Malware Infection [RESOLVED]


  • This topic is locked

#1
MLeaper

    Member

  • Member
  • PipPip
  • 21 posts
I have downloaded and ran Adware SE, Spybot S&D, CWShredder, Ewido and Trojan Hunter. All have removed items, but the items return after reboot. I have also booted into safe mode and run all the programs, but all items return after reboot.

Thanks in advance for any assistance.

Logfile of HijackThis v1.99.1
Scan saved at 9:03:43 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\HijackThis\HijackThis.exe
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133393680968
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\o0480ahued480.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\irlol5331.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2lyc3Rlbg\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0


#2
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi MLeaper and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

A. First, you appear to be running 2 copies of HijackThis from your desktop.

Please DELETE one of them, for we can't afford to have you running one at one time and the other at another time, because we need all the backups in the same place for recovery purposes if required.


B. You have the latest version of Look2Me/VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts.
  • Then open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat
  • Select option #1 for Run Find Log by typing "1" and then pressing ENTER.
  • This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
  • Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to "C:\windows\system32\cmd.exe,
C:\windows\system32\autoexec.nt, the system file is not suitable for running ms-dos and microsoft windows applications",
  • choose close to terminate the application.
  • Then please use option 5 or the web page link in the l2mfix folder to solve this error condition.
Do not run the fix portion without fixing this first.

Regards,

Trevuren

  • 0

#3
MLeaper

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I got rid of the second copy of Hijackthis.

L2MFIX find log 120305
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o0480ahued480.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irlol5331.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AF350416-C7AB-E378-AB1B-090419CEB03D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{16FF4B46-69C1-11D2-93ED-0080ADA686BB}"="Saitek Gaming Extensions"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="America Online"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{E0E2DF96-EEDB-4A3D-B072-27F54D6C3242}"=""
"{BED0A6D7-E276-4517-A040-DFDB57E92C11}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}\InprocServer32]
@="C:\\WINDOWS\\system32\\crrtmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}\InprocServer32]
@="C:\\WINDOWS\\system32\\hhzlnt07.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
hhzlnt07.dll Sat Dec 3 2005 1:52:32p ..S.R 234,395 228.90 K
crrtmgr.dll Sat Dec 3 2005 8:56:20p ..... 233,915 228.43 K
irlol5~1.dll Sat Dec 3 2005 5:32:56p ..S.R 233,915 228.43 K
mshtml.dll Tue Oct 4 2005 5:26:00p A.... 3,015,168 2.88 M
k8440i~1.dll Sat Dec 3 2005 5:38:04p ..S.R 236,168 230.63 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K
o0480a~1.dll Fri Nov 25 2005 12:17:20p ..S.R 0 0.00 K
gwfspi~1.dll Fri Nov 4 2005 4:27:18p A.... 23,304 22.76 K
legitc~1.dll Fri Nov 4 2005 4:27:24p A.... 534,280 521.76 K
gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K
gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M

14 items found: 14 files (4 H/S), 0 directories.
Total of file sizes: 15,649,841 bytes 14.92 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
__dele~1.tmp Sat Dec 3 2005 9:01:24p A.... 233,915 228.43 K

1 item found: 1 file, 0 directories.
Total of file sizes: 233,915 bytes 228.43 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 1052-B046

Directory of C:\WINDOWS\System32

12/03/2005 05:38 PM 236,168 k8440ihqe84e0.dll
12/03/2005 05:32 PM 233,915 irlol5331.dll
12/03/2005 01:52 PM 234,395 hhzlnt07.dll
11/25/2005 12:17 PM 0 o0480ahued480.dll
08/04/2004 03:56 AM 11,776 regsvr32.exe
08/04/2004 03:56 AM 343,040 msvcrt.dll
08/04/2004 03:56 AM 54,784 msvcirt.dll
08/04/2004 03:56 AM 413,696 msvcp60.dll
08/04/2004 03:56 AM 1,028,096 mfc42.dll
06/01/2002 07:04 PM <DIR> Microsoft
09/08/2001 10:55 AM <DIR> dllcache
09/30/1999 07:21 PM 166,672 mstext35.dll
09/28/1999 09:42 PM 1,050,896 msjet35.dll
09/09/1999 10:06 PM 168,720 msltus35.dll
09/09/1999 10:06 PM 252,688 msexcl35.dll
08/25/1999 02:57 PM 415,504 msrepl35.dll
06/10/1999 09:34 AM 24,848 msjter35.dll
06/10/1999 09:34 AM 123,664 msjint35.dll
06/07/1999 06:59 PM 250,128 mspdox35.dll
04/25/1999 05:00 PM 252,176 Msrd2x35.dll
04/25/1999 05:00 PM 287,504 Msxbse35.dll
19 File(s) 5,548,670 bytes
2 Dir(s) 22,985,867,264 bytes free
  • 0
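
The Winlogon/notify section of the find log above can be triaged mechanically. The following is an added example, not part of the original thread and not L2mfix's own code: it parses a `.reg` export of the `Winlogon\Notify` key, decodes `hex(2)` values, and lists the subkeys whose DLL is outside a baseline. The function names are hypothetical, and the baseline is an assumption built from the DLL names in this log other than the two that HijackThis's O20 lines reported.

```python
import re

NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
                 r"\CurrentVersion\Winlogon\Notify" + "\\")

# Assumption: baseline taken from the notify DLLs in this thread's log that
# the O20 lines did not report. Adjust for the system being examined.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "sclgntfy.dll", "wlnotify.dll"}

# Constructed sample: a trimmed excerpt in the same format as the find log
# (values copied from that log, most subkeys and values omitted).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o0480ahued480.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"DllName"="C:\\WINDOWS\\system32\\irlol5331.dll"
'''


def join_continuations(text):
    """Long hex values wrap with a trailing backslash; rejoin them."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def decode_value(raw):
    """Decode a quoted string or a hex(2) (REG_EXPAND_SZ) value to text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # .reg files escape backslashes and quotes inside strings.
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    match = re.match(r"hex\(2\):(.*)$", raw)
    if match:
        data = bytes.fromhex(match.group(1).replace(",", "").strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword and other types are returned unchanged


def parse_notify_dlls(export_text):
    """Return {notify subkey: DLL} from a Winlogon\\Notify export."""
    dlls = {}
    subkey = None
    for line in join_continuations(export_text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                subkey = key[len(NOTIFY_PREFIX):]
            else:
                subkey = None
            continue
        match = re.match(r'"([^"]+)"=(.*)$', line)
        # The log spells the value both "DllName" and "DLLName".
        if subkey and match and match.group(1).lower() == "dllname":
            dlls[subkey] = decode_value(match.group(2))
    return dlls


def triage(dlls):
    """List (subkey, dll, reason) for entries that need a closer look."""
    findings = []
    for subkey, dll in sorted(dlls.items()):
        directory, _, name = dll.rpartition("\\")
        if name.lower() not in BASELINE_DLLS:
            findings.append((subkey, dll, "DLL not in baseline"))
        elif directory:
            findings.append((subkey, dll, "baseline name with explicit path"))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in triage(parse_notify_dlls(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll} ({reason})")
```

A finding here is only a prompt to inspect the file and its registration; the baseline has to match the Windows build being checked.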

#4
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop
  • Double click l2mfix.bat
  • Select option #2 for Run Fix by typing "2" and then pressing ENTER. It will process, then start.
  • Your desktop and icons will disappear (this is normal).
  • L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
  • Press any key to reboot.
  • After the reboot, notepad will open with a log.
  • Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix fold

Regards,

Trevuren

  • 0

#5
MLeaper

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Popups seem to have stopped. Let me know if I need to do anything else. Thanks a bunch.

L2mfix Beta 120305
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 596 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 740 'winlogon.exe'
Killing PID 740 'winlogon.exe'
Killing PID 740 'winlogon.exe'
Killing PID 740 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 720 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\crrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hhzlnt07.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irlol5331.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k8440ihqe84e0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\crrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\crrtmgr.dll
deleting: C:\WINDOWS\system32\hhzlnt07.dll
Successfully Deleted: C:\WINDOWS\system32\hhzlnt07.dll
deleting: C:\WINDOWS\system32\irlol5331.dll
Successfully Deleted: C:\WINDOWS\system32\irlol5331.dll
deleting: C:\WINDOWS\system32\k8440ihqe84e0.dll
Successfully Deleted: C:\WINDOWS\system32\k8440ihqe84e0.dll
deleting: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
zip warning: name not matched: guard.tmp

zip error: Nothing to do! (backup.zip)
adding: Documents and Settings/Kirsten/Desktop/Spyware Removal/l2mfix/backregs/notibac.reg (deflated 88%)
adding: Documents and Settings/Kirsten/Desktop/Spyware Removal/l2mfix/backregs/shell.reg (deflated 73%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: crrtmgr.dll
deleting local copy: hhzlnt07.dll
deleting local copy: irlol5331.dll
deleting local copy: k8440ihqe84e0.dll
deleting local copy: __delete_on_reboot__guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o0480ahued480.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irlol5331.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\crrtmgr.dll
C:\WINDOWS\system32\hhzlnt07.dll
C:\WINDOWS\system32\irlol5331.dll
C:\WINDOWS\system32\k8440ihqe84e0.dll
C:\WINDOWS\system32\__delete_on_reboot__guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}\InprocServer32]
@="C:\\WINDOWS\\system32\\crrtmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}\InprocServer32]
@="C:\\WINDOWS\\system32\\hhzlnt07.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E0E2DF96-EEDB-4A3D-B072-27F54D6C3242}"=-
"{BED0A6D7-E276-4517-A040-DFDB57E92C11}"=-
"{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}"=-
[-HKEY_CLASSES_ROOT\CLSID\{E0E2DF96-EEDB-4A3D-B072-27F54D6C3242}]
[-HKEY_CLASSES_ROOT\CLSID\{BED0A6D7-E276-4517-A040-DFDB57E92C11}]
[-HKEY_CLASSES_ROOT\CLSID\{753C8B14-2E86-4FE7-B6C2-EB4D885BC693}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
C:\WINDOWS\System32\BED0A6D7-E276-4517-A040-DFDB57E92C11.reg
C:\WINDOWS\System32\753C8B14-2E86-4FE7-B6C2-EB4D885BC693.reg
Checking for L2MFix account(0=no 1=yes):
0
adding: dlls/crrtmgr.dll (deflated 4%)
adding: dlls/hhzlnt07.dll (deflated 4%)
adding: dlls/irlol5331.dll (deflated 4%)
adding: dlls/k8440ihqe84e0.dll (deflated 5%)





Logfile of HijackThis v1.99.1
Scan saved at 3:23:40 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133393680968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\o0480ahued480.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\irlol5331.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2lyc3Rlbg\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0
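The Winlogon Notify export in the log above lists two subkeys (BITS and Unimodem) whose DllName is a full path to an oddly named DLL in system32, while the other entries use bare file names. The following is an added example, not part of the original thread and not code from L2mfix or HijackThis: it parses a regedit export, decodes the hex(2) values, and lists Notify entries that fall outside a baseline. The baseline set is an assumption, built only from the other DLL names in this page's export.

```python
import ntpath
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Excerpt of the export posted above, trimmed to four subkeys for the example.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o0480ahued480.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"DllName"="C:\\WINDOWS\\system32\\irlol5331.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
'''

# Assumption: baseline taken from the other DllName values in this page's export,
# not an authoritative list of stock Windows XP notification packages.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}


def decode_value(raw):
    """Decode one right-hand side of a .reg line (REG_SZ, dword, hex(1)/hex(2))."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: regedit escapes backslashes and quotes with a backslash.
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex\(([0-9a-fA-F]+)\):(.*)", raw)
    if m and m.group(1) in ("1", "2"):
        # String types are stored as comma-separated UTF-16LE bytes.
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw  # other types are left as their raw text


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} from a regedit export."""
    logical, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        # A trailing backslash continues a hex value onto the next line.
        if line.endswith("\\") and (pending or "=hex" in line):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                current[m.group(1)] = decode_value(m.group(2))
    return keys


def review_notify(keys, baseline=BASELINE_DLLS):
    """List (subkey, dll, reasons) for Notify entries that need a closer look."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        # The value name appears as both "DllName" and "DLLName" in exports.
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str):
            continue
        reasons = []
        if ntpath.basename(dll).lower() not in baseline:
            reasons.append("DLL not in baseline")
        if ntpath.isabs(dll):
            reasons.append("absolute path where baseline entries use bare names")
        if reasons:
            findings.append((path[len(prefix):], dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in review_notify(parse_reg(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll} ({'; '.join(reasons)})")
```

A flagged entry is a lead for review, not a verdict: legitimate third-party software also registered Notify packages on Windows XP, so the baseline should be extended from a known-clean machine of the same build.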

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Well we got one variant of the VX2 infection. There is still the second variant to contend with.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply as well as a new HJT log.

Regards,

Trevuren

  • 0

#7
MLeaper

    Member

  • Topic Starter
  • 21 posts
Thanks again and let me know if there is anything else.

********
3:50 PM: | Start of Session, Sunday, December 04, 2005 |
3:50 PM: Spy Sweeper started
3:50 PM: Sweep initiated using definitions version 577
3:50 PM: Starting Memory Sweep
3:53 PM: Memory Sweep Complete, Elapsed Time: 00:02:26
3:53 PM: Starting Registry Sweep
3:53 PM: Found Adware: findthewebsiteyouneed hijacker
3:53 PM: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
3:53 PM: Found Adware: delfin
3:53 PM: HKLM\software\vidmon\ (3 subtraces) (ID = 890155)
3:53 PM: Found Adware: dollarrevenue
3:53 PM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
3:53 PM: Found Adware: command
3:53 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
3:53 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
3:53 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
3:53 PM: Found Adware: maxifiles
3:53 PM: HKCR\typelib\{5279231e-fabe-4abf-83a8-7c7e17e3ce1a}\ (9 subtraces) (ID = 1020940)
3:53 PM: HKLM\software\classes\typelib\{5279231e-fabe-4abf-83a8-7c7e17e3ce1a}\ (9 subtraces) (ID = 1021009)
3:53 PM: HKU\WRSS_Profile_S-1-5-21-329068152-926492609-725345543-1006\software\xbtb07618\ (61 subtraces) (ID = 134858)
3:53 PM: Found Adware: cydoor
3:53 PM: HKU\WRSS_Profile_S-1-5-21-329068152-926492609-725345543-1006\software\cydoor\ (1162 subtraces) (ID = 639126)
3:53 PM: HKU\WRSS_Profile_S-1-5-21-329068152-926492609-725345543-1006\software\cydoor services\ (204 subtraces) (ID = 639128)
3:53 PM: HKU\WRSS_Profile_S-1-5-21-329068152-926492609-725345543-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
3:53 PM: HKU\S-1-5-21-329068152-926492609-725345543-1004\software\director\ || baseurl (ID = 980277)
3:53 PM: HKU\S-1-5-21-329068152-926492609-725345543-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
3:54 PM: HKU\S-1-5-18\software\xbtb07618\ (61 subtraces) (ID = 134858)
3:54 PM: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
3:54 PM: HKU\S-1-5-18\software\vidmon\ (1 subtraces) (ID = 890125)
3:54 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
3:54 PM: Registry Sweep Complete, Elapsed Time:00:00:47
3:54 PM: Starting Cookie Sweep
3:54 PM: Found Spy Cookie: 2o7.net cookie
3:54 PM: [email protected][1].txt (ID = 1958)
3:54 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:54 PM: Starting File Sweep
3:54 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
3:54 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
3:54 PM: drsmartload.dat (ID = 198788)
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
3:56 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
3:57 PM: c:\windows\system32\nfomon (1 subtraces) (ID = -2147468684)
3:57 PM: c:\windows\system32\vidmon (ID = -2147468683)
4:06 PM: c:\documents and settings\all users\application data\nfo (16 subtraces) (ID = -2147468687)
4:06 PM: mon1204.ddx (ID = 57680)
4:06 PM: mon0315.ddx (ID = 57680)
4:06 PM: mon0204.ddx (ID = 57680)
4:06 PM: mon0504.ddx (ID = 57680)
4:06 PM: c:\documents and settings\all users\application data\vidmon (1 subtraces) (ID = -2147468685)
4:06 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc87caff8-b83a-4cfe-846f-9314ac123807.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8ba06737-9867-41ec-9290-c60499b6bf1d.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs224b39cb-cbf5-45d2-8fcb-78c7816e798b.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8e543053-3296-446b-b463-8aeeb8da3857.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7ab3f7b0-6a7d-4066-b13e-da50b1c82416.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd90681e8-223c-4424-9cf6-e6c6173a8f4b.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3c301c62-aba3-4f9e-a4f5-a9753503d95d.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9c11b185-ce6a-48c2-9251-ff219aa635ac.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5af04734-f653-43f4-85c9-c2927396c91a.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdfce1930-724b-4df1-9341-1c0b110a1677.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs20112a3f-c6e5-4836-9854-bff48deae564.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2b7807bf-2c01-4e81-abd2-bb040b1dd2dd.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa3054bc8-2522-41cb-a806-81e2a2fc9073.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb80f749d-00f6-4282-abde-8d2bf03012a9.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbaa2f9b5-f7ee-4bc3-a518-a16001241fe0.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs14a5cdc0-5ea0-4129-a8fb-78f267585836.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9e83bdd2-a0b9-41c6-911d-0fec6e2523fb.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb57bc4f8-8535-4201-a1b1-42b637e2eaee.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2b2a22ba-3f57-4106-a944-426d62a00cb1.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbd25617f-dd53-4639-a250-18181c8eaa56.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb829d5ec-8463-4eb2-94a6-b401cf0e59e5.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse28e0940-cfe1-4aa5-bffe-a8ee0262b688.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsab62aee3-6e9e-4f3e-b3ed-b67fced30d67.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa442cbb8-45a2-4456-afac-b2517f3d2212.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsefb23ea3-34c5-4912-befe-345ebbf13d34.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs73710fa6-9e93-445b-ada8-c5618748f2e6.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\kirsten\ntuser.dat". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\kirsten\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\kirsten\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\documents and settings\kirsten\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:06 PM: mon0904.ddx (ID = 57684)
4:06 PM: mon0412.ddx (ID = 57680)
4:06 PM: mon0106.ddx (ID = 57679)
4:06 PM: mon1125.ddx (ID = 57685)
4:06 PM: mon2007.dbd (ID = 57693)
4:06 PM: mon1909.ddx (ID = 57684)
4:06 PM: mon1920.dbd (ID = 57692)
4:06 PM: mon1215.dbd (ID = 57687)
4:06 PM: 538.dfn (ID = 133429)
4:07 PM: Found Adware: look2me
4:07 PM: __delete_on_reboot__guard.tmp (ID = 159)
4:07 PM: crrtmgr.dll (ID = 159)
4:07 PM: hhzlnt07.dll (ID = 159)
4:07 PM: irlol5331.dll (ID = 159)
4:07 PM: k8440ihqe84e0.dll (ID = 159)
4:08 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcsys.dll". The process cannot access the file because it is being used by another process
4:08 PM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
4:08 PM: Found Trojan Horse: trojan downloader matcash
4:08 PM: c:\program files\common files\inetget (ID = -2147477182)
4:08 PM: c:\program files\common files\inetget2 (ID = -2147471395)
4:08 PM: autoit3.exe (ID = 119348)
4:08 PM: Found Adware: targetsaver
4:08 PM: class-barrel (ID = 78229)
4:08 PM: vocabulary (ID = 78283)
4:15 PM: c:\program files\freeprod toolbar (8 subtraces) (ID = -2147463651)
4:15 PM: Found Trojan Horse: trojan-backdoor-surila
4:15 PM: webhost2.exe (ID = 184175)
4:17 PM: a0075677.dll (ID = 159)
4:17 PM: a0075678.dll (ID = 159)
4:17 PM: a0075679.dll (ID = 159)
4:17 PM: a0075680.dll (ID = 159)
4:17 PM: a0075681.dll (ID = 159)
4:17 PM: a0075682.dll (ID = 159)
4:17 PM: a0075685.exe (ID = 166181)
4:17 PM: Found Adware: adtech2005
4:17 PM: a0075686.exe (ID = 194580)
4:17 PM: a0075687.exe (ID = 65722)
4:17 PM: a0075689.dll (ID = 195129)
4:17 PM: a0075684.ocx.tcf (ID = 194608)
4:17 PM: a0075701.dll (ID = 159)
4:17 PM: a0075709.dll (ID = 159)
4:17 PM: a0075710.dll (ID = 159)
4:21 PM: Found Adware: effective-i toolbar
4:21 PM: ucmore tour.lnk (ID = 59855)
4:21 PM: how to uninstall.lnk (ID = 59838)
4:21 PM: File Sweep Complete, Elapsed Time: 00:27:44
4:21 PM: Full Sweep has completed. Elapsed time 00:31:13
4:21 PM: Traces Found: 1628
4:26 PM: Removal process initiated
4:26 PM: Quarantining All Traces: look2me
4:26 PM: Quarantining All Traces: trojan downloader matcash
4:26 PM: Quarantining All Traces: trojan-backdoor-surila
4:26 PM: Quarantining All Traces: maxifiles
4:26 PM: Quarantining All Traces: adtech2005
4:26 PM: Quarantining All Traces: command
4:26 PM: Quarantining All Traces: cydoor
4:26 PM: Quarantining All Traces: delfin
4:26 PM: Quarantining All Traces: dollarrevenue
4:26 PM: Quarantining All Traces: effective-i toolbar
4:26 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
4:26 PM: Quarantining All Traces: targetsaver
4:27 PM: Quarantining All Traces: 2o7.net cookie
4:28 PM: Removal process completed. Elapsed time 00:02:03
********
3:49 PM: | Start of Session, Sunday, December 04, 2005 |
3:49 PM: Spy Sweeper started
3:49 PM: Your spyware definitions have been updated.
3:49 PM: Updating spyware definitions
3:49 PM: Your definitions are up to date.
3:50 PM: | End of Session, Sunday, December 04, 2005 |



Logfile of HijackThis v1.99.1
Scan saved at 4:29:05 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133393680968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\o0480ahued480.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\irlol5331.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Please run SpySweeper again but in Safe Mode.

2. Post the log like last time and a fresh HJT log


Regards,

Trevuren


#9
MLeaper

    Member

  • Topic Starter
  • 21 posts
Thanks again and let me know if I need to run anything else.

********
4:51 PM: | Start of Session, Sunday, December 04, 2005 |
4:51 PM: Spy Sweeper started
4:51 PM: Sweep initiated using definitions version 577
4:51 PM: Starting Memory Sweep
4:53 PM: Memory Sweep Complete, Elapsed Time: 00:01:17
4:53 PM: Starting Registry Sweep
4:53 PM: Registry Sweep Complete, Elapsed Time:00:00:41
4:54 PM: Starting Cookie Sweep
4:54 PM: Found Spy Cookie: 2o7.net cookie
4:54 PM: [email protected][1].txt (ID = 1958)
4:54 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:54 PM: Starting File Sweep
4:54 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
4:56 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
5:08 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
5:08 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
5:08 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
5:08 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
5:10 PM: Warning: Failed to open file "c:\documents and settings\administrator\ntuser.dat.log". The process cannot access the file because it is being used by another process
5:10 PM: Warning: Failed to open file "c:\documents and settings\administrator\ntuser.dat". The process cannot access the file because it is being used by another process
5:10 PM: Warning: Failed to open file "c:\documents and settings\administrator\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
5:10 PM: Warning: Failed to open file "c:\documents and settings\administrator\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
5:27 PM: Found Adware: targetsaver
5:27 PM: 00095651.ini (ID = 193498)
5:27 PM: Found Adware: look2me
5:27 PM: 00096388.dll (ID = 159)
5:27 PM: 00096389.dll (ID = 159)
5:27 PM: 00096408.dll (ID = 159)
5:27 PM: 00096409.dll (ID = 159)
5:27 PM: 00096941.dll (ID = 159)
5:27 PM: 00096942.dll (ID = 159)
5:27 PM: 00096943.dll (ID = 159)
5:27 PM: 00096944.dll (ID = 159)
5:27 PM: 00097413.dll (ID = 159)
5:27 PM: 00097415.dll (ID = 159)
5:27 PM: 00097417.dll (ID = 159)
5:27 PM: 00097419.dll (ID = 159)
5:27 PM: Found Trojan Horse: trojan downloader matcash
5:27 PM: 00097422.exe (ID = 119348)
5:27 PM: Found Trojan Horse: trojan-backdoor-surila
5:27 PM: 00097426.exe (ID = 184175)
5:27 PM: Found Adware: delfin
5:27 PM: 00097442.dfn (ID = 133429)
5:27 PM: 00097444.dbd (ID = 57687)
5:27 PM: 00097446.dbd (ID = 57692)
5:27 PM: 00097448.ddx (ID = 57684)
5:27 PM: 00097450.dbd (ID = 57693)
5:27 PM: 00097452.ddx (ID = 57685)
5:27 PM: 00097454.ddx (ID = 57679)
5:27 PM: 00097456.ddx (ID = 57680)
5:27 PM: 00097458.ddx (ID = 57684)
5:27 PM: 00097462.ddx (ID = 57680)
5:27 PM: 00097464.ddx (ID = 57680)
5:27 PM: 00097466.ddx (ID = 57680)
5:27 PM: 00097468.ddx (ID = 57680)
5:27 PM: Found Adware: dollarrevenue
5:27 PM: 00095809.htm (ID = 198788)
5:27 PM: Found Adware: effective-i toolbar
5:27 PM: 00097479.lnk (ID = 59838)
5:27 PM: 00097481.lnk (ID = 59855)
5:27 PM: 00097484 (ID = 78283)
5:27 PM: 00097486 (ID = 78229)
5:29 PM: File Sweep Complete, Elapsed Time: 00:35:12
5:29 PM: Full Sweep has completed. Elapsed time 00:37:30
5:29 PM: Traces Found: 34
5:31 PM: Removal process initiated
5:31 PM: Quarantining All Traces: 2o7.net cookie
5:31 PM: Quarantining All Traces: targetsaver
5:31 PM: Quarantining All Traces: look2me
5:31 PM: Quarantining All Traces: trojan downloader matcash
5:31 PM: Quarantining All Traces: trojan-backdoor-surila
5:31 PM: Quarantining All Traces: delfin
5:31 PM: Quarantining All Traces: dollarrevenue
5:31 PM: Quarantining All Traces: effective-i toolbar
5:32 PM: Removal process completed. Elapsed time 00:01:43
********
4:51 PM: | Start of Session, Sunday, December 04, 2005 |
4:51 PM: Spy Sweeper started
4:51 PM: Program Version 4.5.7 (Build 656) Using Spyware Definitions 577
4:51 PM: | End of Session, Sunday, December 04, 2005 |



Logfile of HijackThis v1.99.1
Scan saved at 5:39:08 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133393680968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\o0480ahued480.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\irlol5331.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#10
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
We seem to be having a bit of difficulty getting rid of the second variant:


A. I need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.
  • Open Microsoft AntiSpyware.
  • Click on Options, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware

B. Please also disable Ewidoguard


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:


    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\o0480ahued480.dll
    O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\irlol5331.dll (file missing)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    windir32.exe <== You may have to search for this one.
    C:\WINDOWS\system32\o0480ahued480.dll

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0


#11
MLeaper


    Member

  • Topic Starter
  • Member
  • 21 posts
Here we go.
I could not find the windir32.exe but I did have to manually delete o0480ahued480.dll

Logfile of HijackThis v1.99.1
Scan saved at 11:14:40 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133393680968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0
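The triage behind the fix list in post #10, and the recheck against the follow-up log in post #11, sketched as an added example (not part of the original thread and not HijackThis's own logic). The three heuristics and all function names are assumptions chosen for illustration; the sample lines are copied from the logs quoted in this thread.

```python
import ntpath
import re

# Sample input: lines copied from the two HijackThis logs quoted in this thread.
BEFORE = r"""
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\o0480ahued480.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\irlol5331.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""
AFTER = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[(.*?)\] (.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (.+?) - (.+?)( \(file missing\))?$")


def parse_log(text):
    """Return (section, detail) pairs for every 'Onn - ...' line in a log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(section, detail):
    """Return the reasons an entry deserves a manual look (assumed heuristics)."""
    reasons = []
    # Heuristic 1: the registry entry outlived the file it points at.
    if "(no file)" in detail or "(file missing)" in detail:
        reasons.append("entry points at a file that is not on disk")
    # Heuristic 2: a Run value with no directory is resolved via the search path.
    if section == "O4":
        m = RUN.match(detail)
        if m:
            cmd = m.group(2).strip()
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
            if "\\" not in exe:
                reasons.append("Run value has no directory component")
    # Heuristic 3: Winlogon Notify DLLs load into winlogon.exe at every logon;
    # a file name with a run of digits is worth checking by hand.
    if section == "O20":
        m = NOTIFY.match(detail)
        if m and re.search(r"\d{3,}", ntpath.basename(m.group(2))):
            reasons.append("Winlogon Notify DLL with a digit-heavy file name")
    return reasons


def flagged(text):
    """Map each suspicious log line to its list of reasons."""
    result = {}
    for section, detail in parse_log(text):
        reasons = triage(section, detail)
        if reasons:
            result[f"{section} - {detail}"] = reasons
    return result


def remaining(before, after):
    """Lines flagged in the first log that are still present in the second."""
    after_lines = {f"{s} - {d}".lower() for s, d in parse_log(after)}
    return [line for line in flagged(before) if line.lower() in after_lines]


if __name__ == "__main__":
    for line, reasons in flagged(BEFORE).items():
        print(line)
        for reason in reasons:
            print("    review:", reason)
    print("still present after the fix:", remaining(BEFORE, AFTER))
```

A flag here means "look at this entry", not "delete it"; legitimate software also registers bare file names and digit-bearing DLLs.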

#12
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. However I have a "feeling" that there is more junk hiding in your system.

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

Regards,

Trevuren

  • 0

#13
MLeaper


    Member

  • Topic Starter
  • Member
  • 21 posts
Here it is. Let me know what I need to do next.

Thanks again.

File C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\l2mfix\backup.zip tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Object "adware.softomate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "unknown toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "casinoclient Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor.topicks.a Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "powerreg scheduler Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "powerreg scheduler Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton Internet Security\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton SystemWorks\Password Manager\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\PowerQuest\PartitionMagic 8.0\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\PowerQuest\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".000". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".1". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".lst". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".OEM". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ieupdate". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB821557". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB823182". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB823559". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824105". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824141". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824146". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB825119". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828028". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828035". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828741". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB835732". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB837001". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB839645". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB840315". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB840374". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB841873". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB842773". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Media Gateway". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "oeupdate". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q328310". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329048". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329115". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329170". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329390". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329441". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329834". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q331953". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810565". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810577". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810833". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q811493". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q814033". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q815021". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q817606". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q819696". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q828026". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SaveNow". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "TSA". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WebDP". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "XBTB07618.XBTB07618Toolbar". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "zango". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Zango Toolbar". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1A7F8DF6-5A3E-4CDF-BC82-BE26B407E21B}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{2AFEB7E5-E963-4242-BD18-94F512C679AE}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{726C99D0-50C5-404F-9EFD-7B2834DFED50}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AFD2C5B5-BF78-47B6-9569-755448C0D0EE}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{01BF19C2-59D3-43E9-A2CC-C2D62D8878D3}" refers to invalid object "C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{9EA38140-65A3-442B-A36E-88954B97AFAC}" refers to invalid object "C:\DOCUME~1\ROD\LOCALS~1\Temp\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{B2F43A60-3CD5-49C1-96B2-A6D32F88A191}" refers to invalid object "C:\Program Files\Norton SystemWorks\Password Manager\ppWebWnd.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DCB43485-19FB-4D6D-BB3D-73C7F48D5F00}" refers to invalid object "C:\Program Files\Messenger\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\ppifile\shell\open\command" refers to invalid object "%SystemRoot%\System32\msppcnfg.exe /Config %1". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\WINDOWS\dbg32hlp.exe infected by "Backdoor.Win32.SdBot.aad" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\FAGBNDKT\deliver46860[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\dbg32hlp.exe infected by "Backdoor.Win32.SdBot.aad" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\l2mfix\backup.zip tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Download\freeprodtb.exe.tcf tagged as "not-a-virus:AdWare.Win32.Maxifiles.o". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6D0C2815.hta infected by "Trojan.JS.Seeker-based" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6DC60148.hta infected by "Trojan.JS.Seeker-based" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0F0F7A05.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.u". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2D4A2CC0.exe infected by "Trojan-Proxy.Win32.Agent.gt" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2D4D56BD.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2D5100B9.exe infected by "Backdoor.Win32.Rbot.agq" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7B9300D9.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.u". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7BD11E95.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7BD54891.exe infected by "Backdoor.Win32.Rbot.agg" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66284AA0.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\25CD1695.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C6A5E8B.exe infected by "Trojan-Downloader.Win32.INService.ja" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\061C077F.exe infected by "Trojan-Dropper.Win32.Small.yn" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75824E89.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\587E754E.com infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58C610FF.com infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58C93AFB.com infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F5807C4.com infected by "Backdoor.Win32.Rbot.agg" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62164AC0.exe infected by "Trojan-Dropper.Win32.Agent.mf" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4EB72762.exe infected by "Trojan-Downloader.Win32.VB.na" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\621974BC.exe infected by "Trojan-Dropper.Win32.Agent.mf" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\147F0562.exe infected by "Trojan-Dropper.Win32.Agent.mf" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\621C1EB8.exe infected by "Trojan-Dropper.Win32.Agent.mf" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\621F48B5.exe infected by "Trojan-Dropper.Win32.Agent.mf" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\64FE2F8C.com infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\65407744.com infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\00CD38F2.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.u". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45E47CEB.com infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\460B74C0.exe infected by "Trojan.Win32.VB.afn" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\460E1EBC.exe tagged as "not-a-virus:AdWare.Win32.CommAd.a". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\461148B9.exe infected by "Trojan.Win32.Crypt.t" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\461572B5.exe infected by "Trojan.Win32.Crypt.t" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46181CB2.exe infected by "Trojan-Downloader.Win32.VB.ri" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\461E70AA.exe infected by "Trojan-Downloader.Win32.VB.ri" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\462544A3.exe infected by "Trojan-Downloader.Win32.Delmed.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46286EA0.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46286EA0.exe tagged as not-a-virus:PSWTool.Win32.Messen.103. No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\462B189C.exe tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\03A8065A.exe tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\462F4298.exe tagged as "not-a-virus:AdWare.Win32.CommAd.a". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\49706459.exe infected by "Trojan-Downloader.Win32.INService.ja" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\462F4298.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46326C95.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46326C95.exe tagged as "not-a-virus:AdWare.Win32.WinAD.bo". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46351691.exe tagged as "not-a-virus:AdWare.Win32.WinAD.bo". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4638408E.exe infected by "Trojan-Downloader.Win32.Small.buy" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\463C6A8A.exe infected by "Trojan-Downloader.Win32.Small.buy" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46423E83.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4646687F.dll tagged as "not-a-virus:AdWare.Win32.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4646687F.exe tagged as "not-a-virus:AdWare.Win32.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4649127C.exe tagged as not-a-virus:PSWTool.Win32.PassView.162. No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\464C3C78.exe infected by "Trojan-Downloader.Win32.TSUpdate.l" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46563A6D.exe infected by "Trojan-Downloader.Win32.TSUpdate.n" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\465C0E66.exe infected by "Trojan-Downloader.Win32.TSUpdate.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3183004D.exe infected by "Trojan-Downloader.Win32.TSUpdate.o" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46700A51.exe infected by "Trojan-Downloader.Win32.TSUpdate.o" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46775E49.exe infected by "Trojan-Downloader.Win32.Adload.j" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\48A4784A.exe infected by "Trojan.Win32.StartPage.aw" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\467A0846.exe infected by "Trojan.Win32.StartPage.aw" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E6C564A.exe infected by "Trojan-Downloader.Win32.TSUpdate.n" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B790C44.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6B7D31C8.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6B7D31C8.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.u". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6B8405C1.exe tagged as "not-a-virus:AdWare.Win32.WinAD.bo". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6B872FBE.fr7 tagged as "not-a-virus:AdWare.Win32.CommAd.a". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6B8A59BA.fr8 tagged as "not-a-virus:AdWare.Win32.CommAd.a". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3CAB7073.jar infected by "Exploit.Java.ByteVerify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20566279.exe tagged as "not-a-virus:AdWare.Win32.WinAD.bo". Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20630A6A.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.m". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075676.EXE infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075683.exe infected by "Trojan-Dropper.Win32.Delf.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075692.exe infected by "Trojan-Dropper.Win32.Delf.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075693.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075694.exe infected by "Trojan-Downloader.Win32.Adload.j" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075695.EXE infected by "Trojan-Downloader.Win32.Adload.j" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075696.EXE infected by "Trojan-Dropper.Win32.Delf.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075659.exe.tcf tagged as "not-a-virus:AdWare.Win32.Maxifiles.o". Action Taken: No Action Taken.

#14
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
A. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing, uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Scan within archives"
        • "Select drives & folders to scan" - select your hard drive(s).
        • "Scan active processes"
        • "Scan registry"
        • "Deep-scan registry"
        • "Scan my IE favorites for banned URLs"
        • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Move deleted files to Recycle Bin"
        • "Include additional object information"
        • "Include negligible objects information"
        • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them:
        • "Default homepage"
        • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
B. Reboot your machine.

4. Update your Ewido definitions. Run the program in Safe Mode. Save the log.

5. REBOOT your system.

6. Post your Ewido log as well as a fresh HJT log for review.

Regards,

Trevuren


#15
MLeaper


    Member

  • Topic Starter
  • Member
  • 21 posts
Here are the latest logs.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:52:43 PM, 12/5/2005
+ Report-Checksum: 94366008

+ Scan result:

C:\WINDOWS\Temp\Cookies\kirsten@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned without backup
C:\WINDOWS\Temp\Cookies\kirsten@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned without backup
C:\WINDOWS\Temp\Cookies\kirsten@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned without backup
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned without backup
C:\WINDOWS\Temp\Cookies\kirsten@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned without backup
C:\WINDOWS\Temp\Cookies\kirsten@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Kirsten\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Documents and Settings\Kirsten\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Kirsten\Local Settings\Temporary Internet Files\Content.IE5\Z2VO01UN\mm[2].js -> Spyware.Chitika : Cleaned without backup
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\l2mfix\backup.zip/dlls/crrtmgr.dll -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\l2mfix\backup.zip/dlls/hhzlnt07.dll -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\l2mfix\backup.zip/dlls/irlol5331.dll -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\l2mfix\backup.zip/dlls/k8440ihqe84e0.dll -> Spyware.Look2Me : Cleaned without backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Documents and Settings\Kirsten\Cookies\kirsten@com[2].txt -> Spyware.Cookie.Com : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075676.EXE -> Backdoor.Rbot : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075683.exe -> Dropper.Paradrop.a : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075690.EXE -> Dropper.Delf.fd : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075691.EXE -> Dropper.Delf.fd : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075692.exe -> Dropper.Paradrop.a : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075693.exe -> Backdoor.Rbot : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075694.exe/thanks.exe -> Downloader.VB.qr : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075695.EXE/thanks.exe -> Downloader.VB.qr : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075696.EXE -> Dropper.Paradrop.a : Cleaned without backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP393\A0075688.EXE.tcf -> Spyware.Maxifiles : Cleaned without backup
C:\Recycled\NPROTECT\00528628.TXT -> Spyware.Cookie.Com : Cleaned without backup
C:\Recycled\NPROTECT\00528629.TXT -> Spyware.Cookie.Pointroll : Cleaned without backup
C:\Recycled\NPROTECT\00528630.TXT -> Spyware.Cookie.Pointroll : Cleaned without backup
C:\Recycled\NPROTECT\00528631.TXT -> Spyware.Cookie.Pointroll : Cleaned without backup
C:\Recycled\NPROTECT\00528640.TXT -> Spyware.Cookie.Tribalfusion : Cleaned without backup
C:\Recycled\NPROTECT\00528665.TXT -> Spyware.Cookie.Tribalfusion : Cleaned without backup
C:\Recycled\NPROTECT\00528666.TXT -> Spyware.Cookie.Pointroll : Cleaned without backup
C:\Recycled\NPROTECT\00528667.TXT -> Spyware.Cookie.Questionmarket : Cleaned without backup
C:\Recycled\NPROTECT\00097488.TXT -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Recycled\NPROTECT\00098061.TXT -> Spyware.Cookie.2o7 : Cleaned without backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 7:01:21 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kirsten\Desktop\Spyware Removal\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133393680968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentra...oad/sonyctl.CAB
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe