
Pesky Adware


  • This topic is locked
19 replies to this topic

#1 KSAC

  • Members
  • 13 posts

Posted 20 October 2005 - 05:34 PM

I've got a new pop-up every few minutes, sometimes two at a time, or one may be a Flash ad. I can't get rid of the things after running spyware removers and antivirus over and over. I restarted my computer, ran Spybot and Ad-Aware, then created this HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:43 PM, on 11/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\eMule++\eMule.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\ir02l5do1.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


I'm desperate for some advice.


#2 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 12:42 PM

We'll require a different scanner for this infection.

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close all other opened programs before running this tool

From within the newly created folder, locate & run L2mfix.bat
Select option #1 - Run Find Log - by typing 1
This will scan your computer, and it may appear as if nothing is happening for a period of a few minutes. When it has finished, you will be presented with a log. Copy the contents of that log and paste it into this thread.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Edited by sUBs, 22 October 2005 - 12:43 PM.


#3 KSAC

  • Topic Starter
  • Members
  • 13 posts

Posted 22 October 2005 - 02:28 PM

OK, here's the log I got back:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\slellstyle.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g4jole131h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FB783ED3-E242-9678-2DF4-9E5F5BDD3954}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.04 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.04 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.04 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.04 Property Sheet Shell Extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{32A0273A-354F-4C3D-8254-7DDCF4F42D91}"=""
"{7386BCB8-7E3E-4C69-AD61-3A5E985B8620}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{32A0273A-354F-4C3D-8254-7DDCF4F42D91}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32A0273A-354F-4C3D-8254-7DDCF4F42D91}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32A0273A-354F-4C3D-8254-7DDCF4F42D91}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32A0273A-354F-4C3D-8254-7DDCF4F42D91}\InprocServer32]
@="C:\\WINDOWS\\system32\\uurcntra.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7386BCB8-7E3E-4C69-AD61-3A5E985B8620}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7386BCB8-7E3E-4C69-AD61-3A5E985B8620}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7386BCB8-7E3E-4C69-AD61-3A5E985B8620}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7386BCB8-7E3E-4C69-AD61-3A5E985B8620}\InprocServer32]
@="C:\\WINDOWS\\system32\\mdxlegih.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
cdosys.dll Fri Sep 9 2005 8:04:32p A.... 2,025,984 1.93 M
d8j00i~1.dll Mon Nov 21 2005 4:39:32p ..S.R 236,916 231.36 K
danim.dll Fri Sep 2 2005 11:06:58a A.... 986,112 963.00 K
ddvx_x~1.dll Sat Nov 19 2005 5:31:48p ..S.R 235,884 230.36 K
dfrpyi64.dll Fri Nov 18 2005 9:18:08p A.... 45,056 44.00 K
dxtrans.dll Fri Sep 2 2005 4:35:16p A.... 192,000 187.50 K
en60l1~1.dll Tue Nov 22 2005 8:57:04a ..S.R 233,905 228.42 K
f82mli~1.dll Sun Nov 20 2005 7:32:28p ..S.R 236,880 231.33 K
fp4m03~1.dll Sun Nov 20 2005 7:36:22p ..S.R 235,752 230.23 K
gpn2l3~1.dll Fri Nov 18 2005 10:11:58p ..S.R 236,167 230.63 K
h62o0g~1.dll Mon Nov 21 2005 9:59:00p ..S.R 234,231 228.74 K
irrql5~1.dll Sun Nov 20 2005 7:14:40p ..S.R 236,957 231.40 K
jtjq07~1.dll Mon Nov 21 2005 6:15:40p ..S.R 236,898 231.34 K
kldru1.dll Sun Nov 20 2005 7:32:30p ..S.R 235,752 230.23 K
ktrql7~1.dll Mon Nov 21 2005 5:51:12a ..S.R 234,046 228.56 K
kuduzb.dll Sun Nov 20 2005 7:08:40p ..S.R 236,957 231.40 K
l6n4lg~1.dll Sat Nov 19 2005 10:19:58p ..S.R 237,208 231.65 K
linkinfo.dll Wed Aug 31 2005 7:49:30p A.... 16,384 16.00 K
mbhcp.dll Sat Nov 19 2005 6:08:54p ..S.R 235,658 230.13 K
mdxlegih.dll Sat Nov 19 2005 5:34:32p ..S.R 234,007 228.52 K
mpcsubs.dll Tue Nov 22 2005 9:00:06a ..S.R 233,905 228.42 K
mshtml.dll Tue Oct 4 2005 12:19:14p A.... 2,700,288 2.57 M
mstime.dll Fri Sep 2 2005 4:35:12p A.... 496,128 484.50 K
mvnol9~1.dll Tue Nov 22 2005 1:07:00p ..S.R 235,264 229.75 K
pncrt.dll Wed Nov 16 2005 6:47:38p A.... 278,528 272.00 K
pndx5016.dll Wed Nov 16 2005 6:47:40p A.... 6,656 6.50 K
pndx5032.dll Wed Nov 16 2005 6:47:40p A.... 5,632 5.50 K
prflbm~1.dll Fri Nov 18 2005 8:18:40a A.... 65,536 64.00 K
qllib.dll Mon Oct 10 2005 4:33:56p A.... 200,704 196.00 K
quartz.dll Mon Aug 29 2005 10:02:46p A.... 1,158,656 1.10 M
rkcss.dll Sat Nov 19 2005 4:42:50p ..S.R 235,884 230.36 K
rmoc3260.dll Wed Nov 16 2005 6:47:58p A.... 176,167 172.04 K
shell32.dll Thu Sep 22 2005 9:27:32p A.... 8,348,672 7.96 M
shlwapi.dll Wed Aug 31 2005 6:49:30p A.... 409,088 399.50 K
slells~1.dll Mon Nov 21 2005 9:59:00p ..S.R 233,905 228.42 K
st3.dll Sat Nov 19 2005 6:47:24a A.... 319 0.31 K
t68ulg~1.dll Sat Nov 19 2005 9:28:34a ..S.R 234,024 228.54 K
urlmon.dll Fri Sep 2 2005 3:19:16p A.... 457,216 446.50 K
uurcntra.dll Tue Nov 22 2005 1:07:00p ..S.R 233,905 228.42 K
winsrv.dll Wed Aug 31 2005 7:49:32p A.... 278,016 271.50 K
xpsp2res.dll Mon Sep 26 2005 6:40:50p A.... 594,432 580.50 K

41 items found: 41 files (21 H/S), 0 directories.
Total of file sizes: 23,385,679 bytes 22.30 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 6818-7CA3

Directory of C:\WINDOWS\System32

11/22/2005 01:06 PM 233,905 uurcntra.dll
11/22/2005 01:06 PM 235,264 mvnol9531.dll
11/22/2005 09:00 AM 233,905 mpcsubs.dll
11/22/2005 08:57 AM 233,905 en60l1jm1.dll
11/21/2005 09:58 PM 233,905 slellstyle.dll
11/21/2005 09:58 PM 234,231 h62o0gf3e62.dll
11/21/2005 06:15 PM 236,898 jtjq0715e.dll
11/21/2005 04:39 PM 236,916 d8j00i1me8.dll
11/21/2005 05:51 AM 234,046 ktrql7951.dll
11/20/2005 07:36 PM 235,752 fp4m03h1e.dll
11/20/2005 07:32 PM 235,752 kldru1.dll
11/20/2005 07:32 PM 236,880 f82mlif1182.dll
11/20/2005 07:14 PM 236,957 irrql5951.dll
11/20/2005 07:13 PM <DIR> dllcache
11/20/2005 07:08 PM 236,957 kuduzb.dll
11/19/2005 10:19 PM 237,208 l6n4lg5q16.dll
11/19/2005 06:08 PM 235,658 mbhcp.dll
11/19/2005 05:34 PM 234,007 mdxlegih.dll
11/19/2005 05:31 PM 235,884 ddvx_xx0c.dll
11/19/2005 04:42 PM 235,884 rkcss.dll
11/19/2005 09:28 AM 234,024 t68ulgl916q.dll
11/18/2005 10:11 PM 236,167 gpn2l35o1.dll
10/14/2005 06:15 PM <DIR> Microsoft
21 File(s) 4,944,105 bytes
2 Dir(s) 14,095,724,544 bytes free
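
Reading the two logs together (this is an added example, not anything posted in the thread and not code shipped with L2MFix or HijackThis): the HijackThis log in post #1 lists a Winlogon Notify handler with a random-looking name (ir02l5do1.dll), and the L2MFix find log above shows the same persistence point under different names (slellstyle.dll under CSCSettings, g4jole131h.dll under Run), two CLSIDs whose InprocServer32 points at freshly created System32 DLLs, and a run of roughly 234 KB DLLs carrying the S and R attributes. The Python below is my own triage code, not the original poster's or sUBs'. It parses those three log formats and flags the entries a responder would pull. The allowlist of known Notify DLLs is an assumption for illustration (build yours from a clean reference machine), and the sample inputs are excerpts copied from the logs on this page.

```python
"""Triage Winlogon\\Notify entries and the System32 listing from the logs above.
Added example: not code from this thread, from L2MFix or from HijackThis."""
import re

# Assumption: an illustrative allowlist of Notify handlers (Windows XP built-ins
# plus the Intel and Stardock DLLs seen in the log). Build yours from a clean box.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxsrvc.dll", "mcpstub.dll",
}

_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
_STR_RE = re.compile(r'^"DllName"="(.*)"$', re.I)
_HEX_RE = re.compile(r'^"DllName"=hex\(2\):(.*)$', re.I)
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
_FILE_RE = re.compile(
    r"^(\S+\.dll)\s+\w{3} \w{3} \d+ \d{4} [\d:]+[ap]\s+([A-Z.]{5})\s+([\d,]+)\s")

def _basename(path: str) -> str:
    # .reg exports double every backslash; HijackThis lines do not.
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()

def _decode_reg_hex2(body: str) -> str:
    # hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL terminated.
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def suspicious_notify_from_reg(reg_text: str) -> dict:
    """{subkey: dll} for Notify subkeys whose DllName is not allowlisted."""
    joined = []                      # fold .reg line continuations (trailing '\')
    for line in reg_text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.strip())
    found, subkey = {}, None
    for line in joined:
        key = _KEY_RE.match(line)
        if key:
            subkey = key.group(1)
            continue
        m = _STR_RE.match(line) or _HEX_RE.match(line)
        if subkey is None or m is None:
            continue
        dll = m.group(1) if m.re is _STR_RE else _decode_reg_hex2(m.group(1))
        if _basename(dll) not in KNOWN_NOTIFY_DLLS:
            found[subkey] = dll.replace("\\\\", "\\")
    return found

def suspicious_notify_from_hjt(hjt_text: str) -> dict:
    """Same check over HijackThis 'O20 - Winlogon Notify' lines."""
    found = {}
    for line in hjt_text.splitlines():
        m = _O20_RE.match(line.strip())
        if m and _basename(m.group(2)) not in KNOWN_NOTIFY_DLLS:
            found[m.group(1)] = m.group(2)
    return found

def hidden_system_dlls(files_text: str) -> list:
    """DLLs in the L2MFix 'Files Found' listing carrying both S and R attributes.
    Heuristic: Windows' own DLLs show 'A....' there; the dropped ones show '..S.R'."""
    hits = []
    for line in files_text.splitlines():
        m = _FILE_RE.match(line.strip())
        if m and "S" in m.group(2) and "R" in m.group(2):
            hits.append(m.group(1))
    return hits

# Excerpts copied from the logs posted in this thread (trimmed).
REG_SAMPLE = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"DllName"="C:\\WINDOWS\\system32\\slellstyle.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"DllName"="C:\\WINDOWS\\system32\\g4jole131h.dll"
'''
HJT_SAMPLE = r'''O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\ir02l5do1.dll
'''
FILES_SAMPLE = r'''cdosys.dll Fri Sep 9 2005 8:04:32p A.... 2,025,984 1.93 M
d8j00i~1.dll Mon Nov 21 2005 4:39:32p ..S.R 236,916 231.36 K
mdxlegih.dll Sat Nov 19 2005 5:34:32p ..S.R 234,007 228.52 K
st3.dll Sat Nov 19 2005 6:47:24a A.... 319 0.31 K
uurcntra.dll Tue Nov 22 2005 1:07:00p ..S.R 233,905 228.42 K
'''

if __name__ == "__main__":
    print("L2MFix Notify:", suspicious_notify_from_reg(REG_SAMPLE))
    print("HJT O20:      ", suspicious_notify_from_hjt(HJT_SAMPLE))
    print("S+R DLLs:     ", hidden_system_dlls(FILES_SAMPLE))
```

Winlogon Notify packages are loaded by winlogon.exe itself, which is why a removal has to happen at reboot rather than from a running desktop session. Note also that the DLL names differ between the two logs on this page, so match on the persistence location and the file attributes rather than on filenames.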

#4 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 06:53 PM

Close all open programs
Double click L2mfix.bat
Select option #2 - Run Fix - by typing 2
Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Copy the contents of that log and paste it here, along with a new HJT log.

DO NOT RUN ANY OTHER FILES IN THE L2MFIX FOLDER UNLESS INSTRUCTED


You should see a green DOS window as you reboot. Let me know if that doesn't happen.

Edited by sUBs, 22 October 2005 - 06:54 PM.


#5 KSAC

  • Topic Starter
  • Members
  • 13 posts

Posted 22 October 2005 - 08:02 PM

I never got a green dos window during reboot. I also wasn't given a log file, I'm assuming they are related.

#6 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 October 2005 - 08:17 PM

If you did not see the green DOS window, that would only mean that we're dealing with the new variant of L2M.

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow SpySweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.
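A saved Session Log like the one requested here can run to thousands of lines (the one KSAC posts further down in this thread does), most of them repeated shield hits and rootkit-masked file stubs. The script below is an added example for this thread, not code from Spy Sweeper, Webroot or the forum: it parses the line formats that appear in the posted log and reduces them to a short summary a responder can read in seconds: blocked outbound contacts per host, detections grouped by name and category, DLLs seen loaded in memory, traces under a known autostart location, and the count of ID = 0 rootkit-masked entries. The sample log embedded in it is a constructed excerpt of the posted log, and the `winlogon\notify` persistence marker is this example's own choice.

```python
"""Summarise a Webroot Spy Sweeper "Session Log" into a few lines a responder can
read at a glance.  Added example for this thread, not Spy Sweeper's own code."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.*)$")        # every line is time-stamped
PHASE_RE = re.compile(r"^Starting (\w+) Sweep$")
FOUND_RE = re.compile(r"^Found (Adware|Trojan Horse|Spy Cookie|System Monitor): (.+)$")
BLOCKED_RE = re.compile(r"has blocked access to: (\S+)$")
RUNNING_RE = re.compile(r"^Detected running threat: (.+) \(ID = (-?\d+)\)$")
# "<registry key | file | cookie>[ (N subtraces)] (ID = n)"
TRACE_RE = re.compile(r"^(.+?)(?: \((\d+) subtraces\))? \(ID = (-?\d+)\)$")

# Winlogon Notify packages are DLLs loaded into winlogon.exe at logon, a well-known
# autostart location; the look2me trace in the posted log lives there.  (Marker list is an assumption.)
PERSISTENCE_MARKERS = ("winlogon\\notify",)

# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
8:00 AM: Spy Sweeper started
8:00 AM: Starting Memory Sweep
8:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 AM: Found Adware: icannnews
8:00 AM: Detected running threat: C:\WINDOWS\system32\nwmsdba.dll (ID = 83)
8:02 AM: Starting Registry Sweep
8:02 AM: Found Adware: quicklink search toolbar
8:02 AM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
8:02 AM: Found Adware: look2me
8:02 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\policies\ || dllname (ID = 911234)
8:02 AM: Starting Cookie Sweep
8:02 AM: Found Spy Cookie: yieldmanager cookie
8:02 AM: owner@ad.yieldmanager[1].txt (ID = 3751)
8:02 AM: Starting File Sweep
8:02 AM: Found Trojan Horse: trojan-downloader-daily-weather
8:02 AM: c:\program files\information update (1 subtraces) (ID = -2147476399)
8:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 AM: Found System Monitor: potentially rootkit-masked files
8:05 AM: 0000390c_43833521_0009c671 (ID = 0)
8:05 AM: 0000468c_4381424f_0007a120 (ID = 0)
"""

def parse_session_log(text):
    """Return {'blocked': Counter, 'threats': {name: {...}}, 'running': [paths]}."""
    blocked, threats, running = Counter(), {}, []
    current = phase = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                   # banner or blank line
        msg = m.group(1)
        b = BLOCKED_RE.search(msg)
        if b:                                          # shield hit: blocked, not removed
            blocked[b.group(1)] += 1
            continue
        p = PHASE_RE.match(msg)
        if p:
            phase = p.group(1)
            continue
        f = FOUND_RE.match(msg)
        if f:                                          # later traces belong to this name
            current = f.group(2)
            threats.setdefault(current, {"category": f.group(1), "traces": []})
            continue
        r = RUNNING_RE.match(msg)
        if r:                                          # DLL seen loaded in memory
            running.append(r.group(1))
            msg = f"{r.group(1)} (ID = {r.group(2)})"  # also record it as a trace
        t = TRACE_RE.match(msg)
        if t and current:
            threats[current]["traces"].append({"phase": phase, "trace": t.group(1),
                                               "subtraces": int(t.group(2) or 0),
                                               "id": int(t.group(3))})
    return {"blocked": blocked, "threats": threats, "running": running}

def persistence_traces(parsed):
    """Traces under a known autostart location; these reload at the next logon."""
    return [t["trace"] for info in parsed["threats"].values() for t in info["traces"]
            if any(mk in t["trace"].lower() for mk in PERSISTENCE_MARKERS)]

def masked_file_count(parsed):
    """Entries logged with ID = 0 under 'potentially rootkit-masked files'."""
    info = parsed["threats"].get("potentially rootkit-masked files")
    return 0 if info is None else sum(1 for t in info["traces"] if t["id"] == 0)

def report(parsed):
    """One-line-per-finding summary, suitable for pasting into a reply."""
    lines = ["Blocked outbound contacts:"]
    lines += [f"  {host}: {n}x" for host, n in parsed["blocked"].most_common()]
    lines.append("Detections:")
    lines += [f"  [{i['category']}] {name}: {len(i['traces'])} trace(s)"
              for name, i in parsed["threats"].items()]
    lines.append(f"Running in memory: {', '.join(parsed['running']) or 'none'}")
    lines.append(f"Autostart traces: {len(persistence_traces(parsed))}")
    lines.append(f"Rootkit-masked files: {masked_file_count(parsed)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(parse_session_log(SAMPLE_LOG)))
```

Run it as a script to print the summary, or feed a real saved Session Log to `parse_session_log()`. Two points the summary makes visible that are easy to miss in the raw log: the "blocked access to" lines are shield interceptions, not removals, so a component is still trying to reach those hosts after the sweep; and a trace under an autostart location such as Winlogon Notify is the reason a reboot is part of the cleanup rather than an optional step.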

#7 KSAC

  • Topic Starter
  • Members
  • 13 posts

Posted 23 October 2005 - 12:21 PM

Here are the logs you requested. It's quite long. Spy Sweeper is still having to block access to the same sites as it was during the session.


********
8:00 AM: | Start of Session, Sunday, October 23, 2005 |
8:00 AM: Spy Sweeper started
8:00 AM: Sweep initiated using definitions version 560
8:00 AM: Starting Memory Sweep
8:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 AM: Found Adware: icannnews
8:00 AM: Detected running threat: C:\WINDOWS\system32\nwmsdba.dll (ID = 83)
8:01 AM: Detected running threat: C:\WINDOWS\system32\q4nule591h.dll (ID = 83)
8:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 AM: Memory Sweep Complete, Elapsed Time: 00:01:38
8:02 AM: Starting Registry Sweep
8:02 AM: Found Adware: quicklink search toolbar
8:02 AM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
8:02 AM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
8:02 AM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
8:02 AM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
8:02 AM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
8:02 AM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
8:02 AM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
8:02 AM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
8:02 AM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
8:02 AM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
8:02 AM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
8:02 AM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
8:02 AM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
8:02 AM: Found Adware: instant access
8:02 AM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
8:02 AM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
8:02 AM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
8:02 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
8:02 AM: Found Trojan Horse: trojan-downloader-2pursuit
8:02 AM: HKCR\clsid\{7a7e6d97-b492-4884-9abb-c31281dcc4f2}\ (5 subtraces) (ID = 910454)
8:02 AM: HKLM\software\classes\clsid\{7a7e6d97-b492-4884-9abb-c31281dcc4f2}\ (5 subtraces) (ID = 910550)
8:02 AM: Found Adware: look2me
8:02 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\policies\ || dllname (ID = 911234)
8:02 AM: HKU\WRSS_Profile_S-1-5-21-854245398-2049760794-839522115-500\software\microsoft\style32\ (5 subtraces) (ID = 910485)
8:02 AM: Found Adware: targetsaver
8:02 AM: HKU\S-1-5-21-854245398-2049760794-839522115-1003\software\tsl2\ (1 subtraces) (ID = 143616)
8:02 AM: HKU\S-1-5-21-854245398-2049760794-839522115-1003\software\microsoft\style32\ (11 subtraces) (ID = 910485)
8:02 AM: Registry Sweep Complete, Elapsed Time:00:00:28
8:02 AM: Starting Cookie Sweep
8:02 AM: Found Spy Cookie: yieldmanager cookie
8:02 AM: owner@ad.yieldmanager[1].txt (ID = 3751)
8:02 AM: Found Spy Cookie: reliablestats cookie
8:02 AM: owner@stats1.reliablestats[2].txt (ID = 3254)
8:02 AM: Found Spy Cookie: winantiviruspro cookie
8:02 AM: owner@www.winantiviruspro[1].txt (ID = 3690)
8:02 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:02 AM: Starting File Sweep
8:02 AM: Found Trojan Horse: trojan-downloader-daily-weather
8:02 AM: c:\program files\information update (1 subtraces) (ID = -2147476399)
8:02 AM: c:\program files\quicklinks (2 subtraces) (ID = -2147468660)
8:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 AM: Found Adware: effective-i toolbar
8:03 AM: ucmoreiex.exe (ID = 59853)
8:03 AM: Found Adware: ist yoursitebar
8:03 AM: ysbinstall_1003585.exe (ID = 166206)
8:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 AM: qlutility.exe (ID = 168232)
8:03 AM: uninst.exe (ID = 73428)
8:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 AM: Found Adware: apropos
8:04 AM: wingenerics.dll (ID = 50187)
8:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:04 AM: Found Adware: sp2ms
8:04 AM: msresearch.exe (ID = 148760)
8:04 AM: sp2update00.exe (ID = 148759)
8:04 AM: qllib.dll (ID = 168233)
8:04 AM: 113_dollarrevenue_4_0_3_9.exe (ID = 166444)
8:04 AM: contextplus.exe (ID = 168722)
8:05 AM: Found Trojan Horse: trojan-downloader-nextern
8:05 AM: drin.exe (ID = 168231)
8:05 AM: installer.exe (ID = 168558)
8:05 AM: Found System Monitor: potentially rootkit-masked files
8:05 AM: 0000390c_43833521_0009c671 (ID = 0)
8:05 AM: 0000468c_4381424f_0007a120 (ID = 0)
8:05 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 AM: 00005dd5_43800c83_000baeb9 (ID = 0)
8:05 AM: 00007eb7_4381c9f9_00090f56 (ID = 0)
8:05 AM: 000032e6_438007db_00053ec6 (ID = 0)
8:05 AM: 0000428b_437ea126_000cdfe6 (ID = 0)
8:05 AM: 00005f90_43836cce_00029f63 (ID = 0)
8:05 AM: 0000305e_43824f18_000a7d8c (ID = 0)
8:05 AM: 000018be_435b1e58_0007270e (ID = 0)
8:05 AM: 000064a0_437f288e_0001e848 (ID = 0)
8:05 AM: 00003a9e_437ff8bb_000dd40a (ID = 0)
8:05 AM: 00002db5_4381425f_000af79e (ID = 0)
8:05 AM: 00005af1_43839278_00016e36 (ID = 0)
8:05 AM: 0000591d_43814203_00090f56 (ID = 0)
8:05 AM: 00003e12_437ff8ba_0002dc6c (ID = 0)
8:05 AM: 0000301c_438105d7_000b34a7 (ID = 0)
8:05 AM: 0000323b_43810584_00090f56 (ID = 0)
8:05 AM: 00000ce1_437ecf52_000e1113 (ID = 0)
8:05 AM: 00007eb7_4380058c_0001ab3f (ID = 0)
8:05 AM: 00007e0e_437f2124_0004c4b4 (ID = 0)
8:05 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:05 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:05 AM: 0000759a_438002bb_000baeb9 (ID = 0)
8:05 AM: 0000428b_43835198_000d1cef (ID = 0)
8:06 AM: 00006b89_4381b749_00040d99 (ID = 0)
8:06 AM: 00006732_437fb263_00090f56 (ID = 0)
8:06 AM: 00000822_43833d67_000d59f8 (ID = 0)
8:06 AM: 00000588_437eac0e_00039387 (ID = 0)
8:06 AM: 00001e1f_437ff57f_0008d24d (ID = 0)
8:06 AM: 00004d67_437fb2e3_0006ea05 (ID = 0)
8:06 AM: 00006d4e_43814265_000ec82e (ID = 0)
8:06 AM: 00004d06_437f372f_000b71b0 (ID = 0)
8:06 AM: 00002528_437eb0c8_00003d09 (ID = 0)
8:06 AM: index (ID = 0)
8:06 AM: 00001238_43810253_00003d09 (ID = 0)
8:06 AM: 00004d06_43829e85_00040d99 (ID = 0)
8:06 AM: 0000797d_43833b7c_000a7d8c (ID = 0)
8:06 AM: 00004db7_4380fce5_0001e848 (ID = 0)
8:06 AM: 00004efe_43814268_00057bcf (ID = 0)
8:06 AM: 00003bf6_4380035b_000e1113 (ID = 0)
8:06 AM: 00003bf6_4381bcdf_0009c671 (ID = 0)
8:06 AM: 00004402_437fb153_0009c671 (ID = 0)
8:06 AM: 0000121f_437ea822_0001e848 (ID = 0)
8:06 AM: 000012db_43834e34_000c28cb (ID = 0)
8:06 AM: 00005f32_438106f1_0001312d (ID = 0)
8:06 AM: 00000de5_437fb310_0002dc6c (ID = 0)
8:06 AM: 000037be_437f2874_000c28cb (ID = 0)
8:06 AM: 00006443_437f397d_000ca2dd (ID = 0)
8:06 AM: 0000357e_437f28be_000632ea (ID = 0)
8:06 AM: 000006e3_437f2125_0002dc6c (ID = 0)
8:06 AM: 00000d66_437ea83d_000a037a (ID = 0)
8:06 AM: 00005e9d_438007d3_000a4083 (ID = 0)
8:06 AM: 000050a9_437fb397_000ec82e (ID = 0)
8:06 AM: 00000c1e_437f249d_00039387 (ID = 0)
8:06 AM: 000000eb_437f2875_000e4e1c (ID = 0)
8:06 AM: 00004402_437ea85e_000e8b25 (ID = 0)
8:06 AM: 000069d0_437eaece_0007a120 (ID = 0)
8:06 AM: 00007eb7_438108a2_0007de29 (ID = 0)
8:06 AM: 00006ad6_43810f99_000d59f8 (ID = 0)
8:06 AM: 00006d4e_437f1654_000a7d8c (ID = 0)
8:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:06 AM: 00001cd0_437ea816_000f0537 (ID = 0)
8:07 AM: 00005f90_43836ad4_00090f56 (ID = 0)
8:07 AM: 00006732_43800d50_000632ea (ID = 0)
8:07 AM: 00000099_43824eaa_000b34a7 (ID = 0)
8:07 AM: 00001ad4_437f4012_0007a120 (ID = 0)
8:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:07 AM: 0000153c_43834f7e_00031975 (ID = 0)
8:07 AM: 00003a9e_435aba02_0001312d (ID = 0)
8:07 AM: 00000822_4381cb7d_0006acfc (ID = 0)
8:07 AM: 0000139d_438254cb_000ca2dd (ID = 0)
8:07 AM: 00002079_437f1d24_000a7d8c (ID = 0)
8:07 AM: 000033ea_43825563_000f0537 (ID = 0)
8:07 AM: 00004657_437ea843_00057bcf (ID = 0)
8:07 AM: 00007346_437f1b42_000b34a7 (ID = 0)
8:07 AM: 00002059_438141f5_00094c5f (ID = 0)
8:07 AM: 0000390c_43824e76_0006acfc (ID = 0)
8:07 AM: 000079d1_437f08ea_000632ea (ID = 0)
8:07 AM: 000018be_438346f4_000d9701 (ID = 0)
8:07 AM: 000049f7_437fb29c_0007de29 (ID = 0)
8:07 AM: 000012db_4381b590_00031975 (ID = 0)
8:07 AM: 00001a49_4381334b_0003567e (ID = 0)
8:07 AM: 00000bdb_4381b9e3_0007a120 (ID = 0)
8:07 AM: 00007f96_43825120_000a7d8c (ID = 0)
8:07 AM: 00004ae1_435b94e4_0005b8d8 (ID = 0)
8:07 AM: 00000035_43811761_00094c5f (ID = 0)
8:07 AM: 00006be8_437ea867_00094c5f (ID = 0)
8:07 AM: 00002b0f_437f2644_000dd40a (ID = 0)
8:07 AM: 000046c2_4381425f_00040d99 (ID = 0)
8:07 AM: 000007cf_43811768_0008583b (ID = 0)
8:07 AM: 0000139d_4381f493_00053ec6 (ID = 0)
8:07 AM: 00003b97_437eade8_000c65d4 (ID = 0)
8:07 AM: 0000390c_4381b5a9_0008d24d (ID = 0)
8:07 AM: 00007bb9_4381f3a3_000e8b25 (ID = 0)
8:07 AM: 00004dc8_43825a46_00031975 (ID = 0)
8:08 AM: 00005dd5_4381164c_00003d09 (ID = 0)
8:08 AM: 000054de_437f379d_0007270e (ID = 0)
8:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 AM: 00002350_435ab80a_0003567e (ID = 0)
8:08 AM: 000069d0_437fb326_000bebc2 (ID = 0)
8:08 AM: 00006032_4382540e_00098968 (ID = 0)
8:08 AM: 000001e1_437f1655_00098968 (ID = 0)
8:08 AM: 00005422_438139ab_00094c5f (ID = 0)
8:08 AM: 00006df1_43836cde_0005b8d8 (ID = 0)
8:08 AM: 00004b40_437f42e2_000c65d4 (ID = 0)
8:08 AM: 0000491c_437faaa4_000e4e1c (ID = 0)
8:08 AM: 00001649_43829a3c_00039387 (ID = 0)
8:08 AM: 00005772_4381f3a4_0003567e (ID = 0)
8:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:08 AM: 00006e5d_438250ef_000e8b25 (ID = 0)
8:08 AM: 00004b40_437ea7f7_0000b71b (ID = 0)
8:08 AM: 00005af1_43826450_00029f63 (ID = 0)
8:08 AM: 00005f90_435ae07e_0004753b (ID = 0)
8:08 AM: 00007871_437f288d_0008583b (ID = 0)
8:08 AM: 000012db_437ea479_000e1113 (ID = 0)
8:08 AM: 0000798b_4382549e_0002dc6c (ID = 0)
8:08 AM: 00006b89_438251e4_00003d09 (ID = 0)
8:08 AM: 00005a9c_43814267_00076417 (ID = 0)
8:08 AM: 00006899_438261b9_000a4083 (ID = 0)
8:08 AM: 000039b3_43824ff2_000501bd (ID = 0)
8:08 AM: 00006bcb_4381145f_0000f424 (ID = 0)
8:08 AM: 000018d7_4381141a_0003d090 (ID = 0)
8:08 AM: 0000798b_438006b6_0005f5e1 (ID = 0)
8:08 AM: 0000798b_4381def4_000c65d4 (ID = 0)
8:08 AM: 00006e5d_43825d94_0007de29 (ID = 0)
8:09 AM: 00007ff5_43825121_00031975 (ID = 0)
8:09 AM: 00006d76_437fb39c_000cdfe6 (ID = 0)
8:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 AM: 00001850_437ea8a0_000cdfe6 (ID = 0)
8:09 AM: 00001649_43836aec_00076417 (ID = 0)
8:09 AM: 0000409d_4381ccc0_00044aa2 (ID = 0)
8:09 AM: 0000440d_437f36fc_00053ec6 (ID = 0)
8:09 AM: 000050bf_43814260_000aba95 (ID = 0)
8:09 AM: 00000bb3_43824e62_0002dc6c (ID = 0)
8:09 AM: 000066bb_43825074_0004c4b4 (ID = 0)
8:09 AM: 00002ba5_437f1700_0002625a (ID = 0)
8:09 AM: 0000440d_437ea7b8_0000b71b (ID = 0)
8:09 AM: 00006952_437ea1ce_00094c5f (ID = 0)
8:09 AM: 000026e9_4381279d_0004c4b4 (ID = 0)
8:09 AM: 00007eb7_438138fa_000ec82e (ID = 0)
8:09 AM: 00003bf6_438252a3_000d59f8 (ID = 0)
8:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:09 AM: 00006f3c_437fb310_0008583b (ID = 0)
8:09 AM: 00003b25_435b967e_00029f63 (ID = 0)
8:09 AM: 000041bb_438392a9_00022551 (ID = 0)
8:09 AM: 000049d0_437f2898_000a7d8c (ID = 0)
8:09 AM: 00007ac2_43814243_00040d99 (ID = 0)
8:09 AM: 000001eb_43824e4e_00066ff3 (ID = 0)
8:09 AM: 00003b25_43826f5a_00039387 (ID = 0)
8:09 AM: 0000767d_43837f94_000a7d8c (ID = 0)
8:09 AM: 000010d9_43814262_00016e36 (ID = 0)
8:09 AM: 00003807_437fb2b5_00029f63 (ID = 0)
8:09 AM: 0000441d_43814254_000bebc2 (ID = 0)
8:10 AM: 00006d22_43800d72_00081b32 (ID = 0)
8:10 AM: 000054de_4381b5e6_0000b71b (ID = 0)
8:10 AM: 000071f2_437f2875_00022551 (ID = 0)
8:10 AM: 000026e9_438392aa_00040d99 (ID = 0)
8:10 AM: 00006032_438005c4_0008583b (ID = 0)
8:10 AM: 0000520b_437fb31a_000baeb9 (ID = 0)
8:10 AM: 00005878_437ea7f7_000c28cb (ID = 0)
8:10 AM: 00000099_4380fce0_0001312d (ID = 0)
8:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:10 AM: 000079d1_43814262_0008583b (ID = 0)
8:10 AM: 00002ea6_438259dd_00000000 (ID = 0)
8:10 AM: 0000428b_43825086_0005f5e1 (ID = 0)
8:10 AM: 00002120_437f249f_0002625a (ID = 0)
8:10 AM: 00000902_4380079a_00040d99 (ID = 0)
8:10 AM: 0000123b_437f2899_0003d090 (ID = 0)
8:10 AM: 0000701f_438351db_0004c4b4 (ID = 0)
8:10 AM: 00002c3b_438005c9_0007de29 (ID = 0)
8:10 AM: 0000692c_43813a74_00066ff3 (ID = 0)
8:10 AM: 00005f90_4381b51f_0002dc6c (ID = 0)
8:10 AM: 000039b3_43837f23_00081b32 (ID = 0)
8:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:10 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:10 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:10 AM: 00001649_43836cd2_0001312d (ID = 0)
8:10 AM: 00001cd0_43810862_0001312d (ID = 0)
8:10 AM: 00002ea6_4383935e_0006acfc (ID = 0)
8:10 AM: 00000390_43814262_000baeb9 (ID = 0)
8:10 AM: 00004df2_43833c15_000b34a7 (ID = 0)
8:10 AM: 000063cb_43833725_0003d090 (ID = 0)
8:10 AM: 00006443_43825a47_00076417 (ID = 0)
8:10 AM: 00001e1f_437f3f20_0001ab3f (ID = 0)
8:10 AM: 00004e45_4382512e_00053ec6 (ID = 0)
8:10 AM: 0000721d_43814284_0007de29 (ID = 0)
8:10 AM: 00006048_438141fd_000501bd (ID = 0)
8:11 AM: 0000440d_43824f30_000c28cb (ID = 0)
8:11 AM: 00005422_438271d8_000bebc2 (ID = 0)
8:11 AM: 00001dcb_43814284_000aba95 (ID = 0)
8:11 AM: 00000fc9_4380081c_0004c4b4 (ID = 0)
8:11 AM: 0000368e_4382562e_00081b32 (ID = 0)
8:11 AM: 00001547_437faaa7_000a037a (ID = 0)
8:11 AM: 000026a6_43825094_0003567e (ID = 0)
8:11 AM: 00004cad_43825f58_000a7d8c (ID = 0)
8:11 AM: 00001366_43800415_000b71b0 (ID = 0)
8:11 AM: 000015a1_43826022_000632ea (ID = 0)
8:11 AM: 00004328_437f241e_0007de29 (ID = 0)
8:11 AM: 00004a80_43813a76_0002625a (ID = 0)
8:11 AM: 000012c2_43814284_000ec82e (ID = 0)
8:11 AM: 00002ea6_4380fc86_0008d24d (ID = 0)
8:11 AM: 00002350_437faae1_0009c671 (ID = 0)
8:11 AM: 00006732_438117f7_000af79e (ID = 0)
8:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:11 AM: 00000ddc_438107d8_00007a12 (ID = 0)
8:11 AM: 00003d6c_435b954c_0007de29 (ID = 0)
8:11 AM: 000001eb_43811c17_000ec82e (ID = 0)
8:11 AM: 00006b72_437fad92_0001ab3f (ID = 0)
8:11 AM: 000012db_438259dd_0009c671 (ID = 0)
8:11 AM: 00005cfd_43825ebd_000a037a (ID = 0)
8:11 AM: 00005f32_4380033b_00016e36 (ID = 0)
8:11 AM: 00002c3b_43825432_0007270e (ID = 0)
8:11 AM: 000022ee_437faae2_00022551 (ID = 0)
8:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:11 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:11 AM: 00001003_43814285_0002625a (ID = 0)
8:12 AM: 00006ea1_437f1639_000baeb9 (ID = 0)
8:12 AM: 0000323b_4382513e_0007de29 (ID = 0)
8:12 AM: 00003a9e_438252c5_000aba95 (ID = 0)
8:12 AM: 000001e1_437fb379_00044aa2 (ID = 0)
8:12 AM: 00000c7b_437fb2b1_000bebc2 (ID = 0)
8:12 AM: 0000773f_43814285_0003d090 (ID = 0)
8:12 AM: 00002d12_43825000_0001312d (ID = 0)
8:12 AM: 00000728_43814263_00029f63 (ID = 0)
8:12 AM: 00000a6c_437f21e6_000b71b0 (ID = 0)
8:12 AM: 00001a49_438339d4_000ec82e (ID = 0)
8:12 AM: 00002d12_43837f26_00057bcf (ID = 0)
8:12 AM: 00007e87_43812807_00081b32 (ID = 0)
8:12 AM: 00001289_437f1b43_00081b32 (ID = 0)
8:12 AM: 000066b4_437f18b1_000af79e (ID = 0)
8:12 AM: 00004c66_437f164d_000c28cb (ID = 0)
8:12 AM: 00000a41_43814285_0008583b (ID = 0)
8:12 AM: 000018be_43836a06_00066ff3 (ID = 0)
8:12 AM: 000063cb_438250f7_0007270e (ID = 0)
8:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:12 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:12 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:12 AM: 000036c2_437f1e23_00039387 (ID = 0)
8:12 AM: 00005c5e_437f164e_0007de29 (ID = 0)
8:12 AM: 00001e1f_43826f5c_000aba95 (ID = 0)
8:12 AM: 00004e55_437f08ea_0009c671 (ID = 0)
8:12 AM: 00005d03_43839596_0006ea05 (ID = 0)
8:13 AM: 0000428b_4381b621_0004c4b4 (ID = 0)
8:13 AM: 0000153c_438259de_000a037a (ID = 0)
8:13 AM: 0000701f_4382509d_00081b32 (ID = 0)
8:13 AM: 000066c4_43833cab_000e1113 (ID = 0)
8:13 AM: 0000721d_437f249f_000b71b0 (ID = 0)
8:13 AM: 00007e87_43834f7e_00089544 (ID = 0)
8:13 AM: 00004080_4382551f_00003d09 (ID = 0)
8:13 AM: 00001e1f_435b96b3_000f0537 (ID = 0)
8:13 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:13 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:13 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:13 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:13 AM: 00005d03_438250aa_0001ab3f (ID = 0)
8:13 AM: 00006b28_43814288_00090f56 (ID = 0)
8:13 AM: 00004509_43837f96_00007a12 (ID = 0)
8:13 AM: 0000139d_43826174_000d9701 (ID = 0)
8:13 AM: 000066bb_43825a47_000baeb9 (ID = 0)
8:13 AM: 0000401d_438007db_000a4083 (ID = 0)
8:13 AM: 00004cad_4381375a_000b71b0 (ID = 0)
8:13 AM: 00006747_437f18cb_00016e36 (ID = 0)
8:13 AM: 00004ae1_43836ab1_000d59f8 (ID = 0)
8:13 AM: 00006df1_43836b1d_000baeb9 (ID = 0)
8:13 AM: 000026b1_437f1f04_0008583b (ID = 0)
8:13 AM: 00001ad4_43825d96_00000000 (ID = 0)
8:13 AM: 00005af1_43836b21_00076417 (ID = 0)
8:13 AM: 00003305_43814288_00007a12 (ID = 0)
8:14 AM: 0000692c_4381f584_0000f424 (ID = 0)
8:14 AM: 00005af1_438333e4_000f0537 (ID = 0)
8:14 AM: 00005579_4381422e_0003567e (ID = 0)
8:14 AM: 00002e40_43833c37_00090f56 (ID = 0)
8:14 AM: 00006b89_43838400_000501bd (ID = 0)
8:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:14 AM: 00000099_437faa9b_0001e848 (ID = 0)
8:14 AM: 00001649_43833324_00076417 (ID = 0)
8:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:14 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:14 AM: 000012e1_438260a5_0000f424 (ID = 0)
8:14 AM: 00002213_43825de1_00031975 (ID = 0)
8:14 AM: 00000878_43814271_0004c4b4 (ID = 0)
8:14 AM: 00005d03_43825cad_000baeb9 (ID = 0)
8:14 AM: 00004b40_437faae5_000baeb9 (ID = 0)
8:14 AM: 00005e14_43825fc2_000a037a (ID = 0)
8:14 AM: 00004365_437f18cc_00022551 (ID = 0)
8:14 AM: 000026ca_43800780_000c28cb (ID = 0)
8:14 AM: 00006bc9_4381428a_00057bcf (ID = 0)
8:14 AM: 00001238_43837f9a_000e8b25 (ID = 0)
8:14 AM: 00007a5a_438250ab_0002625a (ID = 0)
8:14 AM: 0000549b_437f1872_000c65d4 (ID = 0)
8:14 AM: 00000124_43825a19_000501bd (ID = 0)
8:14 AM: 00000124_43811cde_0001312d (ID = 0)
8:14 AM: 000058c5_4381428a_000ca2dd (ID = 0)
8:14 AM: 00003a9e_43800370_000d9701 (ID = 0)
8:15 AM: 000041bb_43836b22_0001ab3f (ID = 0)
8:15 AM: 00001030_437f1674_000ca2dd (ID = 0)
8:15 AM: 0000458f_438141ff_0006acfc (ID = 0)
8:15 AM: 0000282d_437eae47_0005f5e1 (ID = 0)
8:15 AM: 00002350_4382706b_00039387 (ID = 0)
8:15 AM: 00000ddc_43825f57_0001ab3f (ID = 0)
8:15 AM: 00005772_438340d8_000501bd (ID = 0)
8:15 AM: 00000124_43824ebc_000bebc2 (ID = 0)
8:15 AM: 00000029_437ea19f_0000b71b (ID = 0)
8:15 AM: 00005991_43826074_0006acfc (ID = 0)
8:15 AM: 0000323b_43838328_000a037a (ID = 0)
8:15 AM: 000026e9_435b95e3_0004c4b4 (ID = 0)
8:15 AM: 00004df2_43825fc3_00053ec6 (ID = 0)
8:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 AM: 0000139d_438340d8_000b71b0 (ID = 0)
8:15 AM: 00001edc_43814292_000e1113 (ID = 0)
8:15 AM: 00006b72_438141d9_0002dc6c (ID = 0)
8:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:15 AM: 00004db7_43829e85_00053ec6 (ID = 0)
8:15 AM: 00000f3e_437faa9a_0007270e (ID = 0)
8:15 AM: 00002079_437fb399_0000f424 (ID = 0)
8:15 AM: 00005fa4_43811704_000ca2dd (ID = 0)
8:15 AM: 0000491c_437ea7ba_0008d24d (ID = 0)
8:15 AM: 000012db_4383936c_000d59f8 (ID = 0)
8:16 AM: 00002cd6_43836ab5_0002dc6c (ID = 0)
8:16 AM: 000015a1_43825432_000d59f8 (ID = 0)
8:16 AM: 0000212c_4381428f_0005b8d8 (ID = 0)
8:16 AM: 00005a9c_437f1675_00076417 (ID = 0)
8:16 AM: 0000139d_437ea824_000e8b25 (ID = 0)
8:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 AM: 00004b40_435ab814_00081b32 (ID = 0)
8:16 AM: 00004b40_43829edf_000ca2dd (ID = 0)
8:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:16 AM: 0000692c_437ea825_0005f5e1 (ID = 0)
8:16 AM: 0000767d_438250b0_000bebc2 (ID = 0)
8:16 AM: 0000491c_43824f50_0007de29 (ID = 0)
8:16 AM: 00000390_437f08ea_000d59f8 (ID = 0)
8:16 AM: 00005991_4381cbcc_0007a120 (ID = 0)
8:16 AM: 00001cdf_437f1f06_000e1113 (ID = 0)
8:17 AM: 000072ae_43836ab5_000d9701 (ID = 0)
8:17 AM: 0000578d_43814293_000c28cb (ID = 0)
8:17 AM: 00000822_43829f4b_00029f63 (ID = 0)
8:17 AM: 00003e12_437ea7f9_00044aa2 (ID = 0)
8:17 AM: 0000074d_43837f4b_0001312d (ID = 0)
8:17 AM: 00005878_43829ee0_00098968 (ID = 0)
8:17 AM: 00006da6_437f20ec_00066ff3 (ID = 0)
8:17 AM: 0000390c_435ae2a2_00043832 (ID = 0)
8:17 AM: 00003106_437f2899_000dd40a (ID = 0)
8:17 AM: 000071f2_43814294_0003d090 (ID = 0)
8:17 AM: 00007eb7_437ff8c9_000a7d8c (ID = 0)
8:17 AM: 00006899_438254e6_0003567e (ID = 0)
8:17 AM: 00005422_4382602e_0008d24d (ID = 0)
8:17 AM: 00006bfc_438250fd_00053ec6 (ID = 0)
8:17 AM: 00001af4_43800d76_00000000 (ID = 0)
8:17 AM: 00006e89_437f20ed_00000000 (ID = 0)
8:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 AM: 0000366b_43810864_000c65d4 (ID = 0)
8:17 AM: 00006952_438298d1_0007270e (ID = 0)
8:17 AM: 00000c1e_43814283_00044aa2 (ID = 0)
8:17 AM: 00005579_437eac26_00081b32 (ID = 0)
8:17 AM: 000056ae_43829ed2_000b71b0 (ID = 0)
8:17 AM: 000054de_438128de_00076417 (ID = 0)
8:17 AM: 0000249e_438115cb_000c65d4 (ID = 0)
8:17 AM: 00005478_437f28e3_00098968 (ID = 0)
8:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:17 AM: 00006d22_4381180e_000ca2dd (ID = 0)
8:17 AM: 0000121f_4381ed66_0000f424 (ID = 0)
8:18 AM: 00005422_43825432_000e4e1c (ID = 0)
8:18 AM: 00005f49_43825375_0008583b (ID = 0)
8:18 AM: 00000bdb_4383376d_000ec82e (ID = 0)
8:18 AM: 00005d24_437eabf2_000af79e (ID = 0)
8:18 AM: 0000121f_438254ae_00031975 (ID = 0)
8:18 AM: 00004efe_437f167f_000b34a7 (ID = 0)
8:18 AM: 0000366b_43833c95_00039387 (ID = 0)
8:18 AM: 00000124_437faa9b_000d1cef (ID = 0)
8:18 AM: 000012e1_4381cdb4_0003d090 (ID = 0)
8:18 AM: 00001649_438391f7_0009c671 (ID = 0)
8:18 AM: 000000eb_43814295_0003567e (ID = 0)
8:18 AM: 0000074d_4382500e_000cdfe6 (ID = 0)
8:18 AM: 000056ae_43833771_00057bcf (ID = 0)
8:18 AM: 00007ac2_437eaf17_0008d24d (ID = 0)
8:18 AM: 00000fbf_437ea834_0001312d (ID = 0)
8:19 AM: 00001bd9_437f1681_00003d09 (ID = 0)
8:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:19 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

#8 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 23 October 2005 - 12:22 PM

May I have a new HJT log?

#9 KSAC

  • Topic Starter
  • Members
  • 13 posts

Posted 23 October 2005 - 12:22 PM

Well, I can't post the whole log at once. It continues the same way until the end of the sweep, which I have posted here.

11:22 AM: File Sweep Complete, Elapsed Time: 03:20:06
11:22 AM: Full Sweep has completed. Elapsed time 03:22:20
11:22 AM: Traces Found: 3291

11:23 AM to 11:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

11:56 AM: Removal process initiated
11:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:57 AM: Quarantining All Traces: look2me
11:57 AM: Quarantining All Traces: trojan-downloader-2pursuit
11:57 AM: Quarantining All Traces: trojan-downloader-daily-weather
11:57 AM: Quarantining All Traces: apropos
11:57 AM: apropos is in use. It will be removed on reboot.
11:57 AM: wingenerics.dll is in use. It will be removed on reboot.
11:57 AM: Quarantining All Traces: effective-i toolbar
11:57 AM: Quarantining All Traces: icannnews
11:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:58 AM: icannnews is in use. It will be removed on reboot.
11:58 AM: C:\WINDOWS\system32\nwmsdba.dll is in use. It will be removed on reboot.
11:58 AM: C:\WINDOWS\system32\q4nule591h.dll is in use. It will be removed on reboot.
11:58 AM: Quarantining All Traces: instant access
11:58 AM: Quarantining All Traces: ist yoursitebar
11:58 AM: Quarantining All Traces: quicklink search toolbar
11:58 AM: Quarantining All Traces: sp2ms
11:58 AM: Quarantining All Traces: targetsaver
11:58 AM: Quarantining All Traces: trojan-downloader-nextern
11:58 AM: Quarantining All Traces: reliablestats cookie
11:58 AM: Quarantining All Traces: winantiviruspro cookie
11:58 AM: Quarantining All Traces: yieldmanager cookie
11:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:58 AM: Preparing to restart your computer. Please wait...
11:58 AM: Removal process completed. Elapsed time 00:02:05
12:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
********

Logfile of HijackThis v1.99.1
Scan saved at 12:07:42 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\NOTEPAD.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\g4jole131h.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\p08qlal51dq.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#10 sUBs (Malware Response Team, 2,489 posts)

Posted 23 October 2005 - 12:31 PM

You managed to kill one of the infections but another has taken its place.

You need to run SpySweeper again.

But this time, disconnect your computer from the internet while you're doing it.
Do not use your computer whilst it's scanning.
Try to close as many programs as possible before starting. The less you have running, the faster the scan will complete.

If the resultant log is overly lengthy, please use Winzip to zip/archive it & place it as an attachment instead.

Edited by sUBs, 23 October 2005 - 12:32 PM.


#11 KSAC (Topic Starter, Members, 13 posts)

Posted 24 October 2005 - 06:00 AM

Wow, that too took a long time. I believe that my symptoms are gone. I'm not sure I can attach my Spy Sweeper log to this post, but here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 5:51:45 AM, on 10/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\g4jole131h.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#12 sUBs (Malware Response Team, 2,489 posts)

Posted 24 October 2005 - 06:23 AM

If you can't attach SpySweeper's log here, please mail it to me

Edited by sUBs, 25 October 2005 - 03:59 AM.


#13 sUBs (Malware Response Team, 2,489 posts)

Posted 25 October 2005 - 03:59 AM

Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close all other opened programs before running this tool

From within the newly created folder, locate & run L2mfix.bat
Select option #2 - Run Fix - by typing 2

Press any key to reboot your computer.
After the reboot, your Desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Save the contents of that log as I shall require you to post it in your next reply after completing the fix.

DO NOT RUN ANY OTHER FILES IN THE L2MFIX FOLDER UNLESS INSTRUCTED

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


You may want to print out the rest of these instructions for reference, since you will have to restart your computer during the fix. Please download these additional files/programs. Do not run them until instructed to do so.

AproposFix.exe - do NOT run it yet.

CleanUp.exe - Install.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please disable Webroot SpySweeper & SpyBot's TeaTimer, as they hinder the removal of some entries. You can re-enable them after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Automatically restore default without notification
~~~~~~~~~~
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose [Yes] at the Warning prompt.
  • Expand the [Tools] menu.
  • Click [Resident].
  • Uncheck the "Resident TeaTimer (Protection of overall system settings) active." box.
  • In the File menu click [Exit] to exit Spybot Search & Destroy.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


With HiJackThis, place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O20 - Winlogon Notify: policies - C:\WINDOWS\
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\g4jole131h.dll (file missing)



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Once in Safe Mode, double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, it will create a log, log.txt file in the aproposfix folder.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • WeatherBug
Then locate & delete this folder - C:\PROGRAM FILES\AWS



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • L2Mfix's log
  • Apropos Fix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
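
As an added example that is not part of this thread or of HijackThis: a small Python triage that applies the checks behind the fix list above to HijackThis log lines, flagging R0/R1 settings reset to empty or about:blank and O20 Winlogon Notify entries that point to a missing DLL, have no DllName at all, or load a DLL outside a baseline. The sample lines and the baseline of expected notify DLLs are constructed from the logs in this thread (the baseline is an assumption, not a HijackThis feature).

```python
import re

# Constructed sample: HijackThis v1.99.1 lines of the kinds discussed in this
# thread (R0/R1 browser settings, one O4 autorun, and O20 Winlogon Notify
# entries). Backslashes are doubled because this is a normal Python string.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll
O20 - Winlogon Notify: policies - C:\\WINDOWS\\
O20 - Winlogon Notify: Run - C:\\WINDOWS\\system32\\g4jole131h.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\\WINDOWS\\system32\\p08qlal51dq.dll
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
"""

# Baseline of Winlogon Notify DLLs treated as expected (assumption: built from
# the packages this thread's logs and registry export show as legitimate, i.e.
# the Windows XP defaults plus the Intel graphics, Stardock and Webroot
# packages). Any other DLL is reported for analyst review, not auto-removed.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "wzcdlg.dll",                     # Windows XP defaults
    "igfxsrvc.dll", "mcpstub.dll", "wrlogonntf.dll",  # vendor packages in the log
}

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O20_BODY = re.compile(
    r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
R_BODY = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>.+?)\s*=\s*(?P<value>.*)$")


def triage_o20(body):
    """Return a reason string if an O20 Winlogon Notify entry needs review, else None."""
    m = O20_BODY.match(body)
    if not m:
        return None
    path = m.group("path").strip()
    if m.group("missing"):
        # A notify package whose DLL is gone is a dead loader hook: inert now,
        # but it proves something registered it and should be cleaned up.
        return "notify package points to a DLL that no longer exists"
    if path.endswith("\\"):
        # HijackThis shows a bare directory when the subkey has no DllName
        # value at all (the 'policies' entry in this thread).
        return "notify package has no DllName value"
    dll = path.rsplit("\\", 1)[-1].lower()
    if dll not in KNOWN_NOTIFY_DLLS:
        return "notify DLL %s is not in the baseline" % dll
    return None


def triage_r(body):
    """Return a reason string if an R0/R1 browser setting was blanked, else None."""
    m = R_BODY.match(body)
    if not m:
        return None
    value = m.group("value").strip().lower()
    if value in ("", "about:blank"):
        return "browser start/search setting reset to empty or about:blank"
    return None


def triage(log_text):
    """Scan HijackThis log text; return [(line, reason)] for entries needing review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reason = None
        if kind in ("R0", "R1"):
            reason = triage_r(body)
        elif kind == "O20":
            reason = triage_o20(body)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-4s %s\n     -> %s" % (line.split(" - ", 1)[0], line, reason))
```

Running it on the sample reports exactly the seven entries sUBs asked to have fixed plus the Unimodem entry from the earlier log, while the Intel, Stardock and Webroot packages and the yahoo.com defaults pass.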

#14 KSAC (Topic Starter, Members, 13 posts)

Posted 25 October 2005 - 05:13 PM

I did everything you asked in order. I haven't noticed anything unusual about my computer's behavior. Here are the logs you need.


L2MFix Log:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1392 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1432 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\d8j00i1me8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ddvx_xx0c.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dydskres.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en60l1jm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f82mlif1182.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp4m03h1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fplq0335e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpn2l35o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h62o0gf3e62.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrn4055qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irrql5951.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt6207joe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtjq0715e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldru1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktrql7951.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kuduzb.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l6n4lg5q16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mbhcp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdxlegih.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mgxml3.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpcsubs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvnol9531.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rkcss.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sseio.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t68ulgl916q.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\d8j00i1me8.dll
Successfully Deleted: C:\WINDOWS\system32\d8j00i1me8.dll
deleting: C:\WINDOWS\system32\ddvx_xx0c.dll
Successfully Deleted: C:\WINDOWS\system32\ddvx_xx0c.dll
deleting: C:\WINDOWS\system32\dydskres.dll
Successfully Deleted: C:\WINDOWS\system32\dydskres.dll
deleting: C:\WINDOWS\system32\en60l1jm1.dll
Successfully Deleted: C:\WINDOWS\system32\en60l1jm1.dll
deleting: C:\WINDOWS\system32\f82mlif1182.dll
Successfully Deleted: C:\WINDOWS\system32\f82mlif1182.dll
deleting: C:\WINDOWS\system32\fp4m03h1e.dll
Successfully Deleted: C:\WINDOWS\system32\fp4m03h1e.dll
deleting: C:\WINDOWS\system32\fplq0335e.dll
Successfully Deleted: C:\WINDOWS\system32\fplq0335e.dll
deleting: C:\WINDOWS\system32\gpn2l35o1.dll
Successfully Deleted: C:\WINDOWS\system32\gpn2l35o1.dll
deleting: C:\WINDOWS\system32\h62o0gf3e62.dll
Successfully Deleted: C:\WINDOWS\system32\h62o0gf3e62.dll
deleting: C:\WINDOWS\system32\hrn4055qe.dll
Successfully Deleted: C:\WINDOWS\system32\hrn4055qe.dll
deleting: C:\WINDOWS\system32\irrql5951.dll
Successfully Deleted: C:\WINDOWS\system32\irrql5951.dll
deleting: C:\WINDOWS\system32\jt6207joe.dll
Successfully Deleted: C:\WINDOWS\system32\jt6207joe.dll
deleting: C:\WINDOWS\system32\jtjq0715e.dll
Successfully Deleted: C:\WINDOWS\system32\jtjq0715e.dll
deleting: C:\WINDOWS\system32\kldru1.dll
Successfully Deleted: C:\WINDOWS\system32\kldru1.dll
deleting: C:\WINDOWS\system32\ktrql7951.dll
Successfully Deleted: C:\WINDOWS\system32\ktrql7951.dll
deleting: C:\WINDOWS\system32\kuduzb.dll
Successfully Deleted: C:\WINDOWS\system32\kuduzb.dll
deleting: C:\WINDOWS\system32\l6n4lg5q16.dll
Successfully Deleted: C:\WINDOWS\system32\l6n4lg5q16.dll
deleting: C:\WINDOWS\system32\mbhcp.dll
Successfully Deleted: C:\WINDOWS\system32\mbhcp.dll
deleting: C:\WINDOWS\system32\mdxlegih.dll
Successfully Deleted: C:\WINDOWS\system32\mdxlegih.dll
deleting: C:\WINDOWS\system32\mgxml3.dll
Successfully Deleted: C:\WINDOWS\system32\mgxml3.dll
deleting: C:\WINDOWS\system32\mpcsubs.dll
Successfully Deleted: C:\WINDOWS\system32\mpcsubs.dll
deleting: C:\WINDOWS\system32\mvnol9531.dll
Successfully Deleted: C:\WINDOWS\system32\mvnol9531.dll
deleting: C:\WINDOWS\system32\rkcss.dll
Successfully Deleted: C:\WINDOWS\system32\rkcss.dll
deleting: C:\WINDOWS\system32\sseio.dll
Successfully Deleted: C:\WINDOWS\system32\sseio.dll
deleting: C:\WINDOWS\system32\t68ulgl916q.dll
Successfully Deleted: C:\WINDOWS\system32\t68ulgl916q.dll


Zipping up files for submission:
adding: d8j00i1me8.dll (188 bytes security) (deflated 5%)
adding: ddvx_xx0c.dll (188 bytes security) (deflated 5%)
adding: dydskres.dll (188 bytes security) (deflated 4%)
adding: en60l1jm1.dll (188 bytes security) (deflated 4%)
adding: f82mlif1182.dll (188 bytes security) (deflated 5%)
adding: fp4m03h1e.dll (188 bytes security) (deflated 5%)
adding: fplq0335e.dll (188 bytes security) (deflated 5%)
adding: gpn2l35o1.dll (188 bytes security) (deflated 5%)
adding: h62o0gf3e62.dll (188 bytes security) (deflated 4%)
adding: hrn4055qe.dll (188 bytes security) (deflated 5%)
adding: irrql5951.dll (188 bytes security) (deflated 6%)
adding: jt6207joe.dll (188 bytes security) (deflated 4%)
adding: jtjq0715e.dll (188 bytes security) (deflated 5%)
adding: kldru1.dll (188 bytes security) (deflated 5%)
adding: ktrql7951.dll (188 bytes security) (deflated 4%)
adding: kuduzb.dll (188 bytes security) (deflated 6%)
adding: l6n4lg5q16.dll (188 bytes security) (deflated 6%)
adding: mbhcp.dll (188 bytes security) (deflated 5%)
adding: mdxlegih.dll (188 bytes security) (deflated 4%)
adding: mgxml3.dll (188 bytes security) (deflated 5%)
adding: mpcsubs.dll (188 bytes security) (deflated 4%)
adding: mvnol9531.dll (188 bytes security) (deflated 5%)
adding: rkcss.dll (188 bytes security) (deflated 5%)
adding: sseio.dll (188 bytes security) (deflated 4%)
adding: t68ulgl916q.dll (188 bytes security) (deflated 4%)
adding: clear.reg (188 bytes security) (deflated 46%)
adding: lo2.txt (188 bytes security) (deflated 85%)
adding: test.txt (188 bytes security) (deflated 79%)
adding: test2.txt (188 bytes security) (deflated 27%)
adding: test3.txt (188 bytes security) (deflated 27%)
adding: test5.txt (188 bytes security) (deflated 27%)
adding: xfind.txt (188 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: d8j00i1me8.dll
deleting local copy: ddvx_xx0c.dll
deleting local copy: dydskres.dll
deleting local copy: en60l1jm1.dll
deleting local copy: f82mlif1182.dll
deleting local copy: fp4m03h1e.dll
deleting local copy: fplq0335e.dll
deleting local copy: gpn2l35o1.dll
deleting local copy: h62o0gf3e62.dll
deleting local copy: hrn4055qe.dll
deleting local copy: irrql5951.dll
deleting local copy: jt6207joe.dll
deleting local copy: jtjq0715e.dll
deleting local copy: kldru1.dll
deleting local copy: ktrql7951.dll
deleting local copy: kuduzb.dll
deleting local copy: l6n4lg5q16.dll
deleting local copy: mbhcp.dll
deleting local copy: mdxlegih.dll
deleting local copy: mgxml3.dll
deleting local copy: mpcsubs.dll
deleting local copy: mvnol9531.dll
deleting local copy: rkcss.dll
deleting local copy: sseio.dll
deleting local copy: t68ulgl916q.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g4jole131h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\d8j00i1me8.dll
C:\WINDOWS\system32\ddvx_xx0c.dll
C:\WINDOWS\system32\dydskres.dll
C:\WINDOWS\system32\en60l1jm1.dll
C:\WINDOWS\system32\f82mlif1182.dll
C:\WINDOWS\system32\fp4m03h1e.dll
C:\WINDOWS\system32\fplq0335e.dll
C:\WINDOWS\system32\gpn2l35o1.dll
C:\WINDOWS\system32\h62o0gf3e62.dll
C:\WINDOWS\system32\hrn4055qe.dll
C:\WINDOWS\system32\irrql5951.dll
C:\WINDOWS\system32\jt6207joe.dll
C:\WINDOWS\system32\jtjq0715e.dll
C:\WINDOWS\system32\kldru1.dll
C:\WINDOWS\system32\ktrql7951.dll
C:\WINDOWS\system32\kuduzb.dll
C:\WINDOWS\system32\l6n4lg5q16.dll
C:\WINDOWS\system32\mbhcp.dll
C:\WINDOWS\system32\mdxlegih.dll
C:\WINDOWS\system32\mgxml3.dll
C:\WINDOWS\system32\mpcsubs.dll
C:\WINDOWS\system32\mvnol9531.dll
C:\WINDOWS\system32\rkcss.dll
C:\WINDOWS\system32\sseio.dll
C:\WINDOWS\system32\t68ulgl916q.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{32A0273A-354F-4C3D-8254-7DDCF4F42D91}"=-
"{7386BCB8-7E3E-4C69-AD61-3A5E985B8620}"=-
"{F7C8159C-D1D0-4C68-BAEC-238D078DAC34}"=-
[-HKEY_CLASSES_ROOT\CLSID\{32A0273A-354F-4C3D-8254-7DDCF4F42D91}]
[-HKEY_CLASSES_ROOT\CLSID\{7386BCB8-7E3E-4C69-AD61-3A5E985B8620}]
[-HKEY_CLASSES_ROOT\CLSID\{F7C8159C-D1D0-4C68-BAEC-238D078DAC34}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Owner\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CtPXEAHtHX5D]
@="aMR_5IGeffeffgf.G_Et J6effeuhfA 1v2A6f6cWXIQlkfHVMZIVWfMqiXHXGTgWcW"
"Device"="\\\\.\\Kc_aBIfS"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\i80tdtcp.sys"
"DriverName"="win_Rec"
"HideUninstallerName"="C:\\Program Files\\Reaintel\\tersfc.exe"
"HDll"="C:\\WINDOWS\\System32\\dfrpyi64.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{X837a65b-6df6-41cf-b8b2-b047538d060a}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Reaintel\\xpopperf.exe"
"AutoUpdater"="C:\\WINDOWS\\System32\\dosmrnt5.exe"
"Version"="2.0.106"
"LastAURestoreMsgTS"="2005:11:22-00:14:55:906"

************

Removing hidden service:
Service win_Rec removed.

Removing hidden folder:
Deletion of folder Reaintel succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\i80tdtcp.sys succeeded!
Deletion of file C:\WINDOWS\System32\dosmrnt5.exe succeeded!
Deletion of file C:\WINDOWS\System32\dfrpyi64.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CtPXEAHtHX5D]
[-HKEY_LOCAL_MACHINE\Software\CtPXEAHtHX5D]

Done!

Finished!

Panda Activescan Log:

Incident Status Location

Adware:Adware/SearchNo No disinfected C:\WINDOWS\system32\prflbmsgp32.dll
Adware:Adware/Look2Me No disinfected C:\backup.zip[d8j00i1me8.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ddvx_xx0c.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[dydskres.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[en60l1jm1.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[f82mlif1182.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[fp4m03h1e.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[fplq0335e.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[gpn2l35o1.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[h62o0gf3e62.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[hrn4055qe.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[irrql5951.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[jt6207joe.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[jtjq0715e.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[kldru1.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[ktrql7951.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[kuduzb.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[l6n4lg5q16.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mbhcp.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mdxlegih.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mgxml3.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mpcsubs.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[mvnol9531.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[rkcss.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[sseio.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[t68ulgl916q.dll]
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f00108-507de6f6.zip[InstallerApplet.class]
Adware:Adware/Ucmore No disinfected C:\drsmartload.exe
Adware:Adware/Ucmore No disinfected C:\drsmartload45a.exe
Adware:Adware/SearchNo No disinfected C:\WINDOWS\system32\prflbmsgp32.dll


Logfile of HijackThis v1.99.1
Scan saved at 5:05:45 PM, on 10/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#15 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 25 October 2005 - 05:39 PM

Good work!! We're almost there now.

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f00108-507de6f6.zip
  • C:\drsmartload.exe
  • C:\drsmartload45a.exe
  • C:\WINDOWS\system32\prflbmsgp32.dll
Reboot & post a new HJT log so that I can verify you're clean :thumbsup: