~ Serenity
Searc-h.com, infotrack.net, etc.
Started by
Ser3nity
, Oct 24 2005 02:17 PM
#31
Posted 01 November 2005 - 06:47 PM
Ser3nity
- Topic Starter
-
- Member
-
- 26 posts
Member
~ Serenity
#32
Posted 01 November 2005 - 06:49 PM
rambro
-
- Member
-
- 1,383 posts
Member 1K
Dear Ser3nity,
3) Once in Safe Mode, please run Killbox. Put a check mark next to "End explorer shell while killing file".
4) In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files. (don't worry if this does not work)
5) Select "Delete on Reboot".
6) Copy the file names below to the
clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\p44uleh91h4.dll
C:\WINDOWS\system32\__delete_on_reboot__rimps.dll
C:\WINDOWS\system32\dvrgres.dll
C:\WINDOWS\system32\guard.tmp
7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Now you will see, this is pasted in the "Full Path of File to Delete" field. There's a little arrow (dropdown-arrow) next to that field. If you expand it, these lines must be there together!
8) Click the red-and-white "Delete File" button.
Click "Ok" at the Delete on Reboot prompt.
Click "Ok" at the Reboot needed prompt.
9) Restart you computer.
3) Once in Safe Mode, please run Killbox. Put a check mark next to "End explorer shell while killing file".
4) In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files. (don't worry if this does not work)
5) Select "Delete on Reboot".
6) Copy the file names below to the
clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\p44uleh91h4.dll
C:\WINDOWS\system32\__delete_on_reboot__rimps.dll
C:\WINDOWS\system32\dvrgres.dll
C:\WINDOWS\system32\guard.tmp
7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Now you will see, this is pasted in the "Full Path of File to Delete" field. There's a little arrow (dropdown-arrow) next to that field. If you expand it, these lines must be there together!
8) Click the red-and-white "Delete File" button.
Click "Ok" at the Delete on Reboot prompt.
Click "Ok" at the Reboot needed prompt.
9) Restart you computer.
#33
Posted 01 November 2005 - 06:55 PM
Ser3nity
- Topic Starter
-
- Member
-
- 26 posts
Member
C:\WINDOWS\system32\p44uleh91h4.dll is the only file (out of those that I was told to copy and paste) that's showing up in the drop down menu (aside from the temp files). I copied all of them though... am I being stupid here?
#35
Posted 01 November 2005 - 07:05 PM
Ser3nity
- Topic Starter
-
- Member
-
- 26 posts
Member
Done!
~ Serenity
~ Serenity
#36
Posted 01 November 2005 - 07:06 PM
rambro
-
- Member
-
- 1,383 posts
Member 1K
And the results (in detail)?
#37
Posted 01 November 2005 - 07:09 PM
Ser3nity
- Topic Starter
-
- Member
-
- 26 posts
Member
Nothing has changed. File 020 is still there and I'm still getting pop-ups/re-directed.
~ Serenity
~ Serenity
#38
Posted 01 November 2005 - 07:35 PM
rambro
-
- Member
-
- 1,383 posts
Member 1K
Dear Ser3nity, 
I would like you to run a new application. But first I would like you to save a copy of your present registry to your desktop in case of any problems that might occur. Here is how it is done:
Back up your current registry
1) Click on the Start button.
2) From the menu that appears, choose Run.
3) In the window that appears, there is a text area labeled Open. In that area, type "regedit" (without the quotation marks").
4) Click the OK button (or hit the Enter or Return key on your keyboard).
5) The Registry Editor window should open.
6) If My Computer is not highlighted, click on it once so that it is highlighted.
7) On the menu bar, click on Registry and then click on Export Registry File.
8) The Export Registry File window will appear. In the Save In drop-down box at the top, choose Desktop.
9) In the File Name box at the bottom, type "backup" (without the quotation marks), then click the Save button.
10) A backup copy of the entire registry will now be saved to your desktop in case something goes wrong.
