can you analyze......

[robflynn]

I have been trying to research my processes and I know some of these are bad PLease Help me. Also check my last post.. I need help there also.. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 1:04:55 PM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\U3Bpcm8A\command.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Spiro\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*[url]http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...dsl/*[url]http://www.yahoo.com/search/ie.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*[url]http://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*[url]http://www.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124209795090
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12783407-1560-4FAF-9F3B-0519F48F68CC}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{12783407-1560-4FAF-9F3B-0519F48F68CC}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{12783407-1560-4FAF-9F3B-0519F48F68CC}: NameServer = 68.94.156.1 68.94.157.1
O18 - Filter: text/html - {E225AB73-4D7E-45f7-9425-47D2F7C7A8AB} - (no file)
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\p46slej71ho.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3Bpcm8A\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

 

[MicroBell]

Hi and Welcome to TF

You have a few infections...so we need to attack them in steps.

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

• Ad-Aware® SE Personal Edition
  *Note* For Ad-AwareSE also install the VX2 Addon Cleaner To run this tool once Adaware is updated click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK" , then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
  
• Spybot Search & Destroy
• CWShredder

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)


STEP 1
====================

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and save it..as I will ask for it later.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!




STEP 2
=========================

Download and install Cleanup but DO NOT run it yet!

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure itÂ’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Download and run the ISTsvc Removal Tool

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove the following IF listed.

AZE Search
Media Access


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure)

C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\U3Bpcm8A\command.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O18 - Filter: text/html - {E225AB73-4D7E-45f7-9425-47D2F7C7A8AB} - (no file)
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\p46slej71ho.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3Bpcm8A\command.exe


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for themÂ…make sure you have search hidden files, folders, sub directoryÂ’s ect enabled if it applyÂ’s to your OS)

C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\U3Bpcm8A\command.exe
C:\WINDOWS\system32\p46slej71ho.dll
C:\WINDOWS\system32\azesearch4.ocx

Run Ewido:

• Click [Scanner]
• Click [Complete System Scan] to begin scanning.
• Click [OK] when prompted to clean files
• With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
• Once finished, click the [Save report] button
• Save the report to your desktop

Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
  [X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted

Once back in normal windows.....

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm
Make sure you click the ”Free Online Virus Scan” in the upper right hand corner of the page under the Free use Activescan header.

We do NOT want the default spyXposer scan. Once it has finished save the activescan log. Then post that log in your next post along with the follow...

So I need...

Hijackthis log
Ewido log
Panda log
L2MFIx log

 

[robflynn]

after L2mfix reboot, no logfile showed after reboot. What do i do?

 

[MicroBell]

Continue with the Fix...but skip posting that L2MFix log. You may have the new version of the L2Me infection...which that fix won't work on. We will attack it another way...if so.

 

[robflynn]

Well I think that I deleted 99% of the bad stuff on my PC. Thank you. Now I dont no how to give you the Panda log? What is this?
If you can send me directions on how to retrieve this, I will.

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:13:44 PM, 10/28/2005
+ Report-Checksum: 1F41A07C

+ Scan result:

