Popups galore and found look2me plz help! [RESOLVED]



#1
Tilia
Hi, I have been running Norton Antivirus (they found the "guard.tmp" but can't remove it) and I also did the clean from the first thread, plus did scans w/ Spybot S&D and that CWShredder, and it always seems to clean almost everything but I'm still getting popups. Please help, it's been 3 days and I am ready to "boot" this system out my window!

Thanks in advance
edited:

Here is my hijack this logfile:



Logfile of HijackThis v1.99.1
Scan saved at 3:55:13 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jason & Rachel\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: ž
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O20 - Winlogon Notify: WinFiles - C:\WINDOWS\system32\g6jolg1316.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Tilia, 03 November 2005 - 02:55 PM.

#2
infaddict
Hi Tilia :)

Welcome to Geeks to Go. My name is infaddict and I will be helping you with your problem. I am currently analysing your log file and will post back with a fix when complete. Thanks for your patience.

:tazz:

#3
infaddict
Hi Tilia :)

You have the Look2Me/VX2 infection. The latest variant of this infection is harder to remove, but we will try the normal approach first, to see if it works. If not then we can try the newer approach.

Please print these instructions for reference if you wish.

Preparation

You are running Norton AntiVirus Script Blocking and that could interfere with the fix. We will disable it and then re-enable it after you are clean.

To disable Norton AntiVirus Script Blocking:
  • Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
  • Click Options.
  • If you see a menu, click Norton AntiVirus.
  • In the left pane, click Script Blocking.
  • In the right pane, uncheck Enable Script Blocking (recommended).
  • Click OK

Download the Hoster here. Unzip Hoster to your desktop. Please do not use the program yet.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts to extract the files. Please do not run any L2MFix programs yet.

The Fix

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • Then click Restore original host files
  • Close program

Open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


:tazz:

#4
Tilia
Ok gonna do that right now, wanted to let ya know I was on give me a few min ok?

#5
Tilia
here is the log:



L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinFiles]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g6jolg1316.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{050043AF-37C0-113F-33E9-A1CA45C3C3A3}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Scripting Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Merge Shell Folder"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Microsoft SearchBand"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{C56C4E21-706D-11d0-AFC5-444553540002}"="My Digital Camera"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{7850a720-705f-11d0-a9eb-0080488625e5}"="BestCrypt Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Property Sheet Shell Extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{E4CAA75E-9B5F-45EB-8E4E-8B743B44F171}"="Pop-Up Stopper Anti-Spyware Toolbar"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{70C4AAAC-D59D-4088-9CF9-94B7102199A2}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{70C4AAAC-D59D-4088-9CF9-94B7102199A2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{70C4AAAC-D59D-4088-9CF9-94B7102199A2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{70C4AAAC-D59D-4088-9CF9-94B7102199A2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{70C4AAAC-D59D-4088-9CF9-94B7102199A2}\InprocServer32]
@="C:\\WINDOWS\\system32\\wfashext.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
msrating.dll Fri Sep 2 2005 7:52:06p A.... 146,432 143.00 K
wznbrand.dll Thu Nov 3 2005 2:50:42p ..... 235,883 230.35 K
nvnt4cpl.dll Mon Oct 10 2005 9:49:00p A.... 286,720 280.00 K
nvmccs.dll Mon Oct 10 2005 9:49:00p A.... 229,376 224.00 K
nvhwvid.dll Mon Oct 10 2005 9:49:00p A.... 573,440 560.00 K
nvapi.dll Mon Oct 10 2005 9:49:00p A.... 45,056 44.00 K
wfashext.dll Thu Nov 3 2005 3:32:12p ..S.R 235,464 229.95 K
nvwdmcpl.dll Mon Oct 10 2005 9:49:00p A.... 1,662,976 1.59 M
nvwimg.dll Mon Oct 10 2005 9:49:00p A.... 1,019,904 996.00 K
wii.dll Thu Nov 3 2005 3:02:08p ..... 235,883 230.35 K
ennsl1~1.dll Thu Nov 3 2005 3:31:18p ..S.R 234,148 228.66 K
nvcodins.dll Mon Oct 10 2005 9:49:00p A.... 34,304 33.50 K
nvmccsrs.dll Mon Oct 10 2005 9:49:00p A.... 45,056 44.00 K
nvcod.dll Mon Oct 10 2005 9:49:00p A.... 34,304 33.50 K
cdfview.dll Fri Sep 2 2005 7:52:04p A.... 151,040 147.50 K
mstime.dll Fri Sep 2 2005 7:52:06p A.... 530,432 518.00 K
umpnpmgr.dll Mon Aug 22 2005 11:35:42p A.... 123,392 120.50 K
iepeers.dll Fri Sep 2 2005 7:52:04p A.... 251,392 245.50 K
browseui.dll Fri Sep 2 2005 7:52:04p A.... 1,019,904 996.00 K
cdosys.dll Fri Sep 9 2005 9:53:42p A.... 2,067,968 1.97 M
netman.dll Mon Aug 22 2005 2:29:46p A.... 197,632 193.00 K
quartz.dll Mon Aug 29 2005 11:54:26p A.... 1,287,168 1.23 M
wininet.dll Fri Sep 2 2005 7:52:06p A.... 658,432 643.00 K
urlmon.dll Fri Sep 2 2005 7:52:06p A.... 608,768 594.50 K
shdocvw.dll Fri Sep 2 2005 7:52:06p A.... 1,483,776 1.41 M
pngfilt.dll Fri Sep 2 2005 7:52:06p A.... 39,424 38.50 K
mshtmled.dll Fri Sep 2 2005 7:52:06p A.... 448,512 438.00 K
mshtml.dll Tue Oct 4 2005 5:26:00p A.... 3,015,168 2.88 M
inseng.dll Fri Sep 2 2005 7:52:04p A.... 96,256 94.00 K
dxtrans.dll Fri Sep 2 2005 7:52:04p A.... 205,312 200.50 K
g6jolg~1.dll Thu Nov 3 2005 3:22:18p ..S.R 235,464 229.95 K
danim.dll Fri Sep 2 2005 7:52:04p A.... 1,053,696 1.00 M
extmgr.dll Fri Sep 2 2005 7:52:04p ..... 55,808 54.50 K
winsrv.dll Wed Aug 31 2005 9:41:54p A.... 291,840 285.00 K
shlwapi.dll Fri Sep 2 2005 7:52:06p A.... 473,600 462.50 K
shell32.dll Thu Sep 22 2005 11:05:30p A.... 8,450,560 8.06 M
linkinfo.dll Wed Aug 31 2005 9:41:54p A.... 19,968 19.50 K

37 items found: 37 files (3 H/S), 0 directories.
Total of file sizes: 27,784,458 bytes 26.50 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 0000-0EEA

Directory of C:\WINDOWS\System32

11/03/2005 03:32 PM 235,464 wfashext.dll
11/03/2005 03:31 PM 234,148 ennsl1571.dll
11/03/2005 03:22 PM 235,464 g6jolg1316.dll
08/04/2004 02:56 AM 11,776 regsvr32.exe
08/28/2002 10:33 AM <DIR> Microsoft
4 File(s) 716,852 bytes
1 Dir(s) 20,045,889,536 bytes free
  • 0
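
The Winlogon\Notify section of the find log above can be checked mechanically. The following is an added example, not part of the original posts and not code from L2MFix: it parses the regedit export, decodes the hex(2) DllName values, and lists notify packages whose DLL falls outside a baseline. The baseline set, the function names and the absolute-path heuristic are assumptions drawn from this one log; the sample is an excerpt of the export quoted in the thread.

```python
import ntpath
import re

# Assumed baseline: the DLLs of the stock-looking entries in the log above.
# Build a real baseline from a known-clean install of the same OS.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll"}
NOTIFY_ROOT = r"software\microsoft\windows nt\currentversion\winlogon\notify"

# Excerpt (three subkeys) of the export posted in the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinFiles]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g6jolg1316.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
'''


def join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; undo that."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def decode_value(raw):
    """Return the string held by a REG_SZ or hex(1)/hex(2) value, else None."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: backslashes and quotes are backslash-escaped in .reg files.
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\((?:1|2)\):(.*)$", raw)
    if m:
        # hex(2) is REG_EXPAND_SZ stored as UTF-16LE bytes with a NUL terminator.
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None  # dword and other types are not needed for this check


def parse_notify_packages(text):
    """Map each Notify subkey name to its values (names lower-cased)."""
    packages, current = {}, None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        key = re.match(r"\[(.+)\]$", line)
        if key:
            _, _, rest = key.group(1).partition("\\")  # drop the hive name
            if rest.lower().startswith(NOTIFY_ROOT + "\\"):
                current = rest[len(NOTIFY_ROOT) + 1:]
                packages[current] = {}
            else:
                current = None
            continue
        val = re.match(r'"([^"]+)"=(.*)$', line)
        if val and current is not None:
            packages[current][val.group(1).lower()] = decode_value(val.group(2))
    return packages


def suspicious_packages(packages):
    """List (subkey, dll, reasons) for entries that deviate from the baseline."""
    findings = []
    for name, values in packages.items():
        dll = values.get("dllname")
        if not dll:
            findings.append((name, None, "no DllName value"))
            continue
        reasons = []
        if ntpath.basename(dll).lower() not in BASELINE_DLLS:
            reasons.append("DLL not in baseline")
        if ntpath.isabs(dll):
            # Heuristic from this log: the stock entries use bare file names.
            reasons.append("absolute path")
        if reasons:
            findings.append((name, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, dll, why in suspicious_packages(parse_notify_packages(SAMPLE_EXPORT)):
        print(f"{name}: {dll} ({why})")
```
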

#6
infaddict
Hi Tilia :)

From your L2MFix log, I believe you have the latest variant of Look2Me. I have created a fix which will hopefully remove the infection. If it doesn't we have some other options we can look at.

You should print these instructions for reference

1) Create a new folder on your hard drive called FIX. In other words, create C:\FIX.

2) Backup your registry
  • Click Start, and then click Run.
  • In the Open box, type regedit and then click OK.
  • Ensure that My Computer is highlighted, rather than any entry beneath it
  • On the File menu, click Export
  • In the Save in box, select the C:\FIX folder and in the File name box type backup and then click Save
  • The registry will be backed up - this could take up to 1 minute depending on your computer
  • Close regedit by clicking on File -> Exit
Do not modify or touch any settings in your registry. Doing so can render your computer useless.


3) Create fix batch file

Please select the blue text below and copy it into a blank Notepad screen. Then save the file and in the 'File Name' box, type fixbat.bat and choose the C:\FIX folder to save it in (ensure you change the 'Save as Type' box to 'All Files' before clicking Save).

echo Start of Fix
attrib -h -s -r -a c:\windows\system32\wfashext.dll
del c:\windows\system32\wfashext.dll
attrib -h -s -r -a c:\windows\system32\ennsl1571.dll
del c:\windows\system32\ennsl1571.dll
attrib -h -s -r -a c:\windows\system32\g6jolg1316.dll
del c:\windows\system32\g6jolg1316.dll
attrib -h -s -r -a c:\windows\system32\guard.tmp
del c:\windows\system32\guard.tmp
echo End of Fix



4) Create fix registry file

Please select the blue text below and copy it into a blank Notepad screen. Then save the file and in the 'File Name' box, type fixreg.reg and choose the C:\FIX folder to save it in (ensure you change the 'Save as Type' box to 'All Files' before clicking Save. Also ensure there is no blank line or spaces before the first text of REGEDIT4).

REGEDIT4

-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinFiles]

-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{70C4AAAC-D59D-4088-9CF9-94B7102199A2}"=-

-[HKEY_CLASSES_ROOT\CLSID\{70C4AAAC-D59D-4088-9CF9-94B7102199A2}]


5) Boot to Safe Mode with Command Prompt :
  • Restart your computer
  • As your computer is restarting, please tap F8 continuously until a boot menu appears
  • From the list, select "Safe Mode with Command Prompt" and press Enter
  • You may see lots of text and some drivers are loaded. Eventually you should get a Command Prompt screen which is black in color with white text. The prompt should list a location starting with 'C:\'
6) Run the fixes :
  • At the prompt, type "CD \" (not including quotes) and press Enter (note the space between CD and \)
  • At the prompt, type "CD FIX" (not including quotes) and press Enter (note the space between CD and FIX)
  • At the prompt, type "fixbat > fixlog.txt" (not including quotes) and press Enter (note the spaces between fix and the greater than sign and the second space between the greater than sign and fixlog.txt)
  • At the prompt, type "regedit /S fixreg.reg" (not including quotes) and press Enter (note the space between regedit32 and /S and the second space between /S and fixreg.reg)
7) Reboot into Normal Windows. The easiest way to do this is to press the reset button on your PC, or to hold down the Control-Alt-Delete keys on your computer.


8) Re-run the L2MFix option #1

Open the l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.



9) Run HijackThis and perform a scan. Paste the log results into this thread.


Please reply with the following information :
  • fixlog.txt from the C:\FIX folder
  • the results from the L2Mfix option #2
  • a fresh HijackThis log from Normal mode (i.e. not Safe Mode)
:tazz:
  • 0

#7
Tilia

    New Member

  • Topic Starter
  • Member
  • 6 posts
OK, I did what you said and here are the logs

l2mfix log

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnn0015me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{050043AF-37C0-113F-33E9-A1CA45C3C3A3}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Scripting Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Merge Shell Folder"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Microsoft SearchBand"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{C56C4E21-706D-11d0-AFC5-444553540002}"="My Digital Camera"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{7850a720-705f-11d0-a9eb-0080488625e5}"="BestCrypt Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Property Sheet Shell Extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{E4CAA75E-9B5F-45EB-8E4E-8B743B44F171}"="Pop-Up Stopper Anti-Spyware Toolbar"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{8AC9D5E6-7263-4D6E-B256-DB0DD7884B88}"=""
"{ED84D87A-4140-407A-B8E7-ECA419AA726D}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8AC9D5E6-7263-4D6E-B256-DB0DD7884B88}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AC9D5E6-7263-4D6E-B256-DB0DD7884B88}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AC9D5E6-7263-4D6E-B256-DB0DD7884B88}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AC9D5E6-7263-4D6E-B256-DB0DD7884B88}\InprocServer32]
@="C:\\WINDOWS\\system32\\lmpsd11n.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ED84D87A-4140-407A-B8E7-ECA419AA726D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ED84D87A-4140-407A-B8E7-ECA419AA726D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ED84D87A-4140-407A-B8E7-ECA419AA726D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ED84D87A-4140-407A-B8E7-ECA419AA726D}\InprocServer32]
@="C:\\WINDOWS\\system32\\uclmon.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
msrating.dll Fri Sep 2 2005 7:52:06p A.... 146,432 143.00 K
wznbrand.dll Thu Nov 3 2005 2:50:42p ..... 235,883 230.35 K
nvnt4cpl.dll Mon Oct 10 2005 9:49:00p A.... 286,720 280.00 K
nvmccs.dll Mon Oct 10 2005 9:49:00p A.... 229,376 224.00 K
nvhwvid.dll Mon Oct 10 2005 9:49:00p A.... 573,440 560.00 K
nvapi.dll Mon Oct 10 2005 9:49:00p A.... 45,056 44.00 K
uclmon.dll Fri Nov 4 2005 11:23:52p ..S.R 234,148 228.66 K
nvwdmcpl.dll Mon Oct 10 2005 9:49:00p A.... 1,662,976 1.59 M
nvwimg.dll Mon Oct 10 2005 9:49:00p A.... 1,019,904 996.00 K
wii.dll Thu Nov 3 2005 3:02:08p ..... 235,883 230.35 K
lmpsd11n.dll Fri Nov 4 2005 9:51:36p ..S.R 234,148 228.66 K
mpsap.dll Fri Nov 4 2005 11:26:06p ..S.R 235,464 229.95 K
nvcodins.dll Mon Oct 10 2005 9:49:00p A.... 34,304 33.50 K
nvmccsrs.dll Mon Oct 10 2005 9:49:00p A.... 45,056 44.00 K
nvcod.dll Mon Oct 10 2005 9:49:00p A.... 34,304 33.50 K
cdfview.dll Fri Sep 2 2005 7:52:04p A.... 151,040 147.50 K
mstime.dll Fri Sep 2 2005 7:52:06p A.... 530,432 518.00 K
umpnpmgr.dll Mon Aug 22 2005 11:35:42p A.... 123,392 120.50 K
iepeers.dll Fri Sep 2 2005 7:52:04p A.... 251,392 245.50 K
browseui.dll Fri Sep 2 2005 7:52:04p A.... 1,019,904 996.00 K
enn6l1~1.dll Fri Nov 4 2005 11:26:06p ..S.R 237,115 231.55 K
dnn001~1.dll Fri Nov 4 2005 11:04:26p ..S.R 235,464 229.95 K
cdosys.dll Fri Sep 9 2005 9:53:42p A.... 2,067,968 1.97 M
netman.dll Mon Aug 22 2005 2:29:46p A.... 197,632 193.00 K
quartz.dll Mon Aug 29 2005 11:54:26p A.... 1,287,168 1.23 M
wininet.dll Fri Sep 2 2005 7:52:06p A.... 658,432 643.00 K
urlmon.dll Fri Sep 2 2005 7:52:06p A.... 608,768 594.50 K
shdocvw.dll Fri Sep 2 2005 7:52:06p A.... 1,483,776 1.41 M
pngfilt.dll Fri Sep 2 2005 7:52:06p A.... 39,424 38.50 K
mshtmled.dll Fri Sep 2 2005 7:52:06p A.... 448,512 438.00 K
mshtml.dll Tue Oct 4 2005 5:26:00p A.... 3,015,168 2.88 M
inseng.dll Fri Sep 2 2005 7:52:04p A.... 96,256 94.00 K
dxtrans.dll Fri Sep 2 2005 7:52:04p A.... 205,312 200.50 K
danim.dll Fri Sep 2 2005 7:52:04p A.... 1,053,696 1.00 M
extmgr.dll Fri Sep 2 2005 7:52:04p ..... 55,808 54.50 K
winsrv.dll Wed Aug 31 2005 9:41:54p A.... 291,840 285.00 K
shlwapi.dll Fri Sep 2 2005 7:52:06p A.... 473,600 462.50 K
shell32.dll Thu Sep 22 2005 11:05:30p A.... 8,450,560 8.06 M
linkinfo.dll Wed Aug 31 2005 9:41:54p A.... 19,968 19.50 K

39 items found: 39 files (5 H/S), 0 directories.
Total of file sizes: 28,255,721 bytes 26.95 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 0000-0EEA

Directory of C:\WINDOWS\System32

11/04/2005 11:26 PM 237,115 enn6l15s1.dll
11/04/2005 11:26 PM 235,464 mpsap.dll
11/04/2005 11:23 PM 234,148 uclmon.dll
11/04/2005 11:04 PM 235,464 dnn0015me.dll
11/04/2005 09:51 PM 234,148 lmpsd11n.dll
08/04/2004 02:56 AM 11,776 regsvr32.exe
08/28/2002 10:33 AM <DIR> Microsoft
6 File(s) 1,188,115 bytes
1 Dir(s) 19,872,284,672 bytes free


here is the fix file log


C:\FIX>echo Start of Fix
Start of Fix

C:\FIX>attrib -h -s -r -a c:\windows\system32\wfashext.dll
File not found - C:\windows\system32\wfashext.dll

C:\FIX>del c:\windows\system32\wfashext.dll

C:\FIX>attrib -h -s -r -a c:\windows\system32\ennsl1571.dll
File not found - C:\windows\system32\ennsl1571.dll

C:\FIX>del c:\windows\system32\ennsl1571.dll

C:\FIX>attrib -h -s -r -a c:\windows\system32\g6jolg1316.dll
File not found - C:\windows\system32\g6jolg1316.dll

C:\FIX>del c:\windows\system32\g6jolg1316.dll

C:\FIX>attrib -h -s -r -a c:\windows\system32\guard.tmp
File not found - C:\windows\system32\guard.tmp

C:\FIX>del c:\windows\system32\guard.tmp

C:\FIX>echo End of Fix
End of Fix


here is the hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:31:34 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Jason & Rachel\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnn0015me.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks in advance! *note* still getting popups

#8
infaddict


    Visiting Staff

  • Member
  • 734 posts
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#9
Tilia


    New Member

  • Topic Starter
  • Member
  • 6 posts
I am sooo happy! No popups since my reboot after this scan!! Here is the log...



********
3:06 PM: | Start of Session, Sunday, November 06, 2005 |
3:06 PM: Spy Sweeper started
3:06 PM: Sweep initiated using definitions version 567
3:06 PM: Starting Memory Sweep
3:06 PM: Found Adware: icannnews
3:06 PM: Detected running threat: C:\WINDOWS\SYSTEM32\dnn0015me.dll (ID = 83)
3:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:08 PM: Detected running threat: C:\WINDOWS\SYSTEM32\uorfaxa.dll (ID = 83)
3:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:09 PM: Memory Sweep Complete, Elapsed Time: 00:02:56
3:09 PM: Starting Registry Sweep
3:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:09 PM: Found Trojan Horse: 2nd-thought
3:09 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
3:09 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
3:09 PM: Found Trojan Horse: alwaysupdatednews
3:09 PM: HKCR\appid\aunbho.dll\ (1 subtraces) (ID = 103538)
3:09 PM: HKCR\appid\{b61f67f7-91f3-4a56-99a7-ab972f2318df}\ (1 subtraces) (ID = 103539)
3:09 PM: HKCR\aunbho.aun\ (1 subtraces) (ID = 103541)
3:09 PM: HKCR\interface\{032a2af0-ce7e-4ecb-908b-6a17d3d69a97}\ (8 subtraces) (ID = 103543)
3:09 PM: HKLM\software\classes\appid\aunbho.dll\ (1 subtraces) (ID = 103545)
3:09 PM: HKLM\software\classes\appid\{b61f67f7-91f3-4a56-99a7-ab972f2318df}\ (1 subtraces) (ID = 103546)
3:09 PM: HKLM\software\classes\aunbho.aun\ (1 subtraces) (ID = 103548)
3:09 PM: HKLM\software\classes\interface\{032a2af0-ce7e-4ecb-908b-6a17d3d69a97}\ (8 subtraces) (ID = 103550)
3:09 PM: Found Adware: freescratchandwin
3:09 PM: HKCR\clsid\{acc4dbff-71af-4227-a86d-8777429f56bd}\ (3 subtraces) (ID = 126647)
3:09 PM: HKLM\software\classes\support.application\ (1 subtraces) (ID = 126662)
3:09 PM: HKCR\support.application\ (1 subtraces) (ID = 126674)
3:09 PM: Found Adware: screensavers
3:09 PM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (2 subtraces) (ID = 140550)
3:09 PM: HKCR\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (2 subtraces) (ID = 140551)
3:09 PM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (2 subtraces) (ID = 140555)
3:09 PM: HKLM\software\classes\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (2 subtraces) (ID = 140556)
3:09 PM: HKLM\software\screensavers.com\ (ID = 140569)
3:09 PM: Found Adware: winad
3:09 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (1 subtraces) (ID = 147191)
3:09 PM: Found Adware: clkoptimizer
3:09 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
3:09 PM: HKLM\software\qstat\ || brr (ID = 877670)
3:09 PM: Found Adware: multidial
3:09 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/mfc42.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956093)
3:09 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/msvcrt.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956095)
3:09 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/olepro32.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956097)
3:09 PM: Found Adware: desktoptraffic
3:09 PM: HKU\S-1-5-21-57989841-813497703-1060284298-1004\eeennn\ (280 subtraces) (ID = 124993)
3:09 PM: Found Adware: targetsaver
3:09 PM: HKU\S-1-5-21-57989841-813497703-1060284298-1004\software\tsl2\ (1 subtraces) (ID = 143616)
3:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:09 PM: Registry Sweep Complete, Elapsed Time:00:00:37
3:09 PM: Starting Cookie Sweep
3:09 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:09 PM: Starting File Sweep
3:09 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
3:09 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
3:10 PM: Found Adware: azsearch toolbar
3:10 PM: azesearch.bmp (ID = 50322)
3:10 PM: Found Adware: ieplugin
3:10 PM: kwv2.dat (ID = 63356)
3:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:11 PM: Warning: Failed to open file "c:\windows\system32\uorfaxa.dll". The process cannot access the file because it is being used by another process
3:11 PM: Warning: Failed to open file "c:\windows\system32\dnn0015me.dll". The process cannot access the file because it is being used by another process
3:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:11 PM: Warning: Failed to open file "c:\windows\system32\k208lcdu1f08.dll". The process cannot access the file because it is being used by another process
3:12 PM: Found Adware: dialerplatform
3:12 PM: best casino experience!.ico (ID = 58328)
3:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
3:12 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
3:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:13 PM: Found Adware: tvmedia
3:13 PM: tvmk14.exe (ID = 81722)
3:13 PM: desktrf-fran-162813.exe (ID = 58092)
3:13 PM: Found Adware: searchpounders hijacker
3:13 PM: setup.exe (ID = 75154)
3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: fswinst.inf (ID = 61160)
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcsys.dll". The process cannot access the file because it is being used by another process
3:19 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: Found Adware: virtualbouncer
3:20 PM: 34a0a5b4-8744-4caf-ac9d-a1d566 (ID = 82806)
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:28 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:28 PM: c:\program files\screensavers.com (2 subtraces) (ID = -2147480365)
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:29 PM: swpstart.exe (ID = 74759)
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: Found Adware: clearsearch
3:30 PM: 80095714.bin (ID = 160319)
3:30 PM: 99564265.bin (ID = 52530)
3:30 PM: 36812330.dat (ID = 160320)
3:30 PM: 85451358.txt (ID = 52534)
3:30 PM: 48483876.dat (ID = 160321)
3:30 PM: 27814440.dat (ID = 52511)
3:30 PM: 76671712.dat (ID = 52508)
3:30 PM: 64013624.txt (ID = 52526)
3:30 PM: 12658288.txt (ID = 160324)
3:30 PM: 32576368.bin (ID = 160325)
3:30 PM: 13869147.dat (ID = 52528)
3:30 PM: 13945512.txt (ID = 52522)
3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:31 PM: Found Adware: abcsearch
3:31 PM: c:\documents and settings\all users\application data\msw (ID = -2147481510)
3:31 PM: Warning: Failed to open file "c:\documents and settings\jason & rachel\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:31 PM: Warning: Failed to open file "c:\documents and settings\jason & rachel\ntuser.dat". The process cannot access the file because it is being used by another process
3:32 PM: Warning: Failed to open file "c:\documents and settings\jason & rachel\local settings\temp\temporary internet files\content.ie5\0z050lod\couch-slipcover_w0qqcatrefzc6qqcoactionzcompareqqcoentrypagezsearchqqcopagenumz1qqfromzr10qqfrtsz50qqfsooz1qqfsopz1qqftrtz1qqftrvz1qqsacatzq2d1qqsaprchizqqsaprcloz[1].htm". The system cannot find the path specified
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:33 PM: Warning: Failed to open file "c:\documents and settings\jason & rachel\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:33 PM: Warning: Failed to open file "c:\documents and settings\jason & rachel\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:34 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa224b049-b2f9-4bd1-bb3d-bbed4cebd411.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3fd87208-317d-440a-a40a-16ebcbe0573c.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd0998043-f440-47ab-9342-f81978fe90e8.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3b0ed62c-659c-4ba7-b742-a78412febfa0.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc776efa-a708-4700-be22-f7b0be0ec4bc.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse68ff9c5-94ee-48ae-b4f0-03f513190b45.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5dc255e3-7245-4735-ab89-736109696247.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscseaa47abf-6490-4c8b-9115-124cec7ad608.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc2b4804-7937-4071-8b1f-d3d1f20c1631.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs56ce0612-ea00-43a2-8a1a-26c3c3d4c39a.tmp". The process cannot access the file because it is being used by another process
3:34 PM: Found Adware: effective-i toolbar
3:34 PM: a0000014.lnk (ID = 59855)
3:34 PM: a0000015.lnk (ID = 59838)
3:34 PM: Found Adware: surf accuracy
3:34 PM: a0000024.cfg (ID = 162775)
3:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:34 PM: a0000745.dll (ID = 50344)
3:34 PM: a0000748.dll (ID = 50344)
3:35 PM: a0001720.dll (ID = 74752)
3:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:35 PM: Found Adware: directrevenue-abetterinternet
3:35 PM: a0002760.inf (ID = 83222)
3:35 PM: Found Trojan Horse: lzio
3:35 PM: a0002799.exe (ID = 153823)
3:35 PM: Found Adware: look2me
3:35 PM: a0002806.exe (ID = 168558)
3:35 PM: a0002810.cpl (ID = 150831)
3:35 PM: a0002813.dll (ID = 150833)
3:35 PM: a0004878.dll (ID = 163672)
3:35 PM: a0005122.dll (ID = 163672)
3:35 PM: a0005124.dll (ID = 163672)
3:35 PM: a0005253.dll (ID = 163672)
3:35 PM: a0005255.dll (ID = 163672)
3:35 PM: a0005282.dll (ID = 163672)
3:35 PM: a0006685.dll (ID = 163672)
3:35 PM: a0006695.dll (ID = 163672)
3:35 PM: a0006821.dll (ID = 163672)
3:35 PM: a0006825.dll (ID = 163672)
3:35 PM: a0006885.dll (ID = 163672)
3:35 PM: a0006889.dll (ID = 163672)
3:35 PM: a0006893.dll (ID = 163672)
3:35 PM: a0006897.dll (ID = 163672)
3:35 PM: a0006921.dll (ID = 163672)
3:35 PM: a0006925.dll (ID = 163672)
3:35 PM: a0006945.dll (ID = 163672)
3:35 PM: a0006949.dll (ID = 163672)
3:35 PM: a0006953.dll (ID = 163672)
3:35 PM: a0006957.dll (ID = 163672)
3:35 PM: a0006964.dll (ID = 163672)
3:35 PM: a0006968.dll (ID = 163672)
3:35 PM: Found Adware: netratings
3:35 PM: a0006970.dll (ID = 70902)
3:35 PM: a0006983.dll (ID = 163672)
3:35 PM: a0006987.dll (ID = 163672)
3:35 PM: a0006997.dll (ID = 163672)
3:35 PM: a0007001.dll (ID = 163672)
3:35 PM: a0007004.dll (ID = 163672)
3:35 PM: a0007008.dll (ID = 163672)
3:35 PM: a0009006.dll (ID = 163672)
3:35 PM: a0009007.dll (ID = 163672)
3:35 PM: a0009009.dll (ID = 163672)
3:35 PM: a0009165.inf (ID = 70907)
3:35 PM: a0009166.dll (ID = 70902)
3:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:37 PM: Warning: Invalid file - not a PKZip file
3:37 PM: Warning: Invalid file - not a PKZip file
3:37 PM: Warning: Invalid file - not a PKZip file
3:37 PM: Warning: Invalid file - not a PKZip file
3:37 PM: Warning: Invalid file - not a PKZip file
3:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:38 PM: File Sweep Complete, Elapsed Time: 00:28:23
3:38 PM: Full Sweep has completed. Elapsed time 00:32:04
3:38 PM: Traces Found: 434
3:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.a
#10
infaddict

    Visiting Staff

  • Member
  • 734 posts
Hi, great news!

Please post a fresh HijackThis log so I can confirm you are fully clean.

:tazz:
#11
Tilia

    New Member

  • Topic Starter
  • Member
  • 6 posts
Here is my new hijack this log
:tazz:

Logfile of HijackThis v1.99.1
Scan saved at 9:41:33 AM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Jason & Rachel\Desktop\spyware help folder\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#12
infaddict

    Visiting Staff

  • Member
  • 734 posts
Hi Tilia,

Congratulations, your log is clean :tazz:

Please re-enable Norton AntiVirus Script Blocking:
  • Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
  • Click Options.
  • If you see a menu, click Norton AntiVirus.
  • In the left pane, click Script Blocking.
  • In the right pane, check Enable Script Blocking (recommended).
  • Click OK.
Since your issues have been addressed and you are ready to travel the net again, I will just give you a few ideas on how to stay safe out there. Best of all, these programs are all readily available on the net for free :)

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:

Spyware Blaster, Spyware Guard

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE--Adaware Tutorial

Spybot S&D--Spybot Tutorial

Antiviruses play an important role in keeping your computer safe and worry free while using the net. *NOTE* Only one antivirus must be allowed to run on your computer, as having two or more running can and will cause conflicts.

AVG, Avast

Firewalls are also a must in any good prevention:

Zone Alarm, Sygate, Kerio

There are different browsers available on the net other than Internet Explorer; we believe these are better for security purposes:

Firefox, Opera

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by Microsoft.

This can be accessed by going to Windows Updates and following the prompts.

To add to the performance of your computer, I suggest a weekly maintenance program. Run this tool: CCleaner

Lastly, a second opinion on the antivirus that you have chosen: I suggest running these online virus scans periodically, just to make sure that the AV is doing a proper job of keeping you safe:

Rav Online Scan, Housecall Online Scan, Panda Activescan

Housecall Java Online Scan <--- for those who use Firefox or Opera.

And finally, a little "How did I get infected in the first place?" (by Mr. Tony Klein and dvk01)

Good luck and safe surfing :)

#13
therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.