Notes:
* To restore the registry from the backup file you made, follow the same steps as above, but in step 2 choose Import Registry File instead of Export Registry File. Or, alternatively, you could double-click on the backup file on the desktop and answer Yes when it asks if you want to import the information into the registry.
* Once you've made changes to the registry and you are sure that you no longer need the backup file you made, simply delete it from the desktop.
See the following link: http://helpdesk.umd....ndows_2000/555/. Pay attention to the following sections: Starting the Registry Editor and Backing Up the Registry.
****************************
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
To disable SpySweeper Shields
Please restart your computer and then post a new HijackThis log, along with the log from the SpySweeper application.
In addition, let me know in detail how your computer system is running after performing the above steps.
I would like you to run a new application. But first I would like you to save a copy of your present registry to your desktop in case of any problems that might occur. Here is how it is done:
Back up your current registry
1) Click on the Start button.
2) From the menu that appears, choose Run.
3) In the window that appears, there is a text area labeled Open. In that area, type "regedit" (without the quotation marks").
4) Click the OK button (or hit the Enter or Return key on your keyboard).
5) The Registry Editor window should open.
6) If My Computer is not highlighted, click on it once so that it is highlighted.
7) On the menu bar, click on Registry and then click on Export Registry File.
8) The Export Registry File window will appear. In the Save In drop-down box at the top, choose Desktop.
9) In the File Name box at the bottom, type "backup" (without the quotation marks), then click the Save button.
10) A backup copy of the entire registry will now be saved to your desktop in case something goes wrong.
Notes:
* To restore the registry from the backup file you made, follow the same steps as above, but in step 2 choose Import Registry File instead of Export Registry File. Or, alternatively, you could double-click on the backup file on the desktop and answer Yes when it asks if you want to import the information into the registry.
* Once you've made changes to the registry and you are sure that you no longer need the backup file you made, simply delete it from the desktop.
See the following link: http://helpdesk.umd....ndows_2000/555/. Pay attention to the following sections: Starting the Registry Editor and Backing Up the Registry.
****************************
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
- Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers" to download the program.
- Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directory as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
- Once the program is installed, it will open.
- It will prompt you to update to the latest definitions, click "Yes".
- Once the definitions are installed, click "Sweep Now" on the left side.
- Click the "Start" button.
- When it's done scanning, click the "Next" button.
- Make sure everything has a check next to it, then click the "Next" button.
- It will remove all of the items found.
- Click "Session Log" in the upper right corner, copy everything in that window.
- Click the Summary tab and click "Finish".
- Paste the contents of the session log you copied into your next reply.
To disable SpySweeper Shields
- Click "Shields" on the left.
- Click "Internet Explorer" and uncheck all items.
- Click "Windows System" and uncheck all items.
- Click "Startup Programs" and uncheck all items.
- Exit Spysweeper.
Please restart your computer and then post a new HijackThis log, along with the log from the SpySweeper application.
In addition, let me know in detail how your computer system is running after performing the above steps.
Edited by rambro, 01 November 2005 - 09:06 PM.
