Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

reappearing malware... [RESOLVED]


  • This topic is locked This topic is locked

#1
mattfili

mattfili

    Member

  • Member
  • PipPip
  • 26 posts
I don't have any idea how it got on here, and it just won't leave in peace. I can't open regedit, hijackthis, cmd, basically anything good that can help me get rid of the garbage, unless ofcourse i'm in safe mode, and even then, whenever i restart to normal mode, its back... ive even recovered the computer and it just simply is still on there... i tired deleteing what i think the issue is with killbox, and i'm just not gettin it all... please help me out...

Logfile of HijackThis v1.99.1
Scan saved at 6:19:44 PM, on 11/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VGATune] VGATune.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CD-R 64x] disk64x.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\WINDOWS\876029.exe
O4 - HKLM\..\Run: [jrm\] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [VGATune] VGATune.exe
O4 - HKLM\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [VGATune] VGATune.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [wmsskp] C:\WINDOWS\System32\wmsskp.exe
O4 - HKCU\..\RunServices: [VGATune] VGATune.exe
O4 - HKCU\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\RunOnce: [wmsskp] C:\WINDOWS\System32\wmsskp.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\en04l1dq1.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe

Edited by mattfili, 07 November 2005 - 06:23 PM.

  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
mattfili

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
yeah i need help still, thanks for your time...

Logfile of HijackThis v1.99.1
Scan saved at 4:35:09 PM, on 11/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\VGATune.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\msconfigx32.exe
C:\WINDOWS\System32\networknbh.exe
C:\WINDOWS\System32\up32.pif
C:\windows\system32\nlhfte.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\mswindll32.exe
C:\WINDOWS\shost.exe
C:\WINDOWS\msmedia32.exe
C:\WINDOWS\construct.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\windows\system32\nlhfte.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VGATune] VGATune.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CD-R 64x] disk64x.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [jrm\] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [virD] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\Run: [Up Service] up32.pif
O4 - HKLM\..\RunServices: [VGATune] VGATune.exe
O4 - HKLM\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\RunServices: [Up Service] up32.pif
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [VGATune] VGATune.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [nlhfte] C:\windows\system32\nlhfte.exe
O4 - HKCU\..\Run: [Up Service] up32.pif
O4 - HKCU\..\RunServices: [VGATune] VGATune.exe
O4 - HKCU\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\RunServices: [Up Service] up32.pif
O4 - HKCU\..\RunOnce: [nlhfte] C:\windows\system32\nlhfte.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c11.cab
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\p6p60g7se6.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: WinMedia - Unknown owner - C:\WINDOWS\msmedia32.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.

http://free.grisoft....E/lng/us/tpl/v5


==========


Once AVG is done, run this online virus scan.
Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • You may need to disable your antivirus program while this scan runs.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
  • Make sure to reenable your antivirus program if you disabled it.
Reboot and post a new hijackthis log and the info from your virus scan.
  • 0

#5
mattfili

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I ran the AVG virus scan 3 times. The first time I had 27 viruses, the second time I had 45 viruses and the thrid time I had 0 viruses. Clearly, with all the popups I am still getting, the viruses/malware is not removed.

Panda ActiveScan would not run, AVG turned on/off. On the bottom of the window of Panda, it says "error on page."

I can still not acess hijackthis, cmd or regedit unless I am in safemod, which is where I got this hijack this log...

Logfile of HijackThis v1.99.1
Scan saved at 10:30:36 PM, on 11/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CD-R 64x] disk64x.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [VGATune] VGATune.exe
O4 - HKLM\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\RunServices: [Up Service] up32.pif
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [nlhfte] C:\windows\system32\nlhfte.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\RunServices: [Up Service] up32.pif
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o0ro0a93ed.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: WinMedia - Unknown owner - C:\WINDOWS\msmedia32.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)
  • 0

#6
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.

  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    O4 - HKLM\..\Run: [CD-R 64x] disk64x.exe
    O4 - HKLM\..\Run: [Microsoft Network Neighbourhood] networknbh.exe
    O4 - HKLM\..\RunServices: [VGATune] VGATune.exe
    O4 - HKLM\..\RunServices: [CD-R 64x] disk64x.exe
    O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
    O4 - HKLM\..\RunServices: [Microsoft Network Neighbourhood] networknbh.exe
    O4 - HKLM\..\RunServices: [Up Service] up32.pif
    O4 - HKCU\..\Run: [CD-R 64x] disk64x.exe
    O4 - HKCU\..\Run: [nlhfte] C:\windows\system32\nlhfte.exe
    O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
    O4 - HKCU\..\RunServices: [CD-R 64x] disk64x.exe
    O4 - HKCU\..\RunServices: [Up Service] up32.pif
    O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o0ro0a93ed.dll
    O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe
    O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
    O23 - Service: WinMedia - Unknown owner - C:\WINDOWS\msmedia32.exe
    O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)


  • While in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    VGATune.exe
    disk64x.exe
    msconfigx32.exe
    networknbh.exe
    up32.pif
    C:\WINDOWS\system32\nlhfte.exe
    C:\WINDOWS\system32\o0ro0a93ed.dll
    C:\WINDOWS\mspath.exe
    C:\WINDOWS\mswindll32.exe
    C:\WINDOWS\shost.exe
    C:\WINDOWS\msmedia32.exe


  • Run a scan with AVG while still in Safe mode.
Reboot your computer to go back to normal mode and post a new log. If hijackthis still doesn't work in normal mode, post a log from Safe mode, just be sure to do it after a reboot.
  • 0

#7
mattfili

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I ran AVG scan again, and it detected 2 viruses. When I loaded up in normal mode, I'm still gettin popups, but hijack this worked.

O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o0ro0a93ed.dll
keeps changing I've noticed, and I cannot delete the file, and when I ran hijack this, it said it had to restart to make the changes, I did, and that file had changed to something different, and I tried again, and it changed again.


here is my log from nomal mode.

Logfile of HijackThis v1.99.1
Scan saved at 2:31:14 PM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\MSLs32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\shost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msls] C:\WINDOWS\System32\MSLs32.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\fp8803lue.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe (file missing)
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)
  • 0

#8
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
The 020 line indicates a different type of infection(Look2Me) that we will deal with now that you can work in normal mode. You still have some viruses showing up in your log, but Look2Me will be most disruptive right now and is causing your popups. So we'll work on that first and then come back to whatever is left.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#9
mattfili

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
it would not open in normal mode, so I ran it in safe mode.


