It's happening to me now. [CLOSED]


#1 evisu (Member, 11 posts)
Logfile of HijackThis v1.99.1
Scan saved at 16:15:53, on 14/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DC++\Ad-aware.6.Pro.Built.181.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\SITE_BACKUPS\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000161-0000-0010-8000-00AA00389B71} -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) -
O16 - DPF: {31564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {32564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://81.86.29.25/c...adFile_7000.cab
O20 - Winlogon Notify: Reliability - C:\WINNT\system32\jtr4079qe.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
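A defender-side triage script for the HijackThis log above, added here as an example (it is not part of the thread, nor HijackThis's own code): it parses the O16, O20 and O23 lines and flags the entries a malware helper would question first. The KNOWN_NOTIFY allow-list and the three rules are assumptions chosen for this example, and the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis-style log for the persistence points seen in this thread.

Rules (heuristics assumed for this example, not HijackThis's own logic):
  O20  Winlogon Notify package whose name is not a stock Windows package
       (a DLL loaded into winlogon.exe, which is why scanners cannot open it)
  O16  ActiveX (DPF) download whose URL host is a bare IPv4 address
  O23  service whose binary is reported as "(file missing)"
"""
import re
from typing import NamedTuple

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINNT\\system32\\NeroCheck.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://81.86.29.25/c...adFile_7000.cab
O20 - Winlogon Notify: Reliability - C:\\WINNT\\system32\\jtr4079qe.dll
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\\WINNT\\system32\\r_server.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\\Program Files\\Webroot\\Spy Sweeper\\WRSSSDK.exe
"""


class Finding(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O20"
    reason: str
    line: str


# Winlogon Notify packages that ship with Windows 2000/XP. This is an assumed
# allow-list for the example; build yours from a known-clean reference machine.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^-]+?) - (?P<dll>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))?\s*-\s*(?P<url>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
IPV4_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that match one of the three rules, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            name = m["name"].strip()
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(Finding(
                    "O20",
                    f"Winlogon Notify package {name!r} is not a stock Windows package; "
                    f"it loads {m['dll']} into winlogon.exe at logon",
                    line))
        elif m := O16_RE.match(line):
            if ip := IPV4_URL.match(m["url"]):
                findings.append(Finding(
                    "O16",
                    f"ActiveX control downloaded from a bare IP address {ip.group(1)}",
                    line))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding(
                    "O23",
                    f"service {m['svc']!r} points at a binary that is missing",
                    line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries the rules flag still need a human look (an unusual Notify package can be a legitimate vendor DLL), but they are the lines a helper reads first, as post #2 below goes on to do.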
#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#3 evisu (Topic Starter, Member, 11 posts)
Let go!

L2MFIX find log 1.04a
These are the registry keys present
************************************************** ********************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\jtr4079qe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


************************************************** ********************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B5BAAD29-6DC7-E423-2191-DDBEB6D64E74}"=""

************************************************** ********************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{838DB5D1-0B77-4900-B3BD-5B5F4BAD47FF}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

************************************************** ********************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{838DB5D1-0B77-4900-B3BD-5B5F4BAD47FF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{838DB5D1-0B77-4900-B3BD-5B5F4BAD47FF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{838DB5D1-0B77-4900-B3BD-5B5F4BAD47FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{838DB5D1-0B77-4900-B3BD-5B5F4BAD47FF}\InprocServer32]
@="C:\\WINNT\\system32\\wgi.dll"
"ThreadingModel"="Apartment"

************************************************** ********************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
child.dll Thu 10 Nov 2005 18:53:10 A.... 14,336 14.00 K
fpr403~1.dll Sun 13 Nov 2005 21:35:32 ..S.R 234,473 228.98 K
hpqnnkgo.dll Thu 10 Nov 2005 18:53:02 A.... 36,864 36.00 K
hr8605~1.dll Sat 12 Nov 2005 0:32:20 ..S.R 235,158 229.64 K
islzma.dll Mon 10 Oct 2005 9:30:48 A.... 102,912 100.50 K
j42q0e~1.dll Fri 11 Nov 2005 12:15:40 ..S.R 234,997 229.49 K
jtr407~1.dll Sat 12 Nov 2005 14:25:30 ..S.R 234,970 229.46 K
lncmfhnc.dll Thu 10 Nov 2005 18:53:04 A.... 45,056 44.00 K
mv6sl9~1.dll Sat 12 Nov 2005 0:01:52 ..S.R 236,242 230.70 K
o2ro0c~1.dll Thu 10 Nov 2005 20:39:46 ..S.R 234,664 229.16 K
pncrt.dll Fri 11 Nov 2005 19:23:26 A.... 278,528 272.00 K
pndx5016.dll Thu 20 Oct 2005 11:58:24 A.... 6,656 6.50 K
pndx5032.dll Thu 20 Oct 2005 11:58:24 A.... 5,632 5.50 K
px.dll Sat 27 Aug 2005 23:00:00 A.... 372,736 364.00 K
pxdrv.dll Sat 27 Aug 2005 23:00:00 A.... 421,888 412.00 K
pxmas.dll Sat 27 Aug 2005 23:00:00 A.... 172,032 168.00 K
pxwave.dll Sat 27 Aug 2005 23:00:00 A.... 339,968 332.00 K
pxwma.dll Sat 27 Aug 2005 23:00:00 A.... 151,552 148.00 K
rmoc3260.dll Thu 20 Oct 2005 11:58:46 A.... 176,167 172.04 K
s288lc~1.dll Mon 14 Nov 2005 0:50:24 ..S.R 236,852 231.30 K
vxblock.dll Sat 27 Aug 2005 23:00:00 A.... 28,672 28.00 K
wgi.dll Mon 14 Nov 2005 0:50:24 ..S.R 234,970 229.46 K
wrlogo~1.dll Tue 11 Oct 2005 9:19:50 A.... 492,032 480.50 K
wrlzma.dll Tue 11 Oct 2005 9:19:46 A.... 17,920 17.50 K

24 items found: 24 files (8 H/S), 0 directories.
Total of file sizes: 4,545,277 bytes 4.33 M
Locate .tmp files:

No matches found.
************************************************** ********************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 78A6-6A39

Directory of C:\WINNT\System32

14/11/2005 18:01 <DIR> dllcache
14/11/2005 00:50 234,970 wgi.dll
14/11/2005 00:50 236,852 s288lclu1fq8.dll
13/11/2005 21:35 234,473 fpr4039qe.dll
12/11/2005 14:25 234,970 jtr4079qe.dll
12/11/2005 00:32 235,158 hr8605lse.dll
12/11/2005 00:01 236,242 mv6sl9j71.dll
11/11/2005 12:15 234,997 j42q0ef5eh2.dll
10/11/2005 20:39 234,664 o2ro0c93ef.dll
25/10/2005 08:42 5 AuxDrv32ds_d.ods
25/10/2005 07:14 5 AuxDrv32ds_k.ods
05/05/1999 18:14 200,704 THREED32.OCX
26/03/1999 00:00 101,888 VB6STKIT.DLL
12 File(s) 2,184,928 bytes
1 Dir(s) 3,232,813,056 bytes free

#4 Buckeye_Sam (Malware Expert, 10,019 posts)
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If, after the reboot, the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.

#5 evisu (Topic Starter, Member, 11 posts)
Ok, the desktop icons didn't disappear or the log did not pop up. I ran the second.bat file. The screen went blank in a flash. string.exe crashed twice. The screen then went blank with only the cursor. I ran c:\WINNT\explorer.exe from the task manager New Task control to get back the explorer. Here is the log below.

C:\SITE_BACKUPS\l2mfix

Running From:
C:\SITE_BACKUPS\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 156 'smss.exe'
Error 0x6 : The handle is invalid.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 204 'winlogon.exe'
Error 0x6 : The handle is invalid.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 872 'explorer.exe'
Killing PID 872 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 128 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
zip warning: name not matched: *.dll

zip error: Nothing to do! (backup.zip)
zip warning: name not matched: *.tmp

zip error: Nothing to do! (backup.zip)
updating: clear.reg (92 bytes security) (deflated 21%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
updating: flag.txt (92 bytes security) (stored 0%)
updating: lo2.txt (92 bytes security) (deflated 66%)
updating: readme.txt (92 bytes security) (deflated 52%)
updating: report.txt (92 bytes security) (deflated 62%)
updating: test.txt (92 bytes security) (stored 0%)
updating: test2.txt (92 bytes security) (stored 0%)
updating: test3.txt (92 bytes security) (stored 0%)
updating: test5.txt (92 bytes security) (stored 0%)
adding: log.txt (92 bytes security) (deflated 79%)
updating: backregs/838DB5D1-0B77-4900-B3BD-5B5F4BAD47FF.reg (92 bytes security) (deflated 70%)
updating: backregs/notibac.reg (92 bytes security) (deflated 85%)
updating: backregs/shell.reg (92 bytes security) (deflated 74%)
adding: backregs/D38F5AB0-77B2-426B-92F2-478D5AAE5915.reg (92 bytes security) (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Warning (option /rga:(IO)) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\k4no0e53eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D38F5AB0-77B2-426B-92F2-478D5AAE5915}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D38F5AB0-77B2-426B-92F2-478D5AAE5915}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


#6 Buckeye_Sam (Malware Expert, 10,019 posts)
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Also post a new log from L2Mfix option #1.

#7 evisu (Topic Starter, Member, 11 posts)
********
16:00: |··· Start of Session, 16 November 2005 ···|
16:00: Spy Sweeper started
16:00: Sweep initiated using definitions version 573
16:02: Starting Memory Sweep
16:04: Warning: Failed to check file "C:\WINNT\system32\k4no0e53eh.dll". Cannot open file "C:\WINNT\system32\k4no0e53eh.dll". The process cannot access the file because it is being used by another process
16:07: Warning: Failed to check file "C:\WINNT\system32\mlwstr10.dll". Cannot open file "C:\WINNT\system32\mlwstr10.dll". The process cannot access the file because it is being used by another process
16:08: Warning: Failed to check file "C:\WINNT\system32\mlwstr10.dll". Cannot open file "C:\WINNT\system32\mlwstr10.dll". The process cannot access the file because it is being used by another process
16:08: Found Trojan Horse: trojan-backdoor-superbgirlz
16:08: Detected running threat: C:\WINNT\system32\child.dll (ID = 183971)
16:12: Memory Sweep Complete, Elapsed Time: 00:09:43
16:12: Starting Registry Sweep
16:12: Found Trojan Horse: spamrelayer_alpiok
16:12: HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 608255)
16:12: HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 609144)
16:12: Found Trojan Horse: trojan-phisher-egold
16:12: HKCR\clsid\{2368d1fc-2f5c-4f1b-b124-e67214fc78e2}\ (3 subtraces) (ID = 888957)
16:12: HKLM\software\classes\clsid\{2368d1fc-2f5c-4f1b-b124-e67214fc78e2}\ (3 subtraces) (ID = 888962)
16:12: HKU\S-1-5-21-1757981266-813497703-854245398-500\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
16:12: Registry Sweep Complete, Elapsed Time:00:00:44
16:12: Starting Cookie Sweep
16:12: Found Spy Cookie: 888 cookie
16:12: administrator@888[1].txt (ID = 2020)
16:12: Found Spy Cookie: yieldmanager cookie
16:12: administrator@ad.yieldmanager[1].txt (ID = 3751)
16:12: Found Spy Cookie: hbmediapro cookie
16:12: administrator@adopt.hbmediapro[2].txt (ID = 2768)
16:12: Found Spy Cookie: cassava cookie
16:12: administrator@cassava[1].txt (ID = 2363)
16:12: Found Spy Cookie: paypopup cookie
16:12: administrator@paypopup[2].txt (ID = 3120)
16:12: Found Spy Cookie: realmedia cookie
16:12: administrator@realmedia[1].txt (ID = 3236)
16:12: Found Spy Cookie: rn11 cookie
16:12: administrator@rn11[2].txt (ID = 3262)
16:12: Found Spy Cookie: xiti cookie
16:12: administrator@xiti[1].txt (ID = 3718)
16:12: Cookie Sweep Complete, Elapsed Time: 00:00:01
16:12: Starting File Sweep
16:13: Warning: Failed to read file "c:\dc++\\--rozne--\orbital - 03 - the box.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\101-mooi-sway-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\03 new sector movement - the sun.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\cassius - au reve\09 - how do you see me now - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Found Adware: wefed
16:13: tool4.exe (ID = 184810)
16:13: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\05 phuturistix - 551 blues.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\10 danny byrd - changes (yukihiro fukutomi mix).mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\205-moments_of_soul-delicious-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\102-late_night_alumni-beautiful-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\cassius - au reve\07 - protection - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\203-lydia_rhodes-dreams-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\211-fac15-twisted_by_the_pool-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\109-playgroup-pressure-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\102-charles_webster-ready-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\202-the_rurals-sweet-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\09 gorodish - a time to listen.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\02 sequel ft shoany white - why.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\cassius - au reve\11 - barroco - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\103-slovo-killing_me-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\208-physics-deny_my_love_(full_vocal_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\cassius - au reve\01 - hi water - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\204-solu-the_way_i_feel-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\105-a_man_called_adam-no_distance-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\105-afterlife-cry_(brown_bear_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: lncmfhnc.dll (ID = 183982)
16:14: rtf32.exe (ID = 184968)
16:14: Found Adware: coolwebsearch (cws)
16:14: paytime.exe (ID = 183553)
16:15: Found Trojan Horse: trojan-backdoor-us15info
16:15: countrydial.exe (ID = 183857)
16:15: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\108-rupeski-dreaming_about_tomorrow-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\14 modern jazz quartet.mp3". System Error. Code: 2.
The system cannot find the file specified
16:15: Found Adware: effective-i toolbar
16:15: 84665271-738d-4366-80fb-f88139 (ID = 106574)
16:15: hpqnnkgo.dll (ID = 182718)
16:15: Warning: Failed to read file "c:\dc++\\salomé de bahia - theme from rio.mp3". System Error. Code: 2.
The system cannot find the file specified
16:15: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\206-mr_o-whats_on_your_mind_(main_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\04 loopoets - the foolosopher.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\101-fenomenon-cant_they_be_good-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\104-bonnie_bailey-2_little_2_late-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\massive_attack-spying_glass_(habersham_mix)-promo-2004-delta\01-massive_attack-spying_glass_(habersham_mix)-delta.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\cassius - au reve\13 - au rêve - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\06 raz ohara - reality (gush collective mix).mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\110-soulstice-all_right-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\207-mahogany_people-heart_of_mine-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\111-black_science_orchestra-soul_weekender_mix-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Found Trojan Horse: trojan-backdoor-zubox
16:16: tool1.exe (ID = 149671)
16:16: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\01 the beatfreaks - jazzflex.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\07 david martin - flow chart.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\201-onda_music-happiness_is_free-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:17: Warning: Failed to read file "c:\winnt\system32\mlwstr10.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
16:17: Warning: Failed to read file "c:\program files\bitcomet\downloads\busty babe hardcore [bleep]ing\". System Error. Code: 3.
The system cannot find the path specified
16:18: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\103-abraham-magpie_(morgan_geist_remix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:18: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\106-goldfrapp-forever-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:18: Warning: Failed to read file "c:\program files\bitcomet\downloads\busty babe hardcore [bleep]ing\". System Error. Code: 3.
The system cannot find the path specified
16:19: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\108-kinobe-slowmotion-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: Warning: Failed to read file "c:\dc++\\cassius - au reve\04 - telephone - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\209-los_ladrones-las_luces_del_norte_(dave_warren_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: Found Adware: look2me
16:19: bw2.com.tcf (ID = 65721)
16:19: Warning: Failed to read file "c:\dc++\\cassius - au reve\02 - the sound of violence - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: Warning: Failed to read file "c:\dc++\\cassius - au reve\06 - im a woman feat. jocelyn brown - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: c55bad1e-4fa7-410a-b74f-e0a4ec (ID = 59843)
16:19: Warning: Failed to read file "c:\dc++\\cassius - au reve\12 - on - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:20: Warning: Failed to read file "c:\dc++\\the sunburst band - until the end of time\thumbs.db". System Error. Code: 3.
The system cannot find the path specified
16:20: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\08 matthew boone and tokee - solo in carbonid.mp3". System Error. Code: 3.
The system cannot find the path specified
16:20: Warning: Failed to read file "c:\dc++\\--rozne--\orbital - 04 - the box.mp3". System Error. Code: 3.
The system cannot find the path specified
16:20: Warning: Failed to read file "c:\dc++\\cassius - au reve\08 - till we got you and me - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\dc++\\cassius - au reve\10 - nothing - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\dc++\\cassius - au reve\05 - thrilla feat. ghostface killah - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: child.dll (ID = 183971)
16:21: Warning: Failed to read file "c:\dc++\\miguel migs\109-miguel_migs-movin_on_(delightful_dub)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\dc++\\cassius - au reve\03 - under influence - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\winnt\system32\k4no0e53eh.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
16:21: Warning: Failed to read file "c:\winnt\system32\fp0s03d7e.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
16:21: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\106-miguel_migs-seacruise-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\dc++\\tiefschwarz - acid soul.mp3". System Error. Code: 2.
The system cannot find the file specified
16:22: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\210-ad_finem-if_you_fall_(chilled_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:22: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\107-crazy_penis-mind_wide_open-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:22: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\104-shakedown-at_night_(afterlife_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:22: 4e6b61a3-9f7f-4d17-ad42-b91363 (ID = 59855)
16:22: 22f33e36-d66c-4b40-93f7-1f98f1 (ID = 59838)
16:22: File Sweep Complete, Elapsed Time: 00:09:55
16:22: Full Sweep has completed. Elapsed time 00:21:58
16:22: Traces Found: 42
16:23: Removal process initiated
16:26: Quarantining All Traces: trojan-backdoor-superbgirlz
16:26: Quarantining All Traces: spamrelayer_alpiok
16:26: Quarantining All Traces: trojan-phisher-egold
16:26: Quarantining All Traces: 888 cookie
16:26: Quarantining All Traces: yieldmanager cookie
16:26: Quarantining All Traces: hbmediapro cookie
16:26: Quarantining All Traces: cassava cookie
16:26: Quarantining All Traces: paypopup cookie
16:26: Quarantining All Traces: realmedia cookie
16:26: Quarantining All Traces: rn11 cookie
16:26: Quarantining All Traces: xiti cookie
16:26: Quarantining All Traces: wefed
16:26: Quarantining All Traces: coolwebsearch (cws)
16:27: Quarantining All Traces: trojan-backdoor-us15info
16:27: Quarantining All Traces: effective-i toolbar
16:27: Quarantining All Traces: trojan-backdoor-zubox
16:27: Quarantining All Traces: look2me
16:27: Removal process completed. Elapsed time 00:04:21
********
15:53: |··· Start of Session, 16 November 2005 ···|
15:53: Spy Sweeper started
15:56: Your spyware definitions have been updated.
16:00: |··· End of Session, 16 November 2005 ···|
********
16:00: |··· Start of Session, 16 November 2005 ···|
16:00: Spy Sweeper started
16:00: Sweep initiated using definitions version 573
16:02: Starting Memory Sweep
16:04: Warning: Failed to check file "C:\WINNT\system32\k4no0e53eh.dll". Cannot open file "C:\WINNT\system32\k4no0e53eh.dll". The process cannot access the file because it is being used by another process
16:07: Warning: Failed to check file "C:\WINNT\system32\mlwstr10.dll". Cannot open file "C:\WINNT\system32\mlwstr10.dll". The process cannot access the file because it is being used by another process
16:08: Warning: Failed to check file "C:\WINNT\system32\mlwstr10.dll". Cannot open file "C:\WINNT\system32\mlwstr10.dll". The process cannot access the file because it is being used by another process
16:08: Found Trojan Horse: trojan-backdoor-superbgirlz
16:08: Detected running threat: C:\WINNT\system32\child.dll (ID = 183971)
16:12: Memory Sweep Complete, Elapsed Time: 00:09:43
16:12: Starting Registry Sweep
16:12: Found Trojan Horse: spamrelayer_alpiok
16:12: HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 608255)
16:12: HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 609144)
16:12: Found Trojan Horse: trojan-phisher-egold
16:12: HKCR\clsid\{2368d1fc-2f5c-4f1b-b124-e67214fc78e2}\ (3 subtraces) (ID = 888957)
16:12: HKLM\software\classes\clsid\{2368d1fc-2f5c-4f1b-b124-e67214fc78e2}\ (3 subtraces) (ID = 888962)
16:12: HKU\S-1-5-21-1757981266-813497703-854245398-500\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
16:12: Registry Sweep Complete, Elapsed Time:00:00:44
16:12: Starting Cookie Sweep
16:12: Found Spy Cookie: 888 cookie
16:12: administrator@888[1].txt (ID = 2020)
16:12: Found Spy Cookie: yieldmanager cookie
16:12: administrator@ad.yieldmanager[1].txt (ID = 3751)
16:12: Found Spy Cookie: hbmediapro cookie
16:12: administrator@adopt.hbmediapro[2].txt (ID = 2768)
16:12: Found Spy Cookie: cassava cookie
16:12: administrator@cassava[1].txt (ID = 2363)
16:12: Found Spy Cookie: paypopup cookie
16:12: administrator@paypopup[2].txt (ID = 3120)
16:12: Found Spy Cookie: realmedia cookie
16:12: administrator@realmedia[1].txt (ID = 3236)
16:12: Found Spy Cookie: rn11 cookie
16:12: administrator@rn11[2].txt (ID = 3262)
16:12: Found Spy Cookie: xiti cookie
16:12: administrator@xiti[1].txt (ID = 3718)
16:12: Cookie Sweep Complete, Elapsed Time: 00:00:01
16:12: Starting File Sweep
16:13: Warning: Failed to read file "c:\dc++\\--rozne--\orbital - 03 - the box.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\101-mooi-sway-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\03 new sector movement - the sun.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\cassius - au reve\09 - how do you see me now - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Found Adware: wefed
16:13: tool4.exe (ID = 184810)
16:13: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\05 phuturistix - 551 blues.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\10 danny byrd - changes (yukihiro fukutomi mix).mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\205-moments_of_soul-delicious-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\102-late_night_alumni-beautiful-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\cassius - au reve\07 - protection - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\203-lydia_rhodes-dreams-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:13: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\211-fac15-twisted_by_the_pool-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\109-playgroup-pressure-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\102-charles_webster-ready-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\202-the_rurals-sweet-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\09 gorodish - a time to listen.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\02 sequel ft shoany white - why.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\cassius - au reve\11 - barroco - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\103-slovo-killing_me-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\208-physics-deny_my_love_(full_vocal_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\cassius - au reve\01 - hi water - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\204-solu-the_way_i_feel-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\105-a_man_called_adam-no_distance-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\105-afterlife-cry_(brown_bear_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:14: lncmfhnc.dll (ID = 183982)
16:14: rtf32.exe (ID = 184968)
16:14: Found Adware: coolwebsearch (cws)
16:14: paytime.exe (ID = 183553)
16:15: Found Trojan Horse: trojan-backdoor-us15info
16:15: countrydial.exe (ID = 183857)
16:15: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\108-rupeski-dreaming_about_tomorrow-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\14 modern jazz quartet.mp3". System Error. Code: 2.
The system cannot find the file specified
16:15: Found Adware: effective-i toolbar
16:15: 84665271-738d-4366-80fb-f88139 (ID = 106574)
16:15: hpqnnkgo.dll (ID = 182718)
16:15: Warning: Failed to read file "c:\dc++\\salomé de bahia - theme from rio.mp3". System Error. Code: 2.
The system cannot find the file specified
16:15: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\206-mr_o-whats_on_your_mind_(main_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\04 loopoets - the foolosopher.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\101-fenomenon-cant_they_be_good-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\104-bonnie_bailey-2_little_2_late-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:15: Warning: Failed to read file "c:\dc++\\massive_attack-spying_glass_(habersham_mix)-promo-2004-delta\01-massive_attack-spying_glass_(habersham_mix)-delta.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\cassius - au reve\13 - au rêve - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\06 raz ohara - reality (gush collective mix).mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\110-soulstice-all_right-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\207-mahogany_people-heart_of_mine-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\111-black_science_orchestra-soul_weekender_mix-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Found Trojan Horse: trojan-backdoor-zubox
16:16: tool1.exe (ID = 149671)
16:16: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\01 the beatfreaks - jazzflex.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\07 david martin - flow chart.mp3". System Error. Code: 3.
The system cannot find the path specified
16:16: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\201-onda_music-happiness_is_free-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:17: Warning: Failed to read file "c:\winnt\system32\mlwstr10.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
16:17: Warning: Failed to read file "c:\program files\bitcomet\downloads\busty babe hardcore [bleep]ing\". System Error. Code: 3.
The system cannot find the path specified
16:18: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\103-abraham-magpie_(morgan_geist_remix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:18: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\106-goldfrapp-forever-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:18: Warning: Failed to read file "c:\program files\bitcomet\downloads\busty babe hardcore [bleep]ing\". System Error. Code: 3.
The system cannot find the path specified
16:19: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\108-kinobe-slowmotion-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: Warning: Failed to read file "c:\dc++\\cassius - au reve\04 - telephone - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\209-los_ladrones-las_luces_del_norte_(dave_warren_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: Found Adware: look2me
16:19: bw2.com.tcf (ID = 65721)
16:19: Warning: Failed to read file "c:\dc++\\cassius - au reve\02 - the sound of violence - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: Warning: Failed to read file "c:\dc++\\cassius - au reve\06 - im a woman feat. jocelyn brown - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:19: c55bad1e-4fa7-410a-b74f-e0a4ec (ID = 59843)
16:19: Warning: Failed to read file "c:\dc++\\cassius - au reve\12 - on - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:20: Warning: Failed to read file "c:\dc++\\the sunburst band - until the end of time\thumbs.db". System Error. Code: 3.
The system cannot find the path specified
16:20: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\08 matthew boone and tokee - solo in carbonid.mp3". System Error. Code: 3.
The system cannot find the path specified
16:20: Warning: Failed to read file "c:\dc++\\--rozne--\orbital - 04 - the box.mp3". System Error. Code: 3.
The system cannot find the path specified
16:20: Warning: Failed to read file "c:\dc++\\cassius - au reve\08 - till we got you and me - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\dc++\\cassius - au reve\10 - nothing - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\dc++\\cassius - au reve\05 - thrilla feat. ghostface killah - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: child.dll (ID = 183971)
16:21: Warning: Failed to read file "c:\dc++\\miguel migs\109-miguel_migs-movin_on_(delightful_dub)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\dc++\\cassius - au reve\03 - under influence - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\winnt\system32\k4no0e53eh.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
16:21: Warning: Failed to read file "c:\winnt\system32\fp0s03d7e.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
16:21: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\106-miguel_migs-seacruise-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:21: Warning: Failed to read file "c:\dc++\\tiefschwarz - acid soul.mp3". System Error. Code: 2.
The system cannot find the file specified
16:22: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\210-ad_finem-if_you_fall_(chilled_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:22: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\107-crazy_penis-mind_wide_open-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:22: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\104-shakedown-at_night_(afterlife_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
16:22: 4e6b61a3-9f7f-4d17-ad42-b91363 (ID = 59855)
16:22: 22f33e36-d66c-4b40-93f7-1f98f1 (ID = 59838)
16:22: File Sweep Complete, Elapsed Time: 00:09:55
16:22: Full Sweep has completed. Elapsed time 00:21:58
16:22: Traces Found: 42
16:23: Removal process initiated
16:26: Quarantining All Traces: trojan-backdoor-superbgirlz
16:26: Quarantining All Traces: spamrelayer_alpiok
16:26: Quarantining All Traces: trojan-phisher-egold
16:26: Quarantining All Traces: 888 cookie
16:26: Quarantining All Traces: yieldmanager cookie
16:26: Quarantining All Traces: hbmediapro cookie
16:26: Quarantining All Traces: cassava cookie
16:26: Quarantining All Traces: paypopup cookie
16:26: Quarantining All Traces: realmedia cookie
16:26: Quarantining All Traces: rn11 cookie
16:26: Quarantining All Traces: xiti cookie
16:26: Quarantining All Traces: wefed
16:26: Quarantining All Traces: coolwebsearch (cws)
16:27: Quarantining All Traces: trojan-backdoor-us15info
16:27: Quarantining All Traces: effective-i toolbar
16:27: Quarantining All Traces: trojan-backdoor-zubox
16:27: Quarantining All Traces: look2me
16:27: Removal process completed. Elapsed time 00:04:21
16:33: Warning: Failed to check file "C:\WINNT\system32\k4no0e53eh.dll". Cannot open file "C:\WINNT\system32\k4no0e53eh.dll". The process cannot access the file because it is being used by another process
16:33: Warning: Failed to check file "C:\WINNT\system32\mlwstr10.dll". Cannot open file "C:\WINNT\system32\mlwstr10.dll". The process cannot access the file because it is being used by another process
********
15:53: |··· Start of Session, 16 November 2005 ···|
15:53: Spy Sweeper started
15:56: Your spyware definitions have been updated.
16:00: |··· End of Session, 16 November 2005 ···|

#8
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
We're going to have to roll up our sleeves and get rough with this one. Please post a new log from l2mfix option #1 so that I can get an updated list of the bad files.

#9
evisu

    Member

  • Topic Starter
  • Member
  • 11 posts
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\e6202gfmg62a2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B5BAAD29-6DC7-E423-2191-DDBEB6D64E74}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\InprocServer32]
@="C:\\WINNT\\system32\\ctodm.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
bszip.dll Wed 16 Nov 2005 10:36:44 A.... 62,464 61.00 K
ctodm.dll Wed 16 Nov 2005 17:26:08 ..S.R 234,970 229.46 K
e6202g~1.dll Wed 16 Nov 2005 16:46:30 ..S.R 234,970 229.46 K
fpr403~1.dll Sun 13 Nov 2005 21:35:32 ..S.R 234,473 228.98 K
hr8605~1.dll Sat 12 Nov 2005 0:32:20 ..S.R 235,158 229.64 K
j42q0e~1.dll Fri 11 Nov 2005 12:15:40 ..S.R 234,997 229.49 K
ktlsl7~1.dll Wed 16 Nov 2005 17:21:10 ..S.R 234,970 229.46 K
mv6sl9~1.dll Sat 12 Nov 2005 0:01:52 ..S.R 236,242 230.70 K
mvpql9~1.dll Tue 15 Nov 2005 17:38:36 ..S.R 236,549 231.00 K
o2ro0c~1.dll Thu 10 Nov 2005 20:39:46 ..S.R 234,664 229.16 K
pncrt.dll Fri 11 Nov 2005 19:23:26 A.... 278,528 272.00 K
pndx5016.dll Thu 20 Oct 2005 11:58:24 A.... 6,656 6.50 K
pndx5032.dll Thu 20 Oct 2005 11:58:24 A.... 5,632 5.50 K
px.dll Sat 27 Aug 2005 23:00:00 A.... 372,736 364.00 K
pxdrv.dll Sat 27 Aug 2005 23:00:00 A.... 421,888 412.00 K
pxmas.dll Sat 27 Aug 2005 23:00:00 A.... 172,032 168.00 K
pxwave.dll Sat 27 Aug 2005 23:00:00 A.... 339,968 332.00 K
pxwma.dll Sat 27 Aug 2005 23:00:00 A.... 151,552 148.00 K
rmoc3260.dll Thu 20 Oct 2005 11:58:46 A.... 176,167 172.04 K
szrialui.dll Tue 15 Nov 2005 17:38:38 ..S.R 234,970 229.46 K
vxblock.dll Sat 27 Aug 2005 23:00:00 A.... 28,672 28.00 K

21 items found: 21 files (10 H/S), 0 directories.
Total of file sizes: 4,368,258 bytes 4.16 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 78A6-6A39

Directory of C:\WINNT\System32

16/11/2005 17:27 <DIR> ..
16/11/2005 17:27 <DIR> .
16/11/2005 17:26 234,970 ctodm.dll
16/11/2005 17:21 234,970 ktlsl7371.dll
16/11/2005 16:46 234,970 e6202gfmg62a2.dll
15/11/2005 17:38 234,970 szrialui.dll
15/11/2005 17:38 236,549 mvpql9751.dll
14/11/2005 18:01 <DIR> dllcache
13/11/2005 21:35 234,473 fpr4039qe.dll
12/11/2005 00:32 235,158 hr8605lse.dll
12/11/2005 00:01 236,242 mv6sl9j71.dll
11/11/2005 12:15 234,997 j42q0ef5eh2.dll
10/11/2005 20:39 234,664 o2ro0c93ef.dll
25/10/2005 08:42 5 AuxDrv32ds_d.ods
25/10/2005 07:14 5 AuxDrv32ds_k.ods
05/05/1999 18:14 200,704 THREED32.OCX
26/03/1999 00:00 101,888 VB6STKIT.DLL
14 File(s) 2,654,565 bytes
3 Dir(s) 2,288,553,984 bytes free
  • 0
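The L2MFix output above mixes the interesting entries (a Winlogon\Notify DllName and a CLSID InprocServer32 pointing at randomly named DLLs in System32, several of them flagged with the system attribute and sharing one exact size) with dozens of legitimate shell extensions and files. The script below is an added example, not part of L2MFix, Spy Sweeper or any tool used in this thread: it parses a constructed excerpt modelled on the log posted above and lists the review candidates a helper would look at first. The heuristics (flag anything loaded from Winlogon\Notify or an InprocServer32 default value, flag files whose attribute column shows `S`, group those by size) and the meaning assigned to the five-character attribute column are assumptions of this example.

```python
"""Triage an L2MFix-style report (added example; not the tool's own code)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the L2MFix option #1 output in the thread,
# trimmed to a few lines.
L2MFIX_LOG = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\e6202gfmg62a2.dll"
"Logon"="WinLogon"

**********************************************************************************
HKEY ROOT CLASSIDS:
[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\InprocServer32]
@="C:\\WINNT\\system32\\ctodm.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
bszip.dll Wed 16 Nov 2005 10:36:44 A.... 62,464 61.00 K
ctodm.dll Wed 16 Nov 2005 17:26:08 ..S.R 234,970 229.46 K
e6202g~1.dll Wed 16 Nov 2005 16:46:30 ..S.R 234,970 229.46 K
pncrt.dll Fri 11 Nov 2005 19:23:26 A.... 278,528 272.00 K
szrialui.dll Tue 15 Nov 2005 17:38:38 ..S.R 234,970 229.46 K
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(\w+)"|(@))="(.*)"$')
# name  Wkd DD Mon YYYY hh:mm:ss  FLAGS  bytes  human-size
FILE_RE = re.compile(
    r"^(\S+)\s+[A-Za-z]{3} \d{1,2} [A-Za-z]{3} \d{4} \d{1,2}:\d{2}:\d{2}\s+"
    r"([A-Z.]{5})\s+([\d,]+)\s+"
)


@dataclass(frozen=True)
class FileEntry:
    name: str
    flags: str   # five-character attribute column as printed by the tool
    size: int    # bytes


def basename(path: str) -> str:
    """File name from a .reg-style path (backslashes are doubled in .reg files)."""
    return re.split(r"\\+", path)[-1]


def parse_loader_paths(text: str) -> list[str]:
    """DLLs Windows would load at logon according to the exported keys:
    DllName under Winlogon\\Notify and the default value of a CLSID InprocServer32."""
    found, key = [], ""
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()      # track the key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = (m.group(1) or m.group(2)), m.group(3)
        if name == "DllName" and r"winlogon\notify" in key:
            found.append(basename(value))
        elif name == "@" and key.endswith("inprocserver32") and value.lower().endswith(".dll"):
            found.append(basename(value))
    return found


def parse_file_listing(text: str) -> list[FileEntry]:
    """Rows of the 'Files Found' table; other log lines do not match FILE_RE."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            entries.append(FileEntry(m.group(1), m.group(2), int(m.group(3).replace(",", ""))))
    return entries


def triage(text: str) -> dict:
    """Review candidates only; as the log itself says, listed files are not all bad."""
    files = parse_file_listing(text)
    # Assumed column semantics: 'S' marks the system attribute, which the
    # ordinary third-party DLLs in this listing ("A....") do not carry.
    system_flagged = [f for f in files if "S" in f.flags]
    sizes = Counter(f.size for f in system_flagged)
    return {
        "loaders": parse_loader_paths(text),
        "system_flagged": [f.name for f in system_flagged],
        # several files with one exact byte size hint that they are copies of each other
        "size_clusters": {size: n for size, n in sizes.items() if n >= 2},
    }


if __name__ == "__main__":
    for label, value in triage(L2MFIX_LOG).items():
        print(f"{label}: {value}")
```

Run against the excerpt it reports the two loader DLLs, the three system-attribute files and one size cluster of three files at 234,970 bytes, which is the same picture the helper derived by hand in the next post. Note that the "Files Found" table prints 8.3 short names (e6202g~1.dll) while the registry export and the directory listing use long names, so matching loaders to files has to go through the directory listing or the size cluster rather than a plain name comparison.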

#10
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
This new variant of L2M is real nasty.
Please follow these steps.

STEP ONE
Download Pocket Killbox
  • Place it in a folder on your Desktop.
  • Extract Pocket KillBox from the zip file
  • Double-click on Killbox.exe to run the program.
  • At the bottom right of the main screen, click on the arrow to the right of System Process
    • (The area is to the left of the yellow triangle.)
    • Select the following entry: rundll32.exe
    • Now click the yellow triangle to End Task
    • Wait a few seconds, and check again for rundll32.exe, as it may reload!
      If so, End Task once again.
  • Next, select Standard File Kill
    • Highlight the entries below and press the Ctrl and the C key at the same time to copy them to the clipboard:

      C:\WINNT\system32\e6202gfmg62a2.dll
      C:\WINNT\system32\ctodm.dll
      C:\WINNT\system32\szrialui.dll
      C:\WINNT\system32\mvpql9751.dll
      C:\WINNT\system32\fpr4039qe.dll
      C:\WINNT\system32\hr8605lse.dll
      C:\WINNT\system32\mv6sl9j71.dll
      C:\WINNT\system32\j42q0ef5eh2.dll
      C:\WINNT\system32\o2ro0c93ef.dll
      C:\WINNT\system32\guard.tmp

    • Click on the File menu of Pocket KillBox and select: Paste from Clipboard
    • In the Full Path of File to Delete box you should see the first entry.
    • Use the down arrow to see the rest of the files.
    • Press the button with a red circle and a white X (Delete File button)
    • Click Yes at the confirmation message that files will be deleted on next reboot
    • Click Yes at the request to reboot.
  • If you get an error message at this time, reboot manually.


STEP TWO
Run Spysweeper.
In the interest of time, you can opt to only scan the C:\WINNT\System32 folder.
Do not reboot your computer once the scan has completed.
Please save the log and post it in your next reply.


STEP THREE
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double-click the second.bat file to continue with the fix.



Now we need to review the logs in order to see what we accomplished. Please post the following logs:

Spysweeper log
Hijackthis log
L2MFix Option #1 log

  • 0

#11
evisu

evisu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Spysweeper log. Sorry, could not find the option to specify a particular scan area. Thanks for your help BTW.

********
09:44: |··· Start of Session, 17 November 2005 ···|
09:44: Spy Sweeper started
09:44: Sweep initiated using definitions version 573
09:44: Found Adware: look2me
09:44: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\syncmgr\ || dllname (ID = 129987)
09:44: ktlsl7371.dll (ID = 129987)
09:45: Starting Memory Sweep
09:46: Warning: Failed to check file "C:\WINNT\system32\ktlsl7371.dll". Cannot open file "C:\WINNT\system32\ktlsl7371.dll". The process cannot access the file because it is being used by another process
09:48: Warning: Failed to check file "C:\WINNT\system32\iqq.dll". Cannot open file "C:\WINNT\system32\iqq.dll". The process cannot access the file because it is being used by another process
09:50: Memory Sweep Complete, Elapsed Time: 00:05:12
09:50: Starting Registry Sweep
09:50: Registry Sweep Complete, Elapsed Time:00:00:31
09:50: Starting Cookie Sweep
09:50: Cookie Sweep Complete, Elapsed Time: 00:00:00
09:51: Starting File Sweep
09:51: Warning: Failed to read file "c:\dc++\\--rozne--\orbital - 03 - the box.mp3". System Error. Code: 3.
The system cannot find the path specified
09:51: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\101-mooi-sway-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:51: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\03 new sector movement - the sun.mp3". System Error. Code: 3.
The system cannot find the path specified
09:51: Warning: Failed to read file "c:\dc++\\cassius - au reve\09 - how do you see me now - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:51: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\05 phuturistix - 551 blues.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\10 danny byrd - changes (yukihiro fukutomi mix).mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\205-moments_of_soul-delicious-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\102-late_night_alumni-beautiful-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\cassius - au reve\07 - protection - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\203-lydia_rhodes-dreams-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\211-fac15-twisted_by_the_pool-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\109-playgroup-pressure-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\102-charles_webster-ready-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\202-the_rurals-sweet-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\09 gorodish - a time to listen.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\02 sequel ft shoany white - why.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\cassius - au reve\11 - barroco - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\103-slovo-killing_me-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\208-physics-deny_my_love_(full_vocal_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\cassius - au reve\01 - hi water - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\204-solu-the_way_i_feel-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\105-a_man_called_adam-no_distance-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:52: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\105-afterlife-cry_(brown_bear_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:53: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\108-rupeski-dreaming_about_tomorrow-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:53: Warning: Failed to read file "c:\dc++\\14 modern jazz quartet.mp3". System Error. Code: 2.
The system cannot find the file specified
09:53: Warning: Failed to read file "c:\dc++\\salomé de bahia - theme from rio.mp3". System Error. Code: 2.
The system cannot find the file specified
09:54: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\206-mr_o-whats_on_your_mind_(main_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:54: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\04 loopoets - the foolosopher.mp3". System Error. Code: 3.
The system cannot find the path specified
09:54: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\101-fenomenon-cant_they_be_good-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:54: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\104-bonnie_bailey-2_little_2_late-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:54: Warning: Failed to read file "c:\dc++\\massive_attack-spying_glass_(habersham_mix)-promo-2004-delta\01-massive_attack-spying_glass_(habersham_mix)-delta.mp3". System Error. Code: 3.
The system cannot find the path specified
09:54: Warning: Failed to read file "c:\dc++\\cassius - au reve\13 - au rêve - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:54: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\06 raz ohara - reality (gush collective mix).mp3". System Error. Code: 3.
The system cannot find the path specified
09:54: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\110-soulstice-all_right-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:54: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\207-mahogany_people-heart_of_mine-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:55: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\111-black_science_orchestra-soul_weekender_mix-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:55: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\01 the beatfreaks - jazzflex.mp3". System Error. Code: 3.
The system cannot find the path specified
09:55: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\07 david martin - flow chart.mp3". System Error. Code: 3.
The system cannot find the path specified
09:55: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\201-onda_music-happiness_is_free-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:55: Warning: Failed to read file "c:\winnt\system32\gplol3331.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
09:55: Warning: Failed to read file "c:\winnt\system32\iqq.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
09:55: Warning: Failed to read file "c:\program files\bitcomet\downloads\busty babe hardcore [bleep]ing\". System Error. Code: 3.
The system cannot find the path specified
09:57: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\103-abraham-magpie_(morgan_geist_remix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:57: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\106-goldfrapp-forever-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:57: Warning: Failed to read file "c:\program files\bitcomet\downloads\busty babe hardcore [bleep]ing\". System Error. Code: 3.
The system cannot find the path specified
09:57: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\108-kinobe-slowmotion-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:57: Warning: Failed to read file "c:\winnt\system32\ktlsl7371.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
09:57: Warning: Failed to read file "c:\dc++\\cassius - au reve\04 - telephone - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:57: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\209-los_ladrones-las_luces_del_norte_(dave_warren_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
09:58: Warning: Failed to read file "c:\dc++\\cassius - au reve\02 - the sound of violence - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:58: Warning: Failed to read file "c:\dc++\\cassius - au reve\06 - im a woman feat. jocelyn brown - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:58: Warning: Failed to read file "c:\dc++\\cassius - au reve\12 - on - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
09:59: Warning: Failed to read file "c:\dc++\\the sunburst band - until the end of time\thumbs.db". System Error. Code: 3.
The system cannot find the path specified
09:59: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\08 matthew boone and tokee - solo in carbonid.mp3". System Error. Code: 3.
The system cannot find the path specified
09:59: Warning: Failed to read file "c:\dc++\\--rozne--\orbital - 04 - the box.mp3". System Error. Code: 3.
The system cannot find the path specified
09:59: Warning: Failed to read file "c:\dc++\\cassius - au reve\08 - till we got you and me - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
10:00: Warning: Failed to read file "c:\dc++\\cassius - au reve\10 - nothing - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
10:00: Warning: Failed to read file "c:\dc++\\cassius - au reve\05 - thrilla feat. ghostface killah - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
10:01: Warning: Failed to read file "c:\dc++\\miguel migs\109-miguel_migs-movin_on_(delightful_dub)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
10:01: Warning: Failed to read file "c:\dc++\\cassius - au reve\03 - under influence - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
10:01: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\106-miguel_migs-seacruise-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
10:01: Warning: Failed to read file "c:\dc++\\tiefschwarz - acid soul.mp3". System Error. Code: 2.
The system cannot find the file specified
10:01: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\210-ad_finem-if_you_fall_(chilled_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
10:01: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\107-crazy_penis-mind_wide_open-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
10:02: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\104-shakedown-at_night_(afterlife_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
10:02: File Sweep Complete, Elapsed Time: 00:11:28
10:02: Full Sweep has completed. Elapsed time 00:18:23
10:02: Traces Found: 2
10:16: Quarantining All Traces: look2me
10:16: An error occurred during quarantine:
10:16: Cannot open file "C:\WINNT\system32\ktlsl7371.dll". The process cannot access the file because it is being used by another process
********
17:04: |··· Start of Session, 16 November 2005 ···|
17:04: Spy Sweeper started
17:04: Sweep initiated using definitions version 573
17:05: Starting Memory Sweep
17:06: Warning: Failed to check file "C:\WINNT\system32\fp0s03d7e.dll". Cannot open file "C:\WINNT\system32\fp0s03d7e.dll". The process cannot access the file because it is being used by another process
17:07: Warning: Failed to check file "C:\WINNT\system32\czvfat.dll". Cannot open file "C:\WINNT\system32\czvfat.dll". The process cannot access the file because it is being used by another process
17:08: Warning: Failed to check file "C:\WINNT\system32\czvfat.dll". Cannot open file "C:\WINNT\system32\czvfat.dll". The process cannot access the file because it is being used by another process
17:08: Memory Sweep Complete, Elapsed Time: 00:03:03
17:08: Starting Registry Sweep
17:08: Registry Sweep Complete, Elapsed Time:00:00:22
17:08: Starting Cookie Sweep
17:08: Cookie Sweep Complete, Elapsed Time: 00:00:00
17:08: Starting File Sweep
17:09: Warning: Failed to read file "c:\dc++\\--rozne--\orbital - 03 - the box.mp3". System Error. Code: 3.
The system cannot find the path specified
17:09: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\101-mooi-sway-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:09: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\03 new sector movement - the sun.mp3". System Error. Code: 3.
The system cannot find the path specified
17:09: Warning: Failed to read file "c:\dc++\\cassius - au reve\09 - how do you see me now - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:09: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\05 phuturistix - 551 blues.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\10 danny byrd - changes (yukihiro fukutomi mix).mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\205-moments_of_soul-delicious-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\102-late_night_alumni-beautiful-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\cassius - au reve\07 - protection - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\203-lydia_rhodes-dreams-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\211-fac15-twisted_by_the_pool-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\winnt\system32\e6202gfmg62a2.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\109-playgroup-pressure-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\102-charles_webster-ready-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\202-the_rurals-sweet-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\09 gorodish - a time to listen.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\02 sequel ft shoany white - why.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\cassius - au reve\11 - barroco - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\103-slovo-killing_me-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\208-physics-deny_my_love_(full_vocal_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\cassius - au reve\01 - hi water - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\204-solu-the_way_i_feel-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\105-a_man_called_adam-no_distance-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:10: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\105-afterlife-cry_(brown_bear_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:11: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\108-rupeski-dreaming_about_tomorrow-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:11: Warning: Failed to read file "c:\dc++\\14 modern jazz quartet.mp3". System Error. Code: 2.
The system cannot find the file specified
17:11: Warning: Failed to read file "c:\dc++\\salomé de bahia - theme from rio.mp3". System Error. Code: 2.
The system cannot find the file specified
17:11: Warning: Failed to read file "c:\winnt\system32\czvfat.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
17:11: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\206-mr_o-whats_on_your_mind_(main_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:11: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\04 loopoets - the foolosopher.mp3". System Error. Code: 3.
The system cannot find the path specified
17:11: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\101-fenomenon-cant_they_be_good-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:11: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\104-bonnie_bailey-2_little_2_late-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:11: Warning: Failed to read file "c:\dc++\\massive_attack-spying_glass_(habersham_mix)-promo-2004-delta\01-massive_attack-spying_glass_(habersham_mix)-delta.mp3". System Error. Code: 3.
The system cannot find the path specified
17:12: Warning: Failed to read file "c:\dc++\\cassius - au reve\13 - au rêve - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:12: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\06 raz ohara - reality (gush collective mix).mp3". System Error. Code: 3.
The system cannot find the path specified
17:12: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\110-soulstice-all_right-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:12: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\207-mahogany_people-heart_of_mine-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:12: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\111-black_science_orchestra-soul_weekender_mix-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:12: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\01 the beatfreaks - jazzflex.mp3". System Error. Code: 3.
The system cannot find the path specified
17:12: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\07 david martin - flow chart.mp3". System Error. Code: 3.
The system cannot find the path specified
17:12: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\201-onda_music-happiness_is_free-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:13: Warning: Failed to read file "c:\program files\bitcomet\downloads\busty babe hardcore [bleep]ing\". System Error. Code: 3.
The system cannot find the path specified
17:14: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\103-abraham-magpie_(morgan_geist_remix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:14: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\106-goldfrapp-forever-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:14: Warning: Failed to read file "c:\program files\bitcomet\downloads\busty babe hardcore [bleep]ing\". System Error. Code: 3.
The system cannot find the path specified
17:15: Warning: Failed to read file "c:\dc++\\hed kandi\va-hed_kandi_presents_winterchill_0603-2cd-2004-rns\108-kinobe-slowmotion-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:15: Warning: Failed to read file "c:\dc++\\cassius - au reve\04 - telephone - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:15: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\209-los_ladrones-las_luces_del_norte_(dave_warren_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:15: Warning: Failed to read file "c:\dc++\\cassius - au reve\02 - the sound of violence - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:15: Warning: Failed to read file "c:\dc++\\cassius - au reve\06 - im a woman feat. jocelyn brown - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:15: Warning: Failed to read file "c:\dc++\\cassius - au reve\12 - on - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:16: Warning: Failed to read file "c:\dc++\\the sunburst band - until the end of time\thumbs.db". System Error. Code: 3.
The system cannot find the path specified
17:16: Warning: Failed to read file "c:\dc++\\nu jazz - volume 2\cd2\08 matthew boone and tokee - solo in carbonid.mp3". System Error. Code: 3.
The system cannot find the path specified
17:16: Warning: Failed to read file "c:\dc++\\--rozne--\orbital - 04 - the box.mp3". System Error. Code: 3.
The system cannot find the path specified
17:16: Warning: Failed to read file "c:\dc++\\cassius - au reve\08 - till we got you and me - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:17: Warning: Failed to read file "c:\dc++\\cassius - au reve\10 - nothing - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:17: Warning: Failed to read file "c:\dc++\\cassius - au reve\05 - thrilla feat. ghostface killah - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:17: Warning: Failed to read file "c:\dc++\\miguel migs\109-miguel_migs-movin_on_(delightful_dub)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:17: Warning: Failed to read file "c:\dc++\\cassius - au reve\03 - under influence - simplemp3s.mp3". System Error. Code: 3.
The system cannot find the path specified
17:17: Warning: Failed to read file "c:\winnt\system32\fp0s03d7e.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
17:17: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\106-miguel_migs-seacruise-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:17: Warning: Failed to read file "c:\dc++\\tiefschwarz - acid soul.mp3". System Error. Code: 2.
The system cannot find the file specified
17:18: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd2\210-ad_finem-if_you_fall_(chilled_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:18: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\107-crazy_penis-mind_wide_open-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:18: Warning: Failed to read file "c:\dc++\\hed kandi\hed kandi - es vive ibiza\cd1\104-shakedown-at_night_(afterlife_mix)-rns.mp3". System Error. Code: 3.
The system cannot find the path specified
17:18: File Sweep Complete, Elapsed Time: 00:09:25
17:18: Full Sweep has completed. Elapsed time 00:13:53
17:18: Traces Found: 0
17:32: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
17:32: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:32: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:37: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
17:37: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:37: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:42: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
17:42: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:42: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:47: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
17:47: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:47: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:52: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
17:52: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:52: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:57: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
17:57: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
17:57: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:03: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:03: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:03: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:08: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:08: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:08: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:13: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:13: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:13: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:18: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:18: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:18: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:23: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:23: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:23: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:29: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:34: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:34: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:34: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:39: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:39: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:39: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:44: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:45: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:45: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:50: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:50: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:50: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:55: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
18:55: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
18:55: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:00: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:00: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:00: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:05: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:05: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:05: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:10: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:10: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:10: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:16: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:16: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:16: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:21: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:21: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:21: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:26: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:26: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:26: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:31: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:31: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:31: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:36: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:36: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:36: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:42: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:42: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:42: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:47: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:47: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:47: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:52: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:52: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:52: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:57: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
19:57: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
19:57: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:02: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:02: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:02: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:06: Processing Internet Explorer Favorites Alerts
20:06: Allowed IE Favorite: Welcome to Qmusic..
20:07: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:07: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:07: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:12: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:12: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:12: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:17: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:17: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:17: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:22: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:22: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:22: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:27: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:27: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:27: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:33: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:33: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:33: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:38: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:38: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:38: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:43: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:43: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:43: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:48: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:48: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:48: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:53: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:53: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:53: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:58: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
20:58: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
20:58: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
21:03: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
21:03: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
21:03: Warning: Failed to check file "C:\WINNT\system32\ctodm.dll". Cannot open file "C:\WINNT\system32\ctodm.dll". The process cannot access the file because it is being used by another process
21:08: Warning: Failed to check file "C:\WINNT\system32\e6202gfmg62a2.dll". Cannot open file "C:\WINNT\system32\e6202gfmg62a2.dll". The process cannot access the file because it is being used by another process
21:09: Warning: Failed t

Edited by evisu, 17 November 2005 - 04:22 AM.

#12 evisu (Member, Topic Starter, 11 posts)
Logfile of HijackThis v1.99.1
Scan saved at 10:23:32, on 17/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware SE Enterprise 2005\aaserver.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\SITE_BACKUPS\killbox\KillBox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\SITE_BACKUPS\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000161-0000-0010-8000-00AA00389B71} -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) -
O16 - DPF: {31564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {32564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://81.86.29.25/c...adFile_7000.cab
O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\ktlsl7371.dll
O23 - Service: Ad-Axis Server - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware SE Enterprise 2005\aaserver.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
#13 evisu (Member, Topic Starter, 11 posts)
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\ktlsl7371.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2E733AEF-2E92-8274-4E6C-EB9B6EEC495B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{A3E09769-A807-4ADB-89EE-61A10A70C599}"=""
"{06549E7F-07DA-4765-9344-DB633932A484}"=""
"{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\InprocServer32]
@="C:\\WINNT\\system32\\ctodm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}\InprocServer32]
@="C:\\WINNT\\system32\\iqq.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
bszip.dll Wed 16 Nov 2005 10:36:44 A.... 62,464 61.00 K
gplol3~1.dll Thu 17 Nov 2005 9:31:14 ..S.R 234,970 229.46 K
iqq.dll Thu 17 Nov 2005 9:36:30 ..... 234,970 229.46 K
ktlsl7~1.dll Wed 16 Nov 2005 17:21:10 ..... 234,970 229.46 K
pncrt.dll Fri 11 Nov 2005 19:23:26 A.... 278,528 272.00 K
pndx5016.dll Thu 20 Oct 2005 11:58:24 A.... 6,656 6.50 K
pndx5032.dll Thu 20 Oct 2005 11:58:24 A.... 5,632 5.50 K
px.dll Sat 27 Aug 2005 23:00:00 A.... 372,736 364.00 K
pxdrv.dll Sat 27 Aug 2005 23:00:00 A.... 421,888 412.00 K
pxmas.dll Sat 27 Aug 2005 23:00:00 A.... 172,032 168.00 K
pxwave.dll Sat 27 Aug 2005 23:00:00 A.... 339,968 332.00 K
pxwma.dll Sat 27 Aug 2005 23:00:00 A.... 151,552 148.00 K
rmoc3260.dll Thu 20 Oct 2005 11:58:46 A.... 176,167 172.04 K
vxblock.dll Sat 27 Aug 2005 23:00:00 A.... 28,672 28.00 K

14 items found: 14 files (1 H/S), 0 directories.
Total of file sizes: 2,721,205 bytes 2.59 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Thu 17 Nov 2005 9:42:32 ..S.R 234,970 229.46 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 234,970 bytes 229.46 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 78A6-6A39

Directory of C:\WINNT\System32

17/11/2005 09:42 <DIR> ..
17/11/2005 09:42 <DIR> .
17/11/2005 09:42 234,970 guard.tmp
17/11/2005 09:31 234,970 gplol3331.dll
14/11/2005 18:01 <DIR> dllcache
25/10/2005 08:42 5 AuxDrv32ds_d.ods
25/10/2005 07:14 5 AuxDrv32ds_k.ods
05/05/1999 18:14 200,704 THREED32.OCX
26/03/1999 00:00 101,888 VB6STKIT.DLL
6 File(s) 772,542 bytes
3 Dir(s) 2,716,770,304 bytes free
#14 Buckeye_Sam (Malware Expert, 10,019 posts)
Let's try something else.
  • Double-click on Killbox.exe to run the program.
  • At the bottom right of the main screen, click on the arrow to the right of System Process
    • (The area is to the left of the yellow triangle.)
    • Select the following entry: rundll32.exe
    • Now click the yellow triangle to End Task
    • Wait a few seconds, and check again for rundll32.exe, as it may reload!
      If so, End Task once again.
  • Next, select Standard File Kill
    • Highlight the entries below and press the Ctrl and the C key at the same time to copy them to the clipboard:

      C:\WINNT\system32\ktlsl7371.dll
      C:\WINNT\system32\ctodm.dll
      C:\WINNT\system32\iqq.dll
      C:\WINNT\system32\bszip.dll
      C:\WINNT\system32\gplol3331.dll
      C:\WINNT\system32\guard.tmp

    • Click on the File menu of Pocket KillBox and select: Paste from Clipboard
    • In the Full Path of File to Delete box you should see the first entry.
    • Use the down arrow to see the rest of the files.
    • Make sure C:\WINNT\System32\guard.tmp appears on the list.
      • If not, click on the arrow to the right of System Process
      • Once again select the following entry: rundll32.exe
      • Click the yellow triangle to End Task
      • End Task on rundll32.exe until C:\WINNT\SYSTEM32\guard.tmp is on the list!
    • Then, highlight the file entries once again and press the Ctrl and the C key at the same time to copy them to the clipboard:
    • Click on the File menu of Pocket KillBox and select: Paste from Clipboard
    • In the Full Path of File to Delete box you should see the first entry.
    • Once again, use the down arrow to see the rest of the files.
      C:\WINNT\System32\guard.tmp must appear on the list!!
    • Press the button with a red circle and a white X (Delete File button)
    • Click Yes at the confirmation message that files will be deleted on next reboot
    • Click Yes at the request to reboot.
  • If you get an error message at this time, reboot manually.
Please post a new log from L2MFix - option #1.
#15 evisu (Member, Topic Starter, 11 posts)
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\i2240cfqef2e0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2E733AEF-2E92-8274-4E6C-EB9B6EEC495B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{A3E09769-A807-4ADB-89EE-61A10A70C599}"=""
"{06549E7F-07DA-4765-9344-DB633932A484}"=""
"{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\InprocServer32]
@="C:\\WINNT\\system32\\ctodm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}\InprocServer32]
@="C:\\WINNT\\system32\\wpnrnr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
gp44l3~1.dll Thu 17 Nov 2005 20:39:42 ..S.R 234,970 229.46 K
i2240c~1.dll Thu 17 Nov 2005 12:20:22 ..S.R 234,970 229.46 K
pncrt.dll Fri 11 Nov 2005 19:23:26 A.... 278,528 272.00 K
pndx5016.dll Thu 20 Oct 2005 11:58:24 A.... 6,656 6.50 K
pndx5032.dll Thu 20 Oct 2005 11:58:24 A.... 5,632 5.50 K
px.dll Sat 27 Aug 2005 23:00:00 A.... 372,736 364.00 K
pxdrv.dll Sat 27 Aug 2005 23:00:00 A.... 421,888 412.00 K
pxmas.dll Sat 27 Aug 2005 23:00:00 A.... 172,032 168.00 K
pxwave.dll Sat 27 Aug 2005 23:00:00 A.... 339,968 332.00 K
pxwma.dll Sat 27 Aug 2005 23:00:00 A.... 151,552 148.00 K
rmoc3260.dll Thu 20 Oct 2005 11:58:46 A.... 176,167 172.04 K
vxblock.dll Sat 27 Aug 2005 23:00:00 A.... 28,672 28.00 K
wpnrnr.dll Thu 17 Nov 2005 20:43:20 ..... 234,970 229.46 K

13 items found: 13 files (2 H/S), 0 directories.
Total of file sizes: 2,658,741 bytes 2.54 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Thu 17 Nov 2005 20:44:20 ..S.R 234,970 229.46 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 234,970 bytes 229.46 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 78A6-6A39

Directory of C:\WINNT\System32

17/11/2005 20:48 <DIR> ..
17/11/2005 20:48 <DIR> .
17/11/2005 20:44 234,970 guard.tmp
17/11/2005 20:39 234,970 gp44l3hq1.dll
17/11/2005 18:40 <DIR> dllcache
17/11/2005 12:20 234,970 i2240cfqef2e0.dll
25/10/2005 08:42 5 AuxDrv32ds_d.ods
25/10/2005 07:14 5 AuxDrv32ds_k.ods
05/05/1999 18:14 200,704 THREED32.OCX
26/03/1999 00:00 101,888 VB6STKIT.DLL
7 File(s) 1,007,512 bytes
3 Dir(s) 2,483,957,760 bytes free
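Added example, not part of the original post or of the l2mfix tool whose output is shown above: a small parser that reads the two pieces of that log a helper actually looks at (the HKEY_CLASSES_ROOT\CLSID exports and the "Files Found" listing) and flags the pattern visible there, namely InprocServer32 values pointing at a .tmp file or at DLLs that share one exact byte size under several random names. The sample input is copied from the posted log (short 8.3 names such as gp44l3~1.dll appear exactly as l2mfix printed them). The heuristics, the threshold of three same-sized files, the library-extension list and the reading of the attribute column's "S" as the system flag are the editor's assumptions, not anything l2mfix itself does.

```python
"""Flag suspicious COM in-process servers in an l2mfix-style log (editor's added example)."""
import re
from collections import Counter

# Sample input copied from the posted log: the InprocServer32 keys of the four
# unnamed CLSIDs and a subset of the "Files Found" lines. Embedded so this runs offline.
REG_EXPORT = r'''
[HKEY_CLASSES_ROOT\CLSID\{C10E5D2D-DBF5-4D41-8CC4-A8CBDC3CBE78}\InprocServer32]
@="C:\\WINNT\\system32\\ctodm.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A3E09769-A807-4ADB-89EE-61A10A70C599}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{06549E7F-07DA-4765-9344-DB633932A484}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{DF26B34C-A41E-47E9-81A6-AF8A9EC6A163}\InprocServer32]
@="C:\\WINNT\\system32\\wpnrnr.dll"
"ThreadingModel"="Apartment"
'''

FILE_LISTING = '''
gp44l3~1.dll Thu 17 Nov 2005 20:39:42 ..S.R 234,970 229.46 K
i2240c~1.dll Thu 17 Nov 2005 12:20:22 ..S.R 234,970 229.46 K
pncrt.dll Fri 11 Nov 2005 19:23:26 A.... 278,528 272.00 K
px.dll Sat 27 Aug 2005 23:00:00 A.... 372,736 364.00 K
pxdrv.dll Sat 27 Aug 2005 23:00:00 A.... 421,888 412.00 K
wpnrnr.dll Thu 17 Nov 2005 20:43:20 ..... 234,970 229.46 K
guard.tmp Thu 17 Nov 2005 20:44:20 ..S.R 234,970 229.46 K
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$')
VALUE_RE = re.compile(r'^@="(.*)"$')
# name, weekday, day, month, year, time, five-character attribute column, byte size with commas
LISTING_RE = re.compile(r'^(\S+)\s+\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+[\d:]{8}\s+(\S{5})\s+([\d,]+)\s')

LIBRARY_EXTENSIONS = {'.dll', '.ocx', '.ax', '.cpl'}  # assumption: what a real in-proc server should be
CLUSTER_MIN = 3  # assumption: this many files of one exact size = one payload copied under several names


def parse_inproc_servers(reg_text):
    """Map each CLSID in a .reg export to the path named by its InprocServer32 default value."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            continue
        value = VALUE_RE.match(line)
        if value and current:
            servers[current] = value.group(1).replace('\\\\', '\\')  # undo .reg backslash escaping
            current = None
    return servers


def parse_file_listing(listing_text):
    """Parse l2mfix file lines into (lower-cased name, attribute flags, size in bytes)."""
    files = []
    for line in listing_text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            name, attrs, size = m.groups()
            files.append((name.lower(), attrs, int(size.replace(',', ''))))
    return files


def assess(reg_text, listing_text):
    """Return (flagged, unverified): flagged maps CLSID -> reasons, unverified lists CLSIDs
    whose target file is absent from the listing (renamed or already removed), so nothing
    beyond the extension could be checked for them."""
    servers = parse_inproc_servers(reg_text)
    files = parse_file_listing(listing_text)
    by_name = {name: (attrs, size) for name, attrs, size in files}
    size_counts = Counter(size for _, _, size in files)
    flagged, unverified = {}, []
    for clsid, path in servers.items():
        name = path.rsplit('\\', 1)[-1].lower()
        ext = name[name.rfind('.'):] if '.' in name else ''
        reasons = []
        if ext not in LIBRARY_EXTENSIONS:
            reasons.append(f'InprocServer32 points at a non-library file ({ext or "no extension"})')
        if name not in by_name:
            unverified.append(clsid)
        else:
            attrs, size = by_name[name]
            if 'S' in attrs:  # assumption: S in the attribute column is the system attribute
                reasons.append('target carries the system attribute')
            if size_counts[size] >= CLUSTER_MIN:
                reasons.append(f'size {size} shared by {size_counts[size]} files in the listing')
        if reasons:
            flagged[clsid] = reasons
    return flagged, unverified


def size_siblings(reg_text, listing_text):
    """Listing files that share a clustered size but are referenced by no CLSID: likely spare copies."""
    referenced = {p.rsplit('\\', 1)[-1].lower() for p in parse_inproc_servers(reg_text).values()}
    files = parse_file_listing(listing_text)
    size_counts = Counter(size for _, _, size in files)
    return sorted(name for name, _, size in files
                  if size_counts[size] >= CLUSTER_MIN and name not in referenced)


if __name__ == '__main__':
    flagged, unverified = assess(REG_EXPORT, FILE_LISTING)
    for clsid, reasons in flagged.items():
        print(clsid)
        for reason in reasons:
            print('   -', reason)
    print('target not in listing (renamed or gone?):', ', '.join(unverified))
    print('unreferenced files sharing a flagged size:', ', '.join(size_siblings(REG_EXPORT, FILE_LISTING)))
```

On the posted log this flags the two guard.tmp CLSIDs on all three counts and the wpnrnr.dll CLSID on the shared size alone, reports the ctodm.dll CLSID as unverifiable because that file is not in the listing, and names gp44l3~1.dll and i2240c~1.dll as the unreferenced copies of the same 234,970-byte file. Those are exactly the entries a helper would target, so the check reproduces the manual reading of the log rather than replacing it.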