#39
Posted 01 November 2005 - 09:20 PM
Ser3nity
- Topic Starter
-
- Member
-
- 26 posts
Member
Rambro,
I just finished doing as you asked, and here are the results:
Logfile of HijackThis v1.99.1
Scan saved at 9:16:04 PM, on 11/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130088941562
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\l02slaf71d2.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
Here're the Spy Sweeper results:
********
8:44 PM: | Start of Session, Tuesday, November 01, 2005 |
8:44 PM: Spy Sweeper started
8:44 PM: Sweep initiated using definitions version 564
8:44 PM: Starting Memory Sweep
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: Found Adware: icannnews
8:45 PM: Detected running threat: C:\WINDOWS\system32\lv0809due.dll (ID = 83)
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: Memory Sweep Complete, Elapsed Time: 00:01:57
8:46 PM: Starting Registry Sweep
8:47 PM: Found Adware: quicklink search toolbar
8:47 PM: HKLM\software\ql\ (4 subtraces) (ID = 359458)
8:47 PM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
8:47 PM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
8:47 PM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
8:47 PM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
8:47 PM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
8:47 PM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
8:47 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
8:47 PM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
8:47 PM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
8:47 PM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
8:47 PM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
8:47 PM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
8:47 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
8:47 PM: Found Adware: instant access
8:47 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
8:47 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
8:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
8:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
8:47 PM: Found Adware: targetsaver
8:47 PM: HKU\S-1-5-21-1177238915-813497703-1417001333-1003\software\tsl2\ (1 subtraces) (ID = 143616)
8:47 PM: Registry Sweep Complete, Elapsed Time:00:00:29
8:47 PM: Starting Cookie Sweep
8:47 PM: Found Spy Cookie: 2o7.net cookie
8:47 PM: tammy@2o7[2].txt (ID = 1957)
8:47 PM: Found Spy Cookie: 888 cookie
8:47 PM: tammy@888[1].txt (ID = 2019)
8:47 PM: Found Spy Cookie: yieldmanager cookie
8:47 PM: [email protected][1].txt (ID = 3751)
8:47 PM: Found Spy Cookie: hbmediapro cookie
8:47 PM: [email protected][2].txt (ID = 2768)
8:47 PM: Found Spy Cookie: adprofile cookie
8:47 PM: tammy@adprofile[2].txt (ID = 2084)
8:47 PM: Found Spy Cookie: falkag cookie
8:47 PM: [email protected][1].txt (ID = 2650)
8:47 PM: Found Spy Cookie: ask cookie
8:47 PM: tammy@ask[1].txt (ID = 2245)
8:47 PM: Found Spy Cookie: atwola cookie
8:47 PM: tammy@atwola[1].txt (ID = 2255)
8:47 PM: Found Spy Cookie: azjmp cookie
8:47 PM: tammy@azjmp[1].txt (ID = 2270)
8:47 PM: Found Spy Cookie: enhance cookie
8:47 PM: [email protected][1].txt (ID = 2614)
8:47 PM: Found Spy Cookie: gamespy cookie
8:47 PM: tammy@gamespy[1].txt (ID = 2719)
8:47 PM: Found Spy Cookie: starware.com cookie
8:47 PM: [email protected][2].txt (ID = 3442)
8:47 PM: Found Spy Cookie: top-banners cookie
8:47 PM: [email protected][1].txt (ID = 3548)
8:47 PM: Found Spy Cookie: go.com cookie
8:47 PM: [email protected][1].txt (ID = 2729)
8:47 PM: [email protected][1].txt (ID = 2729)
8:47 PM: Found Spy Cookie: aptimus cookie
8:47 PM: [email protected][1].txt (ID = 2235)
8:47 PM: Found Spy Cookie: nextag cookie
8:47 PM: tammy@nextag[1].txt (ID = 5014)
8:47 PM: Found Spy Cookie: partypoker cookie
8:47 PM: tammy@partypoker[2].txt (ID = 3111)
8:47 PM: Found Spy Cookie: overture cookie
8:47 PM: [email protected][1].txt (ID = 3106)
8:47 PM: Found Spy Cookie: reliablestats cookie
8:47 PM: [email protected][1].txt (ID = 3254)
8:47 PM: Found Spy Cookie: sexsearch cookie
8:47 PM: [email protected][1].txt (ID = 3358)
8:47 PM: Found Spy Cookie: epilot cookie
8:47 PM: [email protected][2].txt (ID = 2622)
8:47 PM: [email protected][1].txt (ID = 3442)
8:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
8:47 PM: Starting File Sweep
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: c:\program files\quick links (1 subtraces) (ID = -2147478145)
8:47 PM: c:\program files\quicklinks (1 subtraces) (ID = -2147468660)
8:47 PM: Found Adware: redswoosh
8:47 PM: c:\program files\rsnet (8 subtraces) (ID = -2147480402)
8:47 PM: Found Adware: look2me
8:47 PM: appwrap[1].exe (ID = 65721)
8:47 PM: appwrap[1].exe (ID = 65722)
8:47 PM: appwrap[1].exe (ID = 65739)
8:48 PM: icont.exe (ID = 65722)
8:48 PM: bw2.com (ID = 65721)
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: iconu.exe (ID = 65721)
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: Found Trojan Horse: trojan downloader sysupdates
8:50 PM: wsebate1.exe (ID = 80968)
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: Found Adware: apropos
8:51 PM: wingenerics.dll (ID = 50187)
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: qlutility.exe (ID = 168232)
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: qllib.dll (ID = 168233)
8:54 PM: atmtd.dll (ID = 166754)
8:55 PM: atmtd.dll._ (ID = 166754)
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: Found Adware: twain-tech
8:56 PM: polmx.inf (ID = 81856)
8:56 PM: twaintec.inf (ID = 81889)
8:56 PM: twaintec.inf (ID = 81889)
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: File Sweep Complete, Elapsed Time: 00:12:03
8:59 PM: Full Sweep has completed. Elapsed time 00:14:35
8:59 PM: Traces Found: 157
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 PM: Removal process initiated
9:08 PM: Quarantining All Traces: look2me
9:08 PM: Quarantining All Traces: apropos
9:08 PM: apropos is in use. It will be removed on reboot.
