ad.yieldmanager, inqwire, & clickandtrack popups

[LeftieLouie]

Hi! I have a nasty case of ad.yieldmanager popup. It is often accompanied by Inqwire and clickandtrack popups. Can somebody please tell me how to delouse my system? I hope somebody else is working on Thanksgiving Day!

I am running Windows 98SE w/IE6 and all the updates. I use Firefox 1.07. Firefox popup blocking is enabled and the "allow sites to install software" is disabled.

Before posting this I did the following things:
In Windows98SE:
I updated AVG, SpybotSD, Ad-Aware w/VX2 Variants, & CWShredder

In MS-DOS mode:
I searched for all hidden system files and unhid them (ATTRIB -s -h then ATTRIB +S for each file found)

I unhid all hidden files (ATTRIB -h *.*/s)

In SAFE mode:
I ran Ad-Aware, VX2 checker, Spybot SD, CW Shredder, and AVG

In Windows 98se I ran HiJackThis. The log is posted below:
-----
Logfile of HijackThis v1.97.7
Scan saved at 11:36:13 AM, on 11/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODCLIENTMGR.EXE
C:\WINDOWS\WINIPCFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Odyssey Client Manager.lnk = C:\WINDOWS\Installer\{BF36757F-1D6F-4AC9-8F8C-90A80381A3E8}\OdysseyConfig.exe
O4 - Startup: Shortcut to WINIPCFG.EXE.lnk = C:\WINDOWS\WINIPCFG.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_02) -

[Ried]

Hello LeftieLouie and welcome to TSF,

Thank you for your patience. You are using an outdated version of HijackThis, please download version 1.99.1:

HijackThis - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS Do not run a new scan yet.

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)
When SpySweeper starts, please accept any prompts to update definitions. Exit the program after you have updated.

Download and install CleanUp!

**Disconnect this PC from any internet access.

---------------------------

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot when prompted.
* CleanUp! will not create any backups!!

---------------------------

Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.

---------------------------

Launch & use the diagnostic version of SpySweeper & configure it as followed:

• Click on the Start button
• After it has finished scanning, click the Next button
• Allow Spysweeper to reboot your machine to remove the infected files.

## IMPORTANT - do not use your computer as you scan.

Reboot back to Normal Mode

Launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm *Requires Internet Explorer.
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.

1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
2. Click On 'Scan Now'
3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
4. Begin the scan by selecting My Computer
   * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
5. If it finds any malware, it will offer you a report. Click on see report
6. Then click Save report
7. Post the contents of the report in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Next, Double click on HijackThis.exe to run the program.
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log and post it here along with the Session Log and Panda ActiveScan results.

[LeftieLouie]

Thanks Ried, CleanUp! clobbered my wireless link so it took a while to get things running again. Here are the results:
********
1:43 AM: | Start of Session, Sunday, November 27, 2005 |
1:43 AM: Spy Sweeper started
1:43 AM: Sweep initiated using definitions version 575
1:43 AM: Starting Memory Sweep
1:48 AM: Memory Sweep Complete, Elapsed Time: 00:05:25
1:48 AM: Starting Registry Sweep
1:53 AM: Registry Sweep Complete, Elapsed Time:00:05:12
1:53 AM: Starting Cookie Sweep
1:53 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
1:53 AM: Starting File Sweep
1:53 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d81-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d82-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d83-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d84-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d85-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d86-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d87-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d88-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d89-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d8a-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d8b-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d8c-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d8d-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d8e-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d8f-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d90-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d91-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d92-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d93-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d94-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d95-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d96-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d97-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d98-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d99-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d9a-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d9b-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d9c-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d9d-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d9e-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8d9f-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da0-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da1-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da2-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da3-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da4-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da5-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da6-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da7-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da8-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8da9-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8daa-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dab-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dac-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dad-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dae-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8daf-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db0-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db1-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db2-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db3-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db4-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db5-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db6-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db7-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db8-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8db9-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dba-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dbb-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dbc-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dbd-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dbe-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dbf-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc0-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc1-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc2-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc3-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc4-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc5-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc6-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc7-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc8-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dc9-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dca-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dcb-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dcc-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dcd-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dce-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dcf-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd0-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd1-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd2-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd3-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd4-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd5-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd6-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd7-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd8-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dd9-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dda-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8ddb-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8ddc-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8ddd-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8dde-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8ddf-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de0-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de1-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de2-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de3-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de4-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de5-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:57 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de6-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:58 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de7-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:58 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs123b8de8-5ee7-11da-8d15-f11450863e6e.tmp". The process cannot access the file because
it is being used by another process
1:58 AM: Warning: Failed to open file "c:\recycled\_Ç". The system cannot find the file specified
2:06 AM: File Sweep Complete, Elapsed Time: 00:12:52
2:06 AM: Full Sweep has completed. Elapsed time 00:23:35
2:06 AM: Traces Found: 0
********
1:10 AM: | Start of Session, Sunday, November 27, 2005 |
1:10 AM: Spy Sweeper started
1:10 AM: Sweep initiated using definitions version 556
1:10 AM: Starting Memory Sweep
1:15 AM: Memory Sweep Complete, Elapsed Time: 00:04:13
1:15 AM: Starting Registry Sweep
1:20 AM: Registry Sweep Complete, Elapsed Time:00:05:02
1:20 AM: Starting Cookie Sweep
1:20 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
1:20 AM: Starting File Sweep
1:20 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d41-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d42-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d43-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d44-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d45-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d46-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d47-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d48-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d49-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d4a-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d4b-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d4c-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d4d-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d4e-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d4f-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d50-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d51-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d52-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d53-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d54-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d55-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d56-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d57-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d58-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d59-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d5a-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d5b-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d5c-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d5d-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d5e-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d5f-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d60-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d61-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d62-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d63-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d64-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d65-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d66-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d67-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d68-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d69-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d6a-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d6b-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d6c-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d6d-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d6e-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d6f-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d70-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d71-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d72-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d73-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d74-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d75-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d76-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d77-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d78-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d79-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d7a-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d7b-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d7c-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d7d-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d7e-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d7f-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d80-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d81-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d82-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d83-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d84-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d85-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d86-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d87-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d88-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d89-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d8a-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d8b-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d8c-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d8d-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d8e-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d8f-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d90-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d91-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d92-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d93-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d94-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d95-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d96-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d97-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d98-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d99-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d9a-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d9b-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d9c-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d9d-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d9e-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1d9f-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da0-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da1-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da2-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da3-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da4-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da5-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da6-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da7-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs87ee1da8-5ee2-11da-8d15-96ead0e8396f.tmp". The process cannot access the file because
it is being used by another process
1:22 AM: Warning: Failed to open file "c:\recycled\_Ç". The system cannot find the file specified
1:27 AM: File Sweep Complete, Elapsed Time: 00:07:02
1:27 AM: Full Sweep has completed. Elapsed time 00:16:22
1:27 AM: Traces Found: 0
1:37 AM: Your spyware definitions have been updated.
1:43 AM: Program Version 4.5.7 (Build 656) Using Spyware Definitions 575
1:43 AM: | End of Session, Sunday, November 27, 2005 |
********
1:09 AM: | Start of Session, Sunday, November 27, 2005 |
1:09 AM: Spy Sweeper started
1:10 AM: Program Version 4.5.7 (Build 656) Using Spyware Definitions 556
1:10 AM: | End of Session, Sunday, November 27, 2005 |


======


Incident Status Location

Spyware:spyware/searchcentrix Not disinfected Windows Registry
=======

Logfile of HijackThis v1.99.1
Scan saved at 11:28:44 AM, on 11/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODTRAY.EXE
C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODCLIENTMGR.EXE
C:\WINDOWS\WINIPCFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - Startup: Odyssey Client Manager.lnk = C:\WINDOWS\Installer\{BF36757F-1D6F-4AC9-8F8C-90A80381A3E8}\OdysseyConfig.exe
O4 - Startup: Shortcut to WINIPCFG.EXE.lnk = C:\WINDOWS\WINIPCFG.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

[Ried]

I should have noticed this earlier, you are using an outdated version of HiJackThis. Please click on the link below to download the latest version 1.99.1:

* HiJackThis_sfx.exe
1. Delete your current HiJackThis.exe file
2. Double-click on the file you just downloaded.
3. Click on the "Unzip" button to install the newer version.
4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Run another scan with the newer version of HJT and post the log here.

Are you still getting the pop-ups?

[LeftieLouie]

Ried, thanks again for the follow-up. Yes, I'm still getting the popups. I went back and checked my post of 'yesterday' Nov 27, it was done with HiJackThis 1.991, to wit:
Logfile of HijackThis v1.99.1
Scan saved at 11:28:44 AM, on 11/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Is there some other possible difference between this computer and others that I have? I run Win98se and Firefox 1.07 exclusively. The other machines do not experience popups - only the one you're helping me delouse. I have confirmed that the settings on each computer are the same for Firefox. Also, while I've not done an exhaustive survey, the popups are always the ones I mentioned: ad.yieldmanager, inqwire, clickandtrack, and venus123.com. Does the spyware detect cookie activity or is it activated by some trick of banner ads?

[Ried]

Hi,

The difference between your two systems is the OS sytem. Each OS has it's own weaknesses and points of exploit. Many factors come in to play as to how this got on this system. What we're doing now is trying to locate the source so it can be eradicated.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/products/download_center.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here along with a new HijackThis log.

[LeftieLouie]

Ried, Thanks again for the instructions. I assume that you're going to compare the HiJackThis log to the mwav log? Please clue me into what you're doing and the significance of your instructions? I appreciate the chance to learn from your thought process here! The logs are pasted below:

mwav log file:
File C:\WINDOWS\Desktop\USBMemory\WindowsTools\keyfinder.exe tagged as not-a-virus:PSWTool.Win32.RAS.a. No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "powerreg scheduler Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "powerreg scheduler Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zipitpro Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Wireless-G Notebook Adapter" refers to invalid object "C:\WINDOWS\Start Menu\Programs\Wireless-G Notebook Adapter". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\odConfig.exe" refers to invalid object "C:\Program Files\Funk Software\Odyssey Client\odConfig.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton AntiVirus\Quarantine\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton SystemWorks\Norton Ghost\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\PowerQuest\PartitionMagic 8.0\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\PowerQuest\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Java\Update\Base Images\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Java\Update\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Java\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Java\jre1.5.0_02\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Java\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Java\jre1.5.0_02\bin\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\msoc.dll" refers to invalid object "C:\Program Files\Microsoft Office\Office". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{601413E0-BDD4-11D1-B232-0020AF3F276F}" refers to invalid object "R:\FLIPALBUMCD\FLIPALBUMCD\LTVID12N.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{5CE55CD7-5179-11D2-931D-0000F875AE17}" refers to invalid object "C:\PROGRAM FILES\NETMEETING\CONF.EXE". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}" refers to invalid object "C:\PROGRAM FILES\JAVA\JRE1.5.0_02\BIN\JAVAWEBSTART.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{667862F7-C211-11D7-8B03-00096B5218A8}" refers to invalid object "C:\Program Files\WordPerfect Office 12\Programs\". Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\USBMemory\WindowsTools\keyfinder.exe tagged as not-a-virus:PSWTool.Win32.RAS.a. No Action Taken.