HKLM\SOFTWARE\AZESearchCo -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\AZESearchCo\AZESearch -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\AZESearchCo\AZESearch\popup -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\AZESearchCo\AZESearch\times -> Spyware.Azsearch : Cleaned with backup
[684] C:\WINDOWS\system32\iBsrad.dll -> Spyware.Look2Me : Error during cleaning
[816] C:\WINDOWS\system32\iBsrad.dll -> Spyware.Look2Me : Error during cleaning
C:\Program Files\ISTsvc -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\Media Access -> Adware.MediaAccess : Cleaned with backup
C:\RECYCLER\NPROTECT\00100057.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100345.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100422.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100473.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100474.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100612.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100613.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100638.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100685.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100687.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100904.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100960.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00100961.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00101024.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00101067.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00101654.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00102706.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00102872.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00102940.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00102996.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103072.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103073.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103140.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103141.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103209.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103210.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103693.EXE -> Trojan.Crypt.t : Cleaned with backup
C:\RECYCLER\NPROTECT\00103698.DLL -> Spyware.WinAD : Cleaned with backup
C:\RECYCLER\NPROTECT\00103702.exe -> Adware.SaveNow : Cleaned with backup
C:\RECYCLER\NPROTECT\00103706.dll -> Spyware.SideFind : Cleaned with backup
C:\RECYCLER\NPROTECT\00103707.exe -> Trojan.Small.cy : Cleaned with backup
C:\RECYCLER\NPROTECT\00103708.exe -> TrojanDownloader.IstBar.ij : Cleaned with backup
C:\RECYCLER\NPROTECT\00103709.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\RECYCLER\NPROTECT\00103710.EXE -> TrojanDownloader.IstBar.lu : Cleaned with backup
C:\RECYCLER\NPROTECT\00103711.dll -> Spyware.MoneyGainer : Cleaned with backup
C:\RECYCLER\NPROTECT\00103712.EXE -> TrojanDownloader.VB.nh : Cleaned with backup
C:\RECYCLER\NPROTECT\00103713.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103714.OCX -> Spyware.AzSearch : Cleaned with backup
C:\RECYCLER\NPROTECT\00103715.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00103716.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103717.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103718.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103719.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103720.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103721.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103722.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103723.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103724.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00103725.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00103726.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103727.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103728.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103729.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103730.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103731.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103732.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103733.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103734.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103735.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103736.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103737.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103738.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103739.dll -> Spyware.AzSearch : Cleaned with backup
C:\RECYCLER\NPROTECT\00103740.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103741.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00103742.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103743.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103744.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103745.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103746.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103747.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103748.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103749.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103750.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103751.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103752.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103753.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103754.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103755.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103756.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00103757.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103758.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103759.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103760.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103761.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00103762.dll -> Spyware.Look2Me : Cleaned with backup

Symantec Adware.Istbar / Trojan.ISTsvc Removal Tool 1.1.0


registry: HKEY_USERS\S-1-5-21-1292428093-2000478354-725345543-1003\Software\Microsoft\Internet Explorer\Main: BandRest (value deleted)
registry: HKEY_USERS\S-1-5-21-1292428093-2000478354-725345543-1003\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_USERS\S-1-5-21-1292428093-2000478354-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks: _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} (value deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: BandRest (value deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: IST Service (value deleted)

C:\Documents and Settings\Spiro\Local Settings\Temp\Temporary Internet Files\Content.IE5\KWGGXOJU\Type=click&FlightID=6958&AdID=11976&TargetID=1648&Segments=3,7,26,36,43,116,277,337,594,626,674,824,840,870&Targets=4,242,157,12,32,576,1481,1648,1718&Values=25,31,43,51,60[1] (WARNING: not scanned, path to long)
C:\Documents and Settings\Spiro\Local Settings\Temp\Temporary Internet Files\Content.IE5\KWGGXOJU\Type=click&FlightID=6958&AdID=11976&TargetID=1648&Segments=3,7,26,36,43,116,277,337,594,626,674,824,840,870&Targets=4,242,157,12,32,576,1481,1648,1718&Values=25,31,43,51,60[1].htm (WARNING: not scanned, path to long)
C:\System Volume Information: (not scanned)
Adware.Istbar has not been found on your computer.


Thanks again!!!!

I keeps on making my browser try to open, and when my browser is open, it will oopen up as a pop-up with this page.

I still haven't gotten rid of this:

http://%1 http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={29547AD6-8430-B2DD-ECEC-BF0224ABFA2E}&type=normal&mSkip=1&rnd=4748

 

[MicroBell]

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

 

[robflynn]

It scanned, but no viruses. Didn't offer report.

 

[MicroBell]

Ok..let's continue as I'm sure L2Me infection is still present...

First Empty that Norton Recycle bin!

C:\RECYCLER\NPROTECT <--we need to delete ALL files in that folder.

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as followed:

• From the left pane, click Options
• Select the Sweep Options tab & ensure the following are ticked:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All Users accounts
  • Do Not Sweep System Restore Folder
  • Enable Direct Disk Sweeping
  • Sweep For Rootkits
• After that's done, select Sweep from the left pane & click on the Start button
• Allow Spysweeper to reboot your machine to remove the infected files.