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enlol1331.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E309DAAE-0E6B-5359-E2A9-300152AC4260}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{8FF43EAA-2BB1-4A53-8E18-D9221E56E593}"="CePMTab Property Sheet"
"{9ED66769-A198-41FE-8615-601691C68846}"="TouchPad Property Sheet"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{93FB88BF-8B24-4A55-86BE-7101C383019D}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{1757F144-0978-4A09-8BAA-B3FDA67D612C}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{93FB88BF-8B24-4A55-86BE-7101C383019D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93FB88BF-8B24-4A55-86BE-7101C383019D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93FB88BF-8B24-4A55-86BE-7101C383019D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93FB88BF-8B24-4A55-86BE-7101C383019D}\InprocServer32]
@="C:\\WINDOWS\\system32\\kudda.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1757F144-0978-4A09-8BAA-B3FDA67D612C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1757F144-0978-4A09-8BAA-B3FDA67D612C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1757F144-0978-4A09-8BAA-B3FDA67D612C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1757F144-0978-4A09-8BAA-B3FDA67D612C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
appmr.dll Mon Nov 7 2005 3:37:04p A.... 105 0.10 K
bpackbox.dll Thu Nov 10 2005 1:46:42p ..S.R 237,113 231.55 K
dnr801~1.dll Thu Nov 10 2005 2:29:28p ..S.R 233,479 228.00 K
enlol1~1.dll Fri Nov 11 2005 9:21:14a ..S.R 236,862 231.31 K
ennsl1~1.dll Tue Nov 8 2005 10:01:30p ..S.R 235,538 230.02 K
enp0l1~1.dll Fri Nov 11 2005 9:25:40a ..S.R 233,783 228.30 K
ftamebuf.dll Tue Nov 8 2005 9:57:46p ..S.R 236,690 231.14 K
gve_32.dll Mon Nov 7 2005 5:50:24p A.... 0 0.00 K
h20qlc~1.dll Wed Nov 9 2005 10:23:26p ..S.R 234,163 228.67 K
hrjo05~1.dll Fri Nov 11 2005 2:12:50a ..S.R 235,428 229.91 K
ir6ql5~1.dll Wed Nov 9 2005 9:56:42p ..S.R 235,728 230.20 K
irn4l5~1.dll Tue Nov 8 2005 9:59:56p ..S.R 235,242 229.73 K
ktpol7~1.dll Tue Nov 8 2005 8:40:34p ..S.R 233,936 228.45 K
kudda.dll Fri Nov 11 2005 9:25:40a ..S.R 236,862 231.31 K
lankinfo.dll Wed Nov 9 2005 10:28:00p ..S.R 235,290 229.77 K
lv0m09~1.dll Thu Nov 10 2005 1:39:52p ..S.R 237,222 231.66 K
px.dll Wed Sep 14 2005 1:17:44p A.... 462,848 452.00 K
pxdrv.dll Wed Sep 14 2005 1:17:44p A.... 319,488 312.00 K
pxmas.dll Wed Sep 14 2005 1:17:44p A.... 143,360 140.00 K
pxwave.dll Wed Sep 14 2005 1:17:44p A.... 286,720 280.00 K
rwlcpapi.dll Fri Nov 11 2005 9:22:00a ..S.R 237,004 231.45 K
sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
vxblock.dll Wed Sep 14 2005 1:17:44p A.... 28,672 28.00 K
wdadmoe.dll Thu Nov 10 2005 1:39:52p ..S.R 237,113 231.55 K
winnb57.dll Tue Nov 8 2005 7:56:36p A.... 303,104 296.00 K

25 items found: 25 files (16 H/S), 0 directories.
Total of file sizes: 5,434,534 bytes 5.18 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is S3A1519D001
Volume Serial Number is F8F4-FFC8

Directory of C:\WINDOWS\System32

11/11/2005 09:25 AM 236,862 kudda.dll
11/11/2005 09:25 AM 233,783 enp0l17m1.dll
11/11/2005 09:21 AM 237,004 RWLCPAPI.dll
11/11/2005 09:21 AM 236,862 enlol1331.dll
11/11/2005 08:40 AM 47,104 SysRes.exe
11/11/2005 02:12 AM 235,428 hrjo0513e.dll
11/10/2005 02:29 PM 233,479 dnr8019ue.dll
11/10/2005 01:46 PM 237,113 bpackbox.dll
11/10/2005 01:39 PM 237,113 wdadmoe.dll
11/10/2005 01:39 PM 237,222 lv0m09d1e.dll
11/09/2005 10:27 PM 235,290 lankinfo.dll
11/09/2005 10:23 PM 234,163 h20qlcd51f0.dll
11/09/2005 09:56 PM 235,728 ir6ql5j51.dll
11/08/2005 10:01 PM 235,538 ennsl1571.dll
11/08/2005 09:59 PM 235,242 irn4l55q1.dll
11/08/2005 09:58 PM 101,376 networknbh.exe
11/08/2005 09:57 PM 236,690 ftamebuf.dll
11/08/2005 08:40 PM 233,936 ktpol7731.dll
11/06/2005 04:37 AM <DIR> dllcache
12/11/2003 03:46 PM <DIR> Microsoft
10/17/2003 05:34 PM 11,264 Thumbs.db
19 File(s) 3,931,197 bytes
2 Dir(s) 72,276,340,736 bytes free

Edited by mattfili, 11 November 2005 - 09:31 AM.

  • 0

#10
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the desktop icons dont dissappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.
  • 0

Advertisements


#11
mattfili

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I am having some difficulties with this step. The first time I ran L2mfix, I did it in normal mode, and it started to shut down, and all my desktop dissapeared except for the background - and it froze (I couldn't move my mouse). So I restarted manually, then clicked on the second file, and my desktop still vanished, but it did not freeze. I restarted after awhile, and tired running it in safe mode, but when it restarts nothing happenes. Now when I boot up my computer, a RUNDLL error occurs saying, An exception occured while trying to run "C:\WINDOWS\system32\vwajet32.dll, DllGetVersion".


here is my hijack this file...

Logfile of HijackThis v1.99.1
Scan saved at 5:29:59 PM, on 11/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VGATune] VGATune.exe
O4 - HKLM\..\Run: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\Run: [SystemRestore] SysRes.exe
O4 - HKLM\..\Run: [mstgr32] C:\main.exe
O4 - HKLM\..\Run: [CD-R 64x] disk64x.exe
O4 - HKLM\..\RunServices: [VGATune] VGATune.exe
O4 - HKLM\..\RunServices: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\RunServices: [SystemRestore] SysRes.exe
O4 - HKLM\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VGATune] VGATune.exe
O4 - HKCU\..\Run: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [wmsskp] C:\WINDOWS\System32\wmsskp.exe
O4 - HKCU\..\Run: [SystemRestore] SysRes.exe
O4 - HKCU\..\RunServices: [VGATune] VGATune.exe
O4 - HKCU\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\RunServices: [SystemRestore] SysRes.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\p86slij718o.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe (file missing)
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)

Edited by mattfili, 12 November 2005 - 05:33 PM.

  • 0

#12
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
You have the new variant. It's a real stinker! :tazz:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Reboot and post the log from Spysweeper and a new log from L2MFix option #1.
  • 0

#13
mattfili

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
the spysweeper log...

********
11:37 PM: | Start of Session, Saturday, November 12, 2005 |
11:37 PM: Spy Sweeper started
11:37 PM: Sweep initiated using definitions version 572
11:37 PM: Starting Memory Sweep
11:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:38 PM: Found Adware: icannnews
11:38 PM: Detected running threat: C:\WINDOWS\system32\gp0ql3d51.dll (ID = 83)
11:39 PM: Detected running threat: C:\WINDOWS\system32\rFstls.dll (ID = 83)
11:39 PM: Memory Sweep Complete, Elapsed Time: 00:01:45
11:39 PM: Starting Registry Sweep
11:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:39 PM: Found Adware: imgiant
11:39 PM: HKCR\clsid\{00000062-2e5f-4af7-986e-5b64e0951a96}\ (11 subtraces) (ID = 128535)
11:39 PM: HKCR\imgiantdll.imgiantdllobj.1\ (3 subtraces) (ID = 128536)
11:39 PM: HKCR\imgiantdll.imgiantdllobj\ (5 subtraces) (ID = 128537)
11:39 PM: HKCR\interface\{237cb7a2-e26e-443b-b16e-5da66584b05b}\ (8 subtraces) (ID = 128538)
11:39 PM: HKLM\software\classes\clsid\{00000062-2e5f-4af7-986e-5b64e0951a96}\ (11 subtraces) (ID = 128539)
11:39 PM: HKLM\software\classes\imgiantdll.imgiantdllobj.1\ (3 subtraces) (ID = 128540)
11:39 PM: HKLM\software\classes\imgiantdll.imgiantdllobj\ (5 subtraces) (ID = 128541)
11:39 PM: HKLM\software\classes\interface\{237cb7a2-e26e-443b-b16e-5da66584b05b}\ (8 subtraces) (ID = 128542)
11:39 PM: HKLM\software\classes\typelib\{c0168e40-6211-4113-9202-b9b852cb12fc}\ (9 subtraces) (ID = 128543)
11:39 PM: HKLM\software\microsoft\windows\currentversion\uninstall\imgiant\ (2 subtraces) (ID = 128549)
11:39 PM: HKCR\typelib\{c0168e40-6211-4113-9202-b9b852cb12fc}\ (9 subtraces) (ID = 128550)
11:39 PM: Found Adware: mirar webband
11:39 PM: HKCR\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135066)
11:39 PM: HKLM\software\classes\clsid\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}\ (6 subtraces) (ID = 135079)
11:39 PM: Found Adware: elitemediagroup-mediamotor
11:39 PM: HKCR\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\ (23 subtraces) (ID = 140032)
11:39 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\inprocserver32\ (2 subtraces) (ID = 140081)
11:39 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\miscstatus\ (3 subtraces) (ID = 140082)
11:39 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\progid\ (1 subtraces) (ID = 140083)
11:39 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\toolboxbitmap32\ (1 subtraces) (ID = 140084)
11:39 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\typelib\ (1 subtraces) (ID = 140085)
11:39 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\version\ (1 subtraces) (ID = 140086)
11:39 PM: HKLM\software\classes\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (18 subtraces) (ID = 140131)
11:39 PM: HKCR\typelib\{466c63ac-f26e-49f1-861a-e07da768a46a}\ (18 subtraces) (ID = 140223)
11:40 PM: Found Adware: targetsoft
11:40 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
11:40 PM: Found Adware: targetsaver
11:40 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
11:40 PM: Found Adware: winad
11:40 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
11:40 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
11:40 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
11:40 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
11:40 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
11:40 PM: Found Adware: 7adpower
11:40 PM: HKCR\progetto1.int_ver32\ (3 subtraces) (ID = 831501)
11:40 PM: HKCR\clsid\{0d62a517-e7c6-4e1f-a577-07d4ac549a48}\ (27 subtraces) (ID = 831505)
11:40 PM: HKCR\typelib\{391f0ac2-2cfc-4d56-a0e5-c7beb14f26e6}\ (9 subtraces) (ID = 831589)
11:40 PM: HKLM\software\classes\progetto1.int_ver32\ (3 subtraces) (ID = 831690)
11:40 PM: HKLM\software\classes\clsid\{0d62a517-e7c6-4e1f-a577-07d4ac549a48}\ (27 subtraces) (ID = 831694)
11:40 PM: HKLM\software\classes\typelib\{391f0ac2-2cfc-4d56-a0e5-c7beb14f26e6}\ (9 subtraces) (ID = 831778)
11:40 PM: Found Adware: look2me
11:40 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\policies\ || dllname (ID = 911234)
11:40 PM: Found Trojan Horse: trojan downloader popuppers
11:40 PM: HKCR\clsid\{62fba4e7-bd9e-4d8d-8fbb-3c32999cb7fc}\ (23 subtraces) (ID = 960709)
11:40 PM: HKCR\clsid\{a03323d3-f649-4f16-a6e4-4fc53f917a83}\ (10 subtraces) (ID = 960733)
11:40 PM: HKCR\typelib\{1942bebe-dce5-4148-868e-1250a2218b4c}\ (9 subtraces) (ID = 960748)
11:40 PM: HKLM\software\classes\clsid\{62fba4e7-bd9e-4d8d-8fbb-3c32999cb7fc}\ (23 subtraces) (ID = 960771)
11:40 PM: HKLM\software\classes\clsid\{a03323d3-f649-4f16-a6e4-4fc53f917a83}\ (10 subtraces) (ID = 960795)
11:40 PM: HKLM\software\classes\typelib\{1942bebe-dce5-4148-868e-1250a2218b4c}\ (9 subtraces) (ID = 960810)
11:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:40 PM: HKU\S-1-5-21-4228014880-3207979563-3975685197-1005\software\imgiant\ (3 subtraces) (ID = 128544)
11:40 PM: HKU\S-1-5-21-4228014880-3207979563-3975685197-1005\software\tsl2\ (1 subtraces) (ID = 143616)
11:40 PM: Registry Sweep Complete, Elapsed Time:00:01:11
11:40 PM: Starting Cookie Sweep
11:40 PM: Found Spy Cookie: yieldmanager cookie
11:40 PM: matt@ad.yieldmanager[2].txt (ID = 3751)
11:40 PM: Found Spy Cookie: advertising cookie
11:40 PM: matt@advertising[1].txt (ID = 2175)
11:40 PM: Found Spy Cookie: atlas dmt cookie
11:40 PM: matt@atdmt[2].txt (ID = 2253)
11:40 PM: Found Spy Cookie: azjmp cookie