Logfile of HijackThis v1.99.1
Scan saved at 11:04:25 PM, on 11/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Odyssey Client Manager.lnk = C:\WINDOWS\Installer\{BF36757F-1D6F-4AC9-8F8C-90A80381A3E8}\OdysseyConfig.exe
O4 - Startup: Shortcut to WINIPCFG.EXE.lnk = C:\WINDOWS\WINIPCFG.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

[Ried]

Hi,

HJT is one of many tools used to expose any malware that may be present on a system. What I am doing is trying to locate the source of your pop ups.

Those entries in Mwav are harmless, orphaned registry entries as they no longer have any files asociated with them for activation.

We need to look further.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

*Save it to your desktop.
*Double-click the new icon on your desktop (tmas-web-scan.exe)
*It will say "Loading TrendMicro definitions".
*Once the definitions are loaded, the program will appear to close then re-open.
*Click "Start Scan"
*After it's done scanning, click "Scan Results"
*Make sure all items found have a check next to them, then click "Clean Threats Now".

Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.

If you are still getting pop ups:

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and past the List from the notebook here.

[LeftieLouie]

Ried, thanks for the explanations; how do you decide which spyware program to run next? I've run 8-10 different ones over the last week.

Can I remove the extraneous Mwave discovered registry entries?

I'm still getting popups. They don't happen at every website, it's as though certain activity in a web page triggers the popups. I think I can capture the HTML if that gives a clue. I'm also thinking about starting a class action suit - do you know of anyone else that's had success or has attempted that?

I'm still getting hits in machine-gun rapid-fire sequence from:
hits.clickandtrack.com
a.websponsors.com
venus123.com
server.cmpstar.com
m.2mdn.net
ad.doubleclick.net
view.atdmt.com
trafficmp.com

Thanks again
-Lou

Here is the Trend AntiSpyware log:
Started Scanning
Files and Directories
Programs in Memory
Internet URL Shortcuts
Internet Cookies
Windows Registry
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'Software\Dynamic Toolbar'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
Started Scanning
Files and Directories
Programs in Memory
Internet URL Shortcuts
Internet Cookies
Windows Registry
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'Software\Dynamic Toolbar'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning


=====
Here's the uninstall list from HiJackThis:
3ivx D4 4.0.4 (remove only)
Abacast Client
Adaptec DirectCD
Adaptec Easy CD Creator 4
Adaptec UDF Reader
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe PhotoDeluxe Business Edition 1.0
AniTuner 1.1
AppCAD
AudioCatalyst
Avery Wizard 2.0 for Microsoft Word 97
AVG Free Edition
Boingo Wireless
Canon Creative Components
Canon Creative Pro
Canon ScanGear Toolbox FAU 2.5
CleanUp!
Cookie Pal
DivX Codec 3.1alpha release
EasyCleaner
FireTune
GoldWave v4.24
HijackThis 1.99.1
Infrared Support for Windows 95 Version 2.0
Internet Explorer Q896688
IomegaWare
J2SE Runtime Environment 5.0 Update 2
LARGAN Lmini V2.02
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Maxwell SV Version 9.0
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 97 Unique Identifier Removal Tool
Microsoft Office 97, Professional Edition
Microsoft Windows Media Video 9 VCM
Mozilla Firefox (1.0.7)
MSN Messenger 6.2
NIST Fire Dynamics Simulator Version 4.02 and Smokeview 4.01
NIST Fire Dynamics Simulator Version 4.05 and Smokeview 4.05
NIST Fire Dynamics Simulator Version 4.06 and Smokeview 4.06
Norton SystemWorks 2003
Odyssey Client
OLYMPUS CAMEDIA Master 1.0
OnSpec USB to ATAPI/LS120 Link with Port Driver
Orcad PSpice
Orcad Unison Suite Capture
Panda ActiveScan
PerformanceTest v4.0
QuickTime
Rescue Disk
RingCentral Fax
Schematic Capture Libraries
Sony USB Driver
Spy Sweeper
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
SpywareGuard v2.2
TextBridge Plus
ThinkPad Configuration
USB Storage Driver
U-Storage 3.0
ViewMate 8.0
Windows 98 KB896358 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
Windows Media Player system update (9 Series)
Winroc 4.5
WinZip
Wireless-G Notebook Adapter
WordPerfect Office 12
WordPerfect Office 12 Setup Files
XBasic version 6.2.3
XingMP3 Editor
XingMP3 Player
Yahoo! Toolbar
ZoneAlarm

[Ried]

Hi Lou,

My decisions on which tools or scanner to run is based on training and experience. You may be interested in joining our Academy. See the 'sticky' threads at the top of the HijackThis forum.

Regarding class action lawsuits, you may want to check our General Security section.

To clean out those orphaned registry entries showing in Mwav, please download Ccleaner www.ccleaner.com

Launch Ccleaner. Click on the 'Issues' tab to clean registry. Be sure that box is checked to 'prompt to backup registry' in the Options>Advanced section.

Click 'Analyze', look over the list carefully, then 'Fix Issues'

All of your scans and logs have been coming up clean. Let's check the settings of your various Anti-Malware programs and 'beef up' your protection:

I see Spybot 1.3 installed. Download Spybot 1.4 from this site Spybot 1.4. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Click ’Check for Problems’ and fix all the entries, which are indicated in RED.

Configure AdAware SE 1.06 according to these instructions.

Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.


We'll take one more look just to be certain:

Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

Reboot into Safe Mode.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here.

[LeftieLouie]

Ried,
Sorry about the delay in responding - I was out of town on business.

I updated Spybot SD to V1.4 (the TeaTimer registry change prompt box is broken). Spybot found no problems. I checked the configuration of Ad-Aware - I had all the settings correct according to the guide. It also showed no problems.

I ran WinPFind - it cooked for TWELVE HOURS with VIGOROUS hard-drive activity. Then I had to power cycle the system; no damage done but a grand waste of time.

I'm still getting hits in machine-gun rapid-fire sequence from only on this computer:
hits.clickandtrack.com
a.websponsors.com
venus123.com
server.cmpstar.com
m.2mdn.net
ad.doubleclick.net
view.atdmt.com
trafficmp.com

I'm still wide open to suggestions, however, I'm curious, as an engineer when I debug a system, I look to see what it's actually doing. Isn't there some way to insert some Java code that intercepts and shows what's going on at the exact time the ad-ware opens it's window? It has to be executing a script to do what it does and that ought to be detectable and trappable while the code has its window open.

Thanks again
-Lou

[MicroBell]

You would need to write a "Script" sniffer to see whats being called for by the hijacker when it excutes. A packet sniffer may display the website being called and whats being downloaded.

What do you use for a standard popup blocker?

Download Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.

Download: StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Mark All'

UN-Check the 'NT-Services & NT-Kernel...' boxes only:
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread


I also need you to try this and it MUST be done in safe mode.

Reboot to safe mode (as this entry won't show in normal) and open regedit.

Do a search using the following as your search term adchannel

Let me know if you find it under any keys.

[LeftieLouie]

Microbell, thanks for the reply!

When I went to install the Silent Runners.vbs it complained "The script requires "WMI"... It can be downloaded at http://tinyurl.com/jbxe"

Is this a wise thing to do or am I introducing a new Micrsoft scripting language that can be exploited?

Searching for "adchannel" in the registry turned up no entrys.

I am using Firefox 1.07 as my popup blocker. The popups mentioned in a previous posting, only seem to occur at web sites that have banner ads or other active windows.

Also during this particular series of searches Spybot SD Teatimer gave the following message:

"Module SpybotSD.exe at 00025A76. Error reading scbar.Sections: Error reading TCPCSBSection.Active: System Error. Code: 87 The parameter is incorrect."

Is this significant?

When I use the Windows Add/Delete programs control panel, there is one entry (unchecked) which is completely blank. Is this significant?

Here is the report from StartDrek:
StartDreck (build 2.1.7 public stable) - 2005-12-04 @ 19:12:25 (GMT -08:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Big Mo at BIG MO

»Registry
»Run Keys
»Current User
»Run
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
»RunOnce
»Default User
»Run
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*SystemTray=SysTray.Exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
»RunOnce
»RunServices
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Setup - Applets/AppletsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - Fonts/FontsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
+Internet Connection Wizard/{5A8D6EE0-3E18-11D0-821E-444553540000}
*StubPath=rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36
+PerUser_ICW_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
+Internet Explorer 6 and Internet Tools/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395}
*StubPath=rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36
+MSN-Migration/>PerUser_MSN_Clean
*StubPath=C:\WINDOWS\msnmgsr1.exe
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
+Windows Setup - System Information/PerUser_Msinfo
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
+Windows Setup - System Information/PerUser_Msinfo2
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
+Windows Setup - Multimedia/MotownMmsysPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Multimedia/MotownAvivideoPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
+Windows Setup - Multimedia/MotownMPlayPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf
+Windows Setup - Messaging/PerUser_Base
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
+Windows Setup - Shell/ShellPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
+Windows Setup - Color Schemes/Shell2PerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
+Windows Setup - Start Menu/PerUser_winbase_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
+Windows Setup - Start Menu/PerUser_winapps_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
+Windows Setup - Links Bar/PerUser_LinkBar_URLs
*StubPath=C:\WINDOWS\COMMAND\sulfnbk.exe /L
+Windows Setup - Telephony Support/TapiPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
+Web Folders/{73fa19d0-2d75-11d2-995d-00c04f98bbc9}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1
+Windows Setup - More Applets/PerUserOldLinks
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Sound Schemes/MmoptRegisterPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Online Services/OlsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - The Microsoft Network/OlsMsnPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Paint/PerUser_Paint_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - Calculator/PerUser_Calc_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - DriveSpace/PerUser_dxxspace_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf
+Windows Setup - FAT32 Converter/PerUser_CVT_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis_remove 64 C:\WINDOWS\INF\applets1.inf
+Windows Setup - Multimedia/MotownRecPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Volume Control/PerUser_Vol
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Wordpad/PerUser_MSWordPad_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
+Windows Setup - Dial-Up Networking/PerUser_RNA_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_RNA_remove 64 C:\WINDOWS\INF\rna.inf
+Windows Setup - Direct Cable Connection/PerUser_DCC_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis_remove 64 C:\WINDOWS\INF\rna.inf
+Windows Setup - System Monitor/PerUser_Sysmon_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Netwatch/PerUser_netwatch_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Character Map/PerUser_CharMap_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - HyperTerminal/PerUser_Onlinelnks_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Phone Dialer/PerUser_Dialer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Clipboard Viewer/PerUser_ClipBrd_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis_remove 64 C:\WINDOWS\INF\clip.inf
+Windows Setup - CD Player/PerUser_CDPlayer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
+NetMeeting 3.0/{44BBA842-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95
+Windows Setup - Infrared Transfer/IrXferPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection IrXferPerUser 64 C:\WINDOWS\INF\irxfer.inf
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
+Windows Setup - Net Server/NetservrPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf
+Windows Setup - America Online/OlsAolPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - AT&T WorldNet Service/OlsAttPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - CompuServe/OlsCompuservePerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Prodigy Internet/OlsProdigyPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
+Windows Setup - System Meter/PerUser_Sysmeter_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Microsoft Web Publishing Wizard 1.6/{44BBA851-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exeadvpack.dll
+PerUser_Winpopup_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Winpopup_Inis_remove 64 C:\WINDOWS\INF\winpopup.inf
+Windows Setup - Shell Cursors/Shell3PerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
*{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=
*{02DCA195-602B-4B1F-83FF-381B7E804BDB}
`InprocServer32=
*SpywareGuardDLBLOCK.CBrowserHelper/{4A368E80-174F-4872-96B5-0B27DDD11DB2}
`InprocServer32=C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
»Internet Explorer
»Current User
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=about:blank
+SearchUrl
*Provider=yaho
»Default User
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=about:blank
+SearchUrl
*Provider=yaho
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
»ShellServiceObjectDelayLoad (LM)
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
»Special NT Values
»Current User
*Load=
*Run=
*Programs=
*SHELL=
»Default User
*Load=
*Run=
*Programs=
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=
*Userinit=
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Odyssey Client Manager.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shortcut to WINIPCFG.EXE.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Odyssey Client Manager.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shortcut to WINIPCFG.EXE.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
»Local Machine
*C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
`;FORMAT
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`Logo=1
`BootMulti=1
`BootGUI=1
`BootWarn=0
`DoubleBuffer=1
`AutoScan=1
`WinVer=4.10.2222
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
`BootMenu=1
*C:\config.sys
`LastDrive=z
`Files=64
*C:\autoexec.bat
`C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE
`SET BLASTER=A220 I5 D1 T4
`Set MAXWELL_DIR=C:\Maxwell
`SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\THINKPAD\UTILIT~1;%PATH%;"C:\ProgramFiles\NortonSystemWorks\NortonGhost\";C:\PROGRA~1\GRISOFT\AVG6;C:\NIST\FDS
`@SET CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1
`:: Set Path=%path%;C:\CADENCE\ORCAD_9.2.3\TOOLS\CAPTURE;C:\CADENCE\ORCAD_9.2.3\TOOLS\JRE\BIN;C:\CADENCE\ORCAD_9.2.3\TOOLS\FET\BIN;C:\CADENCE\ORCAD_9.2.3\TOOLS\BIN;
`:: SET CDSROOT=C:\Cadence\Orcad_9.2.3
`:: SET CDS_LIC_FILE=C:\Cadence\Orcad_9.2.3\tools\license.dat
`set SMOKEVIEWINI=C:\NIST\FDS
*C:\WINDOWS\wininit.bak
`[Rename]
`NUL=C:\WINDOWS\COOKIES\INDEX.DAT
*C:\WINDOWS\dosstart.bat
`LoadStart = DDEML.DLL
`LoadSuccess = DDEML.DLL
`LoadStart = C:\WINDOWS\SYSTEM\USER32.DLL
`LoadStart = USER.EXE
`LoadSuccess = USER.EXE
`LoadStart = USER.EXE
`LoadSuccess = USER.EXE
`LoadStart = USER.EXE
`LoadSuccess = USER.EXE
`LoadStart = USER.EXE
`LoadSuccess = USER.EXE
`LoadStart = USER.EXE
`LoadSuccess = USER.EXE
`LoadSuccess = C:\WINDOWS\SYSTEM\USER32.DLL
`LoadStart = COOL.DLL
`LoadSuccess = COOL.DLL
`Init = KEYBOARD
`InitDone = KEYBOARD
`Init = Mouse
`Status = Mouse driver installed
`InitDone = Mouse
`Init =
`LoadStart = DISPLAY.drv
`LoadSuccess = DISPLAY.drv
`InitDone = DISPLAY
`Init = Display Resources
`InitDone = Display Resources
`LoadStart = C:\WINDOWS\fonts\MARLETT.TTF
`LoadFail = C:\WINDOWS\fonts\MARLETT.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\SSERIFE.FON
`LoadSuccess = C:\WINDOWS\fonts\SSERIFE.FON
`LoadStart = C:\WINDOWS\fonts\LUCON.TTF
`LoadFail = C:\WINDOWS\fonts\LUCON.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\TAHOMA.TTF
`LoadFail = C:\WINDOWS\fonts\TAHOMA.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\TAHOMABD.TTF
`LoadFail = C:\WINDOWS\fonts\TAHOMABD.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\ARIAL.TTF
`LoadFail = C:\WINDOWS\fonts\ARIAL.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\ARIALBD.TTF
`LoadFail = C:\WINDOWS\fonts\ARIALBD.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\ARIALBI.TTF
`LoadFail = C:\WINDOWS\fonts\ARIALBI.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\ARIALI.TTF
`LoadFail = C:\WINDOWS\fonts\ARIALI.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\COUR.TTF
`LoadFail = C:\WINDOWS\fonts\COUR.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\COURBD.TTF
`LoadFail = C:\WINDOWS\fonts\COURBD.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\COURBI.TTF
`LoadFail = C:\WINDOWS\fonts\COURBI.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\COURI.TTF
`LoadFail = C:\WINDOWS\fonts\COURI.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\TIMES.TTF
`LoadFail = C:\WINDOWS\fonts\TIMES.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\TIMESBD.TTF
`LoadFail = C:\WINDOWS\fonts\TIMESBD.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\TIMESBI.TTF
`LoadFail = C:\WINDOWS\fonts\TIMESBI.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\TIMESI.TTF
`LoadFail = C:\WINDOWS\fonts\TIMESI.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\WINGDING.TTF
`LoadFail = C:\WINDOWS\fonts\WINGDING.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\SYMBOL.TTF
`LoadFail = C:\WINDOWS\fonts\SYMBOL.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\ARIBLK.TTF
`LoadFail = C:\WINDOWS\fonts\ARIBLK.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\COMIC.TTF
`LoadFail = C:\WINDOWS\fonts\COMIC.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\COMICBD.TTF
`LoadFail = C:\WINDOWS\fonts\COMICBD.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\IMPACT.TTF
`LoadFail = C:\WINDOWS\fonts\IMPACT.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\VERDANA.TTF
`LoadFail = C:\WINDOWS\fonts\VERDANA.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\VERDANAB.TTF
`LoadFail = C:\WINDOWS\fonts\VERDANAB.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\VERDANAI.TTF
`LoadFail = C:\WINDOWS\fonts\VERDANAI.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\VERDANAZ.TTF
`LoadFail = C:\WINDOWS\fonts\VERDANAZ.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\WEBDINGS.TTF
`LoadFail = C:\WINDOWS\fonts\WEBDINGS.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Georgia.TTF
`LoadFail = C:\WINDOWS\fonts\Georgia.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Georgiab.TTF
`LoadFail = C:\WINDOWS\fonts\Georgiab.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Georgiai.TTF
`LoadFail = C:\WINDOWS\fonts\Georgiai.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Georgiaz.TTF
