A44296DA}


 NetPal Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{00000ef1-0786-4633-87c6-1aa7a44296da}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Apropos.Client


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Apropos.Client.1.1


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{A4A58A2C-B039-432B-8BC1-DCA7AC0757DC}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Apropos


 VirtualBouncer Object recognized!
    Type               : RegKey
    Data               :
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\VB and VBA Program Settings\VBouncer


 WhenU Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch


 WhenU Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\WhenUSearch


 WhenU Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : WUSE.1


 eUniverse Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "{5D60FF48-95BE-4956-B4C6-6BB168A70310}"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Internet Explorer\URLSearchHooks
    Value              : {5D60FF48-95BE-4956-B4C6-6BB168A70310}


 Favoriteman Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Counter"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Windows
    Value              : Counter


 Favoriteman Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Server"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Windows
    Value              : Server


 Favoriteman Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Object"
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Windows
    Value              : Object


 Lycos Sidesearch Object recognized!
    Type               : RegValue
    Data               :
    Category           : Misc
    Comment            : "{00000762-3965-4A1A-98CE-3D4BF457D4C8}"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    Value              : {00000762-3965-4A1A-98CE-3D4BF457D4C8}


 Lycos Sidesearch Object recognized!
    Type               : RegValue
    Data               :
    Category           : Misc
    Comment            : "{000007AB-7059-463E-BD44-101A1750D732}"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    Value              : {000007AB-7059-463E-BD44-101A1750D732}


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 34
Objects found so far: 36


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 PromulGate Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Dpi"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : Software\Microsoft\Windows\CurrentVersion\Run
    Value              : Dpi


 PromulGate Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "Pcsv"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : Software\Microsoft\Windows\CurrentVersion\Run
    Value              : Pcsv


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 38


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@0[2].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:04:58 PM
    Last accessed      : 5/3/2004 4:04:58 PM
    Last modified      : 5/3/2004 4:04:58 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@0[3].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:33:54 PM
    Last accessed      : 5/3/2004 4:33:54 PM
    Last modified      : 5/3/2004 4:33:54 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@atdmt[2].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:06:44 PM
    Last accessed      : 5/3/2004 4:06:44 PM
    Last modified      : 5/3/2004 4:06:44 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@centrport[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:38:45 AM
    Last accessed      : 5/3/2004 4:47:06 PM
    Last modified      : 5/3/2004 4:38:45 AM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@doubleclick[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:21:42 PM
    Last accessed      : 5/3/2004 4:21:42 PM
    Last modified      : 5/3/2004 4:21:42 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@edge.ru4[2].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:25:22 PM
    Last accessed      : 5/3/2004 4:25:22 PM
    Last modified      : 5/3/2004 4:25:22 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@mediaplex[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 10:12:00 AM
    Last accessed      : 5/3/2004 4:47:06 PM
    Last modified      : 5/3/2004 10:12:00 AM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@qksrv[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:06:31 PM
    Last accessed      : 5/3/2004 4:06:31 PM
    Last modified      : 5/3/2004 4:06:31 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@tribalfusion[2].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:39:28 AM
    Last accessed      : 5/3/2004 4:05:20 PM
    Last modified      : 5/3/2004 4:39:28 AM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@z1.adserver[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:04:58 PM
    Last accessed      : 5/3/2004 4:04:58 PM
    Last modified      : 5/3/2004 4:04:58 PM



 Tracking Cookie Object recognized!
    Type               : File
    Data               : dell desktop@~~local~~[1].txt
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Cookies\

    Created on         : 5/3/2004 4:07:42 PM
    Last accessed      : 5/3/2004 4:07:42 PM
    Last modified      : 5/3/2004 4:07:42 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bi.ini
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
    FileSize           : 224 KB
    Created on         : 2/25/2004 8:38:24 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 12/13/2003 3:48:18 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : biini.cab
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
    FileSize           : 85 KB
    Created on         : 2/25/2004 8:38:23 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 2/25/2004 8:38:24 PM



 IBIS Toolbar Object recognized!
    Type               : File
    Data               : btiein.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
    FileSize           : 221 KB
    Created on         : 5/1/2004 8:10:25 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 4/6/2004 1:33:00 PM



 IBIS Toolbar Object recognized!
    Type               : File
    Data               : wintools.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
    FileSize           : 6 KB
    Created on         : 5/1/2004 8:10:25 PM
    Last accessed      : 5/3/2004 4:47:10 PM
    Last modified      : 3/19/2004 8:21:54 AM



 Rads01.Quadrogram Object recognized!
    Type               : File
    Data               : wowex32[1].exe
    Category           : Malware
    Comment            :
    Object             : C:\Documents and Settings\Dell Desktop\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\
    FileSize           : 448 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    InternalName       : wowex32
    OriginalFilename   : wowex32.exe
    ProductName        : wowex32
    Created on         : 5/3/2004 2:41:30 AM
    Last accessed      : 5/3/2004 4:47:11 PM
    Last modified      : 5/3/2004 2:41:33 AM



 IBIS Toolbar Object recognized!
    Type               : File
    Data               : btiein.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Common Files\WinTools\
    FileSize           : 221 KB
    Created on         : 5/1/2004 8:10:31 PM
    Last accessed      : 5/3/2004 4:49:18 PM
    Last modified      : 4/6/2004 1:33:00 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : memorywatcher.exe
    Category           : Malware
    Comment            :
    Object             : C:\Program Files\MemoryWatcher\
    FileSize           : 52 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    Copyright          : Memory Watcher 2003
    CompanyName        : Memory Watcher
    FileDescription    : Memory Watcher
    InternalName       : MemoryWatcher
    OriginalFilename   : MemoryWatcher.exe
    ProductName        : Memory Watcher
    Created on         : 10/17/2003 6:17:00 PM
    Last accessed      : 5/3/2004 4:50:13 PM
    Last modified      : 10/17/2003 6:17:00 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : 0021-bdl94126.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\
    FileSize           : 245 KB
    Created on         : 5/1/2004 6:33:49 PM
    Last accessed      : 5/3/2004 4:53:09 PM
    Last modified      : 5/1/2004 8:26:50 PM



 TurboDownload Object recognized!
    Type               : File
    Data               : dp-him.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\
    FileSize           : 60 KB
    Created on         : 11/24/2003 5:48:40 AM
    Last accessed      : 5/3/2004 4:53:17 PM
    Last modified      : 11/24/2003 5:48:40 AM



 Favoriteman Object recognized!
    Type               : File
    Data               : im64.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\

    Created on         : 2/25/2004 8:28:09 PM
    Last accessed      : 5/3/2004 4:53:24 PM
    Last modified      : 2/26/2004 12:07:23 AM



 180Solutions Object recognized!
    Type               : File
    Data               : msbb321.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\
    FileSize           : 95 KB
    FileVersion        : 1, 0, 0, 1
    ProductVersion     : 1, 0, 0, 1
    Copyright          : Copyright 2001
    FileDescription    : exe_in_dll Module
    InternalName       : exe_in_dll
    OriginalFilename   : exe_in_dll.DLL
    ProductName        : exe_in_dll Module
    Created on         : 2/26/2004 12:07:55 AM
    Last accessed      : 5/3/2004 4:53:31 PM
    Last modified      : 2/26/2004 12:08:25 AM



 SahAgent Object recognized!
    Type               : File
    Data               : sahagent1014.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\SYSTEM32\
    FileSize           : 53 KB
    Created on         : 2/25/2004 8:28:38 PM
    Last accessed      : 5/3/2004 4:53:43 PM
    Last modified      : 2/25/2004 8:28:38 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : memorywatcher_b.exe
    Category           : Malware
    Comment            :
    Object             : C:\WINDOWS\Temp\
    FileSize           : 501 KB
    Created on         : 5/1/2004 8:09:49 PM
    Last accessed      : 5/3/2004 4:53:55 PM
    Last modified      : 5/1/2004 8:09:53 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bi.ini
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\
    FileSize           : 224 KB
    Created on         : 2/25/2004 8:38:24 PM
    Last accessed      : 5/3/2004 4:53:56 PM
    Last modified      : 12/13/2003 3:48:18 PM



 SahAgent Object recognized!
    Type               : File
    Data               : sahuninstall.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\WINDOWS\
    FileSize           : 29 KB
    FileVersion        : 2, 0, 0, 2
    ProductVersion     : 2, 0, 0, 2
    Copyright          : Copyright  
    FileDescription    : SAHUninstall
    InternalName       : SAHUninstall
    OriginalFilename   : SAHUninstall.dll
    ProductName        : SAHUninstall
    Created on         : 2/25/2004 8:28:43 PM
    Last accessed      : 5/3/2004 4:53:57 PM
    Last modified      : 1/27/2004 10:34:48 AM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 64


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 64




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 PromulGate Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Dpi


 PromulGate Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\documents and settings\all users\application data\Dpi


 PromulGate Object recognized!
    Type               : File
    Data               : dpi.inf
    Category           : Data Miner
    Comment            :
    Object             : c:\documents and settings\all users\application data\dpi\
    FileSize           : 3 KB
    Created on         : 5/1/2004 8:36:10 PM
    Last accessed      : 5/3/2004 4:17:09 PM
    Last modified      : 5/2/2004 8:37:58 PM



 PromulGate Object recognized!
    Type               : File
    Data               : dpih.inf
    Category           : Data Miner
    Comment            :
    Object             : c:\documents and settings\all users\application data\dpi\

    Created on         : 5/1/2004 8:41:26 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 5/1/2004 8:41:26 PM



 AdDestroyer Object recognized!
    Type               : File
    Data               : popoops.dll
    Category           : Malware
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 24 KB
    FileVersion        : 2, 1, 0, 3
    ProductVersion     : 2, 1, 0, 3
    CompanyName        : Shahin Gasanov
    FileDescription    : PopOops
    InternalName       : PopOops
    OriginalFilename   : PopOops.dll
    ProductName        : PopOops
    Created on         : 2/26/2004 11:32:31 AM
    Last accessed      : 5/3/2004 4:53:39 PM
    Last modified      : 3/18/2003 9:00:00 AM



 AdDestroyer Object recognized!
    Type               : File
    Data               : popoops2.dll
    Category           : Malware
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 40 KB
    FileVersion        : 1.01.0001
    ProductVersion     : 1.01.0001
    CompanyName        : Shahin Gasanov
    FileDescription    : PopOops2
    InternalName       : PopOops2
    OriginalFilename   : PopOops2.dll
    ProductName        : PopOops2
    Created on         : 2/26/2004 11:32:31 AM
    Last accessed      : 5/3/2004 4:45:31 PM
    Last modified      : 7/30/2003 8:07:16 PM



 AdDestroyer Object recognized!
    Type               : File
    Data               : swlad1.dll
    Category           : Malware
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 40 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    CompanyName        : Globes
    InternalName       : SWLAD1
    OriginalFilename   : SWLAD1.dll
    ProductName        : PopOops2
    Created on         : 2/26/2004 11:32:32 AM
    Last accessed      : 5/3/2004 4:45:57 PM
    Last modified      : 8/25/2003 6:29:50 PM



 AdDestroyer Object recognized!
    Type               : File
    Data               : swlad2.dll
    Category           : Malware
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 24 KB
    Created on         : 2/26/2004 11:32:32 AM
    Last accessed      : 5/3/2004 4:53:48 PM
    Last modified      : 8/25/2003 6:29:26 PM



 ClearSearch Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\ClrSch


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\IncrediFind


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4FC95EDD-4796-4966-9049-29649C80111D}


 eUniverse Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\updmgr


 eUniverse Object recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Microsoft\Internet Explorer\URLSearchHooks
    Value              : {4FC95EDD-4796-4966-9049-29649C80111D}


 eUniverse Object recognized!
    Type               : File
    Data               : incredifindbholog.tmp
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\

    Created on         : 2/25/2004 8:28:36 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 5/1/2004 9:30:00 PM



 IBIS Toolbar Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : Software\Toolbar


 IBIS Toolbar Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Toolbar


 MemoryWatcher Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\MemoryWatcher


 MemoryWatcher Object recognized!
    Type               : File
    Data               : comctl32.ocx
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\memorywatcher\
    FileSize           : 594 KB
    FileVersion        : 6.00.8105
    ProductVersion     : 6.00.8105
    Copyright          : Copyright  
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Common Controls ActiveX Control DLL
    InternalName       : COMCTL
    OriginalFilename   : COMCTL32.OCX
    ProductName        : COMCTL
    Created on         : 8/31/2003 6:04:36 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 8/31/2003 6:04:36 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : eula.url
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\memorywatcher\

    Created on         : 5/1/2004 8:14:11 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 5/1/2004 8:14:12 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : trayicon.ocx
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\memorywatcher\
    FileSize           : 36 KB
    FileVersion        : 1.00
    ProductVersion     : 1.00
    CompanyName        : Robdogg Inc.
    InternalName       : TrayIcon
    OriginalFilename   : TrayIcon.ocx
    ProductName        : vbRad
    Created on         : 8/30/2003 10:27:34 PM
    Last accessed      : 5/3/2004 4:50:13 PM
    Last modified      : 8/30/2003 10:27:34 PM



 MemoryWatcher Object recognized!
    Type               : File
    Data               : uninst.exe
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\memorywatcher\
    FileSize           : 83 KB
    Created on         : 5/1/2004 8:11:02 PM
    Last accessed      : 5/3/2004 4:53:59 PM
    Last modified      : 5/1/2004 8:11:02 PM



 NetPal Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : CLSID\{A2872B10-39F2-42DF-9335-7DD38CF75255}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Interface\{A1558B18-F76C-40FE-B358-9E47449F3CFE}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Interface\{A2872B10-39F2-42DF-9335-7DD38CF75255}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}


 PeopleOnPage Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\AutoLoader


 PeopleOnPage Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\AutoUpdate


 PeopleOnPage Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\AutoUpdate0


 PeopleOnPage Object recognized!
    Type               : File
    Data               : libexpat.dll
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\autoupdate\
    FileSize           : 140 KB
    Created on         : 5/1/2004 8:11:11 PM
    Last accessed      : 5/3/2004 4:48:55 PM
    Last modified      : 5/1/2004 8:11:05 PM



 PeopleOnPage Object recognized!
    Type               : File
    Data               : aproposplugin.dll
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\sysai\
    FileSize           : 60 KB
    Created on         : 5/1/2004 8:10:51 PM
    Last accessed      : 5/3/2004 4:45:18 PM
    Last modified      : 5/1/2004 8:10:39 PM



 PeopleOnPage Object recognized!
    Type               : File
    Data               : auto_update_uninstall.exe
    Category           : Data Miner
    Comment            :
    Object             : c:\windows\system32\
    FileSize           : 228 KB
    Created on         : 5/1/2004 8:11:11 PM
    Last accessed      : 5/3/2004 4:53:10 PM
    Last modified      : 5/1/2004 8:11:04 PM



 WhenU Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\ClockSync


 WhenU Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\WhenUSearch


 WhenU Object recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : c:\documents and settings\dell desktop\start menu\programs\WhenUSearch


 WhenU Object recognized!
    Type               : File
    Data               : content
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\

    Created on         : 5/1/2004 8:11:33 PM
    Last accessed      : 5/3/2004 4:51:10 PM
    Last modified      : 5/1/2004 8:11:34 PM



 WhenU Object recognized!
    Type               : File
    Data               : search.cch
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\
    FileSize           : 1028 KB
    Created on         : 5/1/2004 8:11:32 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 5/1/2004 8:28:13 PM



 WhenU Object recognized!
    Type               : File
    Data               : search.db
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\
    FileSize           : 46 KB
    Created on         : 5/1/2004 8:11:15 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 5/1/2004 8:28:13 PM



 WhenU Object recognized!
    Type               : File
    Data               : search.htm
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\
    FileSize           : 28 KB
    Created on         : 5/1/2004 8:11:28 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 1/22/2004 9:45:34 PM



 WhenU Object recognized!
    Type               : File
    Data               : uninst.exe
    Category           : Data Miner
    Comment            :
    Object             : c:\program files\whenusearch\
    FileSize           : 38 KB
    FileVersion        : 2, 0, 1, 1
    ProductVersion     : 2, 0, 1, 1
    Copyright          : Copyright 2001
    CompanyName        : WhenU.com, Inc.
    FileDescription    : WhenUSearch Uninstall
    InternalName       : Uninst
    OriginalFilename   : Uninst.exe
    ProductName        : WhenUSearch Uninstall
    Created on         : 5/1/2004 8:11:28 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 1/20/2004 3:39:46 PM



 VX2.BetterInternet Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : Software\Dbi


 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bi.ini
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\
    FileSize           : 224 KB
    Created on         : 2/25/2004 8:38:24 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 12/13/2003 3:48:18 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : biini.cab
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\
    FileSize           : 85 KB
    Created on         : 2/25/2004 8:38:23 PM
    Last accessed      : 5/3/2004 4:47:09 PM
    Last modified      : 2/25/2004 8:38:24 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : biini.inf
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\

    Created on         : 2/25/2004 8:38:24 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 12/13/2003 3:50:24 PM



 VX2.BetterInternet Object recognized!
    Type               : File
    Data               : bij.inf
    Category           : Data Miner
    Comment            :
    Object             : c:\docume~1\dellde~1\locals~1\temp\
    FileSize           : 1 KB
    Created on         : 2/25/2004 8:28:30 PM
    Last accessed      : 5/3/2004 4:54:00 PM
    Last modified      : 10/24/2003 5:55:34 PM



 TurboDownload Object recognized!
    Type               : RegKey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : SOFTWARE\MaxSpeed


 180Solutions Object recognized!
    Type               : File
    Data               : ncase.ini
    Category           : Data Miner
    Comment            :
    Object             : c:\windows\system32\

    Created on         : 2/26/2004 12:08:25 AM
    Last accessed      : 5/3/2004 4:55:04 PM
    Last modified      : 2/26/2004 12:08:25 AM



Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 48
Objects found so far: 112


12:55:04 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:10:00:235
Objects scanned :132210
Objects identified :112
Objects ignored :0
New objects :112

Hi!

Remove everything that Ad-aware has found, empty the contents of all your temp folders (don't delete the temp folders themselves - just what's in them).
Empty your recycle bin.
Reboot and post another HijackThis log.

Thanks and good luck!

Hi rossfingal,

I am impressed with Ad-aware 6.0 as it found about 60 additional items that McAfee and Spybot did not find.  They have all been cleaned up and I was hopeful that my problems were solved.  I have no pop-ups anymore.

I emptied the temp files, temp internet files, and the recycle bin, rebooted, and captured a new HijackThis log, which will be attached below.

However when I check for viruses, it still catches on the same 6 files called Adware-MemWatcher.  They are random names, cannot be cleaned or deleted, and when quarantined and deleted they come immediately back.  I can see them also as active processes, and when an active process is deleted, it immediately comes back.  There is also a process which often takes 100% of the processing resource for about 10 or 15 seconds and everything just hangs.

Sorry for the delay, I couldn't get on the web, and had to reinstall my drivers and internet software.  Thanks again for your help.

Here is the newest hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:37:19 PM, on 5/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\senrcall.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\Qife4.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\DOCUME~1\DELLDE~1\LOCALS~1\Temp\WToolsB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.7553819444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Hi!

Well, I could go on and on about "horror stories" concerning the increasing difficulties with trying to remove some of the things out there - just ran into someone who had 948 various "nasties" on their computer!
However, you still have the Peper A trojan - so:
If you don't still have it, download the Peper removal tool from one of the links above.
Make sure System Restore is turned off.
Turn off your firewall, if you have one (and if you don't - I recommend you get one).
Run the tool - might as well run it twice! (this is what other people are suggesting, as of today).
Empty your temp files. (make sure you empty all temp files in "documents and settings")
Empty your recycle bin.
Reboot your computer, make sure you're showing all files (system, hidden, etc.)
Post a new HijackThis log.

Thanks and good luck! :)
Hi rossfingal,

I'll work on that peper trojan again.

Can you tell me what in my log shows up that tells you it's the Peper trojan?

I ran the peper uninstall tool before, so I don't know if it was ineffective (probably user error) or if I got reinfected again from visiting my usual sites (very very right now, just Yahoo and Experts Exchange).  Knowing what to look for would help me narrow it down.

Thanks.

Also, when I ran the pepertrojan uninstall, it ran in a command window in a fraction of a second so I don't know if it ended correctly or not.  Is this normal?

Thanks again.  Bruce.
Remember to protect yourself in the future...

AntiVir - The private and individual use of the AntiVir Personal Edition is free of charge
http://www.free-av.com
Hi!

The thing that usually sticks out is an entry like this:
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
Note 14 letters/numbers inside the brackets and a random exe file.

Yes the peper tool runs very fast.
As to where people are picking this pest up I'm not sure if anyone knows yet; however, be assured that there are a lot of people looking into it.

Remember to clear your restore points when you turn off system restore; as there might be a remnant something there.
It's not that uncommon to have to run the peper tool several times.
Let us know!
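
The check described in the reply above (a Run value whose name is exactly 14 letters/numbers, pointing at an .exe), written out as an added example that is not part of the original thread. The sample lines are copied from entries quoted in this thread; the function names and the letter-plus-digit requirement are assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Optional

# Registry autorun line: O4 - HKLM\..\Run: [ValueName] command line
O4_RUN = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
                    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
NAME_14 = re.compile(r"^[A-Za-z0-9]{14}$")  # "14 letters/numbers" from the thread

class RunEntry(NamedTuple):
    hive: str
    key: str
    name: str
    exe: str
    suspicious: bool

def exe_path(cmd: str) -> str:
    """Executable part of a Run command line, quoted or bare, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.exe)\b", cmd)
    return m.group(1) if m else cmd

def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one O4 Run-key line; Startup-folder lines and other sections give None."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    name, exe = m.group("name"), exe_path(m.group("cmd"))
    # Assumption added for this example: require a letter AND a digit, so an
    # ordinary 14-letter product name does not match the pattern.
    mixed = any(c.isdigit() for c in name) and any(c.isalpha() for c in name)
    hit = bool(NAME_14.match(name)) and mixed and exe.lower().endswith(".exe")
    return RunEntry(m.group("hive"), m.group("key"), name, exe, hit)

def flag_log(text: str) -> List[RunEntry]:
    """Return the Run entries in a HijackThis log that match the heuristic."""
    parsed = (parse_o4(line) for line in text.splitlines())
    return [e for e in parsed if e is not None and e.suspicious]

# Sample built from O4 lines quoted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: PowerReg Scheduler V3.exe
"""

if __name__ == "__main__":
    for e in flag_log(SAMPLE):
        print(f"review: {e.hive} {e.key} [{e.name}] -> {e.exe}")
```

A match is only a prompt to inspect the file by hand; entries with short value names such as [WTSS] do not fit this pattern and still need manual review.
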
Hi rossfingal,

Thanks for the above.

I assure you I have tried real hard last night to rid myself of the peper/memwatcher/sandboxer problem.  I've run the peperpage/uninstall.exe hundreds of times, in as many combinations (emptying temp folders, temp internet files folder, rebooting etc) as possible and am convinced that it will not work for me.  I can watch it get eliminated and watch it come immediately back.  The random filenames are always in my hijackthis log and always in my list of active processes.  I'm about to surrender to erasing my hard drive.

I thought I might try the second tool you suggested (the peperuninstall.exe in Australia) but the link is/has been down.  Is there another path or another choice?

Thanks again.
Hi!

Sorry to hear you're having problems.
Hang in there for a moment, I'm looking into a few things concerning your HJT log.
I'd hate to see you have to do a format/restore.
Check back in a little while.
OK?
Hi!

Before you do anything, could you look at these 4 files and post their properties - manufacturer, version, etc.
C:\WINDOWS\System32\senrcall.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\Qife4.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe

Then, turn off System Restore and clear your restore points.

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed. If you do not know how to log in as Administrator, contact your system administrator (if you are on a network), the computer manufacturer, or installer.
Turning off System Restore will delete all previous restore points. You must create new restore points once you turn System Restore back on.

To turn off Windows XP System Restore
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box as shown in this illustration:
Click Apply. A message appears:
As noted in the message, this will delete all existing restore points. Click Yes to do this.
Click OK.
Proceed with what you need to do. For example, removing viruses. Restart the computer and follow the instructions in the next section to turn on System Restore.

Next, download this uninstaller:
http://www.computercops.biz/downloads-file-330.html
It comes in a zipped file. Launch "Uninst.exe". Follow the Uninstallation process and restart/reboot the computer when it's finished. If you have a firewall installed, please temporarily disable it while running this.
Before you reboot - Empty "temp" folders, delete "Temporary Internet Files", and empty your recycle bin.

Reboot and post a new HijackThis log.
Thanks!