Advice needed - all steps followed so far



#1
eleanorscott

The Silent Runners log is attached below.

Kaspersky detected a Trojan dropper that I deleted. This does not seem to have stopped the problem.

In addition to the popups described above, Kaspersky is blocking a "Lovesan" attack.




"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AcctMgr" = "C:\Program Files\Norton Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]
"Norton PasswordManager" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}" ["Symantec Corporation"]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"KAVPersonal50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\cabs\winzip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\cabs\winzip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\cabs\winzip\wzshlext.dll" [null data]
"{BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED444F}" = "Notmad Explorer Zen"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Red Chair Software\Notmad Explorer\notmadjz.dll" ["Red Chair Software, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
mtnsgfyg\(Default) = "{1016da52-ea6c-40e2-9c3d-de181310975c}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\eonrd.dll" [file not found]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\cabs\winzip\wzshlext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\cabs\winzip\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\cabs\winzip\wzshlext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\sstext3d.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"Notmad Manager" -> shortcut to: "C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe" ["Red Chair Software, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Symantec Fax Starter Edition Port" -> shortcut to: "C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE" [MS]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
kavsvc, kavsvc, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe"" ["Kaspersky Lab"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
OLFax Ports\Driver = "OLFMNT40.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 27 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 5 seconds.
---------- (total run time: 57 seconds)


#2
coachwife6

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):

* Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
* Double-click the file to install it as follows:
    o Click "Next", read the agreement, click "Next".
    o Choose "Custom", click "Next".
    o Leave the default installation directory as it is, then click "Next".
    o UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    o On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    o Finally, click "Install".
* Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits
    o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also, please give me a new HijackThis log. Are you using IE or Firefox? If you are using IE, please download Firefox and see if the problems with the pop-ups persist. :tazz:

#3
eleanorscott

Hi

Thanks for the help. Just a few notes before I post the logs.

1) I am currently using Mozilla
2) I have not been able to install Norton (the install process aborts half way through). Would you recommend that I persist with Norton or use a different virus programme?

The logs are as follows:

SPYSWEEPER

********
17:42: | Start of Session, 06 November 2005 |
17:42: Spy Sweeper started
17:42: Sweep initiated using definitions version 567
17:42: Starting Memory Sweep
17:44: Memory Sweep Complete, Elapsed Time: 00:02:00
17:44: Starting Registry Sweep
17:44: Found Adware: begin2search
17:44: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
17:44: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
17:44: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
17:44: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
17:44: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
17:44: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
17:44: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
17:44: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
17:44: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
17:44: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
17:44: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
17:44: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
17:44: Found Adware: elitebar
17:44: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
17:44: Found Adware: logih adware
17:44: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systemcheck2 (ID = 129814)
17:44: Found Adware: visfx
17:44: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
17:44: HKLM\system\currentcontrolset\services\windows overlay components\ (12 subtraces) (ID = 712954)
17:44: Found Adware: clkoptimizer
17:44: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
17:44: Found Adware: cas
17:44: HKCR\typelib\{1b8b502e-465b-4022-be4f-fb6d9f808a18}\ (9 subtraces) (ID = 820387)
17:44: HKLM\software\classes\typelib\{1b8b502e-465b-4022-be4f-fb6d9f808a18}\ (9 subtraces) (ID = 820540)
17:44: Found Adware: maxifiles
17:44: HKCR\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829231)
17:44: HKCR\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829237)
17:44: HKCR\clsid\{fff4e223-7019-4ce7-be03-d7d3c8cce884}\ (11 subtraces) (ID = 829241)
17:44: HKCR\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829253)
17:44: HKLM\software\classes\typelib\{fff24f28-3ae2-46cd-aebe-2f625133a1ca}\ (9 subtraces) (ID = 829282)
17:44: HKLM\software\classes\iecatcher.iewebcatcher\ (5 subtraces) (ID = 829292)
17:44: HKLM\software\classes\iecatcher.iewebcatcher.1\ (3 subtraces) (ID = 829298)
17:44: HKLM\software\classes\clsid\{fff4e223-7019-4ce7-be03-d7d3c8cce884}\ (11 subtraces) (ID = 829302)
17:44: HKLM\software\qstat\ || brr (ID = 877670)
17:44: Found Trojan Horse: trojan-downloader-pacisoft
17:44: HKU\S-1-5-21-746137067-706699826-725345543-500\software\psof1\ (15 subtraces) (ID = 136530)
17:44: Registry Sweep Complete, Elapsed Time:00:00:06
17:44: Starting Cookie Sweep
17:44: Cookie Sweep Complete, Elapsed Time: 00:00:00
17:44: Warning: Failed to open file "c:\pagefile.sys". Access is denied
17:44: Starting File Sweep
17:44: pf78.exe (ID = 156523)
17:45: Found Adware: surfsidekick
17:45: repairs302972943.dll (ID = 158242)
17:45: Found Trojan Horse: trojan-downloader-mainstreamdollars
17:45: btnetw3-995329.exe (ID = 155333)
17:45: Warning: Failed to open file "c:\winnt\system32\config\software.log". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\default.log". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\security". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\security.log". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\system.alt". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\sam". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\sam.log". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\system". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\software". The process cannot access the file because it is being used by another process
17:45: Warning: Failed to open file "c:\winnt\system32\config\default". The process cannot access the file because it is being used by another process
17:47: c:\winnt\etb (15 subtraces) (ID = -2147476235)
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs5bbc4efb-6df3-4069-97fd-6680b44e90c8.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsad4c35ae-ae65-46d8-ad23-d877e6fb7f88.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs8db8d043-f8e4-406e-9040-a154719434ee.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs3fc21bc2-644d-4269-89fa-5230dd684105.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs75b69996-95a8-4f97-b95d-c8ee2fe19f48.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs4a4172ed-b0c7-4235-844b-57d0a67ef446.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsbd00abb5-aa6b-46ee-9446-981e65978f0d.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs7f4535e4-9d74-4433-97d0-7c8bf6a7ecd1.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs5fa8a318-09ba-4399-a83d-d8f6f7c199fe.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs999f3aed-8f08-4286-8d0c-13597e66874b.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs7033fe5d-6bf0-42f6-87b5-6d12add49eae.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs9562ba3b-bc58-41d1-b6f8-0a1f6c9192de.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs9c335b12-4060-4e96-9af0-04f3cf5fddf1.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsb16d8045-cf7d-431d-a5ce-3954755e9a51.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs96934f65-8089-45d6-97ba-362464f5a030.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsf92348c8-fa8d-4c04-b5e4-411908b147b7.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs4564339f-4f51-4f1b-8625-19479193be57.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs18c64525-af9b-427f-8a32-8392dbf2f859.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs7a60fd91-121d-4905-86cd-265f65209c55.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsa3c24874-19e8-433f-b26d-4cf3619ed41b.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs750e1ee4-80ae-4ab4-96f6-672485074f0b.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscscc322504-87aa-4816-9e63-cce3b3bbe19c.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsb17b1c0e-eb36-4e16-8eea-44723d3991fc.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsffd7d290-6d0b-4b76-a01d-8dda32229f96.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs76fae2af-b152-4c5e-9c26-75d7d6e2d774.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsc1f58f73-5079-4a3b-9e03-9ad318bb853e.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs8365329e-bccb-4f22-9e8d-a6e494a4c5e7.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsfa3d7885-dbc0-4ef0-84ea-223fc3abd640.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsdfc86d62-9828-451b-bbeb-8eda0a39edc6.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsb3a693be-d4ae-4f59-8506-143880bcf1cc.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs7c3e7e68-f7d6-4067-a7b4-f8801e2f93e8.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs9099b053-38a2-4447-b597-851986aa835c.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscse211df81-9561-492f-9450-e95db12a4125.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs13e475e2-5e3f-4aaa-8695-423883239a8b.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscsfb66a0a1-b38c-465f-a275-79e1604e93aa.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs1c4c9b88-98c9-4e13-a7e1-24f0db97251f.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\all users\application data\webroot\spy sweeper\temp\sscs57434588-cc67-452b-ab05-b4cbbf9ec809.tmp". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\administrator\ntuser.dat". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\administrator\ntuser.dat.log". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\administrator\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
17:48: Warning: Failed to open file "c:\documents and settings\administrator\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
17:51: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
17:51: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcsys.dll". The process cannot access the file because it is being used by another process
17:51: Found Trojan Horse: trojan downloader matcash
17:51: c:\program files\common files\inetget (ID = -2147477182)
17:51: c:\program files\common files\inetget2 (ID = -2147471395)
17:51: autoit3.exe (ID = 119348)
17:51: catcher.dll (ID = 156267)
17:51: x.bmp (ID = 69314)
17:51: cwebpage.dll (ID = 69301)
17:54: backup-20051016-115820-416.inf (ID = 65702)
17:58: File Sweep Complete, Elapsed Time: 00:13:54
17:58: Full Sweep has completed. Elapsed time 00:16:01
17:58: Traces Found: 259
18:12: Removal process initiated
18:12: Quarantining All Traces: clkoptimizer
18:12: Quarantining All Traces: elitebar
18:12: Quarantining All Traces: surfsidekick
18:12: Quarantining All Traces: trojan downloader matcash
18:12: Quarantining All Traces: visfx
18:12: Quarantining All Traces: begin2search
18:12: Quarantining All Traces: cas
18:12: Quarantining All Traces: trojan-downloader-mainstreamdollars
18:12: Quarantining All Traces: trojan-downloader-pacisoft
18:12: Quarantining All Traces: logih adware
18:12: Quarantining All Traces: maxifiles
18:13: Removal process completed. Elapsed time 00:00:48
********
17:39: | Start of Session, 06 November 2005 |
17:39: Spy Sweeper started
17:39: Messenger service has been disabled.
17:40: Your spyware definitions have been updated.
17:42: | End of Session, 06 November 2005 |
------------------------------------------------------------------------------------

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 18:16:21, on 06/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\My Documents\Applications\Virus Programmes\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akama...ol/SymDlBrg.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7610BF65-6F83-4DD3-8FB9-EB82BC9A93C8}: NameServer = 194.72.0.98 194.72.9.38
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: RMOQQDIFPNJ - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RMOQQDIFPNJ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Have you paid for Norton?

Let's get rid of all traces of it first before we try to reinstall Norton. You have AVG. Once you get Norton installed, you need to get rid of AVG.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes next to only the following items, then click Fix checked.

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akama...ol/SymDlBrg.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7610BF65-6F83-4DD3-8FB9-EB82BC9A93C8}: NameServer = 194.72.0.98 194.72.9.38

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: RMOQQDIFPNJ - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RMOQQDIFPNJ.exe (file missing)

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Please download CleanUp! - Download - HomePage
Install and run. Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.
  • 0

#5
eleanorscott

    Member

  • Topic Starter
  • 18 posts
I have paid for Norton (although the 30 day window for installing may have expired because of the ongoing issues I have had).

I have gone through the HiJack this process and attempted to reinstall Norton (I have downloaded and attempted to load NISAS05ENG_IN.exe).

Again the process aborts. When I rerun HiJack this, the Norton lines are still there despite me deleting them again and going through the CleanUp steps. I am still not able to load Norton.

I have gone back and uninstalled Norton Password Manager, but in the uninstall programmes in control panel, when I click on uninstall Norton Internet Security 2005, there is no response. The files remain on my C: drive and the option to uninstall/change the programme remains.

I suspect that on previous attempts to install Norton it has gone part way through the process and aborted, damaging the logs in some way.

Here is the Hijack this Log
-------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:36:23, on 08/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7610BF65-6F83-4DD3-8FB9-EB82BC9A93C8}: NameServer = 194.72.0.98 194.72.9.38
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0
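The before/after check described in post #5 can be done mechanically. The following Python script is an added example, not part of the thread or of HijackThis: it reports which entries from the fix list in post #4 are still present in the 08/11/2005 rescan, using lines excerpted from the logs above. The function names are hypothetical.

```python
import re

# Entry lines start with a section code (R1, F2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.+)$")

# Entries ticked for "Fix checked", copied from the fix list in post #4.
FIX_LIST = r"""
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akama...ol/SymDlBrg.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7610BF65-6F83-4DD3-8FB9-EB82BC9A93C8}: NameServer = 194.72.0.98 194.72.9.38
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: RMOQQDIFPNJ - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RMOQQDIFPNJ.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

# Excerpt of the 08/11/2005 rescan posted in post #5 (not the full log).
RESCAN = r"""
Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7610BF65-6F83-4DD3-8FB9-EB82BC9A93C8}: NameServer = 194.72.0.98 194.72.9.38
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"""


def parse_entries(text):
    """Map (section, normalized body) -> original line for every entry line."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:  # headers, blank lines and running-process paths are skipped
            body = " ".join(m.group(2).split()).casefold()
            entries[(m.group(1), body)] = raw.strip()
    return entries


def running_processes(text):
    """Casefolded image paths listed under 'Running processes:'."""
    return {line.strip().casefold() for line in text.splitlines()
            if re.match(r"^[A-Za-z]:\\.+\.exe$", line.strip(), re.I)}


def compare(fix_list, rescan):
    """Return (persisted, removed): fix-list lines still in / gone from the rescan."""
    present = parse_entries(rescan)
    persisted, removed = [], []
    for key, line in parse_entries(fix_list).items():
        (persisted if key in present else removed).append(line)
    return persisted, removed


def service_report(persisted, rescan):
    """For persisted O23 lines: service name -> True if its binary is running."""
    running = running_processes(rescan)
    report = {}
    for line in persisted:
        m = ENTRY_RE.match(line)
        if m.group(1) != "O23":
            continue
        fields = m.group(2).split(" - ")  # name, owner, image path
        label = fields[0][len("Service: "):]
        short = re.search(r"\(([^)]+)\)$", label)
        path = re.sub(r" \(file missing\)$", "", fields[-1])
        report[short.group(1) if short else label] = path.casefold() in running
    return report


if __name__ == "__main__":
    persisted, removed = compare(FIX_LIST, RESCAN)
    print(f"{len(removed)} entries gone, {len(persisted)} still present:")
    for line in persisted:
        print("  " + line)
    for name, is_running in service_report(persisted, RESCAN).items():
        print(f"  service {name}: binary running = {is_running}")
```

On these excerpts the O17 NameServer entry and four Symantec services persist; two of those services (ccEvtMgr, ccSetMgr) also have their binaries in the running-process list, while the other two remain registered without a running process.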

#6
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I am so sorry. I haven't come across this. I am about to leave for a while but when I get back, I will search for an answer and ask some of my colleagues what they think. Hang in there. We will get this fixed. :tazz:
  • 0

#7
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
For some reason, I can't post a reply to this thread, so I PMed you a fix. :tazz:
  • 0

#8
admin

    Founder Geek

  • Administrator
  • 24,504 posts
Sorry, just making a test post here. :tazz:
  • 0

#11
eleanorscott

    Member

  • Topic Starter
  • 18 posts
Hi there,

Not sure my last reply made it through.

I have gone through your suggestion below and attach the log as follows.

You should also be aware that I did get the error message noted in your post and ran the fix.

Many thanks


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"BTopenworld"="IEAKBTopenworld"
"acc=ventura5"=" "

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
px.dll Sat 27 Aug 2005 10:13:02 ..... 360,448 352.00 K
pxmas.dll Sat 27 Aug 2005 10:14:30 ..... 155,648 152.00 K
pxwave.dll Sat 27 Aug 2005 10:16:00 ..... 339,968 332.00 K
vxblock.dll Sat 27 Aug 2005 10:19:52 ..... 28,672 28.00 K
pxdrv.dll Sat 27 Aug 2005 10:13:30 ..... 397,312 388.00 K
pxsfs.dll Sat 27 Aug 2005 10:19:46 ..... 1,093,632 1.04 M
islzma.dll Fri 21 Oct 2005 15:50:14 A.... 102,912 100.50 K
wrlzma.dll Mon 24 Oct 2005 12:19:46 A.... 17,920 17.50 K
sporder.dll Sat 1 Oct 2005 16:58:48 A.... 8,464 8.27 K
wrlogo~1.dll Mon 24 Oct 2005 12:19:50 A.... 492,544 481.00 K

10 items found: 10 files, 0 directories.
Total of file sizes: 2,997,520 bytes 2.86 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is D4BD-D358

Directory of C:\WINNT\System32

22/10/2003 02:39 <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 15,164,325,888 bytes free




-------------------------------------------------------------------------------------------


Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

#12
coachwife6


    SuperStar

  • Retired Staff
  • 11,413 posts
Sorry, we've been having some forum issues, and it only seemed to affect this topic. :) We're working on it. :tazz:

#13
admin


    Founder Geek

  • Administrator
  • 24,504 posts
Relevant posts split into a new topic here: http://www.geekstogo...showtopic=79358

This topic is closed due to an unidentified problem with posting replies.

Edited by admin, 17 November 2005 - 11:02 AM.