`LoadFail = C:\WINDOWS\fonts\Georgiaz.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Trebuc.TTF
`LoadFail = C:\WINDOWS\fonts\Trebuc.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Trebucbd.TTF
`LoadFail = C:\WINDOWS\fonts\Trebucbd.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Trebucbi.TTF
`LoadFail = C:\WINDOWS\fonts\Trebucbi.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Trebucit.TTF
`LoadFail = C:\WINDOWS\fonts\Trebucit.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\Andalemo.TTF
`LoadFail = C:\WINDOWS\fonts\Andalemo.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\MPAJ____.TTF
`LoadFail = C:\WINDOWS\fonts\MPAJ____.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\MPC_____.TTF
`LoadFail = C:\WINDOWS\fonts\MPC_____.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\MPLC____.TTF
`LoadFail = C:\WINDOWS\fonts\MPLC____.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\MPLED___.TTF
`LoadFail = C:\WINDOWS\fonts\MPLED___.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\MPLEV___.TTF
`LoadFail = C:\WINDOWS\fonts\MPLEV___.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\MPLST___.TTF
`LoadFail = C:\WINDOWS\fonts\MPLST___.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\MPLV____.TTF
`LoadFail = C:\WINDOWS\fonts\MPLV____.TTF Failure code is 0016
`LoadStart = C:\WINDOWS\fonts\MPRR____.TTF
`LoadFail = C:\WINDOWS\fonts\MPRR____.TTF Failure code is 0016
`LoadSuccess = USER.EXE
`LoadStart = MSGSRV32.EXE
`LoadSuccess = MSGSRV32.EXE
`Terminate = User
`Terminate = Query Drivers
`EndTerminate = Query Drivers
`Terminate = User
`Terminate = Query Drivers
`EndTerminate = Query Drivers
`[00113B4D] Loading Vxd = mtrr
`[00113B4D] LoadSuccess = mtrr
`[00113B4D] Loading Vxd = SPOOLER
`[00113B4E] LoadSuccess = SPOOLER
`[00113B4E] Loading Vxd = UDF
`[00113B4E] LoadSuccess = UDF
`[00113B4E] Loading Vxd = VFAT
`[00113B4E] LoadSuccess = VFAT
`[00113B4E] Loading Vxd = VCACHE
`[00113B4D] LoadSuccess = VCACHE
`[00113B4D] Loading Vxd = VCOND
`[00113B4D] LoadSuccess = VCOND
`[00113B4D] Loading Vxd = VCDFSD
`[00113B4D] LoadSuccess = VCDFSD
`[00113B4D] Loading Vxd = VXDLDR
`[00113B4D] LoadSuccess = VXDLDR
`[00113B4D] Loading Vxd = VDEF
`[00113B4D] LoadSuccess = VDEF
`[00113B4D] Loading Vxd = VPICD
`[00113B4D] LoadSuccess = VPICD
`[00113B4D] Loading Vxd = VTD
`[00113B4D] LoadSuccess = VTD
`[00113B4D] Loading Vxd = REBOOT
`[00113B4D] LoadSuccess = REBOOT
`[00113B4D] Loading Vxd = VDMAD
`[00113B4D] LoadSuccess = VDMAD
`[00113B4D] Loading Vxd = VSD
`[00113B4D] LoadSuccess = VSD
`[00113B4D] Loading Vxd = V86MMGR
`[00113B4D] LoadSuccess = V86MMGR
`[00113B4D] Loading Vxd = PAGESWAP
`[00113B4D] LoadSuccess = PAGESWAP
`[00113B4D] Loading Vxd = DOSMGR
`[00113B4D] LoadSuccess = DOSMGR
`[00113B4D] Loading Vxd = VMPOLL
`[00113B4D] LoadSuccess = VMPOLL
`[00113B4D] Loading Vxd = SHELL
`[00113B4D] LoadSuccess = SHELL
`[00113B4D] Loading Vxd = PARITY
`[00113B4D] LoadSuccess = PARITY
`[00113B4E] Loading Vxd = BIOSXLAT
`[00113B4E] LoadSuccess = BIOSXLAT
`[00113B4E] Loading Vxd = VMCPD
`[00113B4E] LoadSuccess = VMCPD
`[00113B4E] Loading Vxd = VTDAPI
`[00113B4E] LoadSuccess = VTDAPI
`[00113B4E] Loading Vxd = PERF
`[00113B4E] LoadSuccess = PERF
`[00113B4F] Loading Vxd = C:\WINDOWS\SYSTEM\vrtwd.386
`[00113B4D] LoadSuccess = C:\WINDOWS\SYSTEM\vrtwd.386
`[00113B4F] Loading Vxd = C:\WINDOWS\SYSTEM\vfixd.vxd
`[00113B4D] LoadSuccess = C:\WINDOWS\SYSTEM\vfixd.vxd
`[00113B4F] Loading Vxd = vnetbios.vxd
`[00113B5F] LoadSuccess = vnetbios.vxd
`[00113B5F] Loading Vxd = vredir.vxd
`[00113B5F] LoadSuccess = vredir.vxd
`[00113B5F] Loading Vxd = dfs.vxd
`[00113B5F] LoadSuccess = dfs.vxd
`[00113B5F] Loading Vxd = vserver.vxd
`[00113B5F] Skipped (not needed) = vserver.vxd
`[00113B61] Loading Vxd = C:\PROGRA~1\SYMANTEC\SYMEVNT.386
`[00113B5F] LoadSuccess = C:\PROGRA~1\SYMANTEC\SYMEVNT.386
`[00113B61] Loading Vxd = SYMTDI.VXD
`[00113B71] LoadSuccess = SYMTDI.VXD
`[00113B73] Loading Vxd = C:\PROGRA~1\NORTON~1\NAVAP.VXD
`[00113B71] LoadSuccess = C:\PROGRA~1\NORTON~1\NAVAP.VXD
`[00113B72] Loading Vxd = vsdata95.vxd
`[00113B71] LoadSuccess = vsdata95.vxd
`[00113B71] Loading Vxd = ebios
`[00113B71] LoadSuccess = ebios
`[
`C:\WINDOWS\CWDINIT.EXE /A
»Program Files
*C:\io.sys
*C:\WINDOWS\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\COMMAND.COM
*C:\WINDOWS\command.PIF
*C:\WINDOWS\COMMAND.COM
+C:\WINDOWS\SYSTEM\NOTEPAD.EXE
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\REGEDIT.COM
*C:\WINDOWS\REGEDIT.EXE
»System/Drivers
»Running Processes
+FFEF2EF3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
+FFFF6F13=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*C:\WINDOWS\SYSTEM\CFGMGR32.DLL
*C:\WINDOWS\SYSTEM\NTDLL.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF5C63=C:\WINDOWS\SYSTEM\MPREXE.EXE
*C:\WINDOWS\SYSTEM\MSNP32.DLL
*C:\WINDOWS\SYSTEM\MSNET32.DLL
*C:\WINDOWS\SYSTEM\MPRSERV.DLL
*C:\WINDOWS\SYSTEM\MSPWL32.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF43AB=C:\WINDOWS\SYSTEM\mmtask.tsk
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFEB677=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
*C:\WINDOWS\SYSTEM\RNR20.DLL
*C:\WINDOWS\SYSTEM\SENSAPI.DLL
*C:\WINDOWS\SYSTEM\SHFOLDER.DLL
*C:\WINDOWS\SYSTEM\ZONELABS\SSLEAY32.DLL
*C:\WINDOWS\SYSTEM\MSAFD.DLL
*C:\WINDOWS\SYSTEM\VSDATA.DLL
*C:\WINDOWS\SYSTEM\ZONELABS\HTML.TDR
*C:\WINDOWS\SYSTEM\ZONELABS\VSRULEDB.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\ZONELABS\VSDB.DLL
*C:\WINDOWS\SYSTEM\VSUTIL.DLL
*C:\WINDOWS\SYSTEM\WINTRUST.DLL
*C:\WINDOWS\SYSTEM\RSABASE.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\WSOCK32.DLL
*C:\WINDOWS\SYSTEM\MSWSOCK.DLL
*C:\WINDOWS\SYSTEM\WS2_32.DLL
*C:\WINDOWS\SYSTEM\WININET.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\CRYPT32.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\MSOSS.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\WS2HELP.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFE3177=C:\WINDOWS\EXPLORER.EXE
*C:\WINDOWS\SYSTEM\ACTXPRXY.DLL
*C:\WINDOWS\SYSTEM\IMGUTIL.DLL
*C:\WINDOWS\SYSTEM\MSHTMLED.DLL
*C:\WINDOWS\SYSTEM\WEBVW.DLL
*C:\WINDOWS\SYSTEM\JSCRIPT.DLL
*C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
*C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
*C:\WINDOWS\SYSTEM\OLEPRO32.DLL
*C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*C:\WINDOWS\SYSTEM\MSVBVM60.DLL
*C:\WINDOWS\SYSTEM\MYDOCS.DLL
*C:\WINDOWS\SYSTEM\BROWSELC.DLL
*C:\WINDOWS\SYSTEM\IMM32.DLL
*C:\WINDOWS\SYSTEM\MSLS31.DLL
*C:\WINDOWS\SYSTEM\SHDOCLC.DLL
*C:\WINDOWS\SYSTEM\SENSAPI.DLL
*C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
*C:\WINDOWS\SYSTEM\MSAFD.DLL
*C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
*C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
*C:\WINDOWS\SYSTEM\ICMP.DLL
*C:\WINDOWS\SYSTEM\SHFOLDER.DLL
*C:\WINDOWS\SYSTEM\WSOCK32.DLL
*C:\WINDOWS\SYSTEM\MSWSOCK.DLL
*C:\WINDOWS\SYSTEM\WS2_32.DLL
*C:\WINDOWS\SYSTEM\WININET.DLL
*C:\WINDOWS\SYSTEM\CRYPT32.DLL
*C:\WINDOWS\SYSTEM\MSOSS.DLL
*C:\WINDOWS\SYSTEM\WS2HELP.DLL
*C:\WINDOWS\SYSTEM\NETAPI32.DLL
*C:\WINDOWS\SYSTEM\NETBIOS.DLL
*C:\WINDOWS\SYSTEM\ES.DLL
*C:\WINDOWS\SYSTEM\SENS.DLL
*C:\WINDOWS\SYSTEM\ESTIER2.DLL
*C:\WINDOWS\SYSTEM\ESSHARED.DLL
*C:\WINDOWS\SYSTEM\MSI.DLL
*C:\WINDOWS\SYSTEM\WEBCHECK.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\MSHTML.DLL
*C:\WINDOWS\SYSTEM\MLANG.DLL
*C:\WINDOWS\SYSTEM\URLMON.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\SHD401LC.DLL
*C:\WINDOWS\SYSTEM\LINKINFO.DLL
*C:\WINDOWS\SYSTEM\MSSHRUI.DLL
*C:\WINDOWS\SYSTEM\SVRAPI.DLL
*C:\WINDOWS\SYSTEM\MSNET32.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\BROWSEUI.DLL
*C:\WINDOWS\SYSTEM\SHDOC401.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\SHDOCVW.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFD1A6F=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*C:\WINDOWS\SYSTEM\USBUI.DLL
*C:\WINDOWS\SYSTEM\WMI.DLL
*C:\WINDOWS\SYSTEM\BATMETER.DLL
*C:\WINDOWS\SYSTEM\POWRPROF.DLL
*C:\WINDOWS\SYSTEM\SETUPAPI.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\CFGMGR32.DLL
*C:\WINDOWS\SYSTEM\WINSPOOL.DRV
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\WINDOWS\SYSTEM\LZ32.DLL
*C:\WINDOWS\SYSTEM\NTDLL.DLL
*C:\WINDOWS\SYSTEM\WINMM.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFD6247=C:\WINDOWS\TASKMON.EXE
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFD553B=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMCPS.DLL
*C:\WINDOWS\SYSTEM\MSAFD.DLL
*C:\WINDOWS\SYSTEM\SENSAPI.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGMAIL.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\SASLPL~2.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\SASLDIGESTMD5.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\SASLCRAMMD5.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\SASLPL~1.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\SASLLOGIN.DLL
*C:\WINDOWS\SYSTEM\SCHANNEL.DLL
*C:\WINDOWS\SYSTEM\RASAPI32.DLL
*C:\WINDOWS\SYSTEM\SECUR32.DLL
*C:\WINDOWS\SYSTEM\MSVCRT20.DLL
*C:\WINDOWS\SYSTEM\SVRAPI.DLL
*C:\WINDOWS\SYSTEM\MSNET32.DLL
*C:\WINDOWS\SYSTEM\MSPWL32.DLL
*C:\WINDOWS\SYSTEM\TAPI32.DLL
*C:\WINDOWS\SYSTEM\NETAPI32.DLL
*C:\WINDOWS\SYSTEM\NETBIOS.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSCAN.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGUNARC.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGLNG.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCFG.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGKLIB.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHFOLDER.DLL
*C:\WINDOWS\SYSTEM\MSVCP71.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\LIBSASL.DLL
*C:\WINDOWS\SYSTEM\MSVCR71.DLL
*C:\WINDOWS\SYSTEM\WSOCK32.DLL
*C:\WINDOWS\SYSTEM\MSWSOCK.DLL
*C:\WINDOWS\SYSTEM\WS2_32.DLL
*C:\WINDOWS\SYSTEM\WININET.DLL
*C:\WINDOWS\SYSTEM\CRYPT32.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\MSOSS.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\WS2HELP.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFD65DB=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCFG.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGKLIB.DLL
*C:\WINDOWS\SYSTEM\SHFOLDER.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGLOG.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\MSVCP71.DLL
*C:\WINDOWS\SYSTEM\MSVCR71.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFCF18B=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMCPS.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMSUI.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGREP.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSCAN.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGUNARC.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGVAULT.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCCKRN.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGRES.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGF.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGLNG.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCFG.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGKLIB.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGTEST.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSET.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGTRES.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGTMGR.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGLOG.DLL
*C:\WINDOWS\SYSTEM\SHFOLDER.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGABOUT.DLL
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCTRL.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\MSVCP71.DLL
*C:\WINDOWS\SYSTEM\MSVFW32.DLL
*C:\WINDOWS\SYSTEM\WOW32.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\DCIMAN32.DLL
*C:\WINDOWS\SYSTEM\WINMM.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\PROGRAM FILES\GRISOFT\AVG FREE\MFC71.DLL
*C:\WINDOWS\SYSTEM\MSVCR71.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFC755F=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
*C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\ADVCHECK.DLL
*C:\WINDOWS\SYSTEM\IMAGEHLP.DLL
*C:\WINDOWS\SYSTEM\HHCTRL.OCX
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\WINSPOOL.DRV
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFBAA3F=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*C:\WINDOWS\SYSTEM\WMICORE.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFB94B3=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
*C:\PROGRAM FILES\ZONE LABS\ZONEALARM\FIREWALL_ZA.ZAP
*C:\PROGRAM FILES\ZONE LABS\ZONEALARM\EMAIL_ZA.ZAP
*C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ALERT_ZA.ZAP
*C:\PROGRAM FILES\ZONE LABS\ZONEALARM\SECURITY_ZA.ZAP
*C:\PROGRAM FILES\ZONE LABS\ZONEALARM\PROGRAMS_ZA.ZAP
*C:\WINDOWS\SYSTEM\VSDATA.DLL
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\PROGRAM FILES\ZONE LABS\ZONEALARM\FRAMEWRK.DLL
*C:\WINDOWS\SYSTEM\VSPUBAPI.DLL
*C:\WINDOWS\SYSTEM\VSMONAPI.DLL
*C:\WINDOWS\SYSTEM\VSUTIL.DLL
*C:\WINDOWS\SYSTEM\WINTRUST.DLL
*C:\WINDOWS\SYSTEM\RSABASE.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\WSOCK32.DLL
*C:\WINDOWS\SYSTEM\MSWSOCK.DLL
*C:\WINDOWS\SYSTEM\WS2_32.DLL
*C:\WINDOWS\SYSTEM\WININET.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\CRYPT32.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\MSOSS.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\WS2HELP.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFBDBCF=C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODCLIENTMGR.EXE
*C:\PROGRAM FILES\COMMON FILES\FUNK SOFTWARE\ODCERT_M.DLL
*C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODCLIENTRESOURCE0009.DLL
*C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODCLIENTMGRDIALOGS.DLL
*C:\PROGRAM FILES\COMMON FILES\FUNK SOFTWARE\DCFDOM.DLL
*C:\PROGRAM FILES\COMMON FILES\FUNK SOFTWARE\DCFLIBRARY.DLL
*C:\WINDOWS\SYSTEM\CRYPTUI.DLL
*C:\WINDOWS\SYSTEM\WINTRUST.DLL
*C:\WINDOWS\SYSTEM\SHFOLDER.DLL
*C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
*C:\WINDOWS\SYSTEM\MSAFD.DLL
*C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
*C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
*C:\WINDOWS\SYSTEM\ICMP.DLL
*C:\WINDOWS\SYSTEM\WSOCK32.DLL
*C:\WINDOWS\SYSTEM\MSWSOCK.DLL
*C:\WINDOWS\SYSTEM\WS2_32.DLL
*C:\WINDOWS\SYSTEM\WININET.DLL
*C:\WINDOWS\SYSTEM\CRYPT32.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\MSOSS.DLL
*C:\WINDOWS\SYSTEM\WS2HELP.DLL
*C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\UNICOWS.DLL
*C:\WINDOWS\SYSTEM\AVICAP32.DLL
*C:\WINDOWS\SYSTEM\MSVFW32.DLL
*C:\WINDOWS\SYSTEM\WOW32.DLL
*C:\WINDOWS\SYSTEM\DCIMAN32.DLL
*C:\WINDOWS\SYSTEM\WINMM.DLL
*C:\WINDOWS\SYSTEM\OLEDLG.DLL
*C:\WINDOWS\SYSTEM\MSVCRT20.DLL
*C:\WINDOWS\SYSTEM\WINSPOOL.DRV
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFB227B=C:\WINDOWS\WINIPCFG.EXE
*C:\WINDOWS\SYSTEM\MSAFD.DLL
*C:\WINDOWS\SYSTEM\WSOCK32.DLL
*C:\WINDOWS\SYSTEM\MSWSOCK.DLL
*C:\WINDOWS\SYSTEM\WS2_32.DLL
*C:\WINDOWS\SYSTEM\WININET.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\CRYPT32.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\MSOSS.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\WS2HELP.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFB728F=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
*C:\WINDOWS\SYSTEM\SCRRUN.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\RICHED32.DLL
*C:\WINDOWS\SYSTEM\RICHTX32.OCX
*C:\WINDOWS\SYSTEM\OLEDLG.DLL
*C:\WINDOWS\SYSTEM\MSVCRT20.DLL
*C:\WINDOWS\SYSTEM\ASYCFILT.DLL
*C:\WINDOWS\SYSTEM\MSCOMCTL.OCX
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\MSVBVM60.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFF9A573=C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODTRAY.EXE
*C:\PROGRAM FILES\COMMON FILES\FUNK SOFTWARE\ODLIB_OSSL.DLL
*C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODSERVICERESOURCE0009.DLL
*C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODSERVICEDIALOGS.DLL
*C:\PROGRAM FILES\COMMON FILES\FUNK SOFTWARE\ODCERT_M.DLL
*C:\WINDOWS\SYSTEM\CRYPTUI.DLL
*C:\WINDOWS\SYSTEM\WINTRUST.DLL
*C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODSERVICE.DLL
*C:\WINDOWS\SYSTEM\SETUPAPI.DLL
*C:\WINDOWS\SYSTEM\LZ32.DLL
*C:\WINDOWS\SYSTEM\CFGMGR32.DLL
*C:\WINDOWS\SYSTEM\NTDLL.DLL
*C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
*C:\WINDOWS\SYSTEM\MSAFD.DLL
*C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
*C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
*C:\WINDOWS\SYSTEM\ICMP.DLL
*C:\WINDOWS\SYSTEM\WSOCK32.DLL
*C:\WINDOWS\SYSTEM\MSWSOCK.DLL
*C:\WINDOWS\SYSTEM\WS2_32.DLL
*C:\WINDOWS\SYSTEM\WININET.DLL
*C:\WINDOWS\SYSTEM\WS2HELP.DLL
*C:\PROGRAM FILES\COMMON FILES\FUNK SOFTWARE\DCFDOM.DLL
*C:\PROGRAM FILES\COMMON FILES\FUNK SOFTWARE\DCFLIBRARY.DLL
*C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODCLIENTRESOURCE0009.DLL
*C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\UNICOWS.DLL
*C:\WINDOWS\SYSTEM\AVICAP32.DLL
*C:\WINDOWS\SYSTEM\MSVFW32.DLL
*C:\WINDOWS\SYSTEM\WOW32.DLL
*C:\WINDOWS\SYSTEM\DCIMAN32.DLL
*C:\WINDOWS\SYSTEM\WINMM.DLL
*C:\WINDOWS\SYSTEM\OLEDLG.DLL
*C:\WINDOWS\SYSTEM\MSVCRT20.DLL
*C:\WINDOWS\SYSTEM\WINSPOOL.DRV
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\CRYPT32.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\MSOSS.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\SHFOLDER.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFF97A9F=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
*C:\WINDOWS\SYSTEM\MSVBVM60.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFE7406B=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
*C:\PROGRAM FILES\MOZILLA FIREFOX\NSSCKBI.DLL
*C:\WINDOWS\SYSTEM\MLANG.DLL
*C:\WINDOWS\SYSTEM\RNR20.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS\JAR50.DLL
*C:\WINDOWS\SYSTEM\SENSAPI.DLL
*C:\WINDOWS\SYSTEM\SHFOLDER.DLL
*C:\WINDOWS\SYSTEM\MSAFD.DLL
*C:\WINDOWS\SYSTEM\WINSPOOL.DRV
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\XPCOM_COMPAT.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\SSL3.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\SMIME3.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\NSS3.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\SOFTOKN3.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\XPCOM.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\PLDS4.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\PLC4.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\JS3250.DLL
*C:\PROGRAM FILES\MOZILLA FIREFOX\NSPR4.DLL
*C:\WINDOWS\SYSTEM\WSOCK32.DLL
*C:\WINDOWS\SYSTEM\MSWSOCK.DLL
*C:\WINDOWS\SYSTEM\WS2_32.DLL
*C:\WINDOWS\SYSTEM\WININET.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\CRYPT32.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\WINDOWS\SYSTEM\MSOSS.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\WS2HELP.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFE5F50F=C:\WINDOWS\SYSTEM\DDHELP.EXE
*C:\WINDOWS\SYSTEM\NMGCDD.DLL
*C:\WINDOWS\SYSTEM\DDRAW.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\NTDLL.DLL
*C:\WINDOWS\SYSTEM\WINMM.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFE53697=C:\WINDOWS\NOTEPAD.EXE
*C:\WINDOWS\SYSTEM\MSSHRUI.DLL
*C:\WINDOWS\SYSTEM\MPR.DLL
*C:\WINDOWS\SYSTEM\MYDOCS.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\SHDOCVW.DLL
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFE6BE7F=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
*C:\WINDOWS\SYSTEM\MSI.DLL
*C:\WINDOWS\SYSTEM\RPCRT4.DLL
*C:\PROGRAM FILES\WINZIP\WZ32.DLL
*C:\PROGRAM FILES\WINZIP\WZCAB3.DLL
*C:\PROGRAM FILES\WINZIP\WZVINFO.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\COMDLG32.DLL
*C:\WINDOWS\SYSTEM\SHELL32.DLL
*C:\WINDOWS\SYSTEM\COMCTL32.DLL
*C:\WINDOWS\SYSTEM\SHLWAPI.DLL
*C:\WINDOWS\SYSTEM\MSVCRT.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFE66DCF=C:\WINDOWS\TEMP\STARTDRECK.EXE
*C:\WINDOWS\SYSTEM\VERSION.DLL
*C:\WINDOWS\SYSTEM\VB40032.DLL
*C:\WINDOWS\SYSTEM\OLEPRO32.DLL
*C:\WINDOWS\SYSTEM\OLEAUT32.DLL
*C:\WINDOWS\SYSTEM\OLE32.DLL
*C:\WINDOWS\SYSTEM\MSVCRT20.DLL
*C:\WINDOWS\SYSTEM\USER32.DLL
*C:\WINDOWS\SYSTEM\GDI32.DLL
*C:\WINDOWS\SYSTEM\ADVAPI32.DLL
*C:\WINDOWS\SYSTEM\KERNEL32.DLL
»VMM32Files (LM)
*vdd.vxd=
*vflatd.vxd=
*vshare.vxd=
*vwin32.vxd=
*vfbackup.vxd=
*vcomm.vxd=
*combuff.vxd=
*vcd.vxd=
*vpd.vxd=
*spooler.vxd=
*udf.vxd=
*vfat.vxd=
*vcache.vxd=
*vcond.vxd=
*vcdfsd.vxd=
*int13.vxd=
*vxdldr.vxd=
*vdef.vxd=
*dynapage.vxd=
*configmg.vxd=
*ntkern.vxd=
*ebios.vxd=
*vmd.vxd=
*dosnet.vxd=
*vpicd.vxd=
*vtd.vxd=
*reboot.vxd=
*vdmad.vxd=
*vsd.vxd=
*v86mmgr.vxd=
*pageswap.vxd=
*dosmgr.vxd=
*vmpoll.vxd=
*shell.vxd=
*parity.vxd=
*biosxlat.vxd=
*vmcpd.vxd=
*vtdapi.vxd=
*perf.vxd=
*vkd.vxd=
*vmouse.vxd=
*mtrr.vxd=
»%System%\VMM32
*C:\WINDOWS\SYSTEM\VMM32\HPZIOU00.DLL
*C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD
*C:\WINDOWS\SYSTEM\VMM32\IOS.VXD
*C:\WINDOWS\SYSTEM\VMM32\MRCI2.VXD
*C:\WINDOWS\SYSTEM\VMM32\QEMMFIX.VXD
»%System%\IOSUBSYS
*C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVSPACX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV
*C:\WINDOWS\SYSTEM\IoSubSys\PPA3.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\Clikcard.mpd
*C:\WINDOWS\SYSTEM\IoSubSys\USB_IOS.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\cd_read.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\IOMEGA.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDRPWD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDUDF.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDUDFRW.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\Acbhlpr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\cdr4vsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\UdfReadr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\ONSTRPDR.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\AIC78XX.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\SPARROW.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\USBSTOR.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SONYMVCD.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD_1
*C:\WINDOWS\SYSTEM\IoSubSys\scsi1hlp.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\NTMAPHLP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\M5619.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\esdi_506.pdr
*C:\WINDOWS\SYSTEM\IoSubSys\genestor.pdr
*C:\WINDOWS\SYSTEM\IoSubSys\MCUSBMSP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\CDRALVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SONYPVU4.pdr
*C:\WINDOWS\SYSTEM\IoSubSys\USTORAGE.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SMARTVSD.VXD
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
*C:\Program Files\Microsoft Office\Office\STARTUP\MSCREATE.DIR
*C:\Program Files\Microsoft Office\Office\STARTUP\A20MSW97.DOT
»Default User
*C:\Program Files\Microsoft Office\Office\STARTUP\MSCREATE.DIR
*C:\Program Files\Microsoft Office\Office\STARTUP\A20MSW97.DOT
»Local Machine
»ICQ NetDetect
»Current User
»Default User