9:08 PM: wingenerics.dll is in use. It will be removed on reboot.
9:08 PM: Quarantining All Traces: icannnews
9:08 PM: icannnews is in use. It will be removed on reboot.
9:08 PM: C:\WINDOWS\system32\lv0809due.dll is in use. It will be removed on reboot.
9:08 PM: Quarantining All Traces: instant access
9:08 PM: Quarantining All Traces: quicklink search toolbar
9:08 PM: Quarantining All Traces: redswoosh
9:08 PM: Quarantining All Traces: targetsaver
9:08 PM: Quarantining All Traces: trojan downloader sysupdates
9:08 PM: Quarantining All Traces: twain-tech
9:08 PM: Quarantining All Traces: 2o7.net cookie
9:08 PM: Quarantining All Traces: 888 cookie
9:08 PM: Quarantining All Traces: adprofile cookie
9:08 PM: Quarantining All Traces: aptimus cookie
9:08 PM: Quarantining All Traces: ask cookie
9:08 PM: Quarantining All Traces: atwola cookie
9:08 PM: Quarantining All Traces: azjmp cookie
9:08 PM: Quarantining All Traces: enhance cookie
9:08 PM: Quarantining All Traces: epilot cookie
9:08 PM: Quarantining All Traces: falkag cookie
9:08 PM: Quarantining All Traces: gamespy cookie
9:08 PM: Quarantining All Traces: go.com cookie
9:08 PM: Quarantining All Traces: hbmediapro cookie
9:08 PM: Quarantining All Traces: nextag cookie
9:08 PM: Quarantining All Traces: overture cookie
9:08 PM: Quarantining All Traces: partypoker cookie
9:08 PM: Quarantining All Traces: reliablestats cookie
9:08 PM: Quarantining All Traces: sexsearch cookie
9:08 PM: Quarantining All Traces: starware.com cookie
9:08 PM: Quarantining All Traces: top-banners cookie
9:08 PM: Quarantining All Traces: yieldmanager cookie
9:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 PM: Removal process completed. Elapsed time 00:00:48
********
8:42 PM: | Start of Session, Tuesday, November 01, 2005 |
8:42 PM: Spy Sweeper started
8:43 PM: Your spyware definitions have been updated.
8:44 PM: | End of Session, Tuesday, November 01, 2005 |
As for how my computer is running... well, I'm still having my usual problems.
~ Serenity
I just finished doing as you asked, and here are the results:
Logfile of HijackThis v1.99.1
Scan saved at 9:16:04 PM, on 11/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130088941562
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\l02slaf71d2.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
Here're the Spy Sweeper results:
********
8:44 PM: | Start of Session, Tuesday, November 01, 2005 |
8:44 PM: Spy Sweeper started
8:44 PM: Sweep initiated using definitions version 564
8:44 PM: Starting Memory Sweep
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: Found Adware: icannnews
8:45 PM: Detected running threat: C:\WINDOWS\system32\lv0809due.dll (ID = 83)
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: Memory Sweep Complete, Elapsed Time: 00:01:57
8:46 PM: Starting Registry Sweep
8:47 PM: Found Adware: quicklink search toolbar
8:47 PM: HKLM\software\ql\ (4 subtraces) (ID = 359458)
8:47 PM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
8:47 PM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
8:47 PM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
8:47 PM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
8:47 PM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
8:47 PM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
8:47 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
8:47 PM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
8:47 PM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
8:47 PM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
8:47 PM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
8:47 PM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
8:47 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
8:47 PM: Found Adware: instant access
8:47 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
8:47 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
8:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
8:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
8:47 PM: Found Adware: targetsaver
8:47 PM: HKU\S-1-5-21-1177238915-813497703-1417001333-1003\software\tsl2\ (1 subtraces) (ID = 143616)
8:47 PM: Registry Sweep Complete, Elapsed Time:00:00:29
8:47 PM: Starting Cookie Sweep
8:47 PM: Found Spy Cookie: 2o7.net cookie
8:47 PM: tammy@2o7[2].txt (ID = 1957)
8:47 PM: Found Spy Cookie: 888 cookie
8:47 PM: tammy@888[1].txt (ID = 2019)
8:47 PM: Found Spy Cookie: yieldmanager cookie
8:47 PM: [email protected][1].txt (ID = 3751)
8:47 PM: Found Spy Cookie: hbmediapro cookie
8:47 PM: [email protected][2].txt (ID = 2768)
8:47 PM: Found Spy Cookie: adprofile cookie
8:47 PM: tammy@adprofile[2].txt (ID = 2084)
8:47 PM: Found Spy Cookie: falkag cookie
8:47 PM: [email protected][1].txt (ID = 2650)
8:47 PM: Found Spy Cookie: ask cookie
8:47 PM: tammy@ask[1].txt (ID = 2245)
8:47 PM: Found Spy Cookie: atwola cookie
8:47 PM: tammy@atwola[1].txt (ID = 2255)
8:47 PM: Found Spy Cookie: azjmp cookie
8:47 PM: tammy@azjmp[1].txt (ID = 2270)
8:47 PM: Found Spy Cookie: enhance cookie
8:47 PM: [email protected][1].txt (ID = 2614)
8:47 PM: Found Spy Cookie: gamespy cookie
8:47 PM: tammy@gamespy[1].txt (ID = 2719)
8:47 PM: Found Spy Cookie: starware.com cookie
8:47 PM: [email protected][2].txt (ID = 3442)
8:47 PM: Found Spy Cookie: top-banners cookie
8:47 PM: [email protected][1].txt (ID = 3548)
8:47 PM: Found Spy Cookie: go.com cookie
8:47 PM: [email protected][1].txt (ID = 2729)
8:47 PM: [email protected][1].txt (ID = 2729)
8:47 PM: Found Spy Cookie: aptimus cookie
8:47 PM: [email protected][1].txt (ID = 2235)
8:47 PM: Found Spy Cookie: nextag cookie
8:47 PM: tammy@nextag[1].txt (ID = 5014)
8:47 PM: Found Spy Cookie: partypoker cookie
8:47 PM: tammy@partypoker[2].txt (ID = 3111)
8:47 PM: Found Spy Cookie: overture cookie
8:47 PM: [email protected][1].txt (ID = 3106)
8:47 PM: Found Spy Cookie: reliablestats cookie
8:47 PM: [email protected][1].txt (ID = 3254)
8:47 PM: Found Spy Cookie: sexsearch cookie
8:47 PM: [email protected][1].txt (ID = 3358)
8:47 PM: Found Spy Cookie: epilot cookie
8:47 PM: [email protected][2].txt (ID = 2622)
8:47 PM: [email protected][1].txt (ID = 3442)
8:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
8:47 PM: Starting File Sweep
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: c:\program files\quick links (1 subtraces) (ID = -2147478145)
8:47 PM: c:\program files\quicklinks (1 subtraces) (ID = -2147468660)
8:47 PM: Found Adware: redswoosh
8:47 PM: c:\program files\rsnet (8 subtraces) (ID = -2147480402)
8:47 PM: Found Adware: look2me
8:47 PM: appwrap[1].exe (ID = 65721)
8:47 PM: appwrap[1].exe (ID = 65722)
8:47 PM: appwrap[1].exe (ID = 65739)
8:48 PM: icont.exe (ID = 65722)
8:48 PM: bw2.com (ID = 65721)
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: iconu.exe (ID = 65721)
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: Found Trojan Horse: trojan downloader sysupdates
8:50 PM: wsebate1.exe (ID = 80968)
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: Found Adware: apropos
8:51 PM: wingenerics.dll (ID = 50187)
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: qlutility.exe (ID = 168232)
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: qllib.dll (ID = 168233)
8:54 PM: atmtd.dll (ID = 166754)
8:55 PM: atmtd.dll._ (ID = 166754)
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: Found Adware: twain-tech
8:56 PM: polmx.inf (ID = 81856)
8:56 PM: twaintec.inf (ID = 81889)
8:56 PM: twaintec.inf (ID = 81889)
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: File Sweep Complete, Elapsed Time: 00:12:03
8:59 PM: Full Sweep has completed. Elapsed time 00:14:35
8:59 PM: Traces Found: 157
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 PM: Removal process initiated
9:08 PM: Quarantining All Traces: look2me
9:08 PM: Quarantining All Traces: apropos
9:08 PM: apropos is in use. It will be removed on reboot.
9:08 PM: wingenerics.dll is in use. It will be removed on reboot.
9:08 PM: Quarantining All Traces: icannnews
9:08 PM: icannnews is in use. It will be removed on reboot.
9:08 PM: C:\WINDOWS\system32\lv0809due.dll is in use. It will be removed on reboot.
9:08 PM: Quarantining All Traces: instant access
9:08 PM: Quarantining All Traces: quicklink search toolbar
9:08 PM: Quarantining All Traces: redswoosh
9:08 PM: Quarantining All Traces: targetsaver
9:08 PM: Quarantining All Traces: trojan downloader sysupdates
9:08 PM: Quarantining All Traces: twain-tech
9:08 PM: Quarantining All Traces: 2o7.net cookie
9:08 PM: Quarantining All Traces: 888 cookie
9:08 PM: Quarantining All Traces: adprofile cookie
9:08 PM: Quarantining All Traces: aptimus cookie
9:08 PM: Quarantining All Traces: ask cookie
9:08 PM: Quarantining All Traces: atwola cookie
9:08 PM: Quarantining All Traces: azjmp cookie
9:08 PM: Quarantining All Traces: enhance cookie
9:08 PM: Quarantining All Traces: epilot cookie
9:08 PM: Quarantining All Traces: falkag cookie
9:08 PM: Quarantining All Traces: gamespy cookie
9:08 PM: Quarantining All Traces: go.com cookie
9:08 PM: Quarantining All Traces: hbmediapro cookie
9:08 PM: Quarantining All Traces: nextag cookie
9:08 PM: Quarantining All Traces: overture cookie
9:08 PM: Quarantining All Traces: partypoker cookie
9:08 PM: Quarantining All Traces: reliablestats cookie
9:08 PM: Quarantining All Traces: sexsearch cookie
9:08 PM: Quarantining All Traces: starware.com cookie
9:08 PM: Quarantining All Traces: top-banners cookie
9:08 PM: Quarantining All Traces: yieldmanager cookie
9:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 PM: Removal process completed. Elapsed time 00:00:48
********
8:42 PM: | Start of Session, Tuesday, November 01, 2005 |
8:42 PM: Spy Sweeper started
8:43 PM: Your spyware definitions have been updated.
8:44 PM: | End of Session, Tuesday, November 01, 2005 |
As for how my computer is running... well, I'm still having my usual problems.
~ Serenity
#40
Posted 01 November 2005 - 09:29 PM
rambro
-
- Member
-
- 1,383 posts
Member 1K
Dear Ser3nity,
I am going to talk to some other members in this forum about your malware infection, for any suggestions. I will post back to you on what I find out. Take care.
rambro
I am going to talk to some other members in this forum about your malware infection, for any suggestions. I will post back to you on what I find out. Take care.
rambro
#41
Posted 02 November 2005 - 09:05 AM
rambro
-
- Member
-
- 1,383 posts
Member 1K
Dear Ser3nity,
(After conferring with other people in this forum, I found these set of instructions, it is in three parts. Since we know that the random file changes at each reboot, try not to reboot the computer between posts one and two, in this series of posts. Due to the fact of the random file change at each reboot, if you want to schedule a time (your time schedule in your part of the USA), to carry out these posts, feel free to scheldule a time (if you want to).)
You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
Do not restart your computer.
(After conferring with other people in this forum, I found these set of instructions, it is in three parts. Since we know that the random file changes at each reboot, try not to reboot the computer between posts one and two, in this series of posts. Due to the fact of the random file change at each reboot, if you want to schedule a time (your time schedule in your part of the USA), to carry out these posts, feel free to scheldule a time (if you want to).)
You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
Do not restart your computer.
#42
Posted 03 November 2005 - 07:23 AM
rambro
-
- Member
-
- 1,383 posts
Member 1K
Dear Ser3nity,
Before you try my last post you might want to try this:
Make sure you have version 4.5 of Webroot's SpySweeper and make sure this application's "file definitions" are up to date.
Run Webroot's Spysweeper, let it fix anything it finds and then let it reboot (that is restart your computer).
Then run "Post #9" (i.e. upper right hand corner).
Then run "Post #12".
rambro
Before you try my last post you might want to try this:
Make sure you have version 4.5 of Webroot's SpySweeper and make sure this application's "file definitions" are up to date.
Run Webroot's Spysweeper, let it fix anything it finds and then let it reboot (that is restart your computer).
Then run "Post #9" (i.e. upper right hand corner).
Then run "Post #12".
rambro
Edited by rambro, 03 November 2005 - 07:35 AM.
#43
Posted 05 November 2005 - 11:10 PM
Ser3nity
- Topic Starter
-
- Member
-
- 26 posts
Member
Hmm... a good time for me would probably be around 8:00pm CST, on Tuesdays or Thursdays.
~ Serenity
~ Serenity
Edited by Ser3nity, 05 November 2005 - 11:13 PM.
#44
Posted 06 November 2005 - 05:27 PM
rambro
-
- Member
-
- 1,383 posts
Member 1K
Dear Ser3nity,
I was looking through some logs in the Geekstogo forum, and I found a log that is similar to your log. See the following link: http://www.geekstogo...opic=74203&st=0.
Look at post #3 and #4 from that link. The user runs "WebRoot SpySweeper" and then reboots. The user then runs the two parts of the L2mfix. See post #42 of your thread. Well here is an example, when a user performs the instructions in that post (post #42) in your thread.
rambro
I was looking through some logs in the Geekstogo forum, and I found a log that is similar to your log. See the following link: http://www.geekstogo...opic=74203&st=0.
Look at post #3 and #4 from that link. The user runs "WebRoot SpySweeper" and then reboots. The user then runs the two parts of the L2mfix. See post #42 of your thread. Well here is an example, when a user performs the instructions in that post (post #42) in your thread.
rambro
#45
Posted 08 November 2005 - 08:19 PM
Ser3nity
- Topic Starter
-
- Member
-
- 26 posts
Member
Rambro,
Okay... so I just noticed I had Trojan Hunter running at start up. I have no idea why I didn't notice it before... but yeah, I turned that off, and tried Spy Sweeper and L2MFix again. It actually WORKED this time. Thank you so much for all of your patience with me, and for taking the time to help me. You rock
~ Serenity
Okay... so I just noticed I had Trojan Hunter running at start up. I have no idea why I didn't notice it before... but yeah, I turned that off, and tried Spy Sweeper and L2MFix again. It actually WORKED this time. Thank you so much for all of your patience with me, and for taking the time to help me. You rock
~ Serenity
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