After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

 

[robflynn]

********
8:22 PM: | Start of Session, Saturday, October 29, 2005 |
8:22 PM: Spy Sweeper started
8:22 PM: Sweep initiated using definitions version 564
8:22 PM: Starting Memory Sweep
8:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:23 PM: Found Adware: icannnews
8:23 PM: Detected running threat: C:\WINDOWS\system32\jrj0251mg.dll (ID = 83)
8:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:26 PM: Detected running threat: C:\WINDOWS\system32\kmdhe220.dll (ID = 83)
8:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:29 PM: Memory Sweep Complete, Elapsed Time: 00:07:15
8:29 PM: Starting Registry Sweep
8:29 PM: Found Adware: azsearch toolbar
8:29 PM: HKCR\addressbar.loader.1\ (3 subtraces) (ID = 103884)
8:29 PM: HKCR\addressbar.loader\ (5 subtraces) (ID = 103885)
8:29 PM: HKCR\azentretien.loader\ (5 subtraces) (ID = 103886)
8:29 PM: HKCR\clsid\{0d2def3a-f4f1-42ec-ac4f-132e7ba6e292}\ (11 subtraces) (ID = 103887)
8:29 PM: HKCR\clsid\{a19ef336-01d4-48e6-926a-fe7e1c747aed}\ (11 subtraces) (ID = 103891)
8:29 PM: HKCR\clsid\{ba048011-957f-4ba0-a804-62c28d96f878}\ (20 subtraces) (ID = 103893)
8:29 PM: HKCR\clsid\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}\ (11 subtraces) (ID = 103895)
8:29 PM: HKCR\clsid\{f65b197f-8260-4d52-909a-f70118e646eb}\ (11 subtraces) (ID = 103896)
8:29 PM: HKLM\software\azentretienco\ (3 subtraces) (ID = 103905)
8:29 PM: HKLM\software\classes\addressbar.loader.1\ (3 subtraces) (ID = 103907)
8:29 PM: HKLM\software\classes\addressbar.loader\ (5 subtraces) (ID = 103908)
8:29 PM: HKLM\software\classes\azentretien.loader.1\ (3 subtraces) (ID = 103909)
8:29 PM: HKLM\software\classes\azentretien.loader\ (5 subtraces) (ID = 103910)
8:29 PM: HKLM\software\classes\clsid\{0d2def3a-f4f1-42ec-ac4f-132e7ba6e292}\ (11 subtraces) (ID = 103911)
8:29 PM: HKLM\software\classes\clsid\{a19ef336-01d4-48e6-926a-fe7e1c747aed}\ (11 subtraces) (ID = 103915)
8:29 PM: HKLM\software\classes\clsid\{ba048011-957f-4ba0-a804-62c28d96f878}\ (20 subtraces) (ID = 103917)
8:29 PM: HKLM\software\classes\clsid\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}\ (11 subtraces) (ID = 103919)
8:29 PM: HKLM\software\classes\clsid\{f65b197f-8260-4d52-909a-f70118e646eb}\ (11 subtraces) (ID = 103920)
8:29 PM: HKLM\software\classes\typelib\{42fc3840-020c-4e93-a34c-4df1a6330fbb}\ (9 subtraces) (ID = 103932)
8:29 PM: HKLM\software\classes\typelib\{dea43ce3-d57b-45f6-a4d1-110e652ced11}\ (9 subtraces) (ID = 103934)
8:29 PM: HKLM\software\loaderco\ (3 subtraces) (ID = 103942)
8:29 PM: HKLM\software\microsoft\code store database\distribution units\{d7bf3304-138b-4dd5-86ee-491bb6a2286c}\ (9 subtraces) (ID = 103943)
8:29 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {a19ef336-01d4-48e6-926a-fe7e1c747aed} (ID = 103945)
8:29 PM: HKCR\typelib\{42fc3840-020c-4e93-a34c-4df1a6330fbb}\ (9 subtraces) (ID = 103955)
8:29 PM: HKCR\typelib\{dea43ce3-d57b-45f6-a4d1-110e652ced11}\ (9 subtraces) (ID = 103957)
8:29 PM: Found Trojan Horse: bho_moneygainer
8:29 PM: HKCR\bookmark.bhomoneygainer\ (5 subtraces) (ID = 104346)
8:29 PM: HKCR\bookmark.bhomoneygainer.1\ (3 subtraces) (ID = 104347)
8:29 PM: HKLM\software\iasadc\ (46 subtraces) (ID = 104351)
8:29 PM: HKLM\software\classes\bookmark.bhomoneygainer\ (5 subtraces) (ID = 104352)
8:29 PM: HKLM\software\classes\bookmark.bhomoneygainer.1\ (3 subtraces) (ID = 104353)
8:29 PM: Found Adware: cws-aboutblank
8:29 PM: HKCR\protocols\filter\text/html\ (2 subtraces) (ID = 114343)
8:29 PM: HKLM\software\classes\protocols\filter\text/html\ (2 subtraces) (ID = 115907)
