
Aurora! [RESOLVED]


#1 sh4d0wz (Member, 52 posts)
Need help with removing the malware "aurora". I've used tons of different programs but none of them work, so I hope someone can help me. I've experienced random pop-ups every few minutes when there is a connection to the internet, so I end up unplugging my modem a lot this week :tazz: I'm not sure if I really have "aurora", but other people who made complaints about it seem to match what I'm experiencing. If it isn't "aurora" then please tell me and how to fix the problem :) I've tried using many programs like Ad-aware, Spybot, Spyware Doctor, AVG antivirus, Norton antivirus, McAfee, ewido security suite, CleanUp! and some other programs I might have forgotten about, so I hope someone out there can help me :) Here's the logfile

Logfile of HijackThis v1.99.1
Scan saved at 7:31:20 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\2005102812518_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\20051028125114_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [uuwm] C:\PROGRA~1\COMMON~1\uuwm\uuwmm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: ??QQ????? - C:\Program Files\Tencent\qq\NAF.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ATS??????????(503b.) - {B270F4FF-FFC3-44A9-ACDB-63B0E4EBF58C} - C:\PROGRA~1\ATS-WW~1.NET\ats.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.c...nger.yahoo.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: IntlRun.OC - C:\WINDOWS\system32\h6n0lg5m16.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3 sh4d0wz (Topic Starter, Member, 52 posts)
Ok, here's the logfile. However, the pop-ups all of a sudden stopped, but please check for me if I still have it and any other problems. Thank you! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 4:27:05 PM, on 11/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\2005102812518_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\20051028125114_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [uuwm] C:\PROGRA~1\COMMON~1\uuwm\uuwmm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: ??QQ????? - C:\Program Files\Tencent\qq\NAF.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ATS??????????(503b.) - {B270F4FF-FFC3-44A9-ACDB-63B0E4EBF58C} - C:\PROGRA~1\ATS-WW~1.NET\ats.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.c...nger.yahoo.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: drivers.desc - C:\WINDOWS\system32\gpnul3591.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 Buckeye_Sam (Malware Expert, 10,019 posts)
Your log still shows a few issues.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#5 sh4d0wz (Topic Starter, Member, 52 posts)
Ok, I did what you told me. Here's the notepad report.

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drivers.desc]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpnul3591.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
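As an added example (not part of this thread, and not code from L2Mfix or HijackThis), here is a small Python triage script for exactly the review the find log above is meant for: it reads a regedit 5.00 export of the Winlogon\Notify key (or the O20 lines of a HijackThis log), decodes the hex(2) REG_EXPAND_SZ DllName values, and flags any Notify package that is not one of the stock Windows XP entries. The baseline table is an assumption built from the stock entries visible in the log above, and the sample export and O20 line are constructed from the thread's own entries; `drivers.desc` is the entry HijackThis reported as O20 in the second log.

```python
"""Triage a Winlogon\\Notify registry export or HijackThis O20 lines.

Added example for this thread; not part of L2Mfix or HijackThis. Each Notify
subkey is looked up in a baseline of stock Windows XP packages and the DLL it
should load. Anything outside that baseline, a DLL name that does not match,
or a stock package pointed at an absolute path is reported for review.
"""
import re

# Assumed baseline: stock XP Notify packages and their DLLs, taken from the
# stock entries that appear in the find log above (lower-cased subkey names).
KNOWN_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Constructed sample export: three of the subkeys from the log above, covering
# a hex(2) value with a continuation line, a plain string, and an absolute path.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drivers.desc]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpnul3591.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""

# Constructed sample HijackThis line, copied from the first log in the thread.
SAMPLE_HJT = "O20 - Winlogon Notify: IntlRun.OC - C:\\WINDOWS\\system32\\h6n0lg5m16.dll\n"

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)\s*$")


def _decode_hex2(blob: str) -> str:
    """Decode a regedit hex(2) value: comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in blob.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> dict:
    """Return {subkey: dllname} for every Notify subkey in a .reg export."""
    # A trailing backslash means the value continues on the next line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"\[(.+)\]$", line)
        if key:
            name = key.group(1)
            is_sub = name.lower().startswith(NOTIFY_PREFIX.lower())
            current = name[len(NOTIFY_PREFIX):] if is_sub else None
            continue
        val = re.match(r'"DllName"=(.*)$', line, re.IGNORECASE)
        if current is None or not val:
            continue
        value = val.group(1)
        if value.lower().startswith("hex(2):"):
            entries[current] = _decode_hex2(value[len("hex(2):"):])
        else:
            # Plain REG_SZ: strip quotes and un-double the backslashes.
            entries[current] = value.strip('"').replace("\\\\", "\\")
    return entries


def parse_hjt_o20(log_text: str) -> dict:
    """Return {subkey: dllname} from the O20 lines of a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("dll")
    return entries


def triage(entries: dict) -> list:
    """Return (subkey, dllname, reason) for every entry outside the baseline."""
    findings = []
    for name, dll in entries.items():
        expected = KNOWN_NOTIFY.get(name.lower())
        basename = dll.rsplit("\\", 1)[-1].lower()
        if expected is None:
            findings.append((name, dll, "unknown Notify package"))
        elif basename != expected:
            findings.append((name, dll, f"expected {expected}"))
        elif "\\" in dll:
            findings.append((name, dll, "absolute path for stock DLL"))
    return findings


if __name__ == "__main__":
    for source in (parse_notify_export(SAMPLE_EXPORT), parse_hjt_o20(SAMPLE_HJT)):
        for name, dll, reason in triage(source):
            print(f"{name}: {dll} ({reason})")
```

Run against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`), the script reports only the entries worth a second look, which is the same judgement the helper makes by eye on the find log above; the baseline is only a starting point and should be extended with any legitimate third-party Notify packages present on the machine.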

#6 Buckeye_Sam (Malware Expert, 10,019 posts)
There should have been more to that log, but I can see what I needed to.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

#7 sh4d0wz (Topic Starter, Member, 52 posts)
Ok, I did the reboot thing with the run fix and here's the report; the HijackThis log is under it. Also the pop-ups started again after I did the run fix :tazz:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1720 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1480 'rundll32.exe'
Killing PID 164 'rundll32.exe'
Killing PID 352 'rundll32.exe'
Error 0x6 : The handle is invalid.


Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ogesvr.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\ogesvr.dll
Successfully Deleted: C:\WINDOWS\system32\ogesvr.dll


Zipping up files for submission:
adding: ogesvr.dll (188 bytes security) (deflated 5%)
adding: clear.reg (188 bytes security) (deflated 63%)
adding: avi_log.txt (188 bytes security) (deflated 94%)
adding: lo2.txt (188 bytes security) (deflated 56%)
adding: log.txt (188 bytes security) (deflated 88%)
adding: Oscar.Txt (188 bytes security) (stored 0%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (deflated 44%)
adding: test3.txt (188 bytes security) (deflated 44%)
adding: test5.txt (188 bytes security) (deflated 44%)
adding: xfind.txt (188 bytes security) (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: ogesvr.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ogesvr.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{36416959-9E0E-4594-BBFF-86AB0B12074F}"=-
"{A1BE6D87-50F4-4119-9E0F-709E138B3904}"=-
"{CAC9FAFF-6CE2-4A3C-9371-4FEAB5215958}"=-
"{E3C0A223-06ED-48D6-9EC0-664E581F75B2}"=-
"{0C123FBA-EF05-448B-A329-A124670EF57F}"=-
"{EACA5881-E58A-4A71-AB42-E2CB2E7892D6}"=-
"{B55B0389-FC8E-49D1-B317-9E00A583A65B}"=-
"{3DF934EA-3F0D-4A38-B219-407743D5AF9B}"=-
"{01A4C217-3422-4B1C-82C4-DA25A18B2667}"=-
[-HKEY_CLASSES_ROOT\CLSID\{36416959-9E0E-4594-BBFF-86AB0B12074F}]
[-HKEY_CLASSES_ROOT\CLSID\{A1BE6D87-50F4-4119-9E0F-709E138B3904}]
[-HKEY_CLASSES_ROOT\CLSID\{CAC9FAFF-6CE2-4A3C-9371-4FEAB5215958}]
[-HKEY_CLASSES_ROOT\CLSID\{E3C0A223-06ED-48D6-9EC0-664E581F75B2}]
[-HKEY_CLASSES_ROOT\CLSID\{0C123FBA-EF05-448B-A329-A124670EF57F}]
[-HKEY_CLASSES_ROOT\CLSID\{EACA5881-E58A-4A71-AB42-E2CB2E7892D6}]
[-HKEY_CLASSES_ROOT\CLSID\{B55B0389-FC8E-49D1-B317-9E00A583A65B}]
[-HKEY_CLASSES_ROOT\CLSID\{3DF934EA-3F0D-4A38-B219-407743D5AF9B}]
[-HKEY_CLASSES_ROOT\CLSID\{01A4C217-3422-4B1C-82C4-DA25A18B2667}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Here's the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 5:53:51 AM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\2005102812518_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\20051028125114_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [uuwm] C:\PROGRA~1\COMMON~1\uuwm\uuwmm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: ??QQ????? - C:\Program Files\Tencent\qq\NAF.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ATS??????????(503b.) - {B270F4FF-FFC3-44A9-ACDB-63B0E4EBF58C} - C:\PROGRA~1\ATS-WW~1.NET\ats.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.c...nger.yahoo.com/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#8
Buckeye_Sam (Malware Expert, 10,019 posts)
That tool only took care of your Look2Me infection. You still have at least two more that we'll get right now, and then another issue we'll take care of in the next round.

Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
    O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
    O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\2005102812518_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\20051028125114_mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [uuwm] C:\PROGRA~1\COMMON~1\uuwm\uuwmm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: ??QQ????? - C:\Program Files\Tencent\qq\NAF.htm
    O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
    O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
    O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: ATS??????????(503b.) - {B270F4FF-FFC3-44A9-ACDB-63B0E4EBF58C} - C:\PROGRA~1\ATS-WW~1.NET\ats.exe (file missing)
    O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.c...nger.yahoo.com/ (file missing)
    O11 - Options group: [!CNS] Chinese keywords



  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\PROGRAM FILES\3721 <-- delete this folder
    C:\PROGRAM FILES\COMMON FILES\uuwm <-- delete this folder
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\cnshook.dll
Reboot your computer to go back to normal mode and post a new log.
  • 0

#9
sh4d0wz (Topic Starter, Member, 52 posts)
OK, I deleted the entries with HijackThis; however, the files you told me to delete in Safe Mode don't seem to exist. Well, here is the new log. Some of the entries you told me to delete come back.

Logfile of HijackThis v1.99.1
Scan saved at 6:16:44 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: drivers32 - C:\WINDOWS\system32\jt0407dqe.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by sh4d0wz, 05 November 2005 - 03:22 AM.

  • 0
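The log above shows the pattern a helper looks for between rounds: which fixed entries came back after the reboot and what is new (here the O20 Winlogon Notify line). The following Python script is an added example, not part of this thread or of HijackThis itself; it diffs two logs and flags entries worth a closer look with a few heuristics of my own. The two sample logs are short excerpts of the logs posted above.

```python
import re
from typing import Dict, List, Set, Tuple

# One HijackThis entry, e.g. "O4 - HKLM\..\Run: [CnsMin] Rundll32.exe ..."
# is split into its section code ("O4") and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Heuristics (my own, not HijackThis rules) that mark an entry for review.
# They only say "look closer"; a human still decides what to fix.
HEURISTICS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.I),
     "autorun launched from a Temp folder"),
    (re.compile(r"\(file missing\)$", re.I),
     "dangling reference to a file that no longer exists"),
    (re.compile(r"^O20 - Winlogon Notify:", re.I),
     "DLL loaded into winlogon.exe at every logon"),
    (re.compile(r"^O10 - Broken Internet access", re.I),
     "Winsock LSP chain points at a missing provider"),
    (re.compile(r"DOWNLO~1|Downloaded Program Files", re.I),
     "component started from Downloaded Program Files"),
]

# Constructed excerpts of the two logs posted in this thread (before and
# after the HijackThis "Fix checked" round).
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\TINGZH~1\LOCALS~1\Temp\2005102812518_mcinfo.exe /insfin
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
"""

AFTER_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O20 - Winlogon Notify: drivers32 - C:\WINDOWS\system32\jt0407dqe.dll
"""


def parse_hjt(log: str) -> Dict[str, Set]:
    """Split a HijackThis log into its running-process list and its entries."""
    processes: Set[str] = set()
    entries: Set[Tuple[str, str]] = set()
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())   # Windows paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group("code"), m.group("body")))
    return {"processes": processes, "entries": entries}


def diff_logs(before: str, after: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Entries a fix removed, entries that survived it, and entries that are new."""
    b = parse_hjt(before)["entries"]
    a = parse_hjt(after)["entries"]
    return {"removed": b - a, "persisted": b & a, "new": a - b}


def triage(log: str) -> List[Dict[str, object]]:
    """Every entry that trips at least one heuristic, with the reasons why."""
    flagged: List[Dict[str, object]] = []
    for code, body in sorted(parse_hjt(log)["entries"]):
        full = f"{code} - {body}"
        reasons = [why for pattern, why in HEURISTICS if pattern.search(full)]
        if reasons:
            flagged.append({"code": code, "entry": full, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    report = diff_logs(BEFORE_LOG, AFTER_LOG)
    for kind in ("removed", "persisted", "new"):
        print(f"== {kind} ==")
        for code, body in sorted(report[kind]):
            print(f"  {code} - {body}")
    print("== worth a closer look in the new log ==")
    for item in triage(AFTER_LOG):
        print(f"  {item['entry']}\n    -> {'; '.join(item['reasons'])}")
```

An entry in the "persisted" set after a reboot means something still running (here the CnsMin/cnshook pair) re-created it, which is why the helper moves from HijackThis to a scanner in the next round.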

#10
Buckeye_Sam (Malware Expert, 10,019 posts)
Click Start -> Control Panel -> Add/Remove Programs and uninstall this program if listed.

New.net Application
or
New.net Domains


If neither is listed, download and run this tool.

http://www.new.net/s...install6_38.exe




Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Also post a new hijackthis log.
  • 0

#11
sh4d0wz (Topic Starter, Member, 52 posts)
I have done as you asked. I do have New.net Domains 6.90, but the link you gave for the removal tool doesn't seem to work. I used Spy Sweeper and posted the session log and a new HijackThis log. The Spy Communication shield blocked the adware site hundreds of times; I think that was the site that always popped up and redirected me to an ad every few minutes.

********
7:58 PM: | Start of Session, Saturday, November 05, 2005 |
7:58 PM: Spy Sweeper started
7:58 PM: Sweep initiated using definitions version 567
7:58 PM: Starting Memory Sweep
7:58 PM: Found Adware: cnsmin
7:58 PM: Detected running threat: C:\WINDOWS\DOWNLO~1\cnshook.dll (ID = 53247)
7:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:59 PM: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMin.dll (ID = 53251)
8:00 PM: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsHook.dll (ID = 53247)
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 PM: Found Adware: icannnews
8:00 PM: Detected running threat: C:\WINDOWS\system32\l0j8la1u1d.dll (ID = 83)
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: Detected running threat: C:\WINDOWS\system32\one32(3)(2).dll (ID = 83)
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 PM: Memory Sweep Complete, Elapsed Time: 00:07:06
8:05 PM: Starting Registry Sweep
8:05 PM: HKCR\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (28 subtraces) (ID = 106163)
8:05 PM: HKCR\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 106166)
8:05 PM: HKCR\cnshelper.ch.1\ (3 subtraces) (ID = 106168)
8:05 PM: HKCR\cnshelper.ch\ (5 subtraces) (ID = 106169)
8:05 PM: HKLM\software\microsoft\internet explorer\advancedoptions\!cns\ (50 subtraces) (ID = 106213)
8:05 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (1 subtraces) (ID = 106237)
8:05 PM: HKLM\software\microsoft\windows\currentversion\run\ || cnsmin (ID = 106245)
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\cnsmin\ (2 subtraces) (ID = 106251)
8:05 PM: Found Adware: look2me
8:05 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\h323tsp\ (6 subtraces) (ID = 129939)
8:05 PM: Found Adware: minigolf
8:05 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/wildapp.dll\ (2 subtraces) (ID = 135051)
8:05 PM: Found Adware: targetsaver
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)
8:05 PM: Found Adware: targetsoft
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
8:05 PM: Found Adware: websearch toolbar
8:05 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
8:05 PM: Found Adware: wildmedia
8:05 PM: HKCR\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146688)
8:05 PM: HKCR\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (5 subtraces) (ID = 146695)
8:05 PM: HKLM\software\classes\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146699)
8:05 PM: HKLM\software\classes\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (5 subtraces) (ID = 146709)
8:05 PM: Found Adware: winad
8:05 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
8:05 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
8:05 PM: HKLM\software\3721\cnsmin\ (5 subtraces) (ID = 872108)
8:05 PM: Found Adware: quicklink search toolbar
8:05 PM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
8:05 PM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
8:05 PM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
8:05 PM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
8:05 PM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
8:05 PM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
8:05 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
8:05 PM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
8:05 PM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
8:05 PM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
8:05 PM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
8:05 PM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
8:05 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
8:05 PM: Found Adware: instant access
8:05 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
8:05 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
8:05 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\3721\ (6 subtraces) (ID = 106182)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\microsoft\internet explorer\main\ || cnsautoupdate (ID = 106221)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\microsoft\internet explorer\main\ || cnshint (ID = 106223)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\microsoft\internet explorer\main\ || cnsreset (ID = 106226)
8:05 PM: Found Adware: drsnsrch.com hijack
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\tsl2\ (1 subtraces) (ID = 143616)
8:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 PM: Registry Sweep Complete, Elapsed Time:00:00:23
8:05 PM: Starting Cookie Sweep
8:05 PM: Found Spy Cookie: adlegend cookie
8:05 PM: ting zhang@adlegend[1].txt (ID = 2074)
8:05 PM: Found Spy Cookie: advertising cookie
8:05 PM: ting zhang@advertising[2].txt (ID = 2175)
8:05 PM: Found Spy Cookie: atwola cookie
8:05 PM: ting [email protected][2].txt (ID = 2256)
8:05 PM: Found Spy Cookie: atlas dmt cookie
8:05 PM: ting zhang@atdmt[2].txt (ID = 2253)
8:05 PM: ting zhang@atwola[1].txt (ID = 2255)
8:05 PM: Found Spy Cookie: tradedoubler cookie
8:05 PM: ting zhang@tradedoubler[1].txt (ID = 3575)
8:05 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:05 PM: Starting File Sweep
8:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:06 PM: Found Adware: internetoptimizer
8:06 PM: c:\windows\stwsi (1 subtraces) (ID = -2147480829)
8:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:06 PM: a0112284.exe (ID = 65722)
8:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 PM: Found Adware: clearsearch
8:08 PM: a0094756.exe (ID = 145638)
8:08 PM: a0112285.exe (ID = 65721)
8:08 PM: a0094950.exe (ID = 145638)
8:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 PM: a0110387.exe (ID = 78255)
8:08 PM: a0110388.exe (ID = 78256)
8:08 PM: a0110389.exe (ID = 78275)
8:09 PM: qllib.dll (ID = 168233)
8:09 PM: a0111172.exe (ID = 65739)
8:09 PM: a0110520.exe (ID = 73428)
8:09 PM: a0095225.exe (ID = 145638)
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:10 PM: a0094904.exe (ID = 145638)
8:10 PM: a0094971.exe (ID = 145638)
8:10 PM: Found Adware: effective-i toolbar
8:10 PM: a0110439.dll (ID = 59843)
8:10 PM: a0110442.dll (ID = 106574)
8:11 PM: a0110632.exe (ID = 78276)
8:11 PM: cnsmindt.cab (ID = 53260)
8:12 PM: a0110641.exe (ID = 78285)
8:12 PM: a0110495.dll (ID = 163672)
8:12 PM: class-barrel (ID = 78229)
8:13 PM: a0110496.dll (ID = 163672)
8:13 PM: mfex-2.dat (ID = 163672)
8:13 PM: mfex-8.dat (ID = 163672)
8:14 PM: a0097798.exe (ID = 145638)
8:14 PM: a0110385.exe (ID = 78252)
8:14 PM: a0110386.exe (ID = 78254)
8:14 PM: a0111104.exe (ID = 65739)
8:15 PM: a0097731.exe (ID = 145638)
8:15 PM: mfex-1.dat (ID = 163672)
8:15 PM: mfex-17.dat (ID = 163672)
8:15 PM: mfex-18.dat (ID = 163672)
8:15 PM: Found Adware: spysheriff
8:15 PM: a0110454.exe (ID = 178643)
8:16 PM: 51757006.txt (ID = 116398)
8:19 PM: Found Adware: marketscore
8:19 PM: a0110631.exe (ID = 180410)
8:20 PM: a0103901.dll (ID = 112499)
8:21 PM: 35102821.exe (ID = 145638)
8:21 PM: a0097700.exe (ID = 145638)
8:22 PM: a0110449.exe (ID = 59853)
8:27 PM: a0103902.exe (ID = 112498)
8:29 PM: cnsminkp.sys (ID = 53268)
8:29 PM: cnsmin.dll (ID = 53251)
8:29 PM: cnsmincg.ini (ID = 53257)
8:29 PM: cnshook.dll (ID = 53247)
8:29 PM: cns.dll (ID = 53245)
8:32 PM: cnsmindt.dll (ID = 53261)
8:33 PM: a0109085.exe (ID = 159065)
8:33 PM: 37967750.txt (ID = 116398)
8:36 PM: Found Adware: shopathomeselect
8:36 PM: a0094739.dll (ID = 75611)
8:36 PM: a0094738.exe (ID = 75603)
8:38 PM: 113_dollarrevenue_4_0_3_9.exe (ID = 166444)
8:38 PM: a0110904.exe (ID = 65739)
8:38 PM: Found Adware: apropos
8:38 PM: a0112279.exe (ID = 166347)
8:38 PM: Found Trojan Horse: trojan-downloader-nextern
8:38 PM: a0112280.exe (ID = 168231)
8:38 PM: Found Adware: sp2ms
8:38 PM: a0112281.exe (ID = 178567)
8:38 PM: Found Adware: 180search assistant/zango
8:38 PM: a0112283.dll (ID = 107552)
8:38 PM: a0112282.exe (ID = 168558)
8:38 PM: qlutility.exe (ID = 168232)
8:38 PM: a0110638.exe (ID = 78284)
8:38 PM: a0110639.dll (ID = 78253)
8:38 PM: vocabulary (ID = 78283)
8:38 PM: a0110640.exe (ID = 78246)
8:39 PM: a0111184.exe (ID = 168558)
8:42 PM: rlls.dll (ID = 159066)
8:44 PM: BHO Shield: found: -- BHO installation denied at user request
8:44 PM: BHO Shield: found: -- BHO installation denied at user request
8:47 PM: clean internet access record.url (ID = 53242)
8:47 PM: about chinese keyword.url (ID = 53218)
8:49 PM: Found Adware: whenu
8:49 PM: a0098506.cfg (ID = 161463)
8:49 PM: 27868236.dat (ID = 52512)
8:49 PM: 34552737.bin (ID = 116395)
8:49 PM: Found Adware: ieplugin
8:49 PM: wininit.ini (ID = 63389)
8:49 PM: 293322.bin (ID = 116395)
8:49 PM: 31242705.dat (ID = 52512)
8:49 PM: a0110446.lnk (ID = 59855)
8:49 PM: a0110444.lnk (ID = 59838)
8:49 PM: Found System Monitor: potentially rootkit-masked files
8:49 PM: flpiaide.sys (ID = 0)
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:01 PM: The Spy

#12 sh4d0wz (Member, Topic Starter, 52 posts)
Oh no, there wasn't enough space =( I'll repost it after the HijackThis log. I ran HijackThis after the reboot, when Spy Sweeper told me to reboot.

Logfile of HijackThis v1.99.1
Scan saved at 9:51:47 PM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


********
9:22 PM: | Start of Session, Saturday, November 05, 2005 |
9:22 PM: Spy Sweeper started
9:22 PM: Sweep initiated using definitions version 567
9:22 PM: Starting Memory Sweep
9:22 PM: Found Adware: cnsmin
9:22 PM: Detected running threat: C:\WINDOWS\DOWNLO~1\cnshook.dll (ID = 53247)
9:22 PM: Found Adware: icannnews
9:22 PM: Detected running threat: C:\WINDOWS\system32\l0j8la1u1d.dll (ID = 83)
9:24 PM: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMin.dll (ID = 53251)
9:24 PM: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsHook.dll (ID = 53247)
9:24 PM: Memory Sweep Complete, Elapsed Time: 00:02:52
9:24 PM: Starting Registry Sweep
9:25 PM: HKCR\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (28 subtraces) (ID = 106163)
9:25 PM: HKCR\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 106166)
9:25 PM: HKCR\cnshelper.ch.1\ (3 subtraces) (ID = 106168)
9:25 PM: HKCR\cnshelper.ch\ (5 subtraces) (ID = 106169)
9:25 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (1 subtraces) (ID = 106237)
9:25 PM: HKLM\software\microsoft\windows\currentversion\run\ || cnsmin (ID = 106245)
9:25 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\3721\ (4 subtraces) (ID = 106182)
9:25 PM: Registry Sweep Complete, Elapsed Time:00:00:27
9:25 PM: Starting Cookie Sweep
9:25 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:25 PM: Starting File Sweep
9:27 PM: Sweep Canceled
9:27 PM: File Sweep Complete, Elapsed Time: 00:01:35
9:27 PM: Traces Found: 67
********
7:58 PM: | Start of Session, Saturday, November 05, 2005 |
7:58 PM: Spy Sweeper started
7:58 PM: Sweep initiated using definitions version 567
7:58 PM: Starting Memory Sweep
7:58 PM: Found Adware: cnsmin
7:58 PM: Detected running threat: C:\WINDOWS\DOWNLO~1\cnshook.dll (ID = 53247)
7:59 PM: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsMin.dll (ID = 53251)
8:00 PM: Detected running threat: C:\WINDOWS\Downloaded Program Files\CnsHook.dll (ID = 53247)

8:00 PM: Found Adware: icannnews
8:00 PM: Detected running threat: C:\WINDOWS\system32\l0j8la1u1d.dll (ID = 83)
8:03 PM: Detected running threat: C:\WINDOWS\system32\one32(3)(2).dll (ID = 83)
8:05 PM: Memory Sweep Complete, Elapsed Time: 00:07:06
8:05 PM: Starting Registry Sweep
8:05 PM: HKCR\clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ (28 subtraces) (ID = 106163)
8:05 PM: HKCR\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (15 subtraces) (ID = 106166)
8:05 PM: HKCR\cnshelper.ch.1\ (3 subtraces) (ID = 106168)
8:05 PM: HKCR\cnshelper.ch\ (5 subtraces) (ID = 106169)
8:05 PM: HKLM\software\microsoft\internet explorer\advancedoptions\!cns\ (50 subtraces) (ID = 106213)
8:05 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ (1 subtraces) (ID = 106237)
8:05 PM: HKLM\software\microsoft\windows\currentversion\run\ || cnsmin (ID = 106245)
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\cnsmin\ (2 subtraces) (ID = 106251)
8:05 PM: Found Adware: look2me
8:05 PM: HKLM\software\microsoft\widows nt\currentversion\winlogon\notify\h323tsp\ (6 subtraces) (ID = 129939)
8:05 PM: Found Adware: minigolf
8:05 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/wildapp.dll\ (2 subtraces) (ID = 135051)
8:05 PM: Found Adware: targetsaver
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)
8:05 PM: Found Adware: targetsoft
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
8:05 PM: Found Adware: websearch toolbar
8:05 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
8:05 PM: Found Adware: wildmedia
8:05 PM: HKCR\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146688)
8:05 PM: HKCR\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (5 subtraces) (ID = 146695)
8:05 PM: HKLM\software\classes\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146699)
8:05 PM: HKLM\software\classes\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (5 subtraces) (ID = 146709)
8:05 PM: Found Adware: winad
8:05 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
8:05 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
8:05 PM: HKLM\software\3721\cnsmin\ (5 subtraces) (ID = 872108)
8:05 PM: Found Adware: quicklink search toolbar
8:05 PM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
8:05 PM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
8:05 PM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
8:05 PM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
8:05 PM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
8:05 PM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
8:05 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
8:05 PM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
8:05 PM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
8:05 PM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
8:05 PM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
8:05 PM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
8:05 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
8:05 PM: Found Adware: instant access
8:05 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
8:05 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
8:05 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
8:05 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\3721\ (6 subtraces) (ID = 106182)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\microsoft\internet explorer\main\ || cnsautoupdate (ID = 106221)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\microsoft\internet explorer\main\ || cnshint (ID = 106223)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\microsoft\internet explorer\main\ || cnsreset (ID = 106226)
8:05 PM: Found Adware: drsnsrch.com hijack
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
8:05 PM: HKU\S-1-5-21-4095287019-1241035216-4258194634-1005\software\tsl2\ (1 subtraces) (ID = 143616)
8:05 PM: Registry Sweep Complete, Elapsed Time:00:00:23
8:05 PM: Starting Cookie Sweep
8:05 PM: Found Spy Cookie: adlegend cookie
8:05 PM: ting zhang@adlegend[1].txt (ID = 2074)
8:05 PM: Found Spy Cookie: advertising cookie
8:05 PM: ting zhang@advertising[2].txt (ID = 2175)
8:05 PM: Found Spy Cookie: atwola cookie
8:05 PM: ting [email protected][2].txt (ID = 2256)
8:05 PM: Found Spy Cookie: atlas dmt cookie
8:05 PM: ting zhang@atdmt[2].txt (ID = 2253)
8:05 PM: ting zhang@atwola[1].txt (ID = 2255)
8:05 PM: Found Spy Cookie: tradedoubler cookie
8:05 PM: ting zhang@tradedoubler[1].txt (ID = 3575)
8:05 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:05 PM: Starting File Sweep
8:06 PM: Found Adware: internetoptimizer
8:06 PM: c:\windows\stwsi (1 subtraces) (ID = -2147480829)
8:06 PM: a0112284.exe (ID = 65722)
8:08 PM: Found Adware: clearsearch
8:08 PM: a0094756.exe (ID = 145638)
8:08 PM: a0112285.exe (ID = 65721)
8:08 PM: a0094950.exe (ID = 145638)
8:08 PM: a0110387.exe (ID = 78255)
8:08 PM: a0110388.exe (ID = 78256)
8:08 PM: a0110389.exe (ID = 78275)
8:09 PM: qllib.dll (ID = 168233)
8:09 PM: a0111172.exe (ID = 65739)
8:09 PM: a0110520.exe (ID = 73428)
8:09 PM: a0095225.exe (ID = 145638)
8:10 PM: a0094904.exe (ID = 145638)
8:10 PM: a0094971.exe (ID = 145638)
8:10 PM: Found Adware: effective-i toolbar
8:10 PM: a0110439.dll (ID = 59843)
8:10 PM: a0110442.dll (ID = 106574)
8:11 PM: a0110632.exe (ID = 78276)
8:11 PM: cnsmindt.cab (ID = 53260)
8:12 PM: a0110641.exe (ID = 78285)
8:12 PM: a0110495.dll (ID = 163672)
8:12 PM: class-barrel (ID = 78229)
8:13 PM: a0110496.dll (ID = 163672)
8:13 PM: mfex-2.dat (ID = 163672)
8:13 PM: mfex-8.dat (ID = 163672)
8:14 PM: a0097798.exe (ID = 145638)
8:14 PM: a0110385.exe (ID = 78252)
8:14 PM: a0110386.exe (ID = 78254)
8:14 PM: a0111104.exe (ID = 65739)
8:15 PM: a0097731.exe (ID = 145638)
8:15 PM: mfex-1.dat (ID = 163672)
8:15 PM: mfex-17.dat (ID = 163672)
8:15 PM: mfex-18.dat (ID = 163672)
8:15 PM: Found Adware: spysheriff
8:15 PM: a0110454.exe (ID = 178643)
8:16 PM: 51757006.txt (ID = 116398)
8:19 PM: Found Adware: marketscore
8:19 PM: a0110631.exe (ID = 180410)
8:20 PM: a0103901.dll (ID = 112499)
8:21 PM: 35102821.exe (ID = 145638)
8:21 PM: a0097700.exe (ID = 145638)
8:22 PM: a0110449.exe (ID = 59853)
8:27 PM: a0103902.exe (ID = 112498)
8:29 PM: cnsminkp.sys (ID = 53268)
8:29 PM: cnsmin.dll (ID = 53251)
8:29 PM: cnsmincg.ini (ID = 53257)
8:29 PM: cnshook.dll (ID = 53247)
8:29 PM: cns.dll (ID = 53245)
8:32 PM: cnsmindt.dll (ID = 53261)
8:33 PM: a0109085.exe (ID = 159065)
8:33 PM: 37967750.txt (ID = 116398)
8:36 PM: Found Adware: shopathomeselect
8:36 PM: a0094739.dll (ID = 75611)
8:36 PM: a0094738.exe (ID = 75603)
8:38 PM: 113_dollarrevenue_4_0_3_9.exe (ID = 166444)
8:38 PM: a0110904.exe (ID = 65739)
8:38 PM: Found Adware: apropos
8:38 PM: a0112279.exe (ID = 166347)
8:38 PM: Found Trojan Horse: trojan-downloader-nextern
8:38 PM: a0112280.exe (ID = 168231)
8:38 PM: Found Adware: sp2ms
8:38 PM: a0112281.exe (ID = 178567)
8:38 PM: Found Adware: 180search assistant/zango
8:38 PM: a0112283.dll (ID = 107552)
8:38 PM: a0112282.exe (ID = 168558)
8:38 PM: qlutility.exe (ID = 168232)
8:38 PM: a0110638.exe (ID = 78284)
8:38 PM: a0110639.dll (ID = 78253)
8:38 PM: vocabulary (ID = 78283)
8:38 PM: a0110640.exe (ID = 78246)
8:39 PM: a0111184.exe (ID = 168558)
8:42 PM: rlls.dll (ID = 159066)
8:44 PM: BHO Shield: found: -- BHO installation denied at user request
8:44 PM: BHO Shield: found: -- BHO installation denied at user request
8:47 PM: clean internet access record.url (ID = 53242)
8:47 PM: about chinese keyword.url (ID = 53218)
8:49 PM: Found Adware: whenu
8:49 PM: a0098506.cfg (ID = 161463)
8:49 PM: 27868236.dat (ID = 52512)
8:49 PM: 34552737.bin (ID = 116395)
8:49 PM: Found Adware: ieplugin
8:49 PM: wininit.ini (ID = 63389)
8:49 PM: 293322.bin (ID = 116395)
8:49 PM: 31242705.dat (ID = 52512)
8:49 PM: a0110446.lnk (ID = 59855)
8:49 PM: a0110444.lnk (ID = 59838)
8:49 PM: Found System Monitor: potentially rootkit-masked files
8:49 PM: flpiaide.sys (ID = 0)
9:04 PM: Warning: Unhandled Archive Type
9:08 PM: Warning: Invalid Stream
9:09 PM: a0101640.lnk (ID = 116398)
9:09 PM: File Sweep Complete, Elapsed Time: 01:03:31
9:09 PM: Full Sweep has completed. Elapsed time 01:11:03
9:09 PM: Traces Found: 363
9:15 PM: Removal process initiated
9:15 PM: Quarantining All Traces: 180search assistant/zango
9:15 PM: Quarantining All Traces: clearsearch
9:15 PM: Quarantining All Traces: icannnews
9:15 PM: icannnews is in use. It will be removed on reboot.
9:15 PM: C:\WINDOWS\system32\l0j8la1u1d.dll is in use. It will be removed on reboot.
9:15 PM: C:\WINDOWS\system32\one32(3)(2).dll is in use. It will be removed on reboot.
9:15 PM: Quarantining All Traces: look2me
9:15 PM: Quarantining All Traces: spysheriff
9:15 PM: Quarantining All Traces: websearch toolbar
9:15 PM: Quarantining All Traces: wildmedia
9:15 PM: Quarantining All Traces: apropos
9:15 PM: Quarantining All Traces: internetoptimizer
9:15 PM: Quarantining All Traces: marketscore
9:15 PM: Quarantining All Traces: sp2ms
9:15 PM: Quarantining All Traces: trojan-downloader-nextern
9:15 PM: Quarantining All Traces: cnsmin
9:16 PM: cnsmin is in use. It will be removed on reboot.
9:16 PM: clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}\ is in use. It will be removed on reboot.
9:16 PM: clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
9:16 PM: cnshelper.ch.1\ is in use. It will be removed on reboot.
9:16 PM: cnshelper.ch\ is in use. It will be removed on reboot.
9:16 PM: HKLM: software\microsoft\windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}\ is in use. It will be removed on reboot.
9:16 PM: Quarantining All Traces: drsnsrch.com hijack
9:16 PM: Quarantining All Traces: effective-i toolbar
9:16 PM: Quarantining All Traces: ieplugin
9:16 PM: Quarantining All Traces: instant access
9:16 PM: Quarantining All Traces: minigolf
9:16 PM: Quarantining All Traces: quicklink search toolbar
9:16 PM: Quarantining All Traces: shopathomeselect
9:16 PM: Quarantining All Traces: targetsaver
9:16 PM: Quarantining All Traces: targetsoft
9:16 PM: Quarantining All Traces: whenu
9:16 PM: Quarantining All Traces: winad
9:16 PM: Quarantining All Traces: adlegend cookie
9:16 PM: Quarantining All Traces: advertising cookie
9:16 PM: Quarantining All Traces: atlas dmt cookie
9:16 PM: Quarantining All Traces: atwola cookie
9:16 PM: Quarantining All Traces: tradedoubler cookie
9:16 PM: Warning: Launched explorer.exe
9:16 PM: Warning: Quarantine process could not restart Explorer.
9:16 PM: Removal process completed. Elapsed time 00:01:38
9:21 PM: Memory Shield: Found: Memory-resident threat cnsmin, version 1.0.0.0
9:21 PM: Detected running threat: cnsmin
9:22 PM: | End of Session, Saturday, November 05, 2005 |
********

Edited by sh4d0wz, 05 November 2005 - 08:50 PM.


#13 Buckeye_Sam (Malware Expert, Member, 10,019 posts)
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O11 - Options group: [!CNS] Chinese keywords

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    • C:\WINDOWS\Downloaded Program Files\CnsMin.dll
      C:\WINDOWS\Downloaded Program Files\CnsHook.dll

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot; click YES. When it asks if you would like to reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.
Your system will reboot now.
Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • You may need to disable your antivirus program while this scan runs.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
  • Make sure to reenable your antivirus program if you disabled it.
Reboot and post a new hijackthis log and the info from your virus scan.

#14 sh4d0wz (Topic Starter, Member, 52 posts)
I've used the Killbox thingy, used the Panda ActiveScan, deleted those 4 files with HijackThis, and also, since the link to remove the New.net thingy doesn't work, I just leave it alone or something?

Here's the Panda report:
Incident                    | Status          | Location
----------------------------|-----------------|------------------------------------------------------------
Adware:Adware/Look2Me       | No disinfected  | C:\backup.zip[ogesvr.dll]
Adware:Adware/IST.ISTBar    | No disinfected  | C:\Documents and Settings\Ting Zhang\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-509d1dcb.zip[InstallerApplet.class]
Spyware:Spyware/New.net     | No disinfected  | C:\Program Files\NewDotNet\uninstall6_90.exe
Virus:W32/Gaobot.HJC.worm   | Disinfected     | C:\Uploads\RawPower 1.2.6.2.zip[setup.exe]
Spyware:Spyware/New.net     | No disinfected  | C:\WINDOWS\NDNuninstall6_90.exe
Adware:Adware/Look2Me       | No disinfected  | C:\WINDOWS\system32\guard.tmp
Adware:Adware/Look2Me       | No disinfected  | C:\WINDOWS\system32\j2j60c1sef.dll
Adware:Adware/Look2Me       | No disinfected  | C:\WINDOWS\system32\mnnsspc.dll
Adware:Adware/Look2Me       | No disinfected  | C:\WINDOWS\system32\zdwox.dll

Logfile of HijackThis v1.99.1
Scan saved at 2:27:50 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#15 Buckeye_Sam (Malware Expert, Member, 10,019 posts)
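
As an added example (not code from this thread, from HijackThis, or from any of the tools named above), the following Python script does by hand what a helper does when reading a log like the one just posted: it parses the "Oxx - ..." lines of a HijackThis log, pulls out file paths and CLSIDs, flags lines matching the indicators Buckeye_Sam asked to fix (cnshook.dll, CnsMin.dll, the [!CNS] options group, ViewBar.dll, the NewDotNet startup hook), and checks whether lines from an earlier fix list have reappeared in a later log. The indicator strings come from the thread; the descriptive labels and the excerpted sample log (copied from post #14 above) are assumptions for illustration. Run against that excerpt, three of the four post #13 fix lines are still present, consistent with the same three lines being requested again in the next reply.

```python
"""Triage a HijackThis log against known indicators and check whether items
marked 'Fix checked' earlier are still present in a newer log.

Added example; not from the thread or from HijackThis itself.
"""
import re
from dataclasses import dataclass, field

# Indicator substrings (matched case-insensitively). The substrings are the
# files/keys the helper asked to fix in this thread; the labels are our own.
INDICATORS = {
    "cnshook.dll": "CnsMin browser helper object",
    "cnsmin.dll": "CnsMin autorun via Rundll32",
    "[!cns]": "CnsMin 'Chinese keywords' options group",
    "viewbar.dll": "Viewpoint toolbar",
    "newdot~": "New.net (NewDotNet) startup hook",
}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")                  # "O4 - HKLM\..\Run: ..."
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)", re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class HjtEntry:
    section: str                                   # "O2", "O4", ...
    raw: str                                       # the original line, stripped
    paths: list = field(default_factory=list)      # file paths mentioned on the line
    clsids: list = field(default_factory=list)     # CLSIDs mentioned on the line
    reasons: list = field(default_factory=list)    # matched indicator labels


def parse_hjt_log(text):
    """Return an HjtEntry for every 'Oxx - ...' line; headers and the
    'Running processes' list are ignored."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        entry = HjtEntry(section=section, raw=line.strip(),
                         paths=WIN_PATH.findall(body),
                         clsids=CLSID.findall(body))
        lowered = entry.raw.lower()
        entry.reasons = [label for needle, label in INDICATORS.items()
                         if needle in lowered]
        entries.append(entry)
    return entries


def flagged(entries):
    """Entries that matched at least one indicator."""
    return [e for e in entries if e.reasons]


def still_present(fix_list, new_log):
    """Lines from an earlier fix list that reappear in a later log
    (whitespace-trimmed, case-insensitive comparison)."""
    after = {e.raw.lower() for e in parse_hjt_log(new_log)}
    return [l.strip() for l in fix_list.splitlines()
            if l.strip() and l.strip().lower() in after]


# The four lines Buckeye_Sam asked to fix in post #13 (copied from the thread).
FIX_LIST = r"""
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O11 - Options group: [!CNS] Chinese keywords
"""

# Excerpt of the post #14 log taken after the fix (copied from the thread).
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O11 - Options group: [!CNS] Chinese keywords
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    for e in flagged(parse_hjt_log(LOG_AFTER)):
        print(f"{e.section}: {', '.join(e.reasons)}  paths={e.paths}")
    print("Fix-list lines still present after the fix:")
    for line in still_present(FIX_LIST, LOG_AFTER):
        print("  " + line)
```

The comparison in still_present is deliberately exact-line: a HijackThis entry that comes back with the same CLSID and path after a "Fix checked" is the signal that something re-creates it at boot (here the CnsMin Rundll32 autorun), which is why the next step in the thread is to delete the DLLs on reboot rather than fix the registry entries again.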
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O11 - Options group: [!CNS] Chinese keywords
Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.

Once in Safe mode run a complete scan with Spysweeper. Save the log and post it here in your next reply.
Reboot back into normal mode.

Now I need to see a different type of log from HijackThis:
  • Run HijackThis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'Save list'. It will open a Notepad file.
  • Place the content of that file here in your next post.

And also post a normal hijackthis log.