[MicroBell]

It's safe to download WMI script for the SilentRunners tools. I also need to make sure I understand your problem..

Your NOT getting these popups when just online...but within Firefox only and Only on certain sites? What happens if you go to the same site using IE?

The Teatimer error...is not part of this issue.....ignore it for now. Open Hijackthis...click Config>>MiscTools>> Uninstall Manager. ONce that loads click "Save List" and post it here so I can take a look. While your in there getting the scan..."highlight" that Blank entry..and see if it lists an Uninstall path on the right. If so..post that path here.

[LeftieLouie]

MicroBell, thanks for sticking with me on this trek! To answer your question, IE 6 and Firefox 1.07 have the same problem. I have 3 other WIndows 98SE systems with IE6 and Firefox 1.07 that do not suffer from this popup problem. Certain web sites (I have not found a common denominator except Lycos and Yahoo) seem to trigger it. The popup sequences through the following websites in rapid sequence:
hits.clickandtrack.com
a.websponsors.com
venus123.com
server.cmpstar.com
m.2mdn.net
ad.doubleclick.net
view.atdmt.com
trafficmp.com

I was not able to get MSConfig Startup Tab to give me any information about the blank entry - all I have is a PRTSCR .TIF file that shows it.

Please let me know what to do next - the log files you requested are posted below.

Here is the HijackThis uninstall log:
3ivx D4 4.0.4 (remove only)
Abacast Client
Adaptec DirectCD
Adaptec Easy CD Creator 4
Adaptec UDF Reader
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe PhotoDeluxe Business Edition 1.0
AniTuner 1.1
AppCAD
AudioCatalyst
Avery Wizard 2.0 for Microsoft Word 97
AVG Free Edition
Boingo Wireless
Canon Creative Components
Canon Creative Pro
Canon ScanGear Toolbox FAU 2.5
CCleaner (remove only)
CleanUp!
Cookie Pal
DivX Codec 3.1alpha release
EasyCleaner
FireTune
GoldWave v4.24
HijackThis 1.99.1
Infrared Support for Windows 95 Version 2.0
Internet Explorer Q896688
IomegaWare
J2SE Runtime Environment 5.0 Update 2
LARGAN Lmini V2.02
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Maxwell SV Version 9.0
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 97 Unique Identifier Removal Tool
Microsoft Office 97, Professional Edition
Microsoft Windows Media Video 9 VCM
Mozilla Firefox (1.0.7)
MSN Messenger 6.2
NIST Fire Dynamics Simulator Version 4.02 and Smokeview 4.01
NIST Fire Dynamics Simulator Version 4.05 and Smokeview 4.05
NIST Fire Dynamics Simulator Version 4.06 and Smokeview 4.06
Norton SystemWorks 2003
Odyssey Client
OLYMPUS CAMEDIA Master 1.0
OnSpec USB to ATAPI/LS120 Link with Port Driver
Orcad PSpice
Orcad Unison Suite Capture
Panda ActiveScan
PerformanceTest v4.0
QuickTime
Rescue Disk
RingCentral Fax
Schematic Capture Libraries
Sony USB Driver
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
SpywareGuard v2.2
TextBridge Plus
ThinkPad Configuration
USB Storage Driver
U-Storage 3.0
ViewMate 8.0
Windows 98 KB896358 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
Windows Media Player system update (9 Series)
Winroc 4.5
WinZip
Wireless-G Notebook Adapter
WordPerfect Office 12
WordPerfect Office 12 Setup Files
XBasic version 6.2.3
XingMP3 Editor
XingMP3 Player
Yahoo! Toolbar
ZoneAlarm

====
The Silent Runners Log:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis_remove 64 C:\WINDOWS\INF\applets1.inf" [MS]
PerUser_RNA_Inis\(Default) = "Windows Setup - Dial-Up Networking"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_RNA_remove 64 C:\WINDOWS\INF\rna.inf" [MS]
PerUser_DCC_Inis\(Default) = "Windows Setup - Direct Cable Connection"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis_remove 64 C:\WINDOWS\INF\rna.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_ClipBrd_Inis\(Default) = "Windows Setup - Clipboard Viewer"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis_remove 64 C:\WINDOWS\INF\clip.inf" [MS]
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.0"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsCompuservePerUser\(Default) = "Windows Setup - CompuServe"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
PerUser_Sysmeter_Inis\(Default) = "Windows Setup - System Meter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf" [MS]
{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Web Publishing Wizard 1.6"
\StubPath = "rundll32.exeadvpack.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{c7745760-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Iomega\Shell\ImgMenu.dll" ["Iomega Corp."]
"{c7745761-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Iomega\Shell\ImgProp.dll" ["Iomega Corp."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Canon Creative\pdeluxe\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
QuickFinderMenu\(Default) = "{C0E10002-0028-0005-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WordPerfect Office 12\Programs\PFSE120.DLL" ["Corel Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Desktop\Tatiana1a.jpg"


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Odyssey Client Manager" -> shortcut to: "C:\Program Files\Funk Software\Odyssey Client\odClientMgr.exe" ["Funk Software, Inc."]
"Shortcut to WINIPCFG.EXE" -> shortcut to: "C:\WINDOWS\WINIPCFG.EXE" [MS]
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\WINDOWS\All Users\Start Menu\Programs\StartUp
"ZoneAlarm" -> shortcut to: "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" ["Zone Labs Inc."]


