Logfile of HijackThis. Infected with BlackWorm & other


This topic is locked
79 replies to this topic

#1 devotion (Authentic Member, 43 posts)

Posted 09 March 2006 - 10:26 AM

I have aggressive popups. Programs try to reinstall.
Please find logfile below.
Thank you for your help.


Logfile of HijackThis v1.99.1
Scan saved at 10:00:35 AM, on 3/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Sm9uZXM\command.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wupnp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\B7.tmp
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
O20 - Winlogon Notify: Reliability - C:\WINNT\system32\gpp2l37o1.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Sm9uZXM\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcmsvc) - Unknown owner - C:\WINNT\system32\rpcmsvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe


#2 devotion (Authentic Member, 43 posts)

Posted 09 March 2006 - 05:44 PM

Ad-Aware Log
ArchiveData(auto-quarantine- 2006-03-09 17-13-40.bckp)
Referencefile : SE1R96 09.03.2006
======================================================

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINNT\system32\e6200gfme62a0.dll
obj[3]=Process : C:\WINNT\system32\guard.tmp
obj[5]=Process : C:\WINNT\system32\guard.tmp

CMDSERVICES
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Process : C:\WINNT\Sm9uZXM\command.exe
obj[2]=Process : C:\WINNT\Sm9uZXM\asappsrv.dll
obj[4]=Process : C:\WINNT\Sm9uZXM\asappsrv.dll
obj[6]=Process : C:\WINNT\Sm9uZXM\asappsrv.dll

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[7]=IECache Entry : Cookie:jones@imrworldwide.com/cgi-bin
obj[8]=IECache Entry : Cookie:jones@mediaplex.com/
obj[9]=IECache Entry : Cookie:jones@doubleclick.net/
obj[10]=IECache Entry : Cookie:jones@atdmt.com/
obj[11]=IECache Entry : Cookie:jones@www.stopzilla.com/

#3 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 March 2006 - 06:11 PM

Hello devotion, welcome to the TC.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Results from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom

 


#4 devotion (Authentic Member, 43 posts)

Posted 09 March 2006 - 10:02 PM

Hi LDTate, thanks for your help... Tried the Spy Sweep; it was working fine, then the PC stopped responding, the screen turned solid blue and I had to restart. Boxes are popping up for programs to install / reinstall. Will try again.

#5 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 March 2006 - 10:03 PM

Try unplugging your internet connection and try spysweeper again. It's late and I'm headed to bed. Will post again tomorrow.


#6 devotion (Authentic Member, 43 posts)

Posted 10 March 2006 - 04:05 PM

Hi LDTate, Sweep log and HJT log. Unplugged internet to run Spy Sweeper, worked better. I had a large zip file I use for work; I deleted it because it just reviewed that file for hours. Deleted it, restarted Spy Sweeper, worked fine to get the following log. Computer is still slow but not having popups like before. I have not bothered anything else. Please advise. Thank you.

********
2:04 PM: | Start of Session, Friday, March 10, 2006 |
2:04 PM: Spy Sweeper started
2:04 PM: Sweep initiated using definitions version 630
2:04 PM: Found Adware: quicklink search toolbar
2:04 PM: HKCR\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\inprocserver32\ (2 subtraces) (ID = 1190418)
2:04 PM: v9gcyb8xi.dll (ID = 1190418)
2:04 PM: HKCR\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\inprocserver32\ (2 subtraces) (ID = 1190420)
2:04 PM: v9gcyb8xi.dll (ID = 1190420)
2:04 PM: Starting Memory Sweep
2:06 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error
2:07 PM: Found Adware: command
2:07 PM: Detected running threat: C:\WINNT\Sm9uZXM\command.exe (ID = 144946)
2:09 PM: Detected running threat: C:\WINNT\Sm9uZXM\asappsrv.dll (ID = 144945)
2:09 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". Stream read error
2:10 PM: Memory Sweep Complete, Elapsed Time: 00:05:22
2:10 PM: Starting Registry Sweep
2:11 PM: Found Adware: enbrowser
2:11 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
2:11 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
2:11 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (8 subtraces) (ID = 1016064)
2:11 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (10 subtraces) (ID = 1016072)
2:11 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
2:11 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
2:11 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
2:11 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
2:11 PM: HKCR\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\ (8 subtraces) (ID = 1180476)
2:11 PM: HKCR\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\ (8 subtraces) (ID = 1180485)
2:11 PM: HKCR\typelib\{e3b39f3e-a325-48b2-a4b0-c27d8becf90d}\ (9 subtraces) (ID = 1180496)
2:11 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
2:11 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
2:11 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
2:11 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
2:11 PM: HKLM\software\classes\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\ (8 subtraces) (ID = 1180539)
2:11 PM: HKLM\software\classes\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\ (8 subtraces) (ID = 1180548)
2:11 PM: HKLM\software\classes\typelib\{e3b39f3e-a325-48b2-a4b0-c27d8becf90d}\ (9 subtraces) (ID = 1180559)
2:11 PM: HKU\S-1-5-21-1935655697-1677128483-1060284298-1000\software\system\sysuid\ (1 subtraces) (ID = 731748)
2:11 PM: Registry Sweep Complete, Elapsed Time:00:01:16
2:11 PM: Starting Cookie Sweep
2:11 PM: Found Spy Cookie: 80503492 cookie
2:11 PM: jones@80503492[1].txt (ID = 2013)
2:11 PM: Found Spy Cookie: 888 cookie
2:11 PM: jones@888[1].txt (ID = 2019)
2:11 PM: Found Spy Cookie: websponsors cookie
2:11 PM: jones@a.websponsors[2].txt (ID = 3665)
2:11 PM: Found Spy Cookie: about cookie
2:11 PM: jones@about[2].txt (ID = 2037)
2:11 PM: Found Spy Cookie: yieldmanager cookie
2:11 PM: jones@ad.yieldmanager[1].txt (ID = 3751)
2:11 PM: Found Spy Cookie: adecn cookie
2:11 PM: jones@adecn[2].txt (ID = 2063)
2:11 PM: Found Spy Cookie: adknowledge cookie
2:11 PM: jones@adknowledge[2].txt (ID = 2072)
2:11 PM: Found Spy Cookie: hbmediapro cookie
2:11 PM: jones@adopt.hbmediapro[2].txt (ID = 2768)
2:11 PM: Found Spy Cookie: specificclick.com cookie
2:11 PM: jones@adopt.specificclick[2].txt (ID = 3400)
2:11 PM: Found Spy Cookie: adorigin cookie
2:11 PM: jones@adorigin[2].txt (ID = 2082)
2:11 PM: Found Spy Cookie: adprofile cookie
2:11 PM: jones@adprofile[2].txt (ID = 2084)
2:11 PM: Found Spy Cookie: cc214142 cookie
2:11 PM: jones@ads.cc214142[2].txt (ID = 2367)
2:11 PM: Found Spy Cookie: revenue.net cookie
2:11 PM: jones@ads1.revenue[1].txt (ID = 3258)
2:11 PM: Found Spy Cookie: 2o7.net cookie
2:11 PM: jones@americasnotenetwork.122.2o7[1].txt (ID = 1958)
2:11 PM: Found Spy Cookie: ask cookie
2:11 PM: jones@ask[1].txt (ID = 2245)
2:11 PM: Found Spy Cookie: atwola cookie
2:11 PM: jones@atwola[1].txt (ID = 2255)
2:11 PM: Found Spy Cookie: azjmp cookie
2:11 PM: jones@azjmp[1].txt (ID = 2270)
2:11 PM: Found Spy Cookie: banners cookie
2:11 PM: jones@banners[1].txt (ID = 2282)
2:11 PM: Found Spy Cookie: belnk cookie
2:11 PM: jones@belnk[1].txt (ID = 2292)
2:11 PM: Found Spy Cookie: bizrate cookie
2:11 PM: jones@bizrate[2].txt (ID = 2308)
2:11 PM: Found Spy Cookie: bluestreak cookie
2:11 PM: jones@bluestreak[1].txt (ID = 2314)
2:11 PM: Found Spy Cookie: burstnet cookie
2:11 PM: jones@burstnet[2].txt (ID = 2336)
2:11 PM: Found Spy Cookie: enhance cookie
2:11 PM: jones@c.enhance[1].txt (ID = 2614)
2:11 PM: Found Spy Cookie: cassava cookie
2:11 PM: jones@cassava[1].txt (ID = 2362)
2:11 PM: jones@compreviews.about[2].txt (ID = 2038)
2:11 PM: Found Spy Cookie: overture cookie
2:11 PM: jones@data1.perf.overture[2].txt (ID = 3106)
2:11 PM: Found Spy Cookie: delfinproject cookie
2:11 PM: jones@delfinproject[2].txt (ID = 2509)
2:11 PM: jones@dist.belnk[2].txt (ID = 2293)
2:11 PM: jones@entrepreneurs.about[1].txt (ID = 2038)
2:11 PM: Found Spy Cookie: exitexchange cookie
2:11 PM: jones@exitexchange[2].txt (ID = 2633)
2:11 PM: Found Spy Cookie: starware.com cookie
2:11 PM: jones@h.starware[1].txt (ID = 3442)
2:11 PM: jones@hbmediapro[1].txt (ID = 2767)
2:11 PM: Found Spy Cookie: clickandtrack cookie
2:11 PM: jones@hits.clickandtrack[1].txt (ID = 2397)
2:11 PM: Found Spy Cookie: hypertracker.com cookie
2:11 PM: jones@hypertracker[2].txt (ID = 2817)
2:11 PM: Found Spy Cookie: ic-live cookie
2:11 PM: jones@ic-live[1].txt (ID = 2821)
2:11 PM: Found Spy Cookie: nextag cookie
2:11 PM: jones@nextag[2].txt (ID = 5014)
2:11 PM: Found Spy Cookie: megago cookie
2:11 PM: jones@northalabamahomeeducators.freeservers[1].txt (ID = 2983)
2:11 PM: jones@partygaming.122.2o7[1].txt (ID = 1958)
2:11 PM: Found Spy Cookie: partypoker cookie
2:11 PM: jones@partypoker[2].txt (ID = 3111)
2:11 PM: Found Spy Cookie: paypopup cookie
2:11 PM: jones@paypopup[1].txt (ID = 3119)
2:11 PM: Found Spy Cookie: pricegrabber cookie
2:11 PM: jones@pricegrabber[2].txt (ID = 3185)
2:11 PM: jones@secure.adprofile[1].txt (ID = 2085)
2:11 PM: Found Spy Cookie: sirsearch cookie
2:11 PM: jones@sirsearch[1].txt (ID = 3379)
2:11 PM: Found Spy Cookie: dealtime cookie
2:11 PM: jones@stat.dealtime[1].txt (ID = 2506)
2:11 PM: Found Spy Cookie: reliablestats cookie
2:11 PM: jones@stats1.reliablestats[1].txt (ID = 3254)
2:11 PM: Found Spy Cookie: tacoda cookie
2:11 PM: jones@tacoda[1].txt (ID = 6444)
2:11 PM: Found Spy Cookie: upspiral cookie
2:11 PM: jones@upspiral[1].txt (ID = 3614)
2:11 PM: Found Spy Cookie: videodome cookie
2:11 PM: jones@videodome[1].txt (ID = 3638)
2:11 PM: Found Spy Cookie: burstbeacon cookie
2:11 PM: jones@www.burstbeacon[2].txt (ID = 2335)
2:11 PM: jones@www.nextag[1].txt (ID = 5015)
2:11 PM: Found Spy Cookie: redzip cookie
2:11 PM: jones@www.redzip[2].txt (ID = 3250)
2:11 PM: jones@www.upspiral[2].txt (ID = 3615)
2:11 PM: Found Spy Cookie: winantiviruspro cookie
2:11 PM: jones@www.winantiviruspro[1].txt (ID = 3690)
2:11 PM: Found Spy Cookie: seeq cookie
2:11 PM: jones@www48.seeq[1].txt (ID = 3332)
2:11 PM: jones@yieldmanager[1].txt (ID = 3749)
2:11 PM: Cookie Sweep Complete, Elapsed Time: 00:00:13
2:11 PM: Starting File Sweep
2:12 PM: atmtd.dll._ (ID = 166754)
2:17 PM: Found Adware: effective-i toolbar
2:17 PM: glb8a.tmp (ID = 253666)
2:17 PM: Found Adware: comet cursor
2:17 PM: csbho.dll (ID = 53512)
2:19 PM: Found Adware: adlogix
2:19 PM: gcllzf.exe (ID = 49210)
2:20 PM: Found Trojan Horse: trojan-downloader-nextern
2:20 PM: aebcq9z5w.exe (ID = 252979)
2:21 PM: ms03836209409.exe (ID = 244278)
2:21 PM: Found Adware: winantispyware 2005
2:21 PM: uwasfsd.sys (ID = 242115)
2:25 PM: gcllzd.exe (ID = 49209)
2:27 PM: ms038362094092006.exe (ID = 254903)
2:30 PM: sysc00.exe (ID = 244277)
2:30 PM: Found Adware: elitemediagroup-mediamotor
2:30 PM: mcspy.exe (ID = 251295)
2:31 PM: Found Adware: look2me
2:31 PM: k2620cjoefoc0.dll (ID = 159)
2:31 PM: gcllzc.exe (ID = 49208)
2:31 PM: Found System Monitor: spion
2:31 PM: unistb32.exe (ID = 76299)
2:31 PM: u1um0id.exe (ID = 257313)
2:32 PM: Found Adware: findthewebsiteyouneed hijacker
2:32 PM: winsysupd11.exe (ID = 253754)
2:33 PM: Found Adware: surfsidekick
2:33 PM: sskupdater3.exe (ID = 251246)
2:34 PM: winsysupd11.exe (ID = 253754)
2:35 PM: asappsrv.dll (ID = 144945)
2:37 PM: atmtd.dll (ID = 166754)
2:41 PM: uni_eh.exe (ID = 245110)
2:44 PM: command.exe (ID = 144946)
2:45 PM: i98.tmp (ID = 253411)
2:45 PM: unin101.exe (ID = 245111)
2:46 PM: Found Adware: zenosearchassistant
2:46 PM: qrdsregj.exe (ID = 293)
2:47 PM: ttbitt.exe (ID = 252995)
2:47 PM: setup.exe (ID = 242102)
2:47 PM: v9gcyb8xi.dll (ID = 252997)
2:47 PM: kt06l7ds1.dll (ID = 159)
2:47 PM: win3208940983620.exe (ID = 254903)
2:47 PM: winantispyware2006setup.exe (ID = 242357)
2:47 PM: crmsvcs.dll (ID = 159)
2:47 PM: pf78.exe (ID = 244430)
2:47 PM: dgfgql.exe (ID = 257312)
2:47 PM: m2820cloefqc0.dll (ID = 159)
2:47 PM: gp82l3lo1.dll (ID = 159)
2:47 PM: wrgscuu.xrz (ID = 208796)
2:47 PM: e0jm0a11ed.dll (ID = 159)
2:49 PM: ma6rtrg.vbs (ID = 185675)
2:49 PM: Warning: Invalid Stream
2:50 PM: Warning: Invalid Stream
2:50 PM: uninstall cyber-detective toolkit.lnk (ID = 76299)
2:50 PM: File Sweep Complete, Elapsed Time: 00:38:57
2:50 PM: Full Sweep has completed. Elapsed time 00:46:12
2:50 PM: Traces Found: 231
2:54 PM: Removal process initiated
2:54 PM: Quarantining All Traces: adlogix
2:54 PM: Quarantining All Traces: look2me
2:54 PM: Quarantining All Traces: spion
2:54 PM: Quarantining All Traces: comet cursor
2:54 PM: Quarantining All Traces: elitemediagroup-mediamotor
2:54 PM: Quarantining All Traces: enbrowser
2:54 PM: Quarantining All Traces: quicklink search toolbar
2:54 PM: Quarantining All Traces: surfsidekick
2:55 PM: Quarantining All Traces: trojan-downloader-nextern
2:55 PM: Quarantining All Traces: command
2:55 PM: command is in use. It will be removed on reboot.
2:55 PM: asappsrv.dll is in use. It will be removed on reboot.
2:55 PM: C:\WINNT\Sm9uZXM\command.exe is in use. It will be removed on reboot.
2:55 PM: C:\WINNT\Sm9uZXM\asappsrv.dll is in use. It will be removed on reboot.
2:55 PM: Quarantining All Traces: effective-i toolbar
2:55 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
2:55 PM: Quarantining All Traces: zenosearchassistant
2:55 PM: Quarantining All Traces: 2o7.net cookie
2:55 PM: Quarantining All Traces: 80503492 cookie
2:55 PM: Quarantining All Traces: 888 cookie
2:55 PM: Quarantining All Traces: about cookie
2:55 PM: Quarantining All Traces: adecn cookie
2:55 PM: Quarantining All Traces: adknowledge cookie
2:55 PM: Quarantining All Traces: adorigin cookie
2:55 PM: Quarantining All Traces: adprofile cookie
2:55 PM: Quarantining All Traces: ask cookie
2:55 PM: Quarantining All Traces: atwola cookie
2:55 PM: Quarantining All Traces: azjmp cookie
2:55 PM: Quarantining All Traces: banners cookie
2:55 PM: Quarantining All Traces: belnk cookie
2:55 PM: Quarantining All Traces: bizrate cookie
2:55 PM: Quarantining All Traces: bluestreak cookie
2:55 PM: Quarantining All Traces: burstbeacon cookie
2:55 PM: Quarantining All Traces: burstnet cookie
2:55 PM: Quarantining All Traces: cassava cookie
2:55 PM: Quarantining All Traces: cc214142 cookie
2:55 PM: Quarantining All Traces: clickandtrack cookie
2:55 PM: Quarantining All Traces: dealtime cookie
2:55 PM: Quarantining All Traces: delfinproject cookie
2:55 PM: Quarantining All Traces: enhance cookie
2:55 PM: Quarantining All Traces: exitexchange cookie
2:55 PM: Quarantining All Traces: hbmediapro cookie
2:55 PM: Quarantining All Traces: hypertracker.com cookie
2:55 PM: Quarantining All Traces: ic-live cookie
2:55 PM: Quarantining All Traces: megago cookie
2:55 PM: Quarantining All Traces: nextag cookie
2:55 PM: Quarantining All Traces: overture cookie
2:55 PM: Quarantining All Traces: partypoker cookie
2:55 PM: Quarantining All Traces: paypopup cookie
2:55 PM: Quarantining All Traces: pricegrabber cookie
2:55 PM: Quarantining All Traces: redzip cookie
2:55 PM: Quarantining All Traces: reliablestats cookie
2:55 PM: Quarantining All Traces: revenue.net cookie
2:55 PM: Quarantining All Traces: seeq cookie
2:55 PM: Quarantining All Traces: sirsearch cookie
2:55 PM: Quarantining All Traces: specificclick.com cookie
2:55 PM: Quarantining All Traces: starware.com cookie
2:55 PM: Quarantining All Traces: tacoda cookie
2:55 PM: Quarantining All Traces: upspiral cookie
2:55 PM: Quarantining All Traces: videodome cookie
2:55 PM: Quarantining All Traces: websponsors cookie
2:55 PM: Quarantining All Traces: winantispyware 2005
2:56 PM: Quarantining All Traces: winantiviruspro cookie
2:56 PM: Quarantining All Traces: yieldmanager cookie
2:57 PM: Removal process completed. Elapsed time 00:03:53

********
9:08 AM: | Start of Session, Friday, March 10, 2006 |
9:08 AM: Spy Sweeper started
9:08 AM: Sweep initiated using definitions version 630
9:08 AM: Found Adware: quicklink search toolbar
9:08 AM: HKCR\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\inprocserver32\ (2 subtraces) (ID = 1190418)
9:08 AM: v9gcyb8xi.dll (ID = 1190418)
9:08 AM: HKCR\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\inprocserver32\ (2 subtraces) (ID = 1190420)
9:08 AM: v9gcyb8xi.dll (ID = 1190420)
9:08 AM: Starting Memory Sweep
9:09 AM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error
9:10 AM: Found Adware: command
9:10 AM: Detected running threat: C:\WINNT\Sm9uZXM\asappsrv.dll (ID = 144945)
9:11 AM: Warning: Failed to check file "C:\WINNT\system32\ctpbk32.dll". Stream read error
9:11 AM: Detected running threat: C:\WINNT\Sm9uZXM\command.exe (ID = 144946)
9:13 AM: Memory Sweep Complete, Elapsed Time: 00:05:19
9:13 AM: Starting Registry Sweep
9:14 AM: Found Adware: enbrowser
9:14 AM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
9:14 AM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
9:14 AM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (8 subtraces) (ID = 1016064)
9:14 AM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (10 subtraces) (ID = 1016072)
9:14 AM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
9:14 AM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
9:14 AM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
9:14 AM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
9:14 AM: HKCR\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\ (8 subtraces) (ID = 1180476)
9:14 AM: HKCR\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\ (8 subtraces) (ID = 1180485)
9:14 AM: HKCR\typelib\{e3b39f3e-a325-48b2-a4b0-c27d8becf90d}\ (9 subtraces) (ID = 1180496)
9:14 AM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
9:14 AM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
9:14 AM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
9:14 AM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
9:14 AM: HKLM\software\classes\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\ (8 subtraces) (ID = 1180539)
9:14 AM: HKLM\software\classes\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\ (8 subtraces) (ID = 1180548)
9:14 AM: HKLM\software\classes\typelib\{e3b39f3e-a325-48b2-a4b0-c27d8becf90d}\ (9 subtraces) (ID = 1180559)
9:14 AM: HKU\S-1-5-21-1935655697-1677128483-1060284298-1000\software\system\sysuid\ (1 subtraces) (ID = 731748)
9:14 AM: Registry Sweep Complete, Elapsed Time:00:01:09
9:14 AM: Starting Cookie Sweep
9:14 AM: Found Spy Cookie: 80503492 cookie
9:14 AM: jones@80503492[1].txt (ID = 2013)
9:14 AM: Found Spy Cookie: 888 cookie
9:14 AM: jones@888[1].txt (ID = 2019)
9:14 AM: Found Spy Cookie: websponsors cookie
9:14 AM: jones@a.websponsors[2].txt (ID = 3665)
9:14 AM: Found Spy Cookie: about cookie
9:14 AM: jones@about[2].txt (ID = 2037)
9:14 AM: Found Spy Cookie: yieldmanager cookie
9:14 AM: jones@ad.yieldmanager[2].txt (ID = 3751)
9:14 AM: Found Spy Cookie: adecn cookie
9:14 AM: jones@adecn[2].txt (ID = 2063)
9:14 AM: Found Spy Cookie: adknowledge cookie
9:14 AM: jones@adknowledge[2].txt (ID = 2072)
9:14 AM: Found Spy Cookie: hbmediapro cookie
9:14 AM: jones@adopt.hbmediapro[2].txt (ID = 2768)
9:14 AM: Found Spy Cookie: specificclick.com cookie
9:14 AM: jones@adopt.specificclick[2].txt (ID = 3400)
9:14 AM: Found Spy Cookie: adorigin cookie
9:14 AM: jones@adorigin[2].txt (ID = 2082)
9:14 AM: Found Spy Cookie: adprofile cookie
9:14 AM: jones@adprofile[2].txt (ID = 2084)
9:14 AM: Found Spy Cookie: cc214142 cookie
9:14 AM: jones@ads.cc214142[2].txt (ID = 2367)
9:14 AM: Found Spy Cookie: revenue.net cookie
9:14 AM: jones@ads1.revenue[1].txt (ID = 3258)
9:14 AM: Found Spy Cookie: 2o7.net cookie
9:14 AM: jones@americasnotenetwork.122.2o7[1].txt (ID = 1958)
9:14 AM: Found Spy Cookie: ask cookie
9:14 AM: jones@ask[1].txt (ID = 2245)
9:14 AM: Found Spy Cookie: atwola cookie
9:14 AM: jones@atwola[1].txt (ID = 2255)
9:14 AM: Found Spy Cookie: azjmp cookie
9:14 AM: jones@azjmp[1].txt (ID = 2270)
9:14 AM: Found Spy Cookie: banners cookie
9:14 AM: jones@banners[1].txt (ID = 2282)
9:14 AM: Found Spy Cookie: belnk cookie
9:14 AM: jones@belnk[1].txt (ID = 2292)
9:14 AM: Found Spy Cookie: bizrate cookie
9:14 AM: jones@bizrate[2].txt (ID = 2308)
9:14 AM: Found Spy Cookie: bluestreak cookie
9:14 AM: jones@bluestreak[1].txt (ID = 2314)
9:14 AM: Found Spy Cookie: burstnet cookie
9:14 AM: jones@burstnet[1].txt (ID = 2336)
9:15 AM: Found Spy Cookie: enhance cookie
9:15 AM: jones@c.enhance[1].txt (ID = 2614)
9:15 AM: Found Spy Cookie: cassava cookie
9:15 AM: jones@cassava[1].txt (ID = 2362)
9:15 AM: jones@compreviews.about[2].txt (ID = 2038)
9:15 AM: Found Spy Cookie: overture cookie
9:15 AM: jones@data1.perf.overture[2].txt (ID = 3106)
9:15 AM: Found Spy Cookie: delfinproject cookie
9:15 AM: jones@delfinproject[2].txt (ID = 2509)
9:15 AM: jones@dist.belnk[2].txt (ID = 2293)
9:15 AM: jones@entrepreneurs.about[1].txt (ID = 2038)
9:15 AM: Found Spy Cookie: exitexchange cookie
9:15 AM: jones@exitexchange[2].txt (ID = 2633)
9:15 AM: Found Spy Cookie: starware.com cookie
9:15 AM: jones@h.starware[1].txt (ID = 3442)
9:15 AM: jones@hbmediapro[1].txt (ID = 2767)
9:15 AM: Found Spy Cookie: clickandtrack cookie
9:15 AM: jones@hits.clickandtrack[1].txt (ID = 2397)
9:15 AM: Found Spy Cookie: hypertracker.com cookie
9:15 AM: jones@hypertracker[2].txt (ID = 2817)
9:15 AM: Found Spy Cookie: ic-live cookie
9:15 AM: jones@ic-live[1].txt (ID = 2821)
9:15 AM: Found Spy Cookie: nextag cookie
9:15 AM: jones@nextag[2].txt (ID = 5014)
9:15 AM: Found Spy Cookie: megago cookie
9:15 AM: jones@northalabamahomeeducators.freeservers[1].txt (ID = 2983)
9:15 AM: jones@partygaming.122.2o7[1].txt (ID = 1958)
9:15 AM: Found Spy Cookie: partypoker cookie
9:15 AM: jones@partypoker[2].txt (ID = 3111)
9:15 AM: Found Spy Cookie: paypopup cookie
9:15 AM: jones@paypopup[1].txt (ID = 3119)
9:15 AM: Found Spy Cookie: pricegrabber cookie
9:15 AM: jones@pricegrabber[2].txt (ID = 3185)
9:15 AM: jones@secure.adprofile[1].txt (ID = 2085)
9:15 AM: Found Spy Cookie: sirsearch cookie
9:15 AM: jones@sirsearch[1].txt (ID = 3379)
9:15 AM: Found Spy Cookie: dealtime cookie
9:15 AM: jones@stat.dealtime[1].txt (ID = 2506)
9:15 AM: Found Spy Cookie: reliablestats cookie
9:15 AM: jones@stats1.reliablestats[1].txt (ID = 3254)
9:15 AM: Found Spy Cookie: tacoda cookie
9:15 AM: jones@tacoda[1].txt (ID = 6444)
9:15 AM: Found Spy Cookie: upspiral cookie
9:15 AM: jones@upspiral[1].txt (ID = 3614)
9:15 AM: Found Spy Cookie: videodome cookie
9:15 AM: jones@videodome[1].txt (ID = 3638)
9:15 AM: Found Spy Cookie: burstbeacon cookie
9:15 AM: jones@www.burstbeacon[1].txt (ID = 2335)
9:15 AM: jones@www.nextag[1].txt (ID = 5015)
9:15 AM: Found Spy Cookie: redzip cookie
9:15 AM: jones@www.redzip[2].txt (ID = 3250)
9:15 AM: jones@www.upspiral[2].txt (ID = 3615)
9:15 AM: Found Spy Cookie: winantiviruspro cookie
9:15 AM: jones@www.winantiviruspro[1].txt (ID = 3690)
9:15 AM: Found Spy Cookie: seeq cookie
9:15 AM: jones@www48.seeq[1].txt (ID = 3332)
9:15 AM: jones@yieldmanager[1].txt (ID = 3749)
9:15 AM: Cookie Sweep Complete, Elapsed Time: 00:00:11
9:15 AM: Starting File Sweep
9:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:16 AM: atmtd.dll._ (ID = 166754)
9:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:18 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:18 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:19 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:20 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:21 AM: Found Adware: effective-i toolbar
9:21 AM: glb8a.tmp (ID = 253666)
9:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:21 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:21 AM: Found Adware: comet cursor
9:21 AM: csbho.dll (ID = 53512)
9:22 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:23 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:23 AM: Found Adware: adlogix
9:23 AM: gcllzf.exe (ID = 49210)
9:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:24 AM: Found Trojan Horse: trojan-downloader-nextern
9:24 AM: aebcq9z5w.exe (ID = 252979)
9:25 AM: ms03836209409.exe (ID = 244278)
9:25 AM: Found Adware: winantispyware 2005
9:25 AM: uwasfsd.sys (ID = 242115)
9:29 AM: gcllzd.exe (ID = 49209)
9:31 AM: ms038362094092006.exe (ID = 254903)
9:34 AM: sysc00.exe (ID = 244277)
9:34 AM: Found Adware: elitemediagroup-mediamotor
9:34 AM: mcspy.exe (ID = 251295)
9:35 AM: Found Adware: look2me
9:35 AM: k2620cjoefoc0.dll (ID = 159)
9:35 AM: gcllzc.exe (ID = 49208)
9:35 AM: Found System Monitor: spion
9:35 AM: unistb32.exe (ID = 76299)
9:35 AM: u1um0id.exe (ID = 257313)
9:37 AM: Found Adware: findthewebsiteyouneed hijacker
9:37 AM: winsysupd11.exe (ID = 253754)
9:38 AM: Found Adware: surfsidekick
9:38 AM: sskupdater3.exe (ID = 251246)
9:38 AM: winsysupd11.exe (ID = 253754)
9:39 AM: asappsrv.dll (ID = 144945)
9:41 AM: atmtd.dll (ID = 166754)
9:45 AM: uni_eh.exe (ID = 245110)
9:48 AM: command.exe (ID = 144946)
9:49 AM: i98.tmp (ID = 253411)
9:49 AM: unin101.exe (ID = 245111)
9:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:50 AM: Found Adware: zenosearchassistant
9:50 AM: qrdsregj.exe (ID = 293)
9:51 AM: ttbitt.exe (ID = 252995)
9:51 AM: setup.exe (ID = 242102)
9:51 AM: v9gcyb8xi.dll (ID = 252997)
9:52 AM: win3208940983620.exe (ID = 254903)
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:52 AM: winantispyware2006setup.exe (ID = 242357)
9:52 AM: crmsvcs.dll (ID = 159)
9:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:52 AM: pf78.exe (ID = 244430)
9:52 AM: dgfgql.exe (ID = 257312)
9:52 AM: m2820cloefqc0.dll (ID = 159)
9:52 AM: gp82l3lo1.dll (ID = 159)
9:52 AM: wrgscuu.xrz (ID = 208796)
9:52 AM: e0jm0a11ed.dll (ID = 159)
9:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:54 AM: ma6rtrg.vbs (ID = 185675)
9:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:54 AM: Warning: Invalid Stream
9:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:23 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:28 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:32 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:40 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:44 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:22 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:27 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:32 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:37 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:49 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:18 PM: The
Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:20 PM: Sweep Canceled 1:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: Memory Shield: Found: Memory-resident threat command, version 1.0.0.0 1:35 PM: Detected running threat: command 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:35 PM: Ignored memory-resident threat: command 1:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:35 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". 
Stream read error 1:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:40 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error 1:40 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". Stream read error 1:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:43 PM: The Spy 
Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:45 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error 1:45 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". Stream read error 1:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:48 PM: The Spy Communication shield has blocked access to: 
www.ad-w-a-r-e.com 1:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:50 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error 1:50 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". 
Stream read error 1:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:55 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error 1:55 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". 
Stream read error 1:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 1:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 1:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 2:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 2:00 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error 2:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 2:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 2:00 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". 
Stream read error 2:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 2:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 2:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 2:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 2:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 2:04 PM: | End of Session, Friday, March 10, 2006 | ******** 9:55 PM: | Start of Session, Thursday, March 09, 2006 | 9:55 PM: Spy Sweeper started 9:55 PM: Sweep initiated using definitions version 630 9:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:55 PM: Found Adware: quicklink search toolbar 9:55 PM: HKCR\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\inprocserver32\ (2 subtraces) (ID = 1190418) 9:55 PM: v9gcyb8xi.dll (ID = 1190418) 9:55 PM: HKCR\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\inprocserver32\ (2 subtraces) (ID = 1190420) 9:55 PM: v9gcyb8xi.dll (ID = 1190420) 9:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:56 PM: Starting Memory Sweep 9:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 9:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:56 PM: The Spy Communication shield has 
blocked access to: www.a-d-w-a-r-e.com 9:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:57 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error 9:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 9:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 9:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 9:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:58 PM: Found Adware: command 9:58 PM: Detected running threat: C:\WINNT\Sm9uZXM\command.exe (ID = 144946) 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:00 PM: The Spy Communication shield has blocked access 
to: www.ad-w-a-r-e.com 10:00 PM: Detected running threat: C:\WINNT\Sm9uZXM\asappsrv.dll (ID = 144945) 10:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:01 PM: Memory Sweep Complete, Elapsed Time: 00:05:12 10:01 PM: Starting Registry Sweep 10:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:02 PM: Found Adware: enbrowser 10:02 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808) 10:02 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670) 10:02 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (8 subtraces) (ID = 1016064) 10:02 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (10 subtraces) (ID = 1016072) 10:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:02 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460) 10:02 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464) 10:02 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468) 10:02 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472) 10:02 PM: 
HKCR\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\ (8 subtraces) (ID = 1180476) 10:02 PM: HKCR\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\ (8 subtraces) (ID = 1180485) 10:02 PM: HKCR\typelib\{e3b39f3e-a325-48b2-a4b0-c27d8becf90d}\ (9 subtraces) (ID = 1180496) 10:02 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510) 10:02 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514) 10:02 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518) 10:02 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522) 10:02 PM: HKLM\software\classes\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\ (8 subtraces) (ID = 1180539) 10:02 PM: HKLM\software\classes\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\ (8 subtraces) (ID = 1180548) 10:02 PM: HKLM\software\classes\typelib\{e3b39f3e-a325-48b2-a4b0-c27d8becf90d}\ (9 subtraces) (ID = 1180559) 10:02 PM: HKU\S-1-5-21-1935655697-1677128483-1060284298-1000\software\system\sysuid\ (1 subtraces) (ID = 731748) 10:02 PM: Registry Sweep Complete, Elapsed Time:00:01:11 10:02 PM: Starting Cookie Sweep 10:02 PM: Found Spy Cookie: 80503492 cookie 10:02 PM: jones@80503492[1].txt (ID = 2013) 10:02 PM: Found Spy Cookie: 888 cookie 10:02 PM: jones@888[1].txt (ID = 2019) 10:02 PM: Found Spy Cookie: websponsors cookie 10:02 PM: jones@a.websponsors[2].txt (ID = 3665) 10:02 PM: Found Spy Cookie: about cookie 10:02 PM: jones@about[2].txt (ID = 2037) 10:02 PM: Found Spy Cookie: yieldmanager cookie 10:02 PM: jones@ad.yieldmanager[2].txt (ID = 3751) 10:02 PM: Found Spy Cookie: adecn cookie 10:02 PM: jones@adecn[2].txt (ID = 2063) 10:02 PM: Found Spy Cookie: adknowledge cookie 10:02 PM: jones@adknowledge[2].txt (ID = 2072) 10:02 PM: Found Spy Cookie: hbmediapro cookie 10:02 PM: jones@adopt.hbmediapro[2].txt (ID = 2768) 10:02 PM: Found Spy Cookie: specificclick.com cookie 10:02 PM: jones@adopt.specificclick[2].txt (ID = 3400) 10:02 PM: Found Spy Cookie: adorigin cookie 10:02 PM: 
jones@adorigin[2].txt (ID = 2082) 10:02 PM: Found Spy Cookie: adprofile cookie 10:02 PM: jones@adprofile[2].txt (ID = 2084) 10:02 PM: Found Spy Cookie: cc214142 cookie 10:02 PM: jones@ads.cc214142[2].txt (ID = 2367) 10:02 PM: Found Spy Cookie: revenue.net cookie 10:02 PM: jones@ads1.revenue[1].txt (ID = 3258) 10:02 PM: Found Spy Cookie: 2o7.net cookie 10:02 PM: jones@americasnotenetwork.122.2o7[1].txt (ID = 1958) 10:02 PM: Found Spy Cookie: ask cookie 10:02 PM: jones@ask[1].txt (ID = 2245) 10:02 PM: Found Spy Cookie: atwola cookie 10:02 PM: jones@atwola[1].txt (ID = 2255) 10:02 PM: Found Spy Cookie: azjmp cookie 10:02 PM: jones@azjmp[1].txt (ID = 2270) 10:02 PM: Found Spy Cookie: banners cookie 10:02 PM: jones@banners[1].txt (ID = 2282) 10:02 PM: Found Spy Cookie: belnk cookie 10:02 PM: jones@belnk[1].txt (ID = 2292) 10:02 PM: Found Spy Cookie: bizrate cookie 10:02 PM: jones@bizrate[2].txt (ID = 2308) 10:02 PM: Found Spy Cookie: bluestreak cookie 10:02 PM: jones@bluestreak[1].txt (ID = 2314) 10:02 PM: Found Spy Cookie: burstnet cookie 10:02 PM: jones@burstnet[1].txt (ID = 2336) 10:02 PM: Found Spy Cookie: enhance cookie 10:02 PM: jones@c.enhance[1].txt (ID = 2614) 10:02 PM: Found Spy Cookie: cassava cookie 10:02 PM: jones@cassava[1].txt (ID = 2362) 10:02 PM: jones@compreviews.about[2].txt (ID = 2038) 10:02 PM: Found Spy Cookie: overture cookie 10:02 PM: jones@data1.perf.overture[2].txt (ID = 3106) 10:02 PM: Found Spy Cookie: delfinproject cookie 10:02 PM: jones@delfinproject[2].txt (ID = 2509) 10:02 PM: jones@dist.belnk[2].txt (ID = 2293) 10:02 PM: jones@entrepreneurs.about[1].txt (ID = 2038) 10:02 PM: Found Spy Cookie: exitexchange cookie 10:02 PM: jones@exitexchange[2].txt (ID = 2633) 10:02 PM: Found Spy Cookie: starware.com cookie 10:02 PM: jones@h.starware[1].txt (ID = 3442) 10:02 PM: jones@hbmediapro[1].txt (ID = 2767) 10:02 PM: Found Spy Cookie: clickandtrack cookie 10:02 PM: jones@hits.clickandtrack[1].txt (ID = 2397) 10:02 PM: Found Spy Cookie: 
hypertracker.com cookie 10:02 PM: jones@hypertracker[2].txt (ID = 2817) 10:02 PM: Found Spy Cookie: ic-live cookie 10:02 PM: jones@ic-live[1].txt (ID = 2821) 10:02 PM: Found Spy Cookie: nextag cookie 10:02 PM: jones@nextag[2].txt (ID = 5014) 10:02 PM: Found Spy Cookie: megago cookie 10:02 PM: jones@northalabamahomeeducators.freeservers[1].txt (ID = 2983) 10:02 PM: jones@partygaming.122.2o7[1].txt (ID = 1958) 10:02 PM: Found Spy Cookie: partypoker cookie 10:02 PM: jones@partypoker[2].txt (ID = 3111) 10:02 PM: Found Spy Cookie: paypopup cookie 10:02 PM: jones@paypopup[1].txt (ID = 3119) 10:02 PM: Found Spy Cookie: pricegrabber cookie 10:02 PM: jones@pricegrabber[2].txt (ID = 3185) 10:02 PM: jones@secure.adprofile[1].txt (ID = 2085) 10:02 PM: Found Spy Cookie: sirsearch cookie 10:02 PM: jones@sirsearch[1].txt (ID = 3379) 10:02 PM: Found Spy Cookie: dealtime cookie 10:02 PM: jones@stat.dealtime[1].txt (ID = 2506) 10:02 PM: Found Spy Cookie: reliablestats cookie 10:02 PM: jones@stats1.reliablestats[1].txt (ID = 3254) 10:02 PM: Found Spy Cookie: tacoda cookie 10:02 PM: jones@tacoda[1].txt (ID = 6444) 10:02 PM: Found Spy Cookie: upspiral cookie 10:02 PM: jones@upspiral[1].txt (ID = 3614) 10:02 PM: Found Spy Cookie: videodome cookie 10:02 PM: jones@videodome[1].txt (ID = 3638) 10:02 PM: Found Spy Cookie: burstbeacon cookie 10:02 PM: jones@www.burstbeacon[1].txt (ID = 2335) 10:02 PM: jones@www.nextag[1].txt (ID = 5015) 10:02 PM: Found Spy Cookie: redzip cookie 10:02 PM: jones@www.redzip[2].txt (ID = 3250) 10:02 PM: jones@www.upspiral[2].txt (ID = 3615) 10:02 PM: Found Spy Cookie: winantiviruspro cookie 10:02 PM: jones@www.winantiviruspro[1].txt (ID = 3690) 10:02 PM: Found Spy Cookie: seeq cookie 10:02 PM: jones@www48.seeq[1].txt (ID = 3332) 10:02 PM: jones@yieldmanager[1].txt (ID = 3749) 10:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:11 10:02 PM: Starting File Sweep 10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:02 PM: The Spy 
Communication shield has blocked access to: www.ad-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:03 PM: atmtd.dll._ (ID = 166754) 10:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:07 PM: The Spy 
Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:08 PM: Found Adware: effective-i toolbar 10:08 PM: glb8a.tmp (ID = 253666) 10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:08 PM: Found Adware: comet cursor 10:08 PM: csbho.dll (ID = 53512) 10:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 10:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 10:10 PM: Found Adware: adlogix 10:10 PM: gcllzf.exe (ID = 49210) 10:11 PM: Found Trojan Horse: trojan-downloader-nextern 10:11 PM: aebcq9z5w.exe (ID = 252979) 10:12 PM: ms03836209409.exe (ID = 244278) 10:12 PM: Found Adware: winantispyware 2005 10:12 PM: uwasfsd.sys (ID = 242115) 10:16 PM: gcllzd.exe (ID = 49209) 10:18 PM: ms038362094092006.exe (ID = 254903) 10:21 PM: sysc00.exe (ID = 244277) 10:21 
PM: Found Adware: elitemediagroup-mediamotor 10:21 PM: mcspy.exe (ID = 251295) 10:21 PM: gcllzc.exe (ID = 49208) 10:21 PM: Found System Monitor: spion 10:21 PM: unistb32.exe (ID = 76299) 10:22 PM: u1um0id.exe (ID = 257313) 10:23 PM: Found Adware: findthewebsiteyouneed hijacker 10:23 PM: winsysupd11.exe (ID = 253754) 10:24 PM: Found Adware: surfsidekick 10:24 PM: sskupdater3.exe (ID = 251246) 10:24 PM: winsysupd11.exe (ID = 253754) 10:26 PM: asappsrv.dll (ID = 144945) 10:27 PM: atmtd.dll (ID = 166754) 10:31 PM: uni_eh.exe (ID = 245110) 10:35 PM: command.exe (ID = 144946) 10:35 PM: i98.tmp (ID = 253411) 10:35 PM: unin101.exe (ID = 245111) 10:36 PM: Found Adware: zenosearchassistant 10:36 PM: qrdsregj.exe (ID = 293) 10:37 PM: ttbitt.exe (ID = 252995) 10:37 PM: setup.exe (ID = 242102) 10:37 PM: v9gcyb8xi.dll (ID = 252997) 10:37 PM: win3208940983620.exe (ID = 254903) 10:38 PM: winantispyware2006setup.exe (ID = 242357) 10:38 PM: Found Adware: look2me 10:38 PM: crmsvcs.dll (ID = 159) 10:38 PM: pf78.exe (ID = 244430) 10:38 PM: dgfgql.exe (ID = 257312) 10:38 PM: m2820cloefqc0.dll (ID = 159) 10:38 PM: gp82l3lo1.dll (ID = 159) 10:38 PM: wrgscuu.xrz (ID = 208796) 10:38 PM: e0jm0a11ed.dll (ID = 159) 10:39 PM: ma6rtrg.vbs (ID = 185675) 10:39 PM: Warning: Invalid Stream 11:18 PM: Sweep Canceled ********
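The session log above was pasted as one run-on line, so anyone triaging it has to split on the clock-time markers rather than on newlines. The following Python is an added example (not Webroot's code and not the forum's tool) that does exactly that and reduces a Spy Sweeper log to what a reviewer wants to see: each threat family with its trace IDs, what the memory sweep found running, how often the communication shield blocked each domain, and which files the scanner could not open. The entry patterns are assumed from the shapes visible in the log above, and the sample excerpt is constructed from entries copied out of it.

```python
import re
from collections import Counter

# A Spy Sweeper session entry begins with a clock time followed by ": ".
# Pasted into a forum the log arrives as one run-on line, so we split on
# that marker rather than on newlines.
ENTRY_RE = re.compile(r'(\d{1,2}:\d{2} [AP]M): ')

# Entry shapes assumed from the log above. A "Found ..." entry names a threat
# family; the "name (ID = n)" trace entries that follow belong to it.
FOUND_RE = re.compile(r'^Found (Adware|Trojan Horse|System Monitor|Spy Cookie): (.+)$')
RUNNING_RE = re.compile(r'^Detected running threat: (.+?)(?: \(ID = (\d+)\))?$')
BLOCKED_RE = re.compile(r'^The Spy Communication shield has blocked access to: (\S+)$')
UNREAD_RE = re.compile(r'^Warning: Failed to check file "(.+?)"\. Stream read error$')
TRACE_RE = re.compile(r'^(.+?) \(ID = (\d+)\)$')


def split_entries(text):
    """Return [(time, body), ...] whether the log is one line or many."""
    parts = ENTRY_RE.split(text.replace('\n', ' '))
    # parts = [prefix, time1, body1, time2, body2, ...]
    return [(parts[i], parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]


def summarize(text):
    """Group trace entries under their threat family and collect the side
    signals a reviewer wants: running threats, blocked domains, unreadable files."""
    families = {}        # family -> {"category": ..., "traces": [(trace, id), ...]}
    running = []         # items the memory sweep found executing
    blocked = Counter()  # domain -> number of blocked connection attempts
    unreadable = set()   # files the scanner could not open (often locked / in use)
    current = None
    for _time, body in split_entries(text):
        m = FOUND_RE.match(body)
        if m:
            current = m.group(2)
            families.setdefault(current, {"category": m.group(1), "traces": []})
            continue
        m = RUNNING_RE.match(body)
        if m:
            running.append(m.group(1))
            continue
        m = BLOCKED_RE.match(body)
        if m:
            blocked[m.group(1)] += 1
            continue
        m = UNREAD_RE.match(body)
        if m:
            unreadable.add(m.group(1))
            continue
        m = TRACE_RE.match(body)
        if m and current is not None:
            families[current]["traces"].append((m.group(1), int(m.group(2))))
    return {"families": families, "running": running,
            "blocked": dict(blocked), "unreadable": sorted(unreadable)}


def report(summary):
    """Human-readable digest of summarize()'s result."""
    lines = []
    for name, info in summary["families"].items():
        lines.append(f'{info["category"]}: {name} ({len(info["traces"])} traces)')
        for trace, tid in info["traces"]:
            lines.append(f'    {trace}  [ID {tid}]')
    lines.append("Running at scan time: " + ", ".join(summary["running"]))
    for domain, n in sorted(summary["blocked"].items()):
        lines.append(f"Blocked {n}x: {domain}")
    for path in summary["unreadable"]:
        lines.append(f"Could not read: {path}")
    return "\n".join(lines)


# Constructed sample: entries copied from the pasted log above, joined with
# spaces exactly the way the forum flattened them.
SAMPLE_LOG = " ".join([
    "9:24 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com",
    "9:24 AM: Found Trojan Horse: trojan-downloader-nextern",
    "9:24 AM: aebcq9z5w.exe (ID = 252979)",
    "9:25 AM: ms03836209409.exe (ID = 244278)",
    "9:25 AM: Found Adware: winantispyware 2005",
    "9:25 AM: uwasfsd.sys (ID = 242115)",
    r'1:35 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". Stream read error',
    "1:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com",
    "9:58 PM: Found Adware: command",
    r"9:58 PM: Detected running threat: C:\WINNT\Sm9uZXM\command.exe (ID = 144946)",
    r"10:02 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)",
    "10:02 PM: Found Spy Cookie: 888 cookie",
    "10:02 PM: jones@888[1].txt (ID = 2019)",
])

if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run it against the whole pasted session and the "Could not read" list and the "Running at scan time" list are the items to look at first: the same two DLLs fail with a stream read error every five minutes while a threat named "command" is resident, which is the behaviour of something that is loaded and protecting itself rather than a file that is merely on disk.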

#7 devotion

  • Authentic Member
  • 43 posts

Posted 10 March 2006 - 04:07 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:04:41 PM, on 3/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wupnp.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\e8jmli1118.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcmsvc) - Unknown owner - C:\WINNT\system32\rpcmsvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 10 March 2006 - 04:17 PM

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Post #1
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.''...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 devotion

devotion

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 10 March 2006 - 04:49 PM

LDTate, You are over my head now... I followed instructions.. have the l2mfix.exe file received error (An installable virtual Device Driver Failed DLL initialization) Used option 5, 3 files unzipped. Selected option 1 again log appeared but received same error message again. Please advise

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\e8jmli1118.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{45B5A98C-115C-CB49-15FD-F7FAFBEB1572}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{E0D79300-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79301-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79302-84BE-11CE-9641-444553540000}"="WinZip"
"{A7B10217-897B-4C21-9558-C59F4CD71664}"=""
"{C8E7E460-060A-403A-A447-3F051D010518}"=""
"{259B12F3-BC61-473A-B964-CB8266816CC7}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{B1ED9866-5642-4556-BCE0-1A76E244D5B5}"=""
"{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\InprocServer32]
@="C:\\WINNT\\system32\\wP2time.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\InprocServer32]
@="C:\\WINNT\\system32\\fUxevent.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\InprocServer32]
@="C:\\WINNT\\system32\\ifrtrmgr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 186D-9AB1

 Directory of C:\WINNT\System32

03/10/2006  04:26p      <DIR>          ..
03/10/2006  04:26p      <DIR>          .
03/10/2006  03:02p             236,824 ifrtrmgr.dll
03/10/2006  02:55p             235,706 r86u0ij9e8o.dll
03/10/2006  01:27p             235,706 pkdgen.dll
03/10/2006  01:27p             236,824 e8jmli1118.dll
03/09/2006  09:14p               8,775 .exe
02/23/2006  10:03a              71,580 lsserv.exe
02/17/2006  07:11a             171,520 lserv.exe
02/04/2006  05:01p      <DIR>          Lavan
01/14/2006  06:19p      <DIR>          dllcache
               7 File(s)      1,196,935 bytes
               4 Dir(s)   8,109,340,160 bytes free
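The find log above shows the pattern L2mfix is built to expose: the built-in Winlogon Notify packages (crypt32chain, cryptnet, cscdll, sclgntfy, SensLogn, wzcnotif) register a bare DLL file name, several of them stored as hex(2) (a REG_EXPAND_SZ encoded as UTF-16LE bytes), while the RunOnce package the infection added points at a full path to a randomly named DLL in system32. The Python script below is an added example for this thread, not L2mfix's or HijackThis's own code: it parses a Registry Editor 5.00 export of those keys, decodes the hex(2) values, and flags Notify packages whose DllName is a full path or does not look like a plain DLL name. The sample export is constructed as an abridged copy of the log above; the bare-name heuristic in suspicious_packages() is an assumption drawn from what this log shows, not a rule that holds on every Windows build.

```python
"""Parse a Registry Editor 5.00 export of the Winlogon Notify keys and
flag packages whose DllName looks out of place.

Added example for this thread (not L2mfix's or HijackThis's own code).
"""
import re

# Constructed sample: an abridged copy of the kind of export L2mfix printed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\e8jmli1118.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
'''

NOTIFY_ROOT = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'


def decode_value(raw):
    """Decode the REG_SZ, REG_DWORD and hex(2) (REG_EXPAND_SZ) encodings that
    appear in Notify exports; any other type is returned undecoded."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: the .reg format escapes backslashes and quotes with a backslash.
        return ('REG_SZ', re.sub(r'\\(.)', r'\1', raw[1:-1]))
    if raw.startswith('dword:'):
        return ('REG_DWORD', int(raw[6:], 16))
    m = re.match(r'hex\((\d+)\):(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if m.group(1) == '2':
            # REG_EXPAND_SZ is stored as NUL-terminated UTF-16LE.
            return ('REG_EXPAND_SZ', data.decode('utf-16-le').rstrip('\x00'))
        return ('hex(%s)' % m.group(1), data)
    return ('UNKNOWN', raw)


def parse_reg(text):
    """Return {key_path: {value_name: (type, decoded_value)}}.

    A trailing backslash continues a long hex value on the next line, so those
    lines are joined before parsing."""
    joined = re.sub(r'\\\r?\n\s*', '', text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else '@'
            keys[current][name] = decode_value(m.group(3))
    return keys


def notify_dlls(keys):
    """Map each Notify package to its DllName. The value name is matched
    case-insensitively because both 'DllName' and 'DLLName' occur."""
    out = {}
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_ROOT.lower() + '\\'):
            continue
        package = path.rsplit('\\', 1)[1]
        for name, (_, val) in values.items():
            if name.lower() == 'dllname':
                out[package] = val
    return out


def suspicious_packages(keys):
    """Assumed heuristic from this log: the stock packages register a bare
    file name that Winlogon resolves from System32, while the rogue entry
    registers a full path. Flag full paths and anything that is not a plain
    'name.dll'."""
    flagged = {}
    for package, dll in notify_dlls(keys).items():
        if '\\' in dll or not re.fullmatch(r'[A-Za-z0-9_.-]+\.dll', dll, re.I):
            flagged[package] = dll
    return flagged


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    for pkg, dll in notify_dlls(parsed).items():
        print(f'{pkg:14} {dll}')
    print('flagged:', suspicious_packages(parsed))  # flags only RunOnce
```

To run this against a real export rather than the constructed sample, read the file with encoding 'utf-16' (regedit writes .reg files as UTF-16LE with a byte-order mark) and pass the text to parse_reg().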

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 10 March 2006 - 04:51 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.



#11 devotion

devotion

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 10 March 2006 - 05:18 PM

C:\\WINNT\system32\cmd.exe C:\PROGRA-1\\Symantec\S32EVNT1.DLL. An installable virtual Device Driver failed Dll initialization. Error still appears Close or Ignore?

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 10 March 2006 - 05:34 PM

Error still appears Close

We might end up needing to disable Symantec, but let's try this first.

Double click "My Computer" then your hard drive (probably C drive) and open the C:\WINDOWS folder.

Go down to the "Repair" folder and double click. You should find "autoexec.nt" and "config.nt" in there. Copy these files (Ctrl+C) then go back to C:\Windows\SYSTEM32 and paste them there (Ctrl+V). It will ask you if you want to replace the old one—click "Yes".

That should do it. Now try running it.

Edited by LDTate, 10 March 2006 - 05:36 PM.



#13 devotion

devotion

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 10 March 2006 - 06:00 PM

For some reason the windows file does not hold all of the folders and files you speak of. There is a folder WINNT that has the repair folder so I copied from there to the system 32 which is also under WINNT. In short, I have two folders WINDOWS and WINNT Why?? The error message still appears. Meantime a message appears that "sc" is not recognized as an internal or external command, operable program or batch file.... When I close the error box the program prompts me for a password for L2MFIX. Please advise.

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 10 March 2006 - 06:02 PM

OK. We will do a manual fix. Post a new HJT log please.



#15 devotion

devotion

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 10 March 2006 - 06:08 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:59:18 PM, on 3/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wupnp.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\e8jmli1118.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcmsvc) - Unknown owner - C:\WINNT\system32\rpcmsvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe
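The O20 and O23 lines in these HijackThis logs carry the indicators the helper is working from: a Winlogon Notify package loading a DLL with a random-looking name out of system32, and three services with "Unknown owner" whose display names borrow from real Windows services (Remote Procedure Call, UPnP) while their binaries also sit in system32. The Python below is an added example for this thread, not part of HijackThis or of the forum's tools: it parses those two line types into records and applies the two heuristics. The sample log is constructed as an abridged copy of the log above; the allowlist KNOWN_NOTIFY_DLLS, the MIMICKED_WORDS list and the looks_random() check are assumptions an analyst would tune, not published rules.

```python
"""Triage the O20 (Winlogon Notify) and O23 (service) lines of a
HijackThis 1.99.1 log.

Added example for this thread (not HijackThis's own code).
"""
import re
from collections import namedtuple

# Constructed sample: abridged from the last log posted in the thread.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\e8jmli1118.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcmsvc) - Unknown owner - C:\WINNT\system32\rpcmsvc.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe
"""

Notify = namedtuple('Notify', 'package dll')
Service = namedtuple('Service', 'display short owner path')
Finding = namedtuple('Finding', 'kind name path reason')

O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<package>.+?) - (?P<dll>.+)$')
# The short name is the last parenthesised token before " - owner - path".
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+) \((?P<short>[^()]+)\) - '
                    r'(?P<owner>.+?) - (?P<path>.+)$')

# Assumed allowlist: Notify DLLs the analyst has already verified (Webroot's here).
KNOWN_NOTIFY_DLLS = {'wrlogonntf.dll'}
# Assumed: fragments of genuine Windows service names that the rogue services
# in this thread borrow to blend in with the built-ins.
MIMICKED_WORDS = ('remote procedure call', 'rpc', 'upnp', 'windows')


def parse_hjt(text):
    """Split a HijackThis log into Notify and Service records, in log order."""
    notifies, services = [], []
    for line in text.splitlines():
        m = O20_RE.match(line)
        if m:
            notifies.append(Notify(m['package'], m['dll']))
            continue
        m = O23_RE.match(line)
        if m:
            services.append(Service(m['display'], m['short'], m['owner'], m['path']))
    return notifies, services


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def looks_random(filename):
    """Crude stand-in for an entropy check: a stem of 8+ characters that mixes
    letters and digits, as in e8jmli1118.dll (assumed heuristic)."""
    stem = filename.rsplit('.', 1)[0]
    return len(stem) >= 8 and bool(re.search(r'\d', stem)) and bool(re.search(r'[a-z]', stem))


def triage(text):
    """Apply the two heuristics and return the findings in log order."""
    notifies, services = parse_hjt(text)
    findings = []
    for n in notifies:
        base = basename(n.dll)
        if base not in KNOWN_NOTIFY_DLLS:
            reason = 'not on allowlist'
            if looks_random(base):
                reason += ', random-looking name'
            findings.append(Finding('O20', n.package, n.dll, reason))
    for s in services:
        if s.owner.lower() != 'unknown owner':
            continue
        in_sysdir = '\\system32\\' in s.path.lower()
        mimics = any(w in s.display.lower() for w in MIMICKED_WORDS)
        if in_sysdir and mimics:
            reason = 'unknown owner in System32, name imitates a Windows service'
        else:
            reason = 'unknown owner'
        findings.append(Finding('O23', s.short, s.path, reason))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_HJT):  # flags RunOnce, rpcmsvc, RpcSssvc, wupnp
        print(f'{f.kind} {f.name:10} {f.path}  <- {f.reason}')
```

The O23 rule deliberately keys on the vendor field HijackThis fills from the binary's version information: the genuine services on the same log (dmadmin, svcWRSSSDK) carry a company name, and the three that do not are exactly the ones the helper goes on to remove by hand.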