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:30 PM: Found Adware: internetoptimizer
8:30 PM: HKLM\software\microsoft\windows\currentversion\uninstall\wsem update\ (2 subtraces) (ID = 128927)
8:30 PM: Found Adware: whenu
8:30 PM: HKLM\software\microsoft\windows\currentversion\uninstall\whenusavemsg\ (7 subtraces) (ID = 140451)
8:30 PM: Found Adware: whenu savenow
8:30 PM: HKCR\wusn.1\ (1 subtraces) (ID = 140463)
8:30 PM: Found Adware: targetsoft
8:30 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
8:30 PM: Found Adware: targetsaver
8:30 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:30 PM: Found Adware: winad
8:30 PM: HKCR\appid\loaderx.exe\ (1 subtraces) (ID = 147150)
8:30 PM: HKCR\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147151)
8:30 PM: HKCR\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147153)
8:30 PM: HKLM\software\classes\appid\loaderx.exe\ (1 subtraces) (ID = 147164)
8:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:30 PM: HKLM\software\classes\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147165)
8:30 PM: HKLM\software\classes\clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}\ (14 subtraces) (ID = 147167)
8:30 PM: HKLM\software\classes\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147176)
8:30 PM: HKLM\software\media access\ (4 subtraces) (ID = 147182)
8:30 PM: HKLM\software\microsoft\windows\currentversion\run\ || media access (ID = 147202)
8:30 PM: HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147244)
8:30 PM: Found Adware: quicklink search toolbar
8:30 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
8:30 PM: HKCR\wusn.1\ (1 subtraces) (ID = 635412)
8:30 PM: HKLM\software\whenusave\ (44 subtraces) (ID = 635463)
8:30 PM: HKLM\software\classes\wusn.1\ (1 subtraces) (ID = 635554)
8:30 PM: Found Adware: whenu save
8:30 PM: HKCR\acm.acmfactory\ (5 subtraces) (ID = 773927)
8:30 PM: HKCR\acm.acmfactory.1\ (3 subtraces) (ID = 773933)
8:30 PM: HKCR\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773937)
8:30 PM: HKCR\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773950)
8:30 PM: HKCR\appid\acm.dll\ (1 subtraces) (ID = 773960)
8:30 PM: HKLM\software\classes\acm.acmfactory\ (5 subtraces) (ID = 773964)
8:30 PM: HKLM\software\classes\acm.acmfactory.1\ (3 subtraces) (ID = 773970)
8:30 PM: HKLM\software\classes\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\ (1 subtraces) (ID = 773976)
8:30 PM: HKLM\software\classes\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773979)
8:30 PM: HKLM\software\classes\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773992)
8:30 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
8:30 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
8:30 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
8:30 PM: Found Adware: dapsol dialer
8:30 PM: HKU\S-1-5-21-1292428093-2000478354-725345543-1003\software\microsoft\internet explorer\main\ || conc (ID = 124673)
8:30 PM: HKU\S-1-5-21-1292428093-2000478354-725345543-1003\software\tsl2\ (1 subtraces) (ID = 143616)
8:30 PM: Found Adware: findthewebsiteyouneed hijacker
8:30 PM: HKU\S-1-5-21-1292428093-2000478354-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
8:30 PM: HKU\S-1-5-21-1292428093-2000478354-725345543-1003\software\microsoft\windows\currentversion\run\ || whenusave (ID = 773978)
8:30 PM: Registry Sweep Complete, Elapsed Time:00:01:17
8:30 PM: Starting Cookie Sweep
8:31 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:31 PM: Starting File Sweep
8:31 PM: c:\program files\quicklinks (1 subtraces) (ID = -2147468660)