11:40 PM: matt@azjmp[2].txt (ID = 2270)
11:40 PM: Found Spy Cookie: belnk cookie
11:40 PM: matt@belnk[1].txt (ID = 2292)
11:40 PM: Found Spy Cookie: 2o7.net cookie
11:40 PM: matt@chicagosuntimes.122.2o7[1].txt (ID = 1958)
11:40 PM: matt@dist.belnk[2].txt (ID = 2293)
11:40 PM: Found Spy Cookie: ru4 cookie
11:40 PM: matt@edge.ru4[1].txt (ID = 3269)
11:40 PM: Found Spy Cookie: starware.com cookie
11:40 PM: matt@h.starware[2].txt (ID = 3442)
11:40 PM: Found Spy Cookie: maxserving cookie
11:40 PM: matt@maxserving[2].txt (ID = 2966)
11:40 PM: Found Spy Cookie: paypopup cookie
11:40 PM: matt@paypopup[2].txt (ID = 3119)
11:40 PM: Found Spy Cookie: overture cookie
11:40 PM: matt@perf.overture[1].txt (ID = 3106)
11:40 PM: Found Spy Cookie: rn11 cookie
11:40 PM: matt@rn11[2].txt (ID = 3261)
11:40 PM: Found Spy Cookie: servedby advertising cookie
11:40 PM: matt@servedby.advertising[2].txt (ID = 3335)
11:40 PM: Found Spy Cookie: serving-sys cookie
11:40 PM: matt@serving-sys[2].txt (ID = 3343)
11:40 PM: matt@starware[2].txt (ID = 3441)
11:40 PM: Found Spy Cookie: tradedoubler cookie
11:40 PM: matt@tradedoubler[2].txt (ID = 3575)
11:40 PM: matt@www.starware[1].txt (ID = 3442)
11:40 PM: Found Spy Cookie: zedo cookie
11:40 PM: matt@zedo[1].txt (ID = 3762)
11:40 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:40 PM: Starting File Sweep
11:40 PM: a0013293.ocx (ID = 188117)
11:40 PM: a0030352.exe (ID = 133210)
11:40 PM: Found Adware: e2g
11:40 PM: a0005967.dll (ID = 180542)
11:40 PM: a0013265.exe (ID = 186212)
11:40 PM: a0013264.exe (ID = 186213)
11:40 PM: a0019998.exe (ID = 162574)
11:40 PM: a0013263.exe (ID = 133208)
11:40 PM: int_ver32b.ocx (ID = 156465)
11:40 PM: a0018475.exe (ID = 133198)
11:40 PM: a0018488.ocx (ID = 74058)
11:40 PM: a0013309.exe (ID = 188122)
11:40 PM: Found Adware: internetoptimizer
11:40 PM: a0013269.exe (ID = 125346)
11:40 PM: a0013275.exe (ID = 186212)
11:40 PM: a0013423.exe (ID = 186212)
11:40 PM: Found Adware: effective-i toolbar
11:40 PM: a0015436.dll (ID = 59843)
11:40 PM: int_ver32b.ocx (ID = 156465)
11:40 PM: a0009114.exe (ID = 186213)
11:40 PM: a0017464.dll (ID = 70014)
11:40 PM: a0013399.exe (ID = 125346)
11:40 PM: a0017463.exe (ID = 133210)
11:41 PM: a0021018.exe (ID = 65722)
11:41 PM: a0023013.ocx (ID = 74058)
11:41 PM: a0026180.exe (ID = 125346)
11:41 PM: a0026060.exe (ID = 162574)
11:41 PM: a0005917.exe (ID = 162574)
11:41 PM: a0020989.exe (ID = 186212)
11:41 PM: backup-20051108-184034-938.dll (ID = 156465)
11:41 PM: a0021017.exe (ID = 186213)
11:41 PM: a0015427.dll (ID = 59389)
11:41 PM: a0015472.exe (ID = 186213)
11:41 PM: a0019003.exe (ID = 133208)
11:41 PM: a0020992.dll (ID = 168367)
11:41 PM: a0015473.exe (ID = 186212)
11:41 PM: backup-20051107-171917-944.dll (ID = 156465)
11:41 PM: a0026221.dll (ID = 168367)
11:41 PM: a0026062.exe (ID = 133208)
11:41 PM: a0022023.exe (ID = 59402)
11:41 PM: a0013340.dll (ID = 168367)
11:41 PM: a0013277.dll (ID = 59389)
11:41 PM: a0029261.exe (ID = 133210)
11:41 PM: a0015475.exe (ID = 125346)
11:41 PM: backup-20051107-154649-112.dll (ID = 168367)
11:41 PM: backup-20051107-154649-403.dll (ID = 59389)
11:41 PM: a0013400.exe (ID = 125346)
11:41 PM: a0013392.ocx (ID = 188117)
11:41 PM: a0005919.ocx (ID = 74058)
11:41 PM: a0030350.dll (ID = 168367)
11:41 PM: a0008047.exe (ID = 188122)
11:41 PM: a0018481.ocx (ID = 188117)
11:41 PM: a0021023.exe (ID = 133208)
11:41 PM: a0013397.exe (ID = 188122)
11:41 PM: a0013276.dll (ID = 133227)
11:41 PM: backup-20051107-162859-606.dll (ID = 59389)
11:41 PM: a0013441.ocx (ID = 186211)
11:41 PM: a0017481.exe (ID = 188122)
11:41 PM: a0015426.dll (ID = 168367)
11:41 PM: a0007037.exe (ID = 125346)
11:41 PM: a0029336.exe (ID = 186212)
11:41 PM: a0026203.dll (ID = 180542)
11:41 PM: a0021002.dll (ID = 133227)
11:41 PM: a0015467.exe (ID = 188122)
11:41 PM: a0017487.ocx (ID = 186211)
11:41 PM: a0015474.ocx (ID = 186211)
11:41 PM: backup-20051107-160937-363.dll (ID = 59389)
11:41 PM: a0018487.exe (ID = 125346)
11:41 PM: a0029276.exe (ID = 59402)
11:41 PM: a0017460.dll (ID = 59389)
11:41 PM: a0018995.exe (ID = 188122)
11:41 PM: a0023041.exe (ID = 186212)
11:41 PM: a0013411.dll (ID = 133227)
11:41 PM: a0023043.exe (ID = 125346)
11:41 PM: a0026082.dll (ID = 180542)
11:41 PM: a0026174.dll (ID = 180542)
11:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41 PM: a0013440.exe (ID = 186213)
11:41 PM: a0009121.exe (ID = 188122)
11:41 PM: a0013442.exe (ID = 125346)
11:41 PM: a0005948.exe (ID = 162574)
11:41 PM: a0009047.exe (ID = 188122)
11:41 PM: a0018478.exe (ID = 186212)
11:41 PM: a0022027.exe (ID = 133208)
11:41 PM: a0009120.dll (ID = 180542)
11:41 PM: a0005971.exe (ID = 186213)
11:41 PM: a0015458.dll (ID = 163672)
11:41 PM: a0023017.dll (ID = 133227)
11:41 PM: a0013396.dll (ID = 180542)
11:41 PM: a0029273.exe (ID = 125346)
11:41 PM: a0022024.dll (ID = 180542)
11:41 PM: a0018477.exe (ID = 186213)
11:41 PM: backup-20051107-151900-400.dll (ID = 168367)
11:41 PM: a0026065.exe (ID = 186212)
11:41 PM: a0026056.exe (ID = 133210)
11:41 PM: a0026138.exe (ID = 188122)
11:41 PM: a0020988.exe (ID = 186213)
11:41 PM: a0019994.exe (ID = 188122)
11:41 PM: a0026091.exe (ID = 186213)
11:41 PM: a0022019.exe (ID = 162574)
11:41 PM: a0021003.exe (ID = 125346)
11:41 PM: a0013266.ocx (ID = 186211)
11:41 PM: a0013409.dll (ID = 168367)
11:41 PM: a0025039.dll (ID = 168367)
11:41 PM: a0026055.dll (ID = 70014)
11:41 PM: backup-20051107-151900-878.dll (ID = 59389)
11:41 PM: backup-20051107-151900-533.dll (ID = 133227)
11:41 PM: a0018494.dll (ID = 168367)
11:41 PM: a0005981.dll (ID = 59389)
11:41 PM: a0013398.exe (ID = 133208)
11:41 PM: backup-20051107-154649-999.dll (ID = 133227)
11:41 PM: a0026151.exe (ID = 133208)
11:41 PM: a0029237.exe (ID = 162574)
11:41 PM: a0019004.ocx (ID = 186211)
11:42 PM: a0029275.exe (ID = 125346)
11:42 PM: a0013282.dll (ID = 70014)
11:42 PM: a0013422.exe (ID = 125346)
11:42 PM: a0023010.exe (ID = 162574)
11:42 PM: a0023039.exe (ID = 186213)
11:42 PM: a0022022.ocx (ID = 74058)
11:42 PM: a0013395.exe (ID = 59402)
11:42 PM: a0020999.exe (ID = 65721)
11:42 PM: a0015447.exe (ID = 166444)
11:42 PM: a0015454.exe (ID = 78275)
11:42 PM: a0021001.dll (ID = 70014)
11:42 PM: a0029238.ocx (ID = 74058)
11:42 PM: a0018480.exe (ID = 162574)
11:42 PM: a0013298.ocx (ID = 186211)
11:42 PM: a0013401.exe (ID = 133210)
11:42 PM: a0026067.exe (ID = 125346)
11:42 PM: a0013281.exe (ID = 133210)
11:42 PM: a0015435.exe (ID = 125346)
11:42 PM: a0015452.exe (ID = 78256)
11:42 PM: a0015434.dll (ID = 70014)
11:42 PM: a0007036.exe (ID = 186213)
11:42 PM: a0019999.ocx (ID = 74058)
11:42 PM: a0005998.exe (ID = 186213)
11:42 PM: a0013297.exe (ID = 186213)
11:42 PM: a0023042.ocx (ID = 186211)
11:42 PM: a0008051.exe (ID = 186213)
11:42 PM: a0015450.exe (ID = 78254)
11:42 PM: a0005995.exe (ID = 188122)
11:42 PM: a0013419.exe (ID = 133210)
11:42 PM: a0006995.exe (ID = 162574)
11:42 PM: a0006996.ocx (ID = 74058)
11:42 PM: a0029257.exe (ID = 162574)
11:42 PM: a0007004.ocx (ID = 74058)
11:42 PM: a0020993.exe (ID = 125346)
11:42 PM: a0022028.ocx (ID = 186211)
11:42 PM: backup-20051107-215649-334.dll (ID = 59389)
11:42 PM: a0017461.ocx (ID = 74058)
11:42 PM: a0018479.exe (ID = 125346)
11:42 PM: a0013308.dll (ID = 180542)
11:42 PM: a0013274.exe (ID = 125346)
11:42 PM: a0013273.exe (ID = 125346)
11:42 PM: a0008032.ocx (ID = 74058)
11:42 PM: a0009105.exe (ID = 188122)
11:42 PM: a0017466.exe (ID = 125346)
11:42 PM: a0009127.dll (ID = 133227)
11:42 PM: a0026066.exe (ID = 186213)
11:42 PM: a0001864.exe (ID = 162574)
11:42 PM: a0001871.exe (ID = 162574)
11:42 PM: a0026175.exe (ID = 188217)
11:42 PM: a0009048.exe (ID = 162574)
11:42 PM: a0009050.ocx (ID = 74058)
11:42 PM: a0009062.ocx (ID = 74058)
11:42 PM: a0009079.exe (ID = 162574)
11:42 PM: a0026036.exe (ID = 162574)
11:42 PM: a0026103.dll (ID = 59389)
11:42 PM: a0009087.ocx (ID = 74058)
11:42 PM: a0026081.exe (ID = 188217)
11:42 PM: a0009084.exe (ID = 125346)
11:42 PM: a0023018.exe (ID = 125346)
11:42 PM: a0005910.exe (ID = 188122)
11:42 PM: a0010144.exe (ID = 188122)
11:42 PM: a0026051.exe (ID = 125346)
11:42 PM: a0007008.dll (ID = 133227)
11:42 PM: a0009092.exe (ID = 125346)
11:42 PM: a0009126.exe (ID = 133210)
11:42 PM: backup-20051106-175905-535.dll (ID = 168367)
11:42 PM: a0026125.dll (ID = 59389)
11:42 PM: a0029277.exe (ID = 188217)
11:42 PM: a0008037.dll (ID = 59389)
11:42 PM: a0015433.exe (ID = 133210)
11:42 PM: a0015470.exe (ID = 59402)
11:42 PM: a0015451.exe (ID = 78252)
11:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:42 PM: a0015453.dll (ID = 78253)
11:42 PM: a0023016.dll (ID = 70014)
11:42 PM: a0029278.dll (ID = 180542)
11:42 PM: a0013390.exe (ID = 162574)
11:42 PM: a0009065.dll (ID = 70014)
11:42 PM: a0021004.dll (ID = 59389)
11:42 PM: a0015429.exe (ID = 78255)
11:42 PM: a0023035.exe (ID = 59402)
11:42 PM: a0018474.exe (ID = 59383)
11:43 PM: a0009066.dll (ID = 133227)
11:43 PM: a0026154.exe (ID = 186212)
11:43 PM: a0005956.dll (ID = 59389)
11:43 PM: a0029279.exe (ID = 188217)
11:43 PM: a0018493.exe (ID = 186213)
11:43 PM: a0009128.dll (ID = 59389)
11:43 PM: a0026202.exe (ID = 59402)
11:43 PM: a0009115.exe (ID = 125346)
11:43 PM: a0013421.dll (ID = 70014)
11:43 PM: a0020997.exe (ID = 162574)
11:43 PM: backup-20051107-220032-110.dll (ID = 59389)
11:43 PM: a0015445.exe (ID = 162574)
11:43 PM: a0018496.exe (ID = 125346)
11:43 PM: a0008034.dll (ID = 70014)
11:43 PM: a0008033.exe (ID = 133210)
11:43 PM: Found Adware: 180search assistant/zango
11:43 PM: npclntax.dll (ID = 146239)
11:43 PM: a0018492.exe (ID = 186212)
11:43 PM: a0021020.exe (ID = 59402)
11:43 PM: a0005969.exe (ID = 59402)
11:43 PM: a0026187.exe (ID = 125346)
11:43 PM: a0021000.ocx (ID = 74058)
11:43 PM: a0005974.exe (ID = 125346)
11:43 PM: a0022016.exe (ID = 188122)
11:43 PM: a0026206.exe (ID = 133208)
11:43 PM: a0017484.exe (ID = 59402)
11:43 PM: a0028239.ocx (ID = 74058)
11:43 PM: a0023015.exe (ID = 133210)
11:43 PM: a0017465.dll (ID = 133227)
11:43 PM: a0015430.ocx (ID = 74058)
11:43 PM: Found Adware: dollarrevenue
11:43 PM: a0015441.exe (ID = 186184)
11:43 PM: int_ver32b.inf (ID = 156464)
11:43 PM: a0007014.exe (ID = 162574)
11:43 PM: a0026182.exe (ID = 162574)
11:43 PM: a0013435.exe (ID = 59402)
11:43 PM: a0019000.exe (ID = 59402)
11:43 PM: a0005999.exe (ID = 125346)
11:43 PM: a0015471.exe (ID = 133208)
11:43 PM: a0015446.exe (ID = 59853)
11:43 PM: a0013294.exe (ID = 59402)
11:43 PM: a0013262.exe (ID = 59402)
11:43 PM: a0008052.exe (ID = 125346)
11:43 PM: a0007009.exe (ID = 125346)
11:43 PM: a0026149.exe (ID = 162574)
11:43 PM: a0026092.exe (ID = 125346)
11:43 PM: a0026185.exe (ID = 186213)
11:43 PM: a0008036.exe (ID = 125346)
11:43 PM: a0026173.exe (ID = 59402)
11:43 PM: a0026156.ocx (ID = 74058)
