Ad-Aware: System restarts when running this app
Jul 4 2005, 08:03 AM | Post #1 | Member | Posts: 13 | OS: Windows XP
When I attempt to run Ad-Aware, my system restarts after the application has run for around twenty or thirty seconds. The NT Authority\System restarts, b/c the DCOM Server Process Launcher service terminated unexpectedly.

I am the newest of newbies. Nonetheless, I did do a little poking around on Microsoft's site, and learned that this restart can be a symptom of infection by the Blaster worm. So I ran Microsoft's malware removal tool (http://www.microsoft.com/security/malwareremove/default.mspx), which informed me that my machine is free of Blaster or any of the other stuff that the tool is supposed to remove.

It doesn't take me long to get stumped by stuff like this. Can anyone here kindly offer some help? I'd really appreciate it.

Thanks,
Robert
Guest_numbnuts_* | Jul 4 2005, 10:56 AM | Post #2
Hello, bobbylife.. See if this helps please ...

Make sure you have the latest Windows critical updates, as this seemed to have resolved the problem other users had. If you are all updated and it's still happening it could be that SE is bumping into DCOM on certain systems. You can use this tool to disable/enable DCOM. http://www.grc.com/dcom/

In addition, I have heard of this message as a result of the blaster worm. Have a look at this Microsoft web page and see if it applies to your situation. http://www.microsoft.com/security/incident/blast.mspx

Can you try running a scan with Ad-Aware SE and when the 60-second countdown starts cancel the shutdown command.

Click on Start then select Run, type this in bold but do not click OK yet.

**shutdown -a**

Now start Ad-Aware SE and click on the global icon to run a web update to make sure you have the latest definitions file. Now start the scan running and return to that run command we opened above. As soon as you see that shutdown message appear click on OK to launch the shutdown -a command. This will abort the shutdown.

Would you please make the following adjustment to the settings of Ad-Aware and run the scan,

1) Open Ad-Aware SE
2) Click on "Settings" (the gear wheel at the top of the main window)
3) Click on the "Tweak" button
4) In the right side of the window click on the + sign next to "Scanning Engine"
5) Uncheck the item "Unload recognized processes & modules during scan" (click the green tick to change it to a red cross)
6) Click "Proceed" to save the change.

Run a scan with the new settings and post a reply as to whether or not you were able to complete the scan without a shutdown occurring.

Regards..
numbnuts..
Jul 4 2005, 01:36 PM | Post #3 | Member | Posts: 13 | OS: Windows XP
Thanks numbnuts,

I did as you suggested. Here's the play-by-play:

1. Downloaded all critical XP updates from Microsoft.
2. Rebooted my machine.
3. Ran AdAware. It initiated the shutdown, which I aborted with the run command you gave me. After I did that, AdAware continued to scan. It quarantined a bunch of stuff (I copied parts of the logfiles below).
4. I restarted my computer and reconfigured the settings in AdAware, as per your suggestions, which I've italicized below.

   *1) Open Ad-Aware SE*
   *2) Click on "Settings" (the gear wheel at the top of the main window)*
   *3) Click on the "Tweak" button*
   *4) In the right side of the window click on the + sign next to "Scanning Engine"*
   *5) Uncheck the item "Unload recognized processes & modules during scan" (click the green tick to change it to a red cross)*
   *6) Click "Proceed" to save the change.*

5. I ran AA (with no attempted shutdown) again, which resulted in a new quarantine (logs below).
6. I disconnected from the Internet, rebooted my machine and ran AA yet again (with no attempted shutdown). This time, it quarantined only two objects.
7. I rebooted again, still disconnected from the net, and ran AA again (with no attempted shutdown). It came up clean this time.

Thanks very much for your help. I'm posting parts of the logfiles below in the hopes that they may be helpful in some way.
Best,
R
Guest_numbnuts_* | Jul 4 2005, 02:47 PM | Post #4
Hello, bobbylife..

Please follow these instructions carefully, and in the order I give you:

Please clear your cache folder, i.e. the temporary internet folder. There are some free programs that you can use that will do that for you if needed, like CCleaner.

QUOTE

> Cleans the following:
>
> - Internet Explorer Cache, History, Cookies, Index.dat.
> - Recycle Bin, Temporary files and Log files.
> - Recently opened URLs and files.
> - Third-party application temp files and recent file lists (MRUs). Including: Firefox, Opera, Media Player, eMule, Kazaa, Google Toolbar, Netscape, Office XP, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and more...
> - Advanced Registry scanner to remove unused and old entries (includes backup). Including File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help Files, Application Paths, Icons, Invalid Shortcuts and more...
>
> This software is completely free and contains no Spyware or Adware.

Now this is going to take a couple of scans. In the first scan you will remove SahAgent only!!!!

Scan doing a full scan, then after the scan has finished highlight one of the entries that are from SahAgent. Right click and choose the option to mark all of the entries of that group. Remove them, then re-boot your PC.

Now rescan doing a "Full Scan", and once the scan has finished mark and remove the items, then reboot (i.e. re-start your PC).

Then re-scan with Ad-Aware by doing a "Full Scan" and post your logfile here by using the "reply" feature.

Please NOTE: once you fix the Hijackers you will need to set the Start & Search pages in your Browser manually back to your preferred one.

It may take a few scans to complete, but it should work for you. Reboot after each scan.

Please can you clear out your cache folder, i.e. the temporary internet folder. Also please can you make sure that you still have ticks by these: "Unload recognized processes during scanning", "Let Windows remove files in use after reboot."

To do this:

1) Open Ad-Aware SE
2) Click "Settings" (the gear), then click "Tweaks", then click "Scanning Engine"
3) Tick "Unload recognized processes during scanning"
4) Then click "Cleaning Engine" and tick "Let Windows remove files in use after reboot."
5) Then click "Proceed".

Now use the WebUpdate (to make sure you are up to date).

If you want to clean your PC then scan by doing a "Full Scan", and once the scan has finished highlight one of the items that there seems to be a bunch of. Right click and choose the command to highlight all of those entries. Then remove them, then reboot (i.e. re-start your PC). (Do this with all of the items with multiple objects. Then, when you are reduced to just the other items with one or a few, remove them.)

Then re-scan doing a "Full Scan" and then post your logfile here by using the Add-Reply feature.

Regards...
numbnuts..

This post has been edited by numbnuts: Jul 4 2005, 02:50 PM