Regenerating DLL Malware :help:


#1
Slyphox

Hello,

I am not sure of the exact title of my infection, or I would usually be able to fix it myself. For the past few days I have been trying to find what program keeps regenerating the DLLs I find through Hijack This. I know that it has a registry string under Shell Extensions and the RunOnce on startup field. It's kinda like a zombie. I blow its brains out or I cut its arm off and it either regenerates or it has another zombie take its place. Any help on the issue would be greatly appreciated, as I have not been able to do much of anything since this started. I.e., I would be playing a game full screen, this decides to open a new tab in Firefox, which in turn closes the game, and 99.99% of the time I am killed in the process. Here is the Hijack This log to show where it is hiding.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:03 AM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\WinBar\WinBar.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\X-Chat\xchat.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.micros...n&&thankspage=5
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAA393FC-0EB0-40C5-B6D1-473BC2050423}: NameServer = 205.188.146.145
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\mvl0l93m1.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

If it can help in the identification of the malware, one of the sites it brings up is Ad-A-W-A-R-E.com, http://e.rn11.com/ad.../a174-admed-ron, http://www.geekstogo...o=new_post&f=37, etc.

Again, any help to rid my computer of this malware would be greatly appreciated. :tazz:
#2
Wizard

Hi Slyphox and Welcome to GeekstoGo!

Download the l2mfix from here
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you receive any error messages for CMD or Autoexec.bat, select Option 5 from the l2mfix and, once at the site, click on the link that applies to your operating system!

Double click the file it downloads and extract the files to its predetermined System32 folder!
#3
Slyphox

Thank you for your welcome and for replying :)

Here is the L2MFix Log

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvl0l93m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{87160D96-E275-1785-53CC-523A5252E814}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2F603045-309F-11CF-9774-0020AFD0CFF6}"="Synaptics Control Panel"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{25F156F9-028E-4E95-B02B-9CCB8CC55C5E}"="Hide Files and Folders Context Menu Handler"
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}"="TMD Shell Extension"
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}"="VBPropSheet"
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}"="PhoneBrowser"
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}"="Contact View"
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}"="Message View"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{218E0C68-F484-43D9-8E69-1175B9EF4CB1}"=""
"{DD3D38B6-609F-4681-9423-3E7985AD6207}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\AutorunsDisabled]
"{218E0C68-F484-43D9-8E69-1175B9EF4CB1}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}\InprocServer32]
@="C:\\WINDOWS\\system32\\dqmsgnet.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DD3D38B6-609F-4681-9423-3E7985AD6207}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DD3D38B6-609F-4681-9423-3E7985AD6207}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DD3D38B6-609F-4681-9423-3E7985AD6207}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DD3D38B6-609F-4681-9423-3E7985AD6207}\InprocServer32]
@="C:\\WINDOWS\\system32\\nomarta.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}\InprocServer32]
@="C:\\WINDOWS\\system32\\dqmsgnet.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bassmod.dll Tue Oct 25 2005 8:36:52p A.... 34,308 33.50 K
ceb.dll Thu Oct 27 2005 4:05:00p ..S.R 235,485 229.96 K
clrds.dll Thu Oct 27 2005 8:58:54p ..S.R 235,685 230.16 K
divx.dll Tue Aug 9 2005 5:14:00p A.... 692,736 676.50 K
divx_x~1.dll Tue Aug 9 2005 5:13:52p A.... 688,128 672.00 K
divx_x~2.dll Tue Aug 9 2005 5:13:54p A.... 688,128 672.00 K
divx_x~3.dll Tue Aug 9 2005 5:13:52p A.... 671,744 656.00 K
dn6601~1.dll Thu Oct 27 2005 3:07:22p ..S.R 234,296 228.80 K
dpl100.dll Tue Aug 9 2005 5:12:30p A.... 86,016 84.00 K
dpu11.dll Tue Aug 9 2005 5:12:28p A.... 245,760 240.00 K
dpugui11.dll Tue Aug 9 2005 5:12:30p A.... 581,632 568.00 K
dpus11.dll Tue Aug 9 2005 5:12:28p A.... 303,104 296.00 K
dpv11.dll Tue Aug 9 2005 5:12:28p A.... 57,344 56.00 K
dqmsgnet.dll Fri Oct 28 2005 9:23:46p ..S.R 235,128 229.62 K
dtu100.dll Tue Aug 9 2005 5:12:30p A.... 200,704 196.00 K
firaflib.dll Thu Oct 27 2005 12:16:28a ..S.R 234,272 228.78 K
gwfspi~1.dll Mon Aug 29 2005 12:27:06p A.... 23,304 22.76 K
hr8u05~1.dll Sun Oct 30 2005 11:30:34a ..S.R 236,919 231.36 K
irl6l5~1.dll Thu Oct 27 2005 8:08:44p ..S.R 237,320 231.76 K
legitc~1.dll Mon Aug 29 2005 12:27:12p A.... 520,968 508.76 K
lvr409~1.dll Thu Oct 27 2005 8:57:28p A.S.. 0 0.00 K
mq4sdmod.dll Wed Oct 26 2005 9:30:44p ..S.R 234,272 228.78 K
mvl0l9~1.dll Fri Oct 28 2005 11:54:38p ..S.R 235,934 230.40 K
n42u0e~1.dll Thu Oct 27 2005 7:31:54p ..S.R 235,186 229.67 K
nomarta.dll Sun Oct 30 2005 11:30:34a ..S.R 235,934 230.40 K
p6r4lg~1.dll Sat Oct 29 2005 8:40:06a ..S.R 233,996 228.51 K
pncrt.dll Fri Oct 21 2005 3:12:56p A.... 278,528 272.00 K
pndx5016.dll Fri Oct 21 2005 3:12:58p A.... 6,656 6.50 K
pndx5032.dll Fri Oct 21 2005 3:12:58p A.... 5,632 5.50 K
qlink32.dll Mon Sep 19 2005 3:24:20p A.... 200,704 196.00 K
qt-dx331.dll Tue Aug 9 2005 5:12:30p A.... 3,596,288 3.43 M
rmoc3260.dll Fri Oct 21 2005 3:13:08p A.... 157,696 154.00 K
sogina.dll Tue Oct 25 2005 11:01:16p ..... 234,272 228.78 K
srcfiles.dll Fri Oct 28 2005 8:36:42p ..S.R 235,938 230.41 K
stimgvw.dll Tue Oct 25 2005 11:01:22p ..S.R 234,272 228.78 K
vxipxspx.dll Thu Oct 27 2005 7:31:54p ..S.R 234,262 228.77 K

36 items found: 36 files (16 H/S), 0 directories.
Total of file sizes: 12,802,551 bytes 12.21 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 5445-BFC2

Directory of C:\WINDOWS\System32

10/30/2005 11:30 AM 235,934 nomarta.dll
10/30/2005 11:30 AM 236,919 hr8u05l9e.dll
10/29/2005 08:40 AM 233,996 p6r4lg9q16.dll
10/28/2005 11:54 PM 235,934 mvl0l93m1.dll
10/28/2005 10:25 PM 5,120 Thumbs.db
10/28/2005 09:23 PM 235,128 dqmsgnet.dll
10/28/2005 08:36 PM 235,938 srcfiles.dll
10/27/2005 08:58 PM 235,685 cLrds.dll
10/27/2005 08:57 PM 0 lvr4099qe.dll
10/27/2005 08:20 PM <DIR> dllcache
10/27/2005 08:08 PM 237,320 irl6l53s1.dll
10/27/2005 07:31 PM 234,262 vxipxspx.dll
10/27/2005 07:31 PM 235,186 n42u0ef9eh2.dll
10/27/2005 04:04 PM 235,485 ceb.dll
10/27/2005 03:07 PM 234,296 dn6601jse.dll
10/27/2005 12:16 AM 234,272 FIRAFLIB.DLL
10/26/2005 09:30 PM 234,272 mq4sdmod.dll
10/25/2005 11:01 PM 234,272 stimgvw.dll
08/29/2005 07:49 PM <DIR> Microsoft
17 File(s) 3,534,019 bytes
2 Dir(s) 18,358,439,936 bytes free

:tazz:

Edited by Slyphox, 30 October 2005 - 11:39 AM.
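
An added example, not part of the original thread or of L2MFix: a Python script that pulls the DLL paths named under Winlogon\Notify subkeys and CLSID InprocServer32 keys out of a find log like the one above, then looks each one up in the log's directory listing. The sample text is a few lines excerpted from that log, and all function names are hypothetical.

```python
import ntpath
import re

# Sample input: a few lines excerpted from the L2MFix find log in post #3.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvl0l93m1.dll"

[HKEY_CLASSES_ROOT\CLSID\{218E0C68-F484-43D9-8E69-1175B9EF4CB1}\InprocServer32]
@="C:\\WINDOWS\\system32\\dqmsgnet.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{DD3D38B6-609F-4681-9423-3E7985AD6207}\InprocServer32]
@="C:\\WINDOWS\\system32\\nomarta.dll"

Directory of C:\WINDOWS\System32

10/30/2005 11:30 AM 235,934 nomarta.dll
10/28/2005 11:54 PM 235,934 mvl0l93m1.dll
10/28/2005 09:23 PM 235,128 dqmsgnet.dll
10/27/2005 08:20 PM <DIR> dllcache
10/25/2005 11:01 PM 234,272 stimgvw.dll
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# A .reg string value: "Name"="data" or @="data", with backslash escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
# A file row of a `dir` listing; <DIR> rows and summary rows do not match.
DIR_RE = re.compile(
    r'^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s[AP]M)\s+([\d,]+)\s+(\S.*)$')


def is_load_point(key):
    """True for the two key families this log section reports on."""
    k = key.lower()
    return "\\winlogon\\notify" in k or k.endswith("\\inprocserver32")


def registry_dll_refs(text):
    """Return (key, value name, DLL path) for each DLL named by a load point."""
    refs, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key and is_load_point(key)):
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = re.sub(r'\\(.)', r'\1', m.group(2))  # undo .reg escaping
        if data.lower().endswith(".dll"):
            refs.append((key, name, data))
    return refs


def directory_listing(text):
    """Map lower-cased file name to its size and timestamp from the listing."""
    files = {}
    for raw in text.splitlines():
        m = DIR_RE.match(raw.strip())
        if m:
            date, time, size, name = m.groups()
            files[name.lower()] = {
                "name": name,
                "modified": f"{date} {time}",
                "size": int(size.replace(",", "")),
            }
    return files


def cross_reference(text):
    """Pair each registry-referenced DLL with its listing row, and return the
    listed DLLs that no parsed key points at."""
    files = directory_listing(text)
    rows, seen = [], set()
    for key, value, path in registry_dll_refs(text):
        base = ntpath.basename(path).lower()
        seen.add(base)
        rows.append({"dll": base, "key": key, "value": value,
                     "on_disk": files.get(base)})
    unreferenced = sorted(n for n in files
                          if n.endswith(".dll") and n not in seen)
    return rows, unreferenced


if __name__ == "__main__":
    rows, unreferenced = cross_reference(SAMPLE_LOG)
    for r in rows:
        disk = r["on_disk"]
        where = f'{disk["size"]} bytes, {disk["modified"]}' if disk else "not listed"
        print(f'{r["dll"]:<16} {where:<34} {r["key"]} [{r["value"]}]')
    print("listed but not referenced by a parsed key:", unreferenced)
```

A DLL that appears in the listing but under no parsed key is not necessarily inactive; the script only reports what the pasted log text contains.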

#4
Wizard

OK, go into Safe Mode and run the l2mfix again; this time run Option 4 first and then run Option 2.

Save both of those logs please.


Restart normally and please download Webroot SpySweeper from HERE (it's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom", click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process. Give it a minute to run!


Post back in one reply with the logs from Option 4 and 2 from the l2mfix.

Make a separate reply with the session log from SpySweeper.

#5
Slyphox

Option 4 From L2MFix

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Option 2 From L2MFix
L2Mfix 1.04a

Running From:
C:\Documents and Settings\SlyFox\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Spyware Sweeper Log coming soon, as it is still downloading.

#6
Slyphox

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
********
2:42 PM: | Start of Session, Sunday, October 30, 2005 |
2:42 PM: Spy Sweeper started
2:42 PM: Sweep initiated using definitions version 564
2:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 PM: Starting Memory Sweep
2:43 PM: Found Adware: icannnews
2:43 PM: Detected running threat: C:\WINDOWS\system32\svrstr.dll (ID = 83)
2:43 PM: Detected running threat: C:\WINDOWS\system32\l40u0ed9eh0.dll (ID = 83)
2:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:46 PM: Memory Sweep Complete, Elapsed Time: 00:04:09
2:46 PM: Starting Registry Sweep
2:47 PM: Found Adware: linkmaker
2:47 PM: HKLM\software\classes\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129743)
2:47 PM: HKCR\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129750)
2:47 PM: Found Adware: 180search assistant/zango
2:47 PM: HKCR\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135597)
2:47 PM: HKCR\clientax.requiredcomponent\ (5 subtraces) (ID = 135598)
2:47 PM: HKCR\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (17 subtraces) (ID = 135599)
2:47 PM: HKCR\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (9 subtraces) (ID = 135601)
2:47 PM: HKCR\ncmyb.sabho.1\ (3 subtraces) (ID = 135611)
2:47 PM: HKCR\ncmyb.sabho\ (5 subtraces) (ID = 135612)
2:47 PM: HKLM\software\classes\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135622)
2:47 PM: HKLM\software\classes\clientax.requiredcomponent\ (5 subtraces) (ID = 135623)
2:47 PM: HKLM\software\classes\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (17 subtraces) (ID = 135624)
2:47 PM: HKLM\software\classes\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (9 subtraces) (ID = 135625)
2:47 PM: HKLM\software\classes\ncmyb.sabho.1\ (3 subtraces) (ID = 135632)
2:47 PM: HKLM\software\classes\ncmyb.sabho\ (5 subtraces) (ID = 135633)
2:47 PM: Found Adware: targetsoft
2:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
2:47 PM: Found Adware: targetsaver
2:47 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
2:47 PM: Found Adware: ist yoursitebar
2:47 PM: HKCR\interface\{03b800f9-2536-4441-8cda-2a3e6d15b4f8}\ (8 subtraces) (ID = 147832)
2:47 PM: HKCR\interface\{dfbcc1eb-b149-487e-80c1-cc1562021542}\ (8 subtraces) (ID = 147835)
2:47 PM: HKLM\software\classes\interface\{03b800f9-2536-4441-8cda-2a3e6d15b4f8}\ (8 subtraces) (ID = 147838)
2:47 PM: HKLM\software\classes\interface\{dfbcc1eb-b149-487e-80c1-cc1562021542}\ (8 subtraces) (ID = 147841)
2:47 PM: HKLM\software\classes\typelib\{4ee12b71-aa5e-45ec-8666-2db3ad3fdf44}\ (7 subtraces) (ID = 147842)
2:47 PM: Found Adware: ist software
2:47 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
2:47 PM: HKCR\typelib\{4ee12b71-aa5e-45ec-8666-2db3ad3fdf44}\ (7 subtraces) (ID = 147861)
2:47 PM: HKCR\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (7 subtraces) (ID = 147926)
2:47 PM: HKCR\interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}\ (8 subtraces) (ID = 169517)
2:47 PM: HKLM\software\classes\interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}\ (8 subtraces) (ID = 169520)
2:47 PM: Found Adware: quicklink search toolbar
2:47 PM: HKCR\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359437)
2:47 PM: HKLM\software\classes\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 359440)
2:47 PM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 359448)
2:47 PM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 359449)
2:47 PM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359450)
2:47 PM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359451)
2:47 PM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 359452)
2:47 PM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 359453)
2:47 PM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 359454)
2:47 PM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 359455)
2:47 PM: HKLM\software\classes\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (7 subtraces) (ID = 396447)
2:47 PM: HKCR\clsid\{3551784b-e99a-474f-b782-3ec814442918}\ (10 subtraces) (ID = 727328)
2:47 PM: HKLM\software\classes\clsid\{3551784b-e99a-474f-b782-3ec814442918}\ (10 subtraces) (ID = 727357)
2:47 PM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
2:47 PM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
2:47 PM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
2:47 PM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
2:47 PM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (5 subtraces) (ID = 890604)
2:47 PM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (7 subtraces) (ID = 890613)
2:47 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (7 subtraces) (ID = 890624)
2:47 PM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
2:47 PM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
2:47 PM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
2:47 PM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
2:47 PM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (5 subtraces) (ID = 890677)
2:47 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (7 subtraces) (ID = 890686)
2:47 PM: Found Adware: instant access
2:47 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
2:47 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (7 subtraces) (ID = 890697)
2:47 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
2:47 PM: HKU\S-1-5-21-602162358-746137067-1343024091-1003\software\tsl2\ (1 subtraces) (ID = 143616)
2:47 PM: Registry Sweep Complete, Elapsed Time:00:00:17
2:47 PM: Starting Cookie Sweep
2:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:47 PM: Starting File Sweep
2:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:47 PM: a0038159.dll (ID = 78253)
2:48 PM: Found Adware: ist sidefind
2:48 PM: a0020567.dll (ID = 157822)
2:48 PM: a0038474.exe (ID = 168232)
2:48 PM: a0038475.exe (ID = 131326)
2:48 PM: a0035849.dll (ID = 181444)
2:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:48 PM: Found Adware: internetoptimizer
2:48 PM: a0020572.exe (ID = 122872)
2:48 PM: backup-20051027-153416-489.dll (ID = 181444)
2:49 PM: Found Adware: spysheriff
2:49 PM: a0034343.exe (ID = 178643)
2:49 PM: Found Adware: sp2ms
2:49 PM: a0033814.exe (ID = 148760)
2:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:50 PM: a0036899.exe (ID = 178643)
2:50 PM: a0036783.exe (ID = 178643)
2:51 PM: Found Adware: ist istbar
2:51 PM: jfghjhhfgudk.exe (ID = 181597)
2:51 PM: msresearch.exe.q_2cf9cf0_q (ID = 148760)
2:51 PM: a0020568.exe (ID = 154905)
2:51 PM: a0020526.exe (ID = 141831)
2:51 PM: Found Adware: surf accuracy
2:51 PM: uninstall.exe (ID = 156655)
2:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:51 PM: preuninstallql.exe (ID = 131326)
2:51 PM: a0021727.exe (ID = 73428)
2:51 PM: a0020623.exe (ID = 161561)
2:51 PM: glf63glf63.exe (ID = 166444)
2:51 PM: a0038202.exe (ID = 78285)
2:51 PM: drsmartload.exe (ID = 178567)
2:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:52 PM: a0033804.exe (ID = 144585)
2:52 PM: a0037036.dll (ID = 181444)
2:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:54 PM: a0020571.dll (ID = 161559)
2:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:55 PM: mrwzm.exe.q_18d06000_q (ID = 107479)
2:55 PM: Found Adware: look2me
2:55 PM: a0034511.dll (ID = 163672)
2:55 PM: Found Adware: apropos
2:55 PM: wingenerics.dll (ID = 50187)
2:56 PM: a0036805.dll (ID = 163672)
2:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:57 PM: res34.tmp (ID = 107353)
2:57 PM: installer.exe (ID = 168558)
2:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:58 PM: Found Trojan Horse: trojan-downloader-nextern
2:58 PM: drin.exe (ID = 168231)
2:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:59 PM: a0035859.dll (ID = 163672)
2:59 PM: dc13.exe (ID = 168232)
3:00 PM: a0038430.exe (ID = 166444)
3:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:00 PM: a0034334.exe (ID = 178643)
3:00 PM: a0034351.exe (ID = 73428)
3:00 PM: a0033816.exe (ID = 148759)
3:00 PM: a0038429.exe (ID = 166206)
3:01 PM: a0038165.exe (ID = 64496)
3:01 PM: a0033818.exe (ID = 107479)
3:01 PM: a0034346.exe (ID = 178643)
3:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:01 PM: firaflib.dll (ID = 163672)
3:01 PM: mq4sdmod.dll (ID = 163672)
3:01 PM: sogina.dll (ID = 163672)
3:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:04 PM: Found Adware: isearch desktop search
3:04 PM: mte3ndi6odoxng.exe (ID = 178687)
3:04 PM: Found Adware: powerscan
3:04 PM: a0021728.exe (ID = 72675)
3:04 PM: Found Adware: personal money tree
3:04 PM: pmt.exe (ID = 137597)
3:05 PM: a0038086.exe (ID = 178643)
3:05 PM: a0037970.exe (ID = 178643)
3:05 PM: sp2update00.exe.q_2cf5760_q (ID = 148759)
3:05 PM: jfghjfgudk.exe (ID = 181597)
3:05 PM: d3c6f.tmp (ID = 153752)
3:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:06 PM: f1f5e.tmp (ID = 168162)
3:06 PM: a0037992.dll (ID = 163672)
3:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:10 PM: a0020569.exe (ID = 72679)
3:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:10 PM: stimgvw.dll (ID = 163672)
3:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:12 PM: a0038197.exe (ID = 78284)
3:12 PM: a0038199.exe (ID = 78246)
3:12 PM: tsuninst.exe (ID = 78276)
3:13 PM: tsupdate_4_0_3_9_b2.exe (ID = 78281)
3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:14 PM: tsinstall_4_0_3_8_b17.exe (ID = 78267)
3:14 PM: 180sainstallersilsais1.exe (ID = 107349)
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: a0033871.dll (ID = 163672)
3:17 PM: a0021475.dll (ID = 157821)
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:18 PM: a0038164.exe (ID = 64496)
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: Found Adware: isearch toolbar
3:19 PM: cmdinst.exe (ID = 154747)
3:19 PM: a0037046.dll (ID = 163672)
3:20 PM: iinstall.exe (ID = 181597)
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: sais.exe (ID = 93787)
3:20 PM: saishook.dll (ID = 70604)
3:20 PM: sais_gdf.dat (ID = 93789)
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: qlink32.dll (ID = 153756)
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: Found System Monitor: potentially rootkit-masked files
3:22 PM: wsnetcfg.exe (ID = 0)
3:22 PM: lz3owser.exe (ID = 0)
3:22 PM: ace.dll (ID = 0)
3:22 PM: data.bin (ID = 0)
3:22 PM: rdbslm75.sys (ID = 0)
3:22 PM: ipnfil32.exe (ID = 0)
3:22 PM: ai_30-10-2005.log (ID = 0)
3:22 PM: ai_26-10-2005.log (ID = 0)
3:22 PM: ai_29-10-2005.log (ID = 0)
3:22 PM: ai_27-10-2005.log (ID = 0)
3:22 PM: ai_28-10-2005.log (ID = 0)
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:23 PM: Warning: Unhandled Archive Type
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: Warning: Unhandled Archive Type
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:27 PM: Warning: Invalid Stream
3:27 PM: Warning: Invalid Stream
3:27 PM: Warning: Invalid Stream
3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:28 PM: File Sweep Complete, Elapsed Time: 00:40:44
3:28 PM: Full Sweep has completed. Elapsed time 00:45:15
3:28 PM: Traces Found: 448
3:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:28 PM: Removal process initiated
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: Quarantining All Traces: potentially rootkit-masked files
3:30 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
3:30 PM: wsnetcfg.exe is in use. It will be removed on reboot.
3:30 PM: lz3owser.exe is in use. It will be removed on reboot.
3:30 PM: ace.dll is in use. It will be removed on reboot.
3:30 PM: data.bin is in use. It will be removed on reboot.
3:30 PM: rdbslm75.sys is in use. It will be removed on reboot.
3:30 PM: ipnfil32.exe is in use. It will be removed on reboot.
3:30 PM: ai_30-10-2005.log is in use. It will be removed on reboot.
3:30 PM: ai_26-10-2005.log is in use. It will be removed on reboot.
3:30 PM: ai_29-10-2005.log is in use. It will be removed on reboot.
3:30 PM: ai_27-10-2005.log is in use. It will be removed on reboot.
3:30 PM: ai_28-10-2005.log is in use. It will be removed on reboot.
3:30 PM: Quarantining All Traces: look2me
3:30 PM: Quarantining All Traces: spysheriff
3:30 PM: Quarantining All Traces: 180search assistant/zango
3:30 PM: Quarantining All Traces: apropos
3:30 PM: apropos is in use. It will be removed on reboot.
3:30 PM: wingenerics.dll is in use. It will be removed on reboot.
3:30 PM: Quarantining All Traces: icannnews
3:30 PM: icannnews is in use. It will be removed on reboot.
3:30 PM: C:\WINDOWS\system32\svrstr.dll is in use. It will be removed on reboot.
3:30 PM: C:\WINDOWS\system32\l40u0ed9eh0.dll is in use. It will be removed on reboot.
3:30 PM: Quarantining All Traces: instant access
3:30 PM: Quarantining All Traces: internetoptimizer
3:30 PM: Quarantining All Traces: isearch desktop search
3:30 PM: Quarantining All Traces: isearch toolbar
3:30 PM: Quarantining All Traces: ist istbar
3:30 PM: Quarantining All Traces: ist sidefind
3:30 PM: Quarantining All Traces: ist software
3:30 PM: Quarantining All Traces: ist yoursitebar
3:31 PM: Quarantining All Traces: linkmaker
3:31 PM: Quarantining All Traces: personal money tree
3:31 PM: Quarantining All Traces: powerscan
3:31 PM: Quarantining All Traces: quicklink search toolbar
3:31 PM: Quarantining All Traces: sp2ms
3:31 PM: Quarantining All Traces: surf accuracy
3:31 PM: Quarantining All Traces: targetsaver
3:31 PM: Quarantining All Traces: targetsoft
3:31 PM: Quarantining All Traces: trojan-downloader-nextern
3:31 PM: Warning: Launched explorer.exe
3:31 PM: Warning: Quarantine process could not restart Explorer.
3:31 PM: Removal process completed. Elapsed time 00:02:46
********
2:25 PM: | Start of Session, Sunday, October 30, 2005 |
2:25 PM: Spy Sweeper started
2:26 PM: Your spyware definitions have been updated.
2:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:42 PM: | End of Session, Sunday, October 30, 2005 |

Edited by Slyphox, 30 October 2005 - 02:43 PM.