8:31 PM: Found Adware: ist sidefind
8:31 PM: c:\program files\sidefind (ID = -2147480325)
8:31 PM: Found Adware: ist yoursitebar
8:31 PM: c:\program files\yoursitebar (5 subtraces) (ID = -2147479984)
8:31 PM: c:\documents and settings\spiro\start menu\programs\whenu (3 subtraces) (ID = -2147480383)
8:31 PM: c:\program files\save (6 subtraces) (ID = -2147480378)
8:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: Found Adware: exact software
8:35 PM: exclean.exe (ID = 93622)
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:35 PM: 00103699.txt (ID = 127161)
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: tsuninst.exe (ID = 78276)
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:42 PM: Found Adware: apropos
8:42 PM: wingenerics.dll (ID = 50187)
8:42 PM: atmtd.dll (ID = 166754)
8:42 PM: atmtd.dll._ (ID = 166754)
8:42 PM: qlutility.exe (ID = 168232)
8:42 PM: yoursitebar.xml (ID = 144059)
8:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:42 PM: 00103697.txt (ID = 90430)
8:42 PM: 00103704.exe (ID = 125357)
8:42 PM: uninst.exe (ID = 73428)
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: vvsninst.exe (ID = 74460)
8:44 PM: azesearch.inf (ID = 50329)
8:44 PM: File Sweep Complete, Elapsed Time: 00:13:21
8:44 PM: Full Sweep has completed. Elapsed time 00:22:01
8:44 PM: Traces Found: 570
8:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: Removal process initiated
8:45 PM: Quarantining All Traces: bho_moneygainer
8:45 PM: Quarantining All Traces: cws-aboutblank
8:45 PM: Quarantining All Traces: apropos
8:45 PM: apropos is in use. It will be removed on reboot.
8:45 PM: wingenerics.dll is in use. It will be removed on reboot.
8:45 PM: Quarantining All Traces: azsearch toolbar
8:45 PM: Quarantining All Traces: dapsol dialer
8:45 PM: Quarantining All Traces: exact software
8:45 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
8:45 PM: Quarantining All Traces: icannnews
8:45 PM: icannnews is in use. It will be removed on reboot.
8:45 PM: C:\WINDOWS\system32\jrj0251mg.dll is in use. It will be removed on reboot.
8:45 PM: C:\WINDOWS\system32\kmdhe220.dll is in use. It will be removed on reboot.
8:45 PM: Quarantining All Traces: internetoptimizer
8:45 PM: Quarantining All Traces: ist sidefind
8:45 PM: Quarantining All Traces: ist yoursitebar
8:45 PM: Quarantining All Traces: quicklink search toolbar
8:45 PM: Quarantining All Traces: targetsaver
8:45 PM: Quarantining All Traces: targetsoft
8:45 PM: Quarantining All Traces: whenu savenow
8:46 PM: whenu savenow is in use. It will be removed on reboot.
8:46 PM: c:\program files\save is in use. It will be removed on reboot.
8:46 PM: Quarantining All Traces: whenu save
8:46 PM: Quarantining All Traces: whenu
8:46 PM: Quarantining All Traces: winad
8:46 PM: Warning: Launched explorer.exe
8:46 PM: Warning: Quarantine process could not restart Explorer.
8:46 PM: Preparing to restart your computer. Please wait...
8:46 PM: Removal process completed. Elapsed time 00:01:55
********
8:18 PM: | Start of Session, Saturday, October 29, 2005 |
8:18 PM: Spy Sweeper started
8:20 PM: Your spyware definitions have been updated.
8:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:22 PM: Updating spyware definitions
8:22 PM: Your definitions are up to date.
8:22 PM: | End of Session, Saturday, October 29, 2005 |

 

[MicroBell]

Excellent. Reboot back to safe mode and run Ewido again saving it's log. Run the Cleanup utility again using the same settings and reboot/logoff when prompted.

Now post both the Ewido log..and a new hijackthis log. Report any issues your still having.