nomad2224
Members · 12 posts · Reputation: 0 Neutral
  1. Well, guess what? ABOUTBUSTER worked now! I can put my finger on it, perhaps when it was originally trying to go through that C:\WINDOWS\_detmp.2 file, it got "overloaded" since there were like >1000 infected items found in that file? Anyways, it worked now. But my Killbox folder still has a 'sdkpp32.exe' file in it and those other 3 .dll files still show up when I run ADSspy with the Quickscan unchecked. Here's the log:

     AboutBuster 6.0
     Scan started on [2/5/2006] at [2:21:49 AM]
     -------------------------------------------------------------
     Internet Explorer Instances Terminated!
     HomeSearch Service stopped if present
     -------------------------------------------------------------
     No Ads Found!
     -------------------------------------------------------------
     No Files Found!
     -------------------------------------------------------------
     Scan was COMPLETED SUCCESSFULLY at 2:24:39 AM
  2. Hi jwbirdsong! Ok, I ran Killbox in safe mode, but maybe I'm not doing something right...it seems I can't get rid of the 3 files:

     C:\WINDOWS\system32\efrh.dll
     C:\WINDOWS\system32\riwj.dll
     C:\WINDOWS\system32\rojk.dll

     As soon as I reboot and re-run ADSspy, those files are back again...in fact they don't even show up in the killbox folder. I ran the blacklight program from F-Secure...it didn't find anything. I will send the SFP .CAB file asap to the email you requested. Thanks for your help! I also ran ADSspy again and got this log:

     C:\WINDOWS\system32 : efrh.dll (9 bytes)
     C:\WINDOWS\system32 : riwj.dll (9 bytes)
     C:\WINDOWS\system32 : rojk.dll (9 bytes)
     C:\WINDOWS\system32 : efrh.dll (9 bytes)
     C:\WINDOWS\system32 : riwj.dll (9 bytes)
     C:\WINDOWS\system32 : rojk.dll (9 bytes)
  3. Ok, back at this again, I think I'm just about done now, here are my scans from this afternoon! Thanks to everyone for their help so far! Nomad2224

     ---------------------------------------------------------
     ewido anti-malware - Scan report
     ---------------------------------------------------------
     + Created on: 7:28:04 AM, 2/3/2006
     + Report-Checksum: 638D600E
     + Scan result: No infected objects found.
     ::Report End

     --------------------------------------------------------------------
     Activescan Online
     Incident                    Status           Location
     Adware:adware/searchaid     Not disinfected  C:\WINDOWS\sdkpp32.exe

     ----------------------------------------------------------
     ADSspy - I ran this with the quick scan and without the Quick scan.
     1. Quickscan (Windows folder only): Nothing found.
     2. Quickscan Unchecked:
     C:\WINDOWS\system32 : efrh.dll (9 bytes)
     C:\WINDOWS\system32 : riwj.dll (9 bytes)
     C:\WINDOWS\system32 : rojk.dll (9 bytes)
     C:\WINDOWS\system32 : efrh.dll (9 bytes)
     C:\WINDOWS\system32 : riwj.dll (9 bytes)
     C:\WINDOWS\system32 : rojk.dll (9 bytes)

     ------------------------------------------------------------
     HijackThis log

     Logfile of HijackThis v1.99.1
     Scan saved at 6:38:01 PM, on 2/4/2006
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\csrss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
     C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
     C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
     C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
     C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
     C:\Program Files\ewido anti-malware\ewidoctrl.exe
     C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     C:\Program Files\Microsoft Hardware\Mouse\point32.exe
     C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
     C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
     C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
     C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
     C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetTray.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\SpywareGuard\sgmain.exe
     C:\Program Files\SpywareGuard\sgbhp.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\WINDOWS\System32\alg.exe
     D:\My Documents\My Downloads\Spyware removal\hijackthis\HijackThis.exe
     C:\WINDOWS\notepad.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.castlecops.com
     O15 - Trusted Zone: http://*.update.microsoft.com
     O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
     O15 - Trusted Zone: http://*.windowsupdate.com
     O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
     O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
     O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
     O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
     O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
     O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
     O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
     O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
     O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
     O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093307627328
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121571153937
     O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
     O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
     O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
     O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
     O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
     O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
     O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
     O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
     O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
     O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
     O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
     O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
     O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
     O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
     O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
     O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
     O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe
     O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  4. What do I do with the infected files in the killbox folder? Do I just delete them? I've posted the log from the WinPfind, but haven't heard any response back on it yet, are there any red flags in it I should be concerned about? Also, how can I be sure my system is now clean or not? I'm not sure how to proceed... Thanks
  5. Ok, thanks jwbirdsong! I followed your instructions; here's the WinPFind log I ran from safe mode (attached - it was too long). Also, I've posted my latest ADSspy log. I ran ADSspy with the "Ignore safe system info streams" option checked, but the "Quick scan (Windows base folder only)" UNCHECKED. Thanks in advance for all your help!

     C:\WINDOWS\system32 : efrh.dll (9 bytes)
     C:\WINDOWS\system32 : riwj.dll (9 bytes)
     C:\WINDOWS\system32 : rojk.dll (9 bytes)
     C:\WINDOWS\system32 : efrh.dll (9 bytes)
     C:\WINDOWS\system32 : riwj.dll (9 bytes)
     C:\WINDOWS\system32 : rojk.dll (9 bytes)
  6. Not sure if this helps at all...but I just ran RootKitRevealer from Sysinternals and it gave me the following scan:
  7. Ok, so here's the logs you asked for. Sorry it took some time to run (Ewido took nearly 2 hrs...) I had to let it go overnight.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 1:25:37 AM, 1/25/2006
+ Report-Checksum: 5EF66C76
+ Scan result: No infected objects found.
::Report End
---------------------------------------------------------

ActiveScan
Incident Status Location
Adware:adware/searchaid Not disinfected C:\WINDOWS\sdkog32.exe
Adware:adware/adwhere Not disinfected Windows Registry
---------------------------------------------------------

ADSspy log -
C:\WINDOWS\systen32 : xadrb (0 bytes)
C:\WINDOWS\systen32 : [4 (29 bytes)
C:\WINDOWS\_detmp.2 : aaaeg (88487 bytes)
C:\WINDOWS\_detmp.2 : aband (88487 bytes)
C:\WINDOWS\_detmp.2 : abqdc (88487 bytes)
C:\WINDOWS\_detmp.2 : abvga (88487 bytes)
C:\WINDOWS\_detmp.2 : adceu (88487 bytes)
C:\WINDOWS\_detmp.2 : adjji (88487 bytes)
C:\WINDOWS\_detmp.2 : adlfj (88487 bytes)
C:\WINDOWS\_detmp.2 : agvai (88487 bytes)
C:\WINDOWS\_detmp.2 : ahaeh (88487 bytes)
C:\WINDOWS\_detmp.2 : ahpai (88487 bytes)
C:\WINDOWS\_detmp.2 : aillsz (197751 bytes)
C:\WINDOWS\_detmp.2 : ajegh (88487 bytes)
C:\WINDOWS\_detmp.2 : ajkgi (88487 bytes)
C:\WINDOWS\_detmp.2 : ajkis (88487 bytes)
C:\WINDOWS\_detmp.2 : akakp (88487 bytes)
C:\WINDOWS\_detmp.2 : akyxw (88487 bytes)
C:\WINDOWS\_detmp.2 : alcks (88487 bytes)
C:\WINDOWS\_detmp.2 : alniu (88487 bytes)
C:\WINDOWS\_detmp.2 : alupj (88487 bytes)
C:\WINDOWS\_detmp.2 : anthh (88487 bytes)
C:\WINDOWS\_detmp.2 : aoblt (88487 bytes)
C:\WINDOWS\_detmp.2 : aoibh (88487 bytes)
C:\WINDOWS\_detmp.2 : aoskn (88487 bytes)
C:\WINDOWS\_detmp.2 : aosmx (88487 bytes)
C:\WINDOWS\_detmp.2 : apixi (88487 bytes)
C:\WINDOWS\_detmp.2 : apvna (88487 bytes)
C:\WINDOWS\_detmp.2 : aqxal (88487 bytes)
C:\WINDOWS\_detmp.2 : bygtz (88487 bytes)
C:\WINDOWS\_detmp.2 : bzoby (0 bytes)
C:\WINDOWS\_detmp.2 : bzozp (88487 bytes)
C:\WINDOWS\_detmp.2 : bzscp (88487 bytes)
C:\WINDOWS\_detmp.2 : calme (88487 bytes)
C:\WINDOWS\_detmp.2 : cayro (88487 bytes)
C:\WINDOWS\_detmp.2 : cbigv (88487 bytes)
C:\WINDOWS\_detmp.2 : cbtfl (88487 bytes)
-----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:25:21 AM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
D:\My Documents\My Downloads\Spyware removal\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.castlecops.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093307627328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121571153937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  8. Will do...but I can only do this in the evening (At work unfortunately!) Thanks Nomad2224
  9. Forgot to mention also:
- There's no log in the aboutbuster folder.
- I have disabled AVG FREE realtime scanning and am using EZ Trust AV on a trial basis.
  10. - I am running AboutBuster 6.0 (I believe so since the Window Titlebar says AboutBuster 6.0).
- I have extracted the Zipped files to a folder. I am using 'C:\aboutbuster'.
- I know at one point I did have CWS.Homesearch since Spybot kept finding it but couldn't remove it. That was about two months ago (before I got into seriously cleaning my system), and I ended up manually deleting (I know, this isn't good!) whatever Spybot found since it couldn't get rid of it itself.
- The only reason I'm trying to run AboutBuster now is because I think there might be leftover files/reg settings on my system and I've been told to run it along with HJT. I think my HJT log is pretty clean but there definitely is still infected malware on my system.
- Specifically (although there's no sign of this in HJT), I am getting many results of ADS in ADSspy with a file called C:\WINDOWS\_detmp.2:'xxxxx' where 'xxxxx' is a random series of letters. I've run the BitDefender online scan and the Kaspersky online scan and both of them tell me that there are infections there (Kaspersky found nearly a thousand instances of 'Trojan.Win32.Agent.bq' on this file).

Sorry if this post is beyond the scope of this Forum, I just refuse to throw in the towel yet! Any help is greatly appreciated!
  11. Hi, I'm having a difficult time trying to run AboutBuster 6.0 as it keeps returning an "error 6, overflow" message. This happens in Safe mode as well as normal. I've downloaded from malwarebytes.org several times, ran it from different folders, and made sure it was extracted to its own folder. Still, can't seem to get it running. Is something corrupted on my PC? I've tried several forums but this is the official AboutBuster one, so I figured this would be a better place than any. Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:34 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
D:\My Documents\My Downloads\Spyware removal\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.castlecops.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093307627328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121571153937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~3\ETRUST~1\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  12. I'm in the same situation...keep getting error 6 overflow. It's happening in safe mode too. Running Windows XP Pro SP2. The program launches, but after a couple of seconds, as soon as I run the scan, the error pops up. Hope I can get it working since there are not many answers to this problem in the forums that I've searched.