11:43 PM: a0022025.exe (ID = 188122)
11:43 PM: a0009059.dll (ID = 163886)
11:43 PM: a0013272.exe (ID = 133208)
11:43 PM: a0007033.exe (ID = 59402)
11:43 PM: a0026095.exe (ID = 162574)
11:43 PM: a0015476.dll (ID = 163672)
11:43 PM: backup-20051108-184034-938.inf (ID = 156464)
11:43 PM: a0029280.exe (ID = 188217)
11:43 PM: a0008050.exe (ID = 133208)
11:43 PM: a0009068.dll (ID = 59389)
11:43 PM: a0018483.dll (ID = 59389)
11:43 PM: a0026178.ocx (ID = 186211)
11:43 PM: a0023020.exe (ID = 133208)
11:43 PM: a0010143.exe (ID = 188122)
11:43 PM: backup-20051106-165637-456.dll (ID = 168367)
11:43 PM: a0007010.dll (ID = 59389)
11:43 PM: a0005970.exe (ID = 133208)
11:43 PM: a0026080.exe (ID = 59402)
11:43 PM: a0012177.ocx (ID = 74058)
11:43 PM: a0005997.exe (ID = 133208)
11:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43 PM: backup-20051107-171917-944.inf (ID = 156464)
11:43 PM: a0023036.dll (ID = 168367)
11:43 PM: a0027237.exe (ID = 162574)
11:43 PM: a0009063.exe (ID = 133210)
11:43 PM: a0009082.exe (ID = 133208)
11:43 PM: a0009091.dll (ID = 133227)
11:43 PM: a0029274.dll (ID = 64043)
11:43 PM: a0013439.exe (ID = 133208)
11:43 PM: a0030361.dll (ID = 70014)
11:44 PM: a0026155.exe (ID = 186213)
11:44 PM: a0026146.exe (ID = 125346)
11:44 PM: a0026147.exe (ID = 133210)
11:44 PM: a0026098.exe (ID = 133210)
11:44 PM: a0027220.exe (ID = 162574)
11:44 PM: a0026085.ocx (ID = 186211)
11:44 PM: a0011142.exe (ID = 162574)
11:44 PM: winnb57.dll (ID = 133227)
11:44 PM: a0009109.exe (ID = 162574)
11:44 PM: a0029323.exe (ID = 188122)
11:44 PM: a0009117.exe (ID = 162574)
11:44 PM: a0026159.dll (ID = 59389)
11:44 PM: a0029319.exe (ID = 188122)
11:44 PM: a0012180.dll (ID = 180542)
11:44 PM: a0009093.dll (ID = 59389)
11:44 PM: a0009067.exe (ID = 125346)
11:44 PM: a0009055.exe (ID = 161148)
11:44 PM: a0029272.exe (ID = 188217)
11:44 PM: a0026064.dll (ID = 168367)
11:44 PM: a0023034.exe (ID = 162574)
11:44 PM: backup-20051107-220001-822.dll (ID = 59389)
11:44 PM: a0009113.exe (ID = 133208)
11:44 PM: a0026089.dll (ID = 168367)
11:44 PM: a0026087.exe (ID = 188217)
11:44 PM: a0007007.dll (ID = 70014)
11:44 PM: a0007006.exe (ID = 133210)
11:44 PM: a0009080.exe (ID = 59402)
11:44 PM: a0009112.exe (ID = 59402)
11:44 PM: a0012183.exe (ID = 133210)
11:44 PM: a0025042.exe (ID = 162574)
11:44 PM: backup-20051107-215837-219.dll (ID = 59389)
11:44 PM: a0026183.dll (ID = 168367)
11:44 PM: a0027221.ocx (ID = 74058)
11:44 PM: a0007035.exe (ID = 133208)
11:44 PM: a0012176.dll (ID = 168367)
11:44 PM: a0028237.exe (ID = 162574)
11:44 PM: a0009123.dll (ID = 59389)
11:44 PM: a0030354.exe (ID = 133208)
11:44 PM: a0001845.dll (ID = 70014)
11:44 PM: a0001827.exe (ID = 162574)
11:44 PM: a0017486.exe (ID = 133208)
11:44 PM: a0030351.exe (ID = 186213)
11:44 PM: a0026157.dll (ID = 168367)
11:44 PM: a0027239.ocx (ID = 74058)
11:44 PM: a0009083.exe (ID = 186213)
11:44 PM: a0000814.exe (ID = 162574)
11:44 PM: a0029303.ocx (ID = 188117)
11:44 PM: a0013410.dll (ID = 59389)
11:44 PM: a0029320.exe (ID = 188122)
11:44 PM: a0029321.exe (ID = 188122)
11:44 PM: a0026057.dll (ID = 133227)
11:44 PM: a0029286.exe (ID = 188217)
11:44 PM: a0005941.exe (ID = 188217)
11:44 PM: a0012184.dll (ID = 70014)
11:44 PM: a0012157.ocx (ID = 74058)
11:44 PM: a0008027.exe (ID = 162574)
11:44 PM: a0001849.dll (ID = 168367)
11:44 PM: a0001904.dll (ID = 59389)
11:44 PM: a0009090.dll (ID = 70014)
11:44 PM: backup-20051108-184034-546.dll (ID = 59389)
11:44 PM: a0012162.exe (ID = 162574)
11:44 PM: a0009089.exe (ID = 133210)
11:44 PM: a0023019.dll (ID = 59389)
11:44 PM: a0026222.exe (ID = 162574)
11:44 PM: a0013278.exe (ID = 162574)
11:44 PM: a0015439.dll (ID = 106574)
11:44 PM: a0001844.exe (ID = 125346)
11:44 PM: a0026070.dll (ID = 59389)
11:44 PM: a0005972.exe (ID = 188122)
11:44 PM: a0001897.exe (ID = 133210)
11:44 PM: a0008048.exe (ID = 59402)
11:44 PM: a0013416.exe (ID = 162574)
11:44 PM: a0029317.exe (ID = 188122)
11:44 PM: a0025043.ocx (ID = 74058)
11:44 PM: backup-20051107-220041-744.dll (ID = 59389)
11:44 PM: a0025035.exe (ID = 188122)
11:44 PM: a0015428.dll (ID = 133227)
11:44 PM: a0020990.exe (ID = 186213)
11:44 PM: a0030353.dll (ID = 59389)
11:44 PM: a0029324.exe (ID = 188122)
11:44 PM: a0001828.ocx (ID = 74058)
11:44 PM: a0001899.dll (ID = 133227)
11:44 PM: a0010147.exe (ID = 186213)
11:44 PM: a0020994.exe (ID = 133210)
11:44 PM: a0005994.exe (ID = 59402)
11:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:45 PM: a0029283.exe (ID = 188217)
11:45 PM: a0018486.exe (ID = 162574)
11:45 PM: a0012186.exe (ID = 125346)
11:45 PM: a0013417.dll (ID = 64043)
11:45 PM: a0029308.exe (ID = 188122)
11:45 PM: a0029314.exe (ID = 188122)
11:45 PM: a0029309.exe (ID = 188122)
11:45 PM: a0029316.exe (ID = 188122)
11:45 PM: a0029310.exe (ID = 188122)
11:45 PM: a0029315.exe (ID = 188122)
11:45 PM: a0029284.exe (ID = 188217)
11:45 PM: a0001865.ocx (ID = 74058)
11:45 PM: a0009129.dll (ID = 168367)
11:45 PM: a0004915.exe (ID = 133208)
11:45 PM: a0008035.dll (ID = 133227)
11:45 PM: a0005923.dll (ID = 133227)
11:45 PM: a0005924.dll (ID = 70014)
11:45 PM: a0005977.exe (ID = 162574)
11:45 PM: a0004916.exe (ID = 186213)
11:45 PM: a0004917.exe (ID = 186212)
11:45 PM: a0004918.ocx (ID = 186211)
11:45 PM: a0004919.exe (ID = 125346)
11:45 PM: a0005926.exe (ID = 133210)
11:45 PM: a0029311.exe (ID = 188122)
11:45 PM: a0029312.exe (ID = 188122)
