Help! My wife is gonna kill me!


  • This topic is locked
7 replies to this topic

#1 Osiris

  • New Member
  • 3 posts

Posted 07 November 2005 - 12:37 PM

Hello all... I need your help! I was destitute when my computer got hijacked over a year ago, but you guys came to my rescue and it has been flawless ever since.

Now my wife's computer has become badly infected and I need you again. She is getting constant pop-ups, some of which look like normal windows with ads on them. The others appear over whatever program you are running, in all different forms (i.e. a cartoon girl waving), and they have no option to close; you have to click on them and go to some dumb ad. Her homepage was hijacked too, but I think I fixed that issue with the things I have already done.

I want to tell you what I have already done (prior to running this log).
I installed and ran Xoft and removed about 265 items, then rebooted.
Installed and ran WinPatrol, then rebooted.
Installed and ran TrojanHunter, removed 30+ items, then rebooted.
Installed and ran Ad-Aware SE (newest updates), removed 80+ items, then rebooted.

I ran her log and here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 11:12:38 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\sp2update00.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jodi\LOCALS~1\Temp\Rar$EX01.867\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 153.26.85.51:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\en26l1fs1.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9kaQ\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Any help is greatly appreciated.
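As an added example, not part of this thread or of HijackThis itself: a Python triage pass over the R1/O4/O20/O23 entries quoted in the log above, of the kind a helper does by eye. The rules are heuristics chosen for this log (browser proxy on a public IP, autorun sitting in the Windows root, Winlogon Notify subkey unrelated to its DLL, service whose file is missing), and the base64 check rests on the observation that the service folder name Sm9kaQ decodes to "Jodi", the user name that appears in the log's temp path.

```python
"""Triage heuristics for a HijackThis v1.99 log (added example, not part of the
thread or of HijackThis). Every rule is a heuristic: a flag means "verify this",
not "this is malware"."""
import base64
import ipaddress
import re
from pathlib import PureWindowsPath

# Lines copied from the HijackThis log in post #1; two benign entries kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 153.26.85.51:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\en26l1fs1.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9kaQ\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Trailing file path, optionally followed by a note such as "(file missing)".
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\[^()]*?)(?: \((?P<note>[^)]*)\))?\s*$")
WINDOWS_ROOT = PureWindowsPath(r"C:\WINDOWS")
SHARED_NOTIFY_DLLS = {"wlnotify"}  # XP's shared notify DLL backs several subkey names


def decodes_as_text(name):
    """Return the decoded string if `name` is base64 for printable ASCII, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{4,}", name):
        return None
    try:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        text = base64.b64decode(name + "=" * (-len(name) % 4), validate=True).decode("ascii")
    except ValueError:
        return None
    return text if text.isprintable() else None


def split_path(body):
    """Trailing path and lower-cased note of an entry; a dummy path if there is none."""
    m = PATH_RE.search(body)
    if not m:
        return PureWindowsPath(), ""
    return PureWindowsPath(m.group("path").strip()), (m.group("note") or "").lower()


def check_proxy(body, path, note):
    """R1: a ProxyServer pointing at a public address is unusual for a home PC."""
    m = re.search(r"ProxyServer = (?P<host>[^:\s]+)", body)
    try:
        ip = ipaddress.ip_address(m.group("host")) if m else None
    except ValueError:  # host names are not judged here
        return None
    if ip and not (ip.is_private or ip.is_loopback):
        return f"browser proxied through public address {ip}; confirm it is intended"
    return None


def check_run(body, path, note):
    """O4: autoruns living directly in the Windows root rather than a vendor folder."""
    if path.parent == WINDOWS_ROOT:  # PureWindowsPath compares case-insensitively
        return "autorun binary sits in the Windows root; check its publisher"
    return None


def check_winlogon(body, path, note):
    """O20: a Winlogon Notify subkey whose name has nothing to do with its DLL."""
    subkey = body.partition(":")[2].split(" - ", 1)[0].strip().lower()
    stem = path.stem.lower()
    if subkey not in stem and stem not in subkey and stem not in SHARED_NOTIFY_DLLS:
        return f"Winlogon Notify subkey {subkey!r} loads unrelated DLL {path.name}"
    return None


def check_service(body, path, note):
    """O23: orphaned services, and service folders whose names are encoded text."""
    reasons = []
    if "file missing" in note:
        reasons.append("service binary is missing (orphaned service entry)")
    if path.parent.parent == WINDOWS_ROOT:
        decoded = decodes_as_text(path.parent.name)
        if decoded:
            reasons.append(f"folder {path.parent.name!r} is base64 for {decoded!r}")
    return "; ".join(reasons) or None


CHECKS = {"R1": check_proxy, "O4": check_run, "O20": check_winlogon, "O23": check_service}


def triage(log_text):
    """Return (code, reason, line) for every entry some heuristic flags."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if m and m.group("code") in CHECKS:
            body = m.group("body")
            reason = CHECKS[m.group("code")](body, *split_path(body))
            if reason:
                findings.append((m.group("code"), reason, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the full log, the Norton, Apoint and ProxyOverride lines pass silently; only the four entries the thread later treats as suspect come back.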



#2 pskelley

    R.I.P. Always in our hearts

  • Authentic Member
  • 3,879 posts
  • Interests: Computers, fishing, biking, basketball, travel

Posted 10 November 2005 - 06:29 PM

Hello and welcome to the TomCoyote forum. You have several nasties, and I need to remove a trojan first. SpySweeper has recently updated their software to remove this trojan, and they are nice enough to allow you a free trial version to do this. Before we start, I will need you to move HJT.exe out of the Temp folder you have it in. HJT needs a permanent folder to store logs and backups for safety. I prefer you put it here: C:\HJT\HijackThis.exe. If you need more instructions, use these: http://russelltexas....tehjtfolder.htm

Please follow the instructions carefully: Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer <<< very important
and then please copy and paste the SpySweeper log and a new HJT log into this same thread.

Thanks...pskelley
TomCoyote forum
Expert Member
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#3 Osiris

  • New Member
  • 3 posts

Posted 12 November 2005 - 09:08 AM

Hello pskelley, thank you so much for your reply. I did as you instructed and I had a lot of problems with SpySweeper. I would run it and it would find a lot of bad stuff, but when I would go to remove this stuff it would always automatically check everything except something that said "potentially rootkit-masked files".

So I would go and manually check that and click Remove. Well, it would totally lock my wife's laptop up and I could only shut it down by holding the power button. So I ran this full scan 3 times and tried this, but every time it would lock her up while trying to remove the "potentially rootkit-masked files". So finally I ran it a fourth time this morning, and didn't check that one, but checked everything else. It immediately removed the files. The report on this one is a real whopper, but I will post it anyway...

9:06 AM: | Start of Session, Saturday, November 12, 2005 |
9:06 AM: Spy Sweeper started
9:06 AM: Sweep initiated using definitions version 572
9:06 AM: Starting Memory Sweep
9:06 AM: Found Adware: icannnews
9:06 AM: Detected running threat: C:\WINDOWS\system32\socurity.dll (ID = 83)
9:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 AM: Found Adware: sp2ms
9:07 AM: Detected running threat: C:\WINDOWS\sp2update00.exe (ID = 148759)
9:07 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || sp2update (ID = 0)
9:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 AM: Detected running threat: C:\WINDOWS\system32\ktrul7991.dll (ID = 83)
9:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 AM: Memory Sweep Complete, Elapsed Time: 00:02:38
9:08 AM: Starting Registry Sweep
9:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 AM: Found Adware: multidial
9:10 AM: HKCR\smartstart.smartstart\ (3 subtraces) (ID = 662000)
9:10 AM: HKLM\software\microsoft\windows\currentversion\run\ || sp2update (ID = 787992)
9:10 AM: Found Adware: command
9:10 AM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
9:10 AM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
9:10 AM: Found Adware: targetsaver
9:10 AM: HKU\S-1-5-21-2322712386-3238835185-2771580065-1005\software\tsl2\ (1 subtraces) (ID = 143616)
9:10 AM: Found Adware: findthewebsiteyouneed hijacker
9:10 AM: HKU\S-1-5-21-2322712386-3238835185-2771580065-1005\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
9:10 AM: Registry Sweep Complete, Elapsed Time:00:01:19
9:10 AM: Starting Cookie Sweep
9:10 AM: Found Spy Cookie: 888 cookie
9:10 AM: jodi@888[2].txt (ID = 2019)
9:10 AM: Found Spy Cookie: websponsors cookie
9:10 AM: jodi@a.websponsors[2].txt (ID = 3665)
9:10 AM: Found Spy Cookie: yieldmanager cookie
9:10 AM: jodi@ad.yieldmanager[1].txt (ID = 3751)
9:10 AM: Found Spy Cookie: adecn cookie
9:10 AM: jodi@adecn[2].txt (ID = 2063)
9:10 AM: Found Spy Cookie: adknowledge cookie
9:10 AM: jodi@adknowledge[2].txt (ID = 2072)
9:10 AM: Found Spy Cookie: specificclick.com cookie
9:10 AM: jodi@adopt.specificclick[1].txt (ID = 3400)
9:10 AM: Found Spy Cookie: addynamix cookie
9:10 AM: jodi@ads.addynamix[1].txt (ID = 2062)
9:10 AM: Found Spy Cookie: cc214142 cookie
9:10 AM: jodi@ads.cc214142[1].txt (ID = 2367)
9:10 AM: Found Spy Cookie: pointroll cookie
9:10 AM: jodi@ads.pointroll[1].txt (ID = 3148)
9:10 AM: Found Spy Cookie: advertising cookie
9:10 AM: jodi@advertising[1].txt (ID = 2175)
9:10 AM: Found Spy Cookie: apmebf cookie
9:10 AM: jodi@apmebf[1].txt (ID = 2229)
9:10 AM: Found Spy Cookie: atlas dmt cookie
9:10 AM: jodi@atdmt[2].txt (ID = 2253)
9:10 AM: Found Spy Cookie: bannerspace cookie
9:10 AM: jodi@bannerspace[1].txt (ID = 2284)
9:10 AM: Found Spy Cookie: belnk cookie
9:10 AM: jodi@belnk[1].txt (ID = 2292)
9:10 AM: Found Spy Cookie: bluestreak cookie
9:10 AM: jodi@bluestreak[1].txt (ID = 2314)
9:10 AM: Found Spy Cookie: zedo cookie
9:10 AM: jodi@c5.zedo[1].txt (ID = 3763)
9:10 AM: Found Spy Cookie: casalemedia cookie
9:10 AM: jodi@casalemedia[2].txt (ID = 2354)
9:10 AM: Found Spy Cookie: centrport net cookie
9:10 AM: jodi@centrport[1].txt (ID = 2374)
9:10 AM: jodi@dist.belnk[2].txt (ID = 2293)
9:10 AM: Found Spy Cookie: exitexchange cookie
9:10 AM: jodi@exitexchange[1].txt (ID = 2633)
9:10 AM: Found Spy Cookie: fastclick cookie
9:10 AM: jodi@fastclick[2].txt (ID = 2651)
9:10 AM: Found Spy Cookie: clickandtrack cookie
9:10 AM: jodi@hits.clickandtrack[2].txt (ID = 2397)
9:10 AM: Found Spy Cookie: maxserving cookie
9:10 AM: jodi@maxserving[2].txt (ID = 2966)
9:10 AM: Found Spy Cookie: nextag cookie
9:10 AM: jodi@nextag[1].txt (ID = 5014)
9:10 AM: Found Spy Cookie: overture cookie
9:10 AM: jodi@perf.overture[1].txt (ID = 3106)
9:10 AM: Found Spy Cookie: qksrv cookie
9:10 AM: jodi@qksrv[1].txt (ID = 3213)
9:10 AM: Found Spy Cookie: questionmarket cookie
9:10 AM: jodi@questionmarket[1].txt (ID = 3217)
9:10 AM: Found Spy Cookie: realmedia cookie
9:10 AM: jodi@realmedia[2].txt (ID = 3235)
9:10 AM: Found Spy Cookie: reunion cookie
9:10 AM: jodi@reunion[1].txt (ID = 3255)
9:10 AM: Found Spy Cookie: revenue.net cookie
9:10 AM: jodi@revenue[2].txt (ID = 3257)
9:10 AM: Found Spy Cookie: rn11 cookie
9:10 AM: jodi@rn11[2].txt (ID = 3261)
9:10 AM: Found Spy Cookie: servedby advertising cookie
9:10 AM: jodi@servedby.advertising[1].txt (ID = 3335)
9:10 AM: Found Spy Cookie: server.iad.liveperson cookie
9:10 AM: jodi@server.iad.liveperson[1].txt (ID = 3341)
9:10 AM: Found Spy Cookie: serving-sys cookie
9:10 AM: jodi@serving-sys[1].txt (ID = 3343)
9:10 AM: Found Spy Cookie: dealtime cookie
9:10 AM: jodi@stat.dealtime[1].txt (ID = 2506)
9:10 AM: Found Spy Cookie: statcounter cookie
9:10 AM: jodi@statcounter[2].txt (ID = 3447)
9:10 AM: Found Spy Cookie: webtrendslive cookie
9:10 AM: jodi@statse.webtrendslive[2].txt (ID = 3667)
9:10 AM: Found Spy Cookie: targetnet cookie
9:10 AM: jodi@targetnet[2].txt (ID = 3489)
9:10 AM: Found Spy Cookie: trafficmp cookie
9:10 AM: jodi@trafficmp[2].txt (ID = 3581)
9:10 AM: Found Spy Cookie: tribalfusion cookie
9:10 AM: jodi@tribalfusion[1].txt (ID = 3589)
9:10 AM: jodi@www.888[1].txt (ID = 2020)
9:10 AM: Found Spy Cookie: myaffiliateprogram.com cookie
9:10 AM: jodi@www.myaffiliateprogram[1].txt (ID = 3032)
9:10 AM: jodi@yieldmanager[1].txt (ID = 3749)
9:10 AM: Found Spy Cookie: adserver cookie
9:10 AM: jodi@z1.adserver[1].txt (ID = 2142)
9:10 AM: jodi@zedo[2].txt (ID = 3762)
9:10 AM: Found Spy Cookie: searchadnetwork cookie
9:10 AM: system@searchadnetwork[2].txt (ID = 3311)
9:10 AM: system@www.searchadnetwork[1].txt (ID = 3312)
9:10 AM: Cookie Sweep Complete, Elapsed Time: 00:00:03
9:10 AM: Starting File Sweep
9:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 AM: tsupdate_4_0_3_9_b2.exe (ID = 78281)
9:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 AM: asappsrv.dll.tcf (ID = 144945)
9:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:12 AM: command.exe.tcf (ID = 144946)
9:12 AM: Found Adware: apropos
9:12 AM: wingenerics.dll (ID = 50187)
9:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:13 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:13 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:13 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:13 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:13 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:13 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:13 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:13 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:14 AM: qookl.exe.tcf (ID = 78246)
9:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:15 AM: qookp.exe.tcf (ID = 78285)
9:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:22 AM: atmtd.dll (ID = 166754)
9:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:23 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:23 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:23 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:23 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:24 AM: tsinstall_4_0_3_8_b17.exe.tcf (ID = 78267)
9:25 AM: atmtd.dll._ (ID = 166754)
9:25 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:25 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:25 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:25 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:27 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:27 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:27 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:27 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:28 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:28 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:28 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:28 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:29 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:29 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:29 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:29 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:29 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:29 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:29 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:29 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:30 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:30 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:31 AM: sp2update00.exe (ID = 148759)
9:31 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || sp2update (ID = 0)
9:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:31 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:31 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:31 AM: 113_dollarrevenue_4_0_3_9.exe (ID = 166444)
9:31 AM: cmdinst.exe (ID = 185986)
9:31 AM: contextplus.exe (ID = 185940)
9:31 AM: glf35glf35.exe (ID = 166444)
9:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:32 AM: mte3ndi6odoxng.exe (ID = 185985)
9:32 AM: vocabulary (ID = 78283)
9:32 AM: class-barrel (ID = 78229)
9:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:33 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:33 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:33 AM: ma64uk.vbs (ID = 185675)
9:33 AM: Found System Monitor: potentially rootkit-masked files
9:33 AM: mdhcap32.exe (ID = 0)
9:33 AM: 00006784_436d57bf_00066e13 (ID = 0)
9:33 AM: 00004ae1_436d57bf_00090718 (ID = 0)
9:33 AM: 00007dd1_436d7220_0002e373 (ID = 0)
9:33 AM: lfpwcc32.exe (ID = 0)
9:33 AM: 00006d22_436e0222_0009b8f6 (ID = 0)
9:33 AM: 00001049_436e2de2_0002c048 (ID = 0)
9:33 AM: 00001a49_436e1b5a_000a68d6 (ID = 0)
9:33 AM: 000050a9_436e1d03_000bd932 (ID = 0)
9:33 AM: 00001316_436e1c5d_0004c9b0 (ID = 0)
9:33 AM: 00005d17_436e1ea8_000906b0 (ID = 0)
9:33 AM: 00006be8_436e2c8e_000b2c21 (ID = 0)
9:33 AM: 00001dc0_436e2cd2_000506b1 (ID = 0)
9:33 AM: 00003f4a_436e2d26_000d714c (ID = 0)
9:33 AM: 00000ddc_436e2bf4_000b267e (ID = 0)
9:33 AM: 00003004_436e2d13_0005899b (ID = 0)
9:33 AM: 0000591d_436e2ccf_00006041 (ID = 0)
9:36 AM: File Sweep Complete, Elapsed Time: 00:25:51
9:36 AM: Full Sweep has completed. Elapsed time 00:30:06
9:36 AM: Traces Found: 238
9:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:36 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:36 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:37 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:37 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:37 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:37 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:39 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:39 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:39 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:39 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:39 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:39 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:39 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:39 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:39 AM: Removal process initiated
9:40 AM: Quarantining All Traces: icannnews
9:40 AM: icannnews is in use. It will be removed on reboot.
9:40 AM: C:\WINDOWS\system32\socurity.dll is in use. It will be removed on reboot.
9:40 AM: C:\WINDOWS\system32\ktrul7991.dll is in use. It will be removed on reboot.
9:40 AM: Quarantining All Traces: apropos
9:40 AM: apropos is in use. It will be removed on reboot.
9:40 AM: wingenerics.dll is in use. It will be removed on reboot.
9:40 AM: Quarantining All Traces: sp2ms
9:40 AM: sp2ms is in use. It will be removed on reboot.
9:40 AM: C:\WINDOWS\sp2update00.exe is in use. It will be removed on reboot.
9:40 AM: Quarantining All Traces: command
9:40 AM: Quarantining All Traces: findthewebsiteyouneed hijacker
9:40 AM: Quarantining All Traces: multidial
9:40 AM: Quarantining All Traces: targetsaver
9:40 AM: Quarantining All Traces: 888 cookie
9:40 AM: Quarantining All Traces: addynamix cookie
9:40 AM: Quarantining All Traces: adecn cookie
9:40 AM: Quarantining All Traces: adknowledge cookie
9:40 AM: Quarantining All Traces: adserver cookie
9:40 AM: Quarantining All Traces: advertising cookie
9:40 AM: Quarantining All Traces: apmebf cookie
9:40 AM: Quarantining All Traces: atlas dmt cookie
9:40 AM: Quarantining All Traces: bannerspace cookie
9:40 AM: Quarantining All Traces: belnk cookie
9:40 AM: Quarantining All Traces: bluestreak cookie
9:40 AM: Quarantining All Traces: casalemedia cookie
9:40 AM: Quarantining All Traces: cc214142 cookie
9:40 AM: Quarantining All Traces: centrport net cookie
9:40 AM: Quarantining All Traces: clickandtrack cookie
9:40 AM: Quarantining All Traces: dealtime cookie
9:40 AM: Quarantining All Traces: exitexchange cookie
9:40 AM: Quarantining All Traces: fastclick cookie
9:40 AM: Quarantining All Traces: maxserving cookie
9:40 AM: Quarantining All Traces: myaffiliateprogram.com cookie
9:40 AM: Quarantining All Traces: nextag cookie
9:40 AM: Quarantining All Traces: overture cookie
9:40 AM: Quarantining All Traces: pointroll cookie
9:40 AM: Quarantining All Traces: qksrv cookie
9:40 AM: Quarantining All Traces: questionmarket cookie
9:40 AM: Quarantining All Traces: realmedia cookie
9:40 AM: Quarantining All Traces: reunion cookie
9:40 AM: Quarantining All Traces: revenue.net cookie
9:40 AM: Quarantining All Traces: rn11 cookie
9:40 AM: Quarantining All Traces: searchadnetwork cookie
9:40 AM: Quarantining All Traces: servedby advertising cookie
9:40 AM: Quarantining All Traces: server.iad.liveperson cookie
9:40 AM: Quarantining All Traces: serving-sys cookie
9:40 AM: Quarantining All Traces: specificclick.com cookie
9:40 AM: Quarantining All Traces: statcounter cookie
9:40 AM: Quarantining All Traces: targetnet cookie
9:40 AM: Quarantining All Traces: trafficmp cookie
9:40 AM: Quarantining All Traces: tribalfusion cookie
9:40 AM: Quarantining All Traces: websponsors cookie
9:40 AM: Quarantining All Traces: webtrendslive cookie
9:40 AM: Quarantining All Traces: yieldmanager cookie
9:40 AM: Quarantining All Traces: zedo cookie
9:41 AM: Removal process completed. Elapsed time 00:01:21


Ok, so that is that... now here is the new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 10:03:08 AM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Jodi\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 153.26.85.51:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Hopefully some of the nasties are gone... I will be standing by for further instructions.
THANKS AGAIN!!

#4 pskelley (Authentic Member, 3,879 posts)

Posted 12 November 2005 - 09:32 AM

Let's hope Spysweeper managed to remove the Rootkit; some of those infections leave security so affected that you can never be sure again. Management is suggesting that reformat is the only safe option. There is one Rootkit that SS is supposed to remove. Seems the key is that NOTHING else be open when SS is run. Let's see how you did.

I see a lot of cookies, I would locate the SS quarantine file and delete those.

9:40 AM: Quarantining All Traces: apropos
9:40 AM: apropos is in use. It will be removed on reboot.

This is the RK it located, that's the reason for the restart as soon as SS has completed its run. If there is L2m, it will also morph unless removed right away.

Looks good so far, let's remove the stuff SS is not for:

WinPatrol may block the HJT fix; if it does, you will need to disable it until after you finish.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

You have two of these lines; click the link to see where they go. If you use them, pass over them (http://yahoo.sbc.com/dsl). Check and remove the others.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
(if this is not used as the startpage, you may also remove it)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

You will want to have your wife review this information; here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions:
http://service1.syma...src=sec_doc_nam

Let me see one final log and any feedback you have.

Thanks...Phil
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#5 pskelley (Authentic Member, 3,879 posts)

Posted 13 November 2005 - 06:51 AM

Edited out this information...Phil. We will wait to see how things are running; let me have that new log and your feedback. Thanks

Edited by pskelley, 13 November 2005 - 07:33 AM.


#6 Osiris (New Member, 3 posts)

Posted 13 November 2005 - 12:26 PM

Ok Phil, feedback wise I cannot thank you enough!!

I followed all of your instructions to a tee. I installed most of the programs listed in this advice board:
http://boards.cexx.o...topic.php?t=957

I also ran SS again after I had done everything with HijackThis (but before I messed with any restore points), and I found that potential rootkit file that I mentioned before. This time, however, with so much nasty stuff removed, I think it was able to get rid of it and reboot.

Let me know if you would like to see the most recent session log of SS.

Here is my most recent Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 1:19:53 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jodi\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 153.26.85.51:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I do have 2 questions:

1. When the trial is up on SS, do I need to do anything special before uninstalling (i.e. remove quarantined files, etc.)?
2. I posted in tomcoyote and then about 4 days later I posted the same log file in spywareinfo.com. You replied to me first, so I ignored the advice I received there and followed your instructions. However, I received different instructions from them. I want to post them below, to see if you think I should do any of this (considering I had the rootkit file). If you think that this stuff is redundant, then just let me know and I will let them know my problems have been solved!!

Hi Boomerzs;
You may want to copy and paste this text into a Notepad file, to place on your desktop and review as you work.

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file or from Temporary folders, because the backups will be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder', then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

Next:
Part 1
Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
Copy the contents of that log and paste it into this thread, along with a fresh Hijack This logfile.

To post, please use the Add Reply feature, so I will be notified.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
(All the above is what they had to say)


My wife's laptop is running smoothly again, yeeeahh!
Phil you have my sincere gratitude! THANK YOU!!!

#7 pskelley (Authentic Member, 3,879 posts)

Posted 13 November 2005 - 01:36 PM

Hello, and I am glad to hear the computer is running well. The importance of the reboot in removing these infections shows in your experience. I might mention that it is not a good policy to use resources at multiple sites; we all work closely together. In fact, the folks who created the fix you posted, atribune and subratam, were instrumental in helping to develop the SpySweeper fix. That fix is more complex, and of late, because the Look2me infection has been morphing and changing so often, it has been hard for them to keep up with the fix and parts of it were failing. It is updated now, and if SS had not done the job, that would have been the next thing we would have tried. If you did not close that thread, please do so, so that efforts are not wasted.

As for the question concerning SS, the only bad thing is that if you pick up that infection again, your free trial has been used. Once you are finished with the program, I will say that the thing to do would be to uninstall the program in Add/Remove Programs and then to remove the folder C:\Program Files\Webroot\; everything, quarantine and all, should go with the folder. If it remains in your Services, disable it, and you can use HJT to delete it if you wish:
http://is-it-true.or...s/utips76.shtml

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (the service) and press OK.
OK any prompts, close HijackThis, and restart your computer.

If any of the lines remain in your HJT log, use HJT to remove them.

I do need to point out that adware I scheduled for removal is still in your log. It is possible that powerful programs like WinPatrol and Spysweeper are blocking removal, if you did try to remove it with HJT. It is just adware and clutter that will slow your browser, and I suggest you remove it. I would say to go offline, then turn off the spyware programs, remove the stuff, then restart your protection before going back online. Here is that junk:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Don't be fooled by the yahoo word in the link; this is adware and should be removed from the computer.

Safe surfing...Phil

Thanks...pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.

Edited by pskelley, 13 November 2005 - 01:37 PM.

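The hand triage Phil applies in posts #4 and #7 (keep the start page the user actually relies on, fix the rest, look twice at a proxy setting, and don't trust a yahoo name that only appears in the path of someone else's URL), as an added Python example that is not HijackThis, Spy Sweeper or any forum tool. The trusted-host list and the sample lines, taken from the logs in this thread with the forum's "..." truncation left as-is, are assumptions.

```python
"""Triage of HijackThis R0/R1 lines (IE start/search pages and proxy).

Added example for this thread, not HijackThis, Spy Sweeper or a forum
tool. It applies the reasoning in the posts above: keep a line whose
host the user actually relies on, flag the rest for "Fix Checked", flag
a proxy server for review, and do not trust a familiar name that appears
only in the path of a URL whose host is somewhere else.
"""
import re
from urllib.parse import urlsplit

# Assumption from the thread: the SBC/Yahoo DSL page and the Toshiba OEM
# page are the pages this user wants; anything else is not.
TRUSTED_HOSTS = {"yahoo.sbc.com", "www.toshiba.com"}

# Names adware likes to put in a URL to look harmless (the thread's
# "don't be fooled by the yahoo word in the link").
FAMILIAR_NAMES = TRUSTED_HOSTS | {"www.yahoo.com"}

# Sample lines constructed from the logs posted above. The "..." is the
# forum's truncation of long URLs and is kept as it appears.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 153.26.85.51:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
"""

# R0/R1 line: "R1 - <hive\key path>,<value name> = <data>"; the key path
# never contains a comma, so the first comma ends it.
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")


def parse_r_line(line):
    """Return a dict for an R0/R1 line, or None for any other HJT line."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    kind, key, name, data = m.groups()
    return {"kind": kind, "key": key, "name": name.strip(), "data": data.strip()}


def triage(entry):
    """Return (verdict, reason) for one parsed R0/R1 entry."""
    name, data = entry["name"], entry["data"]
    if name == "ProxyServer":
        # A proxy the user never configured relays every browser request.
        return ("review", f"browser proxy {data} is set; confirm the user configured it")
    if name == "ProxyOverride":
        return ("info", f"proxy bypass list: {data}")
    parts = urlsplit(data)
    host = (parts.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return ("keep", f"host {host} is on the trusted list")
    # Look for a familiar name hiding after the real host, e.g. ".../ /www.yahoo.com".
    tail = (parts.path + "?" + parts.query if parts.query else parts.path).lower()
    decoys = sorted(n for n in FAMILIAR_NAMES if n in tail)
    reason = f"host {host or '(none)'} is not trusted"
    if decoys:
        reason += f"; {', '.join(decoys)} appears only in the path (decoy)"
    return ("fix", reason)


def triage_log(text):
    """Parse every R0/R1 line in an HJT log and attach a verdict to each."""
    results = []
    for line in text.splitlines():
        entry = parse_r_line(line)
        if entry is None:
            continue
        verdict, reason = triage(entry)
        results.append({**entry, "verdict": verdict, "reason": reason})
    return results


def summarize(results):
    """Count verdicts, e.g. {'fix': 5, 'keep': 2, 'review': 1, 'info': 1}."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage_log(SAMPLE_LOG)
    for r in rows:
        print(f"{r['verdict']:6} {r['kind']} {r['name']:<18} {r['reason']}")
    print(summarize(rows))
```

The five "fix" lines are exactly the red.clientapp entries Phil lists, and the proxy line is the one setting in these logs nobody in the thread commented on, which is why it is flagged for review rather than automatically removed.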

#8 pskelley (Authentic Member, 3,879 posts)

Posted 14 November 2005 - 06:58 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php