Enabled Scheduled Tasks:
------------------------

"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJC Language Monitor\Driver = "CBJMON.DLL" ["Canon Information Systems"]
PostScript Language Monitor\Driver = "PSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 44 seconds, including 7 seconds for message boxes)


====
StartDrek Log:
StartDreck (build 2.1.7 public stable) - 2005-12-05 @ 21:35:02 (GMT -08:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Big Mo at BIG MO

»Registry
»Run Keys
»Current User
»Run
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
»RunOnce
»Default User
»Run
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*SystemTray=SysTray.Exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
»RunOnce
»RunServices
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=
*{02DCA195-602B-4B1F-83FF-381B7E804BDB}
`InprocServer32=
*SpywareGuardDLBLOCK.CBrowserHelper/{4A368E80-174F-4872-96B5-0B27DDD11DB2}
`InprocServer32=C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Odyssey Client Manager.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shortcut to WINIPCFG.EXE.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Odyssey Client Manager.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shortcut to WINIPCFG.EXE.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
»Local Machine
*C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
»System/Drivers
»Running Processes
+FFEF011F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF40C7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF7377=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF6C3F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE9963=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
+FFFEEA7B=C:\WINDOWS\EXPLORER.EXE
+FFFD3FBB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD7F5B=C:\WINDOWS\TASKMON.EXE
+FFFD6D07=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
+FFFD32DF=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FFFCC5EF=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFFC52AF=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFC44DB=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFFBA22F=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
+FFFBCEAF=C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODCLIENTMGR.EXE
+FFFBEF6B=C:\WINDOWS\WINIPCFG.EXE
+FFFB1E8F=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
+FFF9CF2B=C:\PROGRAM FILES\FUNK SOFTWARE\ODYSSEY CLIENT\ODTRAY.EXE
+FFF9068F=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
+FFE6982F=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
+FFE6C3B7=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
+FFE5EFA3=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
+FFE67817=C:\WINDOWS\TEMP\STARTDRECK.EXE
»NT Services
»Application specific

[MicroBell]

This thing is buried...

First....

Please download and run EliteToolbar Remover
http://www.simplytech.it/ETRemover/

I don't see a hosts file. Please search for a file called hosts and see if you have one. On Win98 it's useally located here.. C:\Windows\Hosts

Download WinPFInd http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.!


Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log

[LeftieLouie]

MicroBell, I hope you're finding this exercise educational, I am looking forward to getting to the bottom of this mystery.

WinPFind reports "file not found" when I click OK I get one entry "PTech" that WinPFind located in winzip.log. The process continues forever. My drive partition is 3GB. As I reported in an earlier entry the process ran for 12 hours without stopping and I had to power cycle to get control of the machine.

Let me know how I can fix WinPFind.
Best Regards,
Lou

Here is the qoo.vbs log:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7}


Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey ---


==============================


==============================
C:\WINDOWS\Start Menu\Programs\StartUp

Odyssey Client Manager.lnk
Shortcut to WINIPCFG.EXE.lnk
SpywareGuard.lnk
==============================
C:\WINDOWS\SYSTEM cpl files


INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
STICPL.CPL
POWERCFG.CPL Microsoft Corporation
INFRARED.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
TP98.CPL IBM Corp.
camcpl.cpl FotoNation inc.
UILib.cpl Sony Corporation
QuickTime.cpl Apple Computer, Inc.
TELEPHON.CPL Microsoft Corporation
Odcpl.cpl Funk Software, Inc.
odbccp32.cpl Microsoft Corporation
bdeadmin.cpl Borland Software Corporation
ISUSPM.cpl InstallShield Software Corporation

[MicroBell]

Sorry Lou....I forgot. I didn't see the log and asummed we didn't run it.

Question:

When you run it...does it stop or error out? I'm not concerned with the time it's taking as this happens when it's scanning the files and registry. You did extract the file to it's own folder...correct?? You can't run it from within the ZIP file and you MUST be in safe mode.


If you did all that...lets try this....

Open hijackthis...click...config..misctools. Check the 2 box’s next to "Generate Startup List" and then click "Generate Startup List". Post that log in your next post.

Download Rkfiles.zip http://skads.org/special/rkfiles.zip
UNZIP the contents to a permanent folder on your desktop

REBOOT TO SAFE MODE… These tools MUST be run in safe mode!!
Once in safe mode…

Double click rkfiles.bat
It will scan for a while, so please be patient.
Wait till the dos window closes.
Open the C:\log.txt it created and post it here.

*Note* Make sure you shut down everything during these scans.... (AntiVirus, Firewall...etc)

[LeftieLouie]

Hey MicroBell,
That's OK my bug ain't the only thread you're fussing with and I DO appreciate your help!

I did extract WinPFind to it's own folder C:\WinPFind and executed WinPFind.exe in Safe mode. It does not error out, it pops up a message box that says "file not found". The box has an "OK" when I click it WinPFind does A LOT of disk activity. It lists only the one item on the screen. Ctrl-Alt-Del failed to get it's attention. Twelve hours seems excessive to scan the registry.

Are you sure that we can't narrow it down to Java, Javascript, ActiveX, VBS or some other nasty Microsoft wormhole? Then trap the script and search it for its id and execution path?

Here's the HJT startup log:
StartupList report, 12/8/05, 8:52:18 AM
StartupList version: 1.52.2
Started from : C:\HJT\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Odyssey Client Manager.lnk = C:\WINDOWS\Installer\{BF36757F-1D6F-4AC9-8F8C-90A80381A3E8}\OdysseyConfig.exe
Shortcut to WINIPCFG.EXE.lnk = C:\WINDOWS\WINIPCFG.EXE
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
TaskMonitor = C:\WINDOWS\taskmon.exe
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
AVG7_CC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf

[PerUser_CVT_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis_remove 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_RNA_remove 64 C:\WINDOWS\INF\rna.inf

[PerUser_DCC_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis_remove 64 C:\WINDOWS\INF\rna.inf

[PerUser_Sysmon_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Onlinelnks_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_ClipBrd_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis_remove 64 C:\WINDOWS\INF\clip.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95

[IrXferPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection IrXferPerUser 64 C:\WINDOWS\INF\irxfer.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[OlsAolPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[PerUser_Sysmeter_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = rundll32.exeadvpack.dll

[PerUser_Winpopup_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Winpopup_Inis_remove 64 C:\WINDOWS\INF\winpopup.inf

[Shell3PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 7/12/2005, 9:17:48)

[rename]
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVG.EXE=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVG.EXE
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVG7.LNG=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVG7.LNG
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVG7CORE.VXD=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVG7CORE.VXD
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGABOUT.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGABOUT.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGAMSVR.EXE
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCFG.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGCFG.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCORE.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGCORE.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGEMC.EXE
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMSUI.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGEMSUI.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGSCAN.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGSCAN.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGSET.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGSET.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGTEST.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGTEST.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGUNARC.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGUNARC.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGVV.EXE=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGVV.EXE
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGXCH32.DLL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\AVGXCH32.DLL
C:\PROGRA~1\GRISOFT\AVGFRE~1\MICROAVI.AVG=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\MICROAVI.AVG
C:\PROGRA~1\GRISOFT\AVGFRE~1\SETUP.DAT=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\SETUP.DAT
C:\PROGRA~1\GRISOFT\AVGFRE~1\SETUP.EXE=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\SETUP.EXE
C:\PROGRA~1\GRISOFT\AVGFRE~1\UPD_VERS.CFG=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\UPD_VERS.CFG
C:\PROGRA~1\GRISOFT\AVGFRE~1\INCAVI.AVM=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\INCAVI.AVM
NUL=C:\PROGRA~1\GRISOFT\AVGFRE~1\WAIT4SD
NUL=C:\WINDOWS\ALLUSE~1\APPLIC~1\GRISOFT\AVG7DATA\AVG7UPD\INSTALL.1\U-FWD.IDX

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE
SET BLASTER=A220 I5 D1 T4
Rem TShoot:
Set MAXWELL_DIR=C:\Maxwell
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\THINKPAD\UTILIT~1;%PATH%;"C:\ProgramFiles\NortonSystemWorks\NortonGhost\";C:\PROGRA~1\GRISOFT\AVG6;C:\NIST\FDS;C:\WINDOWS\SYSTEM\WBEM
SET CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1
:: Set Path=%path%;C:\CADENCE\ORCAD_9.2.3\TOOLS\CAPTURE;C:\CADENCE\ORCAD_9.2.3\TOOLS\JRE\BIN;C:\CADENCE\ORCAD_9.2.3\TOOLS\FET\BIN;C:\CADENCE\ORCAD_9.2.3\TOOLS\BIN;
:: SET CDSROOT=C:\Cadence\Orcad_9.2.3
:: SET CDS_LIC_FILE=C:\Cadence\Orcad_9.2.3\tools\license.dat
set SMOKEVIEWINI=C:\NIST\FDS

--------------------------------------------------

C:\CONFIG.SYS listing:

LastDrive=z
Files=64

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

LoadStart = DDEML.DLL
LoadSuccess = DDEML.DLL
LoadStart = C:\WINDOWS\SYSTEM\USER32.DLL
LoadStart = USER.EXE
LoadSuccess = USER.EXE
LoadStart = USER.EXE
LoadSuccess = USER.EXE
LoadStart = USER.EXE
LoadSuccess = USER.EXE
LoadStart = USER.EXE
LoadSuccess = USER.EXE
LoadStart = USER.EXE
LoadSuccess = USER.EXE
LoadSuccess = C:\WINDOWS\SYSTEM\USER32.DLL
LoadStart = COOL.DLL
LoadSuccess = COOL.DLL
Init = KEYBOARD
InitDone = KEYBOARD
Init = Mouse
Status = Mouse driver installed
InitDone = Mouse
Init =
LoadStart = DISPLAY.drv
LoadSuccess = DISPLAY.drv
InitDone = DISPLAY
Init = Display Resources
InitDone = Display Resources
LoadStart = C:\WINDOWS\fonts\MARLETT.TTF
LoadFail = C:\WINDOWS\fonts\MARLETT.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\SSERIFE.FON
LoadSuccess = C:\WINDOWS\fonts\SSERIFE.FON
LoadStart = C:\WINDOWS\fonts\LUCON.TTF
LoadFail = C:\WINDOWS\fonts\LUCON.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\TAHOMA.TTF
LoadFail = C:\WINDOWS\fonts\TAHOMA.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\TAHOMABD.TTF
LoadFail = C:\WINDOWS\fonts\TAHOMABD.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\ARIAL.TTF
LoadFail = C:\WINDOWS\fonts\ARIAL.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\ARIALBD.TTF
LoadFail = C:\WINDOWS\fonts\ARIALBD.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\ARIALBI.TTF
LoadFail = C:\WINDOWS\fonts\ARIALBI.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\ARIALI.TTF
LoadFail = C:\WINDOWS\fonts\ARIALI.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\COUR.TTF
LoadFail = C:\WINDOWS\fonts\COUR.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\COURBD.TTF
LoadFail = C:\WINDOWS\fonts\COURBD.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\COURBI.TTF
LoadFail = C:\WINDOWS\fonts\COURBI.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\COURI.TTF
LoadFail = C:\WINDOWS\fonts\COURI.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\TIMES.TTF
LoadFail = C:\WINDOWS\fonts\TIMES.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\TIMESBD.TTF
LoadFail = C:\WINDOWS\fonts\TIMESBD.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\TIMESBI.TTF
LoadFail = C:\WINDOWS\fonts\TIMESBI.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\TIMESI.TTF
LoadFail = C:\WINDOWS\fonts\TIMESI.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\WINGDING.TTF
LoadFail = C:\WINDOWS\fonts\WINGDING.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\SYMBOL.TTF
LoadFail = C:\WINDOWS\fonts\SYMBOL.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\ARIBLK.TTF
LoadFail = C:\WINDOWS\fonts\ARIBLK.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\COMIC.TTF
LoadFail = C:\WINDOWS\fonts\COMIC.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\COMICBD.TTF
LoadFail = C:\WINDOWS\fonts\COMICBD.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\IMPACT.TTF
LoadFail = C:\WINDOWS\fonts\IMPACT.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\VERDANA.TTF
LoadFail = C:\WINDOWS\fonts\VERDANA.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\VERDANAB.TTF
LoadFail = C:\WINDOWS\fonts\VERDANAB.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\VERDANAI.TTF
LoadFail = C:\WINDOWS\fonts\VERDANAI.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\VERDANAZ.TTF
LoadFail = C:\WINDOWS\fonts\VERDANAZ.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\WEBDINGS.TTF
LoadFail = C:\WINDOWS\fonts\WEBDINGS.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Georgia.TTF
LoadFail = C:\WINDOWS\fonts\Georgia.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Georgiab.TTF
LoadFail = C:\WINDOWS\fonts\Georgiab.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Georgiai.TTF
LoadFail = C:\WINDOWS\fonts\Georgiai.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Georgiaz.TTF
LoadFail = C:\WINDOWS\fonts\Georgiaz.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Trebuc.TTF
LoadFail = C:\WINDOWS\fonts\Trebuc.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Trebucbd.TTF
LoadFail = C:\WINDOWS\fonts\Trebucbd.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Trebucbi.TTF
LoadFail = C:\WINDOWS\fonts\Trebucbi.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Trebucit.TTF
LoadFail = C:\WINDOWS\fonts\Trebucit.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\Andalemo.TTF
LoadFail = C:\WINDOWS\fonts\Andalemo.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\MPAJ____.TTF
LoadFail = C:\WINDOWS\fonts\MPAJ____.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\MPC_____.TTF
LoadFail = C:\WINDOWS\fonts\MPC_____.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\MPLC____.TTF
LoadFail = C:\WINDOWS\fonts\MPLC____.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\MPLED___.TTF
LoadFail = C:\WINDOWS\fonts\MPLED___.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\MPLEV___.TTF
LoadFail = C:\WINDOWS\fonts\MPLEV___.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\MPLST___.TTF
LoadFail = C:\WINDOWS\fonts\MPLST___.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\MPLV____.TTF
LoadFail = C:\WINDOWS\fonts\MPLV____.TTF Failure code is 0016
LoadStart = C:\WINDOWS\fonts\MPRR____.TTF
LoadFail = C:\WINDOWS\fonts\MPRR____.TTF Failure code is 0016
LoadSuccess = USER.EXE
LoadStart = MSGSRV32.EXE
LoadSuccess = MSGSRV32.EXE
Terminate = User
Terminate = Query Drivers
EndTerminate = Query Drivers
Terminate = User
Terminate = Query Drivers
EndTerminate = Query Drivers
[00113B4D] Loading Vxd = mtrr
[00113B4D] LoadSuccess = mtrr
[00113B4D] Loading Vxd = SPOOLER
[00113B4E] LoadSuccess = SPOOLER
[00113B4E] Loading Vxd = UDF
[00113B4E] LoadSuccess = UDF
[00113B4E] Loading Vxd = VFAT
[00113B4E] LoadSuccess = VFAT
[00113B4E] Loading Vxd = VCACHE
[00113B4D] LoadSuccess = VCACHE
[00113B4D] Loading Vxd = VCOND
[00113B4D] LoadSuccess = VCOND
[00113B4D] Loading Vxd = VCDFSD
[00113B4D] LoadSuccess = VCDFSD
[00113B4D] Loading Vxd = VXDLDR
[00113B4D] LoadSuccess = VXDLDR
[00113B4D] Loading Vxd = VDEF
[00113B4D] LoadSuccess = VDEF
[00113B4D] Loading Vxd = VPICD
[00113B4D] LoadSuccess = VPICD
[00113B4D] Loading Vxd = VTD
[00113B4D] LoadSuccess = VTD
[00113B4D] Loading Vxd = REBOOT
[00113B4D] LoadSuccess = REBOOT
[00113B4D] Loading Vxd = VDMAD
[00113B4D] LoadSuccess = VDMAD
[00113B4D] Loading Vxd = VSD
[00113B4D] LoadSuccess = VSD
[00113B4D] Loading Vxd = V86MMGR
[00113B4D] LoadSuccess = V86MMGR
[00113B4D] Loading Vxd = PAGESWAP
[00113B4D] LoadSuccess = PAGESWAP
[00113B4D] Loading Vxd = DOSMGR
[00113B4D] LoadSuccess = DOSMGR
[00113B4D] Loading Vxd = VMPOLL
[00113B4D] LoadSuccess = VMPOLL
[00113B4D] Loading Vxd = SHELL
[00113B4D] LoadSuccess = SHELL
[00113B4D] Loading Vxd = PARITY
[00113B4D] LoadSuccess = PARITY
[00113B4E] Loading Vxd = BIOSXLAT
[00113B4E] LoadSuccess = BIOSXLAT
[00113B4E] Loading Vxd = VMCPD
[00113B4E] LoadSuccess = VMCPD
[00113B4E] Loading Vxd = VTDAPI
[00113B4E] LoadSuccess = VTDAPI
[00113B4E] Loading Vxd = PERF
[00113B4E] LoadSuccess = PERF
[00113B4F] Loading Vxd = C:\WINDOWS\SYSTEM\vrtwd.386
[00113B4D] LoadSuccess = C:\WINDOWS\SYSTEM\vrtwd.386
[00113B4F] Loading Vxd = C:\WINDOWS\SYSTEM\vfixd.vxd
[00113B4D] LoadSuccess = C:\WINDOWS\SYSTEM\vfixd.vxd
[00113B4F] Loading Vxd = vnetbios.vxd
[00113B5F] LoadSuccess = vnetbios.vxd
[00113B5F] Loading Vxd = vredir.vxd
[00113B5F] LoadSuccess = vredir.vxd
[00113B5F] Loading Vxd = dfs.vxd
[00113B5F] LoadSuccess = dfs.vxd
[00113B5F] Loading Vxd = vserver.vxd
[00113B5F] Skipped (not needed) = vserver.vxd
[00113B61] Loading Vxd = C:\PROGRA~1\SYMANTEC\SYMEVNT.386
[00113B5F] LoadSuccess = C:\PROGRA~1\SYMANTEC\SYMEVNT.386
[00113B61] Loading Vxd = SYMTDI.VXD
[00113B71] LoadSuccess = SYMTDI.VXD
[00113B73] Loading Vxd = C:\PROGRA~1\NORTON~1\NAVAP.VXD
[00113B71] LoadSuccess = C:\PROGRA~1\NORTON~1\NAVAP.VXD
[00113B72] Loading Vxd = vsdata95.vxd
[00113B71] LoadSuccess = vsdata95.vxd
[00113B71] Loading Vxd = ebios
[00113B71] LoadSuccess = ebios
[
C:\WINDOWS\CWDINIT.EXE /A

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - (no file) - {02DCA195-602B-4B1F-83FF-381B7E804BDB}
SpywareGuard Download Protection - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Norton SystemWorks One Button Checkup.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH8.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}]

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
VSERVER: vserver.vxd
VSDATA95: vsdata95.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: *Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33,243 bytes
Report generated in 0.995 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


And now the RKFiles log listing:
ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\imscan.dll: UPX!
C:\WINDOWS\SYSTEM\TV_ENG32.DLL: upX!
C:\WINDOWS\SYSTEM\imscan.dll: FSPEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t
Finished
bye

[MicroBell]

Lou,

I'm not great with scripts....so I don't think that would help as I don't think this thing will show. I'm beginning to think it's a rootkit and will be hidden from the windows API anyway as none of the logs are displaying it's entrys..or it's deleting it's entrys like Elitebar does and runs from memory.

Please visit this website - http://virusscan.jotti.org/
Submit these file(s) for a comprehensive scan & then post the results back here

C:\WINDOWS\SYSTEM\TV_ENG32.DLL
C:\WINDOWS\SYSTEM\imscan.dll

Please download and install RootkitRevealer
http://www.sysinternals.com/Utilitie...tRevealer.html

Run the program...do a scan and post the log here.

I also need you preform the following....

1. Open regedit again and search for any keys that begin with this..Aprop and see if you find any keys.

2. Navigate to this key..HKEY_LOCAL_MACHINE\Software See if there is a folder in the list made up of random letters. Example: fystpws

3. I'm not totally convinced you have a problem program on the PC. I need you to confirm you have some sort of general popup blocker running. Do a test on a site that generates Popups and see if the problem PC blocks them. The ads you listed are popups that are useally delivered by a cookie.