11:45 PM: a0004912.exe (ID = 162574)
11:45 PM: a0004913.exe (ID = 59402)
11:45 PM: a0011136.dll (ID = 168367)
11:45 PM: a0012185.dll (ID = 133227)
11:45 PM: a0001884.ocx (ID = 74058)
11:45 PM: a0029281.exe (ID = 188217)
11:45 PM: a0029285.exe (ID = 188217)
11:45 PM: a0026037.ocx (ID = 74058)
11:45 PM: a0029318.exe (ID = 188122)
11:45 PM: a0029338.exe (ID = 188122)
11:45 PM: a0029282.exe (ID = 188217)
11:45 PM: a0026224.ocx (ID = 74058)
11:45 PM: a0001861.dll (ID = 168367)
11:45 PM: a0013268.exe (ID = 188122)
11:45 PM: a0015444.exe (ID = 168558)
11:45 PM: a0013267.exe (ID = 188217)
11:45 PM: a0013246.exe (ID = 162574)
11:45 PM: a0013188.dll (ID = 59389)
11:45 PM: mm63.ocx (ID = 74058)
11:45 PM: iemonitor.ocx (ID = 186211)
11:45 PM: data.~ (ID = 188119)
11:45 PM: a0015468.inf (ID = 63590)
11:45 PM: a0015478.inf (ID = 63590)
11:45 PM: a0013436.inf (ID = 63590)
11:45 PM: a0026054.lnk (ID = 59855)
11:45 PM: a0026052.lnk (ID = 59838)
11:45 PM: a0017482.inf (ID = 63590)
11:45 PM: npclntax.xpt (ID = 146238)
11:45 PM: a0019995.inf (ID = 63590)
11:45 PM: a0019001.inf (ID = 63590)
11:45 PM: a0001846.inf (ID = 63590)
11:45 PM: a0001859.inf (ID = 63590)
11:45 PM: a0010145.inf (ID = 63590)
11:45 PM: a0012181.inf (ID = 63590)
11:45 PM: a0012174.inf (ID = 63590)
11:45 PM: a0013260.inf (ID = 63590)
11:45 PM: a0022017.inf (ID = 63590)
11:45 PM: a0021021.inf (ID = 63590)
11:45 PM: a0026136.inf (ID = 63590)
11:45 PM: a0026083.inf (ID = 63590)
11:45 PM: a0025037.inf (ID = 63590)
11:45 PM: a0023037.inf (ID = 63590)
11:45 PM: a0026200.inf (ID = 63590)
11:45 PM: a0026176.inf (ID = 63590)
11:45 PM: a0026219.inf (ID = 63590)
11:45 PM: a0026204.inf (ID = 63590)
11:45 PM: imgiant.inf (ID = 63590)
11:45 PM: a0026171.inf (ID = 63590)
11:45 PM: a0026139.inf (ID = 63590)
11:45 PM: Found System Monitor: potentially rootkit-masked files
11:45 PM: main.exe (ID = 0)
11:45 PM: main.exe-32d80905.pf (ID = 0)
11:45 PM: isa32.sys (ID = 0)
11:46 PM: Warning: Unhandled Archive Type
11:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46 PM: File Sweep Complete, Elapsed Time: 00:05:59
11:46 PM: Full Sweep has completed. Elapsed time 00:08:59
11:46 PM: Traces Found: 827
11:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:50 PM: Removal process initiated
11:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:53 PM: Quarantining All Traces: 180search assistant/zango
11:53 PM: Quarantining All Traces: icannnews
11:53 PM: icannnews is in use. It will be removed on reboot.
11:53 PM: C:\WINDOWS\system32\gp0ql3d51.dll is in use. It will be removed on reboot.
11:53 PM: C:\WINDOWS\system32\rFstls.dll is in use. It will be removed on reboot.
11:53 PM: Quarantining All Traces: look2me
11:53 PM: Quarantining All Traces: potentially rootkit-masked files
11:54 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
11:54 PM: main.exe is in use. It will be removed on reboot.
11:54 PM: Quarantining All Traces: internetoptimizer
11:54 PM: Quarantining All Traces: trojan downloader popuppers
11:54 PM: Quarantining All Traces: 7adpower
11:54 PM: Quarantining All Traces: dollarrevenue
11:54 PM: Quarantining All Traces: e2g
11:54 PM: Quarantining All Traces: effective-i toolbar
11:54 PM: Quarantining All Traces: elitemediagroup-mediamotor
11:55 PM: Quarantining All Traces: imgiant
11:55 PM: Quarantining All Traces: mirar webband
11:55 PM: Quarantining All Traces: targetsaver
11:55 PM: Quarantining All Traces: targetsoft
11:55 PM: Quarantining All Traces: winad
11:55 PM: Quarantining All Traces: 2o7.net cookie
11:55 PM: Quarantining All Traces: advertising cookie
11:55 PM: Quarantining All Traces: atlas dmt cookie
11:55 PM: Quarantining All Traces: azjmp cookie
11:55 PM: Quarantining All Traces: belnk cookie
11:55 PM: Quarantining All Traces: maxserving cookie
11:55 PM: Quarantining All Traces: overture cookie
11:55 PM: Quarantining All Traces: paypopup cookie
11:55 PM: Quarantining All Traces: rn11 cookie
11:55 PM: Quarantining All Traces: ru4 cookie
11:55 PM: Quarantining All Traces: servedby advertising cookie
11:55 PM: Quarantining All Traces: serving-sys cookie
11:55 PM: Quarantining All Traces: starware.com cookie
11:55 PM: Quarantining All Traces: tradedoubler cookie
11:55 PM: Quarantining All Traces: yieldmanager cookie
11:55 PM: Quarantining All Traces: zedo cookie
11:55 PM: Warning: Timed out waiting for explorer.exe
11:56 PM: Warning: Timed out waiting for explorer.exe
11:56 PM: Warning: Timed out waiting for explorer.exe
11:56 PM: Warning: Quarantine process could not restart Explorer.
11:56 PM: Preparing to restart your computer. Please wait...
11:56 PM: Removal process completed. Elapsed time 00:06:03
11:58 PM: Processing Startup Alerts
11:58 PM: Removed Startup entry: mstgr32
********
11:36 PM: | Start of Session, Saturday, November 12, 2005 |
11:36 PM: Spy Sweeper started
11:36 PM: Sweep initiated using definitions version 572
11:36 PM: Starting Memory Sweep
11:37 PM: Sweep Canceled
11:37 PM: Memory Sweep Complete, Elapsed Time: 00:00:16
11:37 PM: Traces Found: 0
11:37 PM: | End of Session, Saturday, November 12, 2005 |
********
11:32 PM: | Start of Session, Saturday, November 12, 2005 |
11:32 PM: Spy Sweeper started
11:35 PM: Your spyware definitions have been updated.
11:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36 PM: | End of Session, Saturday, November 12, 2005 |

the L2MFIX could not be run in normal mode after the restart after spysweeper... this log was taken from safe mode..

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C859AA82-2D9F-997F-A2CD-E7F3ACEFADBD}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C
  • 0

#14
mattfili

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
i noticed not everything pasted. here is the l2mfix log, taken in safemode

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C859AA82-2D9F-997F-A2CD-E7F3ACEFADBD}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{8FF43EAA-2BB1-4A53-8E18-D9221E56E593}"="CePMTab Property Sheet"
"{9ED66769-A198-41FE-8615-601691C68846}"="TouchPad Property Sheet"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{9161303C-C190-446C-995C-55334186BFCC}"=""
"{0A5BD8E9-CCE5-4A20-9365-0707DABA8BC1}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9161303C-C190-446C-995C-55334186BFCC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9161303C-C190-446C-995C-55334186BFCC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9161303C-C190-446C-995C-55334186BFCC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9161303C-C190-446C-995C-55334186BFCC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
g2220c~1.dll Fri Nov 11 2005 6:06:28p ..S.R 234,005 228.52 K
g8040i~1.dll Sat Nov 12 2005 11:33:50p ..S.R 233,816 228.34 K
gve_32.dll Mon Nov 7 2005 5:50:24p A.... 0 0.00 K
ioput.dll Sat Nov 12 2005 11:31:50p ..S.R 233,816 228.34 K
islzma.dll Fri Oct 21 2005 3:50:14p A.... 102,912 100.50 K
j2j6lc~1.dll Fri Nov 11 2005 6:18:30p ..S.R 235,395 229.88 K
l02s0a~1.dll Sat Nov 12 2005 11:20:56p ..S.R 234,536 229.04 K
moisip.dll Sat Nov 12 2005 11:20:56p ..S.R 233,816 228.34 K
mvn6l9~1.dll Sat Nov 12 2005 5:14:04p ..S.R 235,442 229.92 K
px.dll Wed Sep 14 2005 1:17:44p A.... 462,848 452.00 K
pxdrv.dll Wed Sep 14 2005 1:17:44p A.... 319,488 312.00 K
pxmas.dll Wed Sep 14 2005 1:17:44p A.... 143,360 140.00 K
pxwave.dll Wed Sep 14 2005 1:17:44p A.... 286,720 280.00 K
sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
vwajet32.dll Sat Nov 12 2005 5:24:32p ..S.R 233,783 228.30 K
vxblock.dll Wed Sep 14 2005 1:17:44p A.... 28,672 28.00 K
wrlogo~1.dll Mon Oct 24 2005 12:19:50p A.... 492,544 481.00 K
wrlzma.dll Mon Oct 24 2005 12:19:46p A.... 17,920 17.50 K

18 items found: 18 files (8 H/S), 0 directories.
Total of file sizes: 3,847,857 bytes 3.67 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is S3A1519D001
Volume Serial Number is F8F4-FFC8

Directory of C:\WINDOWS\System32

11/12/2005 11:33 PM 233,816 g8040idqe80e0.dll
11/12/2005 11:31 PM 233,816 ioput.dll
11/12/2005 11:20 PM 233,816 moisip.dll
11/12/2005 11:20 PM 234,536 l02s0af7ed2.dll
11/12/2005 05:24 PM 233,783 vwajet32.dll
11/12/2005 05:14 PM 235,442 mvn6l95s1.dll
11/11/2005 06:18 PM 235,395 j2j6lc1s1f.dll
11/11/2005 06:06 PM 234,005 g2220cfoef2c0.dll
11/11/2005 08:40 AM 47,104 SysRes.exe
11/08/2005 09:58 PM 101,376 networknbh.exe
11/06/2005 04:37 AM <DIR> dllcache
12/11/2003 03:46 PM <DIR> Microsoft
10/17/2003 05:34 PM 11,264 Thumbs.db
11 File(s) 2,034,353 bytes
2 Dir(s) 72,201,748,480 bytes free




i also though a hijackthis log may be useful, also taken in safemode.

Logfile of HijackThis v1.99.1
Scan saved at 12:03:14 AM, on 11/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VGATune] VGATune.exe
O4 - HKLM\..\Run: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\Run: [SystemRestore] SysRes.exe
O4 - HKLM\..\Run: [CD-R 64x] disk64x.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [VGATune] VGATune.exe
O4 - HKLM\..\RunServices: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\RunServices: [SystemRestore] SysRes.exe
O4 - HKLM\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VGATune] VGATune.exe
O4 - HKCU\..\Run: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [wmsskp] C:\WINDOWS\System32\wmsskp.exe
O4 - HKCU\..\Run: [SystemRestore] SysRes.exe
O4 - HKCU\..\RunServices: [VGATune] VGATune.exe
O4 - HKCU\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\RunServices: [SystemRestore] SysRes.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe (file missing)
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)
  • 0

#15
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
You're still heavily infected, but we are going to focus our attention on Look2me first. Once we get rid of that it will be much easier to clean up the rest of it.

This new variant of L2M is real nasty.
Please follow these steps.

STEP ONE
Download Pocket Killbox
  • Place it in a folder on your Desktop.
  • Extract Pocket KillBox from the zip file
  • Double-click on Killbox.exe to run the program.
  • At the bottom right of the main screen, click on the arrow to the right of System Process
    • (The area is to the left of the yellow triangle.)
    • Select the following entry: rundll32.exe
    • Now click the yellow triangle to End Task
    • Wait a few seconds, and check again for rundll32.exe, as it may reload!
      If so, End Task once again.
  • Next, select Standard File Kill
    • Highlight the entries below and press the Ctrl and the C key at the same time to copy them to the clipboard:

      C:\WINDOWS\SYSTEM32\g8040idqe80e0.dll
      C:\WINDOWS\SYSTEM32\ioput.dll
      C:\WINDOWS\SYSTEM32\moisip.dll
      C:\WINDOWS\SYSTEM32\l02s0af7ed2.dll
      C:\WINDOWS\SYSTEM32\vwajet32.dll
      C:\WINDOWS\SYSTEM32\mvn6l95s1.dll
      C:\WINDOWS\SYSTEM32\j2j6lc1s1f.dll
      C:\WINDOWS\SYSTEM32\g2220cfoef2c0.dll
      C:\WINDOWS\SYSTEM32\SysRes.exe
      C:\WINDOWS\SYSTEM32\networknbh.exe
      C:\WINDOWS\SYSTEM32\guard.tmp

    • Click on the File menu of Pocket KillBox and select: Paste from Clipboard
    • In the Full Path of File to Delete box you should see the first entry.
    • Use the down arrow to see the rest of the files.
    • Make sure C:\WINDOWS\SYSTEM32\guard.tmp appears on the list.
      • If not, click on the arrow to the right of System Process
      • Once again select the following entry: rundll32.exe
      • Click the yellow triangle to End Task
      • End Task on rundll32.exe until C:\WINDOWS\SYSTEM32\guard.tmp is on the list!
    • Then, highlight the file entries once again and press the Ctrl and the C key at the same time to copy them to the clipboard:
    • Click on the File menu of Pocket KillBox and select: Paste from Clipboard
    • In the Full Path of File to Delete box you should see the first entry.
    • Once again, use the down arrow to see the rest of the files.
      C:\WINDOWS\SYSTEM32\guard.tmp must appear on the list!!
    • Press the button with a red circle and a white X (Delete File button)
    • Click Yes at the confirmation message that files will be deleted on next reboot
    • Click Yes at the request to reboot.
  • If you get an error message at this time, reboot manually.



STEP TWO
As soon as you've rebooted run Spysweeper.
In the interest of time, you can opt to only scan the C:\WINDOWS\SYSTEM32 folder.
Do not reboot your computer once the scan has completed.
Please save the log and post it in your next reply.


STEP THREE
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the desktop icons dont dissappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.



Now we need to review the logs in order to see what we accomplished. Please post the following logs:

Spysweeper log
Hijackthis log
L2MFix Option #1 log

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP