28 replies to this topic

[pskelley]

Not completely sure how to proceed here? I don't need a picture to know the infection is on the computer, I can see it in the 020 winlogon items. It seems everything I try, there is a reason why it will not work??

I asked you to do this:

This item is new to us: C:\Program Files\Windows Defender\MsMpEng.exe it very well may be blocking the Destroyer fix. Try disabling it and run the fix. In fact as a second thought, be offline for safety then disable all spyware programs including Spysweeper before trying to run Destroyer.

You tell me this:

I was unable to disable the Windows Defender task or the ewidos (ewidoctrl.exe) with task manager or killbox. I ran L2M Destroyer after disconnecting my modem, disabling AV and killing Spy Sweeper. Still the bluescreen.
Do you want this cleaned or not, if you have to uninstall the stuff, and reinstall it later. Something is blocking that fix and I can't do this for you.

Let me ask you this questions, did you download:
Please download Look2Me-Destroyer.exe to your desktop. <<< to the desktop as requested?
I will give this some thought overnight, if you think of anything that might help, please post it.

Thanks.

Edited by pskelley, 05 March 2006 - 07:26 PM.

[OnN2nN5]

I uninstalled Widows Defender and ewidos...rebooted...confirmed Windows Defender and ewidos not present...disabled Norton and SpySweeper...deleted L2M Destroyer and re-downloaded to my desktop (it was already there)...closed all windows...disconnected my modem...ran L2M Destroyer. Bluescreen.

Edited by OnN2nN5, 05 March 2006 - 09:09 PM.

[pskelley]

Well, it seems we have done all we can and the tool is not going to work. It will be the first time it has failed for me and I have no idea why. I know the evil people who put this junk on folks computers are constantly changing it to make it harder to detect and remove. These are the folks you can thank for these problems. Let's see if we can get this fix to run. Please remove the Look2Me-Destroyer so it can't interfere with this fix.

This fix will be run in two stages and it is very important that you follow the directions exactly.

Thanks to shadowwar and any others who helped with this fix


You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.


Thanks

[OnN2nN5]

Here is the log. I hate to be a half full kinda guy but as I referenced in post #11 of this thread I have tried this version and received the dreaded bluescreen. Perhaps I did something wrong in the process. I will wait for your instruction and hope for the best. L2MFIX find log 010406 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\g022lafo1d2c.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\r6p8lg7u16.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier] "Asynchronous"=dword:00000000 "DllName"="WRLogonNTF.dll" "Impersonate"=dword:00000001 "Lock"="WRLock" "StartScreenSaver"="WRStartScreenSaver" "StartShell"="WRStartShell" "Startup"="WRStartup" "StopScreenSaver"="WRStopScreenSaver" "Unlock"="WRUnlock" "Shutdown"="WRShutdown" "Logoff"="WRLogoff" "Logon"="WRLogon" ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{A1735FD6-4AF0-76C2-192C-AB98D1FBF22C}"="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras" "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"="TuneUp Shredder Shell Context Menu Extension" "{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind" "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler" "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip" "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices" "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu" "{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension" "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 DragDrop Shell Extension" "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension" "{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Property Sheet Shell Extension" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{26E892A0-76A2-11D0-AF20-444553540000}"="FileTargets Shell Extension" "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders" "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler" "{5EAD7640-20E7-43D7-989C-0181FE56228C}"="Delete file(s) on next system boot" "BPFSShell extension"="{56160A70-D083-4856-9998-F565ABC03F86}" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band" "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension" "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player" "{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class" "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer" "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu" "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu" "{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper" "{211353D9-A638-4E59-8051-5E3407B79D20}"="" "{158E54C6-7E91-4E24-AE7E-AD7F2C376EC1}"="" "{AA20E02E-D4C0-413B-9C30-ABEFEA8BA191}"="" "{DF63299B-6DD2-40B5-9F91-CF327CC50E43}"="" "{1F8F1989-0810-466B-98BE-F93B03B96ACC}"="" "{CCA60260-A2C9-11D2-BA62-0020188191B2}"="Registrar Registry Manager SHell Extension" "{81B78480-C83C-4CB0-BD45-0CC5D9B96BFC}"="" "{6DF7B39A-0D1B-4CDE-8902-28E9B46AF6AA}"="" "{8535C24F-AF54-4AE4-B985-A27D8EB2D8F0}"="" ********************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{158E54C6-7E91-4E24-AE7E-AD7F2C376EC1}] @="" [HKEY_CLASSES_ROOT\CLSID\{158E54C6-7E91-4E24-AE7E-AD7F2C376EC1}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{158E54C6-7E91-4E24-AE7E-AD7F2C376EC1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{158E54C6-7E91-4E24-AE7E-AD7F2C376EC1}\InprocServer32] @="C:\\WINDOWS\\system32\\mrexch40.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{AA20E02E-D4C0-413B-9C30-ABEFEA8BA191}] @="" [HKEY_CLASSES_ROOT\CLSID\{AA20E02E-D4C0-413B-9C30-ABEFEA8BA191}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{AA20E02E-D4C0-413B-9C30-ABEFEA8BA191}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{AA20E02E-D4C0-413B-9C30-ABEFEA8BA191}\InprocServer32] @="C:\\WINDOWS\\system32\\mglbui.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{DF63299B-6DD2-40B5-9F91-CF327CC50E43}] @="" [HKEY_CLASSES_ROOT\CLSID\{DF63299B-6DD2-40B5-9F91-CF327CC50E43}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{DF63299B-6DD2-40B5-9F91-CF327CC50E43}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{DF63299B-6DD2-40B5-9F91-CF327CC50E43}\InprocServer32] @="C:\\WINDOWS\\system32\\byowsewm.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{1F8F1989-0810-466B-98BE-F93B03B96ACC}] @="" [HKEY_CLASSES_ROOT\CLSID\{1F8F1989-0810-466B-98BE-F93B03B96ACC}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{1F8F1989-0810-466B-98BE-F93B03B96ACC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{1F8F1989-0810-466B-98BE-F93B03B96ACC}\InprocServer32] @="C:\\WINDOWS\\system32\\scmapi.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{81B78480-C83C-4CB0-BD45-0CC5D9B96BFC}] @="" [HKEY_CLASSES_ROOT\CLSID\{81B78480-C83C-4CB0-BD45-0CC5D9B96BFC}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{81B78480-C83C-4CB0-BD45-0CC5D9B96BFC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{81B78480-C83C-4CB0-BD45-0CC5D9B96BFC}\InprocServer32] @="C:\\WINDOWS\\system32\\Iwterop.ComctlLib.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{6DF7B39A-0D1B-4CDE-8902-28E9B46AF6AA}] @="" [HKEY_CLASSES_ROOT\CLSID\{6DF7B39A-0D1B-4CDE-8902-28E9B46AF6AA}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{6DF7B39A-0D1B-4CDE-8902-28E9B46AF6AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{6DF7B39A-0D1B-4CDE-8902-28E9B46AF6AA}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{8535C24F-AF54-4AE4-B985-A27D8EB2D8F0}] @="" [HKEY_CLASSES_ROOT\CLSID\{8535C24F-AF54-4AE4-B985-A27D8EB2D8F0}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{8535C24F-AF54-4AE4-B985-A27D8EB2D8F0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{8535C24F-AF54-4AE4-B985-A27D8EB2D8F0}\InprocServer32] @="C:\\WINDOWS\\system32\\MOSDM.DLL" "ThreadingModel"="Apartment" ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ aui2dvag.dll Sun Mar 5 2006 1:31:08p ..S.R 234,060 228.57 K divx.dll Wed Dec 7 2005 9:05:52a A.... 573,952 560.50 K gdi32.dll Wed Dec 28 2005 6:54:36p A.... 280,064 273.50 K lxrt.dll Sun Mar 5 2006 1:12:40p ..S.R 234,060 228.57 K mosdm.dll Mon Mar 6 2006 5:57:12a ..S.R 235,430 229.91 K nv4_disp.dll Sat Dec 10 2005 3:06:00a A.... 3,955,456 3.77 M nvapi.dll Sat Dec 10 2005 3:06:00a A.... 110,592 108.00 K nvcod.dll Sat Dec 10 2005 3:06:00a A.... 35,840 35.00 K nvcodins.dll Sat Dec 10 2005 3:06:00a A.... 35,840 35.00 K nvcpl.dll Sat Dec 10 2005 3:06:00a A.... 7,311,360 6.97 M nvhwvid.dll Sat Dec 10 2005 3:06:00a A.... 573,440 560.00 K nview.dll Sat Dec 10 2005 3:06:00a A.... 1,466,368 1.40 M nvmccs.dll Sat Dec 10 2005 3:06:00a A.... 229,376 224.00 K nvmccsrs.dll Sat Dec 10 2005 3:06:00a A.... 45,056 44.00 K nvmctray.dll Sat Dec 10 2005 3:06:00a A.... 86,016 84.00 K nvnt4cpl.dll Sat Dec 10 2005 3:06:00a A.... 286,720 280.00 K nvoglnt.dll Sat Dec 10 2005 3:06:00a A.... 5,402,624 5.15 M nvshell.dll Sat Dec 10 2005 3:06:00a A.... 466,944 456.00 K nvwddi.dll Sat Dec 10 2005 3:06:00a A.... 81,920 80.00 K nvwdmcpl.dll Sat Dec 10 2005 3:06:00a A.... 1,662,976 1.59 M nvwimg.dll Sat Dec 10 2005 3:06:00a A.... 1,019,904 996.00 K openal32.dll Fri Jan 13 2006 11:45:58p A.... 86,016 84.00 K pncrt.dll Wed Jan 4 2006 5:48:30a A.... 278,528 272.00 K pndx5016.dll Wed Jan 4 2006 5:48:30a A.... 6,656 6.50 K pndx5032.dll Wed Jan 4 2006 5:48:30a A.... 5,632 5.50 K rmoc3260.dll Wed Jan 4 2006 5:48:36a A.... 176,167 172.04 K s32evnt1.dll Tue Jan 3 2006 3:31:44p A.... 91,904 89.75 K spmsg.dll Mon Feb 13 2006 7:03:38p ..... 8,632 8.43 K sporder.dll Wed Mar 1 2006 3:33:02p A.... 8,464 8.27 K w95inf16.dll Sun Jan 22 2006 5:07:02p A.... 2,272 2.22 K w95inf32.dll Sun Jan 22 2006 5:07:02p A.... 4,608 4.50 K webclnt.dll Tue Jan 3 2006 7:35:06p A.... 68,096 66.50 K wmp.dll Tue Dec 6 2005 6:02:16a A.... 5,533,696 5.28 M wrlzma.dll Fri Feb 3 2006 2:52:52p A.... 17,920 17.50 K 34 items found: 34 files (3 H/S), 0 directories. Total of file sizes: 30,616,589 bytes 29.20 M Locate .tmp files: C:\WINDOWS\SYSTEM32\ guard.tmp Mon Mar 6 2006 5:58:12a ..S.R 235,430 229.91 K 1 item found: 1 file (1 H/S), 0 directories. Total of file sizes: 235,430 bytes 229.91 K ********************************************************************************** Directory Listing of system files: Volume in drive C has no label. Volume Serial Number is 24ED-3AB5 Directory of C:\WINDOWS\System32 03/06/2006 05:58 AM 235,430 guard.tmp 03/06/2006 05:57 AM 235,430 MOSDM.DLL 03/05/2006 09:26 PM 234,210 hrrq0595e.dll 03/05/2006 07:16 PM 235,430 g022lafo1d2c.dll 03/05/2006 06:45 PM 233,732 lv6u09j9e.dll 03/05/2006 06:39 PM 233,960 i424lefq1h2e.dll 03/05/2006 01:47 PM 235,463 Iwterop.ComctlLib.dll 03/05/2006 01:31 PM 234,060 aui2dvag.dll 03/05/2006 01:12 PM 234,060 lxrt.dll 01/22/2006 08:28 PM <DIR> dllcache 11/12/2005 07:24 PM 32 {80C7EFF3-C821-4FC0-A72A-77195DCA32C0}.dat 11/12/2005 06:26 PM <DIR> Microsoft 10 File(s) 2,111,807 bytes 2 Dir(s) 105,056,763,904 bytes free

[pskelley]

OK and thanks for calling my attention to that. I would say we have nothing to lose, perhaps all of the junk we have removed will help? I am out of ideas at this point, so here is the second part of the fix, it looks like the first part ran ok. Please follow the directions carefully.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.

Thanks

[OnN2nN5]

I am at work now so I will be unable to attempt the second option until this evening. New Info: Before receiving your last instruction to use option 2 I located a previous trial version of Spy Sweeper (4.5.9 709 vs 4.5.9 711) that allows removal during the 14 day period. I managed to run a complete sytem scan before work (archives, zips, etc...) but was unable to confirm much after the post removal process reboot since I was already 1/2 hr late for work. I will say that the Spy Sweeper real time protection did not identify that it was blocking L2M activity like it usually does but I only had my system up for a short time before having to leave the house. Would you like to see another HJT log or something before I run option 2 from the batch file, or just continue with your instructions?

[pskelley]

Yes please, post a HJT log and I can tell you more. If Spysweeper was able to remove the infection you should see the popups stop even though the line may still be there. HJT will then remove the line. No reason to attempt the l2mfix if SS already killed it. Thanks for the information...Phil

[OnN2nN5]

Logfile of HijackThis v1.99.1
Scan saved at 3:28:24 PM, on 3/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Tools\SpySweeper\SpySweeper.exe
C:\Tools\ClipCache\clipc.exe
C:\tools\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\tools\Alarm\Alarm Tray.exe
C:\Tools\HotKeyz\HotKeyz.exe
C:\WINDOWS\System32\ffpsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Tools\SnagIt 7\SnagIt32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Tools\RemindMe\RemindMe.exE
C:\Tools\Traybar\Traybar.exe
C:\Tools\SnagIt 7\TSCHelp.exe
C:\tools\CompuPicPro\ScsiAccess.exe
C:\tools\SpySweeper\WRSSSDK.exe
C:\tools\Alarm\AlarmMonitor.exe
C:\tools\PerfectDisk\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Tools\Spyware Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.net/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://crackspider.net/"); (C:\Documents and Settings\Theurich Family\Application Data\Mozilla\Profiles\default\0lnqtvhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Theurich Family\Application Data\Mozilla\Profiles\default\0lnqtvhv.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Tools\RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [Show missed alarms] C:\tools\Alarm\Alarm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Tools\SpySweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ClipCache] C:\Tools\ClipCache\clipc.exe /wait 3
O4 - HKCU\..\Run: [FreeRAM XP] "C:\tools\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [HotKeyz.exe Startup] C:\Tools\HotKeyz\HotKeyz.exe Startup
O4 - Startup: RemindMe.lnk = C:\Tools\RemindMe\RemindMe.exE
O4 - Startup: Traybar.lnk = C:\Tools\Traybar\Traybar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Tools\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Tools\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Tools\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Tools\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Tools\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\jtp8077ue.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\r6p8lg7u16.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Talking Alarm Clock user logon monitor (AlarmClockMonitor) - Cinnamon Software Inc. - C:\tools\Alarm\AlarmMonitor.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\System32\ffpsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\tools\PerfectDisk\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\tools\PerfectDisk\PerfectDisk\PDSched.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\tools\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\tools\SpySweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\tools\TuneUp 2006\WinStylerThemeSvc.exe

[pskelley]

Looks like SpySweeper killed it, please do this: Remember spyware programs can block HJT, try it once, if the lines are gone in the next log, post it for me. If not, you may have to turn off active spyware programs. Have the popups stopped? Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\jtp8077ue.dll (file missing) O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\r6p8lg7u16.dll (file missing) Close all programs but HJT and all browser windows, then click on "Fix Checked" Thanks

[OnN2nN5]

I sent that last log when I popped by the house to drop the kids off from school. I deactivated SpySweeper and was able to surf around for about 10 mins with no pop-ups or redirects. I was really encouraged when I saw that the 020 entries (besides the SS one) were showing "file missing". I will attempt the HJT fix when I get home in a couple hours.

[pskelley]

That sounds great keep in mind the HJT work is cosmetic. That infection taxed both our nerves! I have some closing information that will be valuable, so let me know if all continues to run well as soon as possible, some of the information will help you stay clean and safe Thanks...Phil

[OnN2nN5]

Here is the latest HJT log. Looks like success.

Yes, this was taxing to say the least. I sincerely appreciate all your time and effort. I definitely learned much in the process.

I look forward to the additional info you mentioned on helping to set up a better defense.

Again...Thank You!

Brad

****


Logfile of HijackThis v1.99.1
Scan saved at 5:50:46 PM, on 3/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Tools\ClipCache\clipc.exe
C:\tools\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\tools\Alarm\Alarm Tray.exe
C:\Tools\HotKeyz\HotKeyz.exe
C:\WINDOWS\System32\ffpsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Tools\SnagIt 7\SnagIt32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Tools\RemindMe\RemindMe.exE
C:\Tools\Traybar\Traybar.exe
C:\Tools\SnagIt 7\TSCHelp.exe
C:\tools\CompuPicPro\ScsiAccess.exe
C:\tools\SpySweeper\WRSSSDK.exe
C:\tools\Alarm\AlarmMonitor.exe
C:\tools\PerfectDisk\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Tools\SpySweeper\SpySweeper.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Tools\Spyware Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.net/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://crackspider.net/"); (C:\Documents and Settings\Theurich Family\Application Data\Mozilla\Profiles\default\0lnqtvhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Theurich Family\Application Data\Mozilla\Profiles\default\0lnqtvhv.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Tools\RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [Show missed alarms] C:\tools\Alarm\Alarm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Tools\SpySweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ClipCache] C:\Tools\ClipCache\clipc.exe /wait 3
O4 - HKCU\..\Run: [FreeRAM XP] "C:\tools\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [HotKeyz.exe Startup] C:\Tools\HotKeyz\HotKeyz.exe Startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: RemindMe.lnk = C:\Tools\RemindMe\RemindMe.exE
O4 - Startup: Traybar.lnk = C:\Tools\Traybar\Traybar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Tools\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Tools\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Tools\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Tools\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Tools\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Talking Alarm Clock user logon monitor (AlarmClockMonitor) - Cinnamon Software Inc. - C:\tools\Alarm\AlarmMonitor.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\System32\ffpsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\tools\PerfectDisk\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\tools\PerfectDisk\PerfectDisk\PDSched.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\tools\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\tools\SpySweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\tools\TuneUp 2006\WinStylerThemeSvc.exe

[pskelley]

Yep Brad, that one had me scratching my head, would be better if 50 or so others were not hitting me at the same time. This log looks good, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html
http://cybercoyote.o...not-admin.shtml

You have to think about Spysweeper, once that trial is over, unless you purchase it, it is using resources and giving nothing I can see in return. You will probably want to uninsall it.

System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.syma...src=sec_doc_nam

Safe surfing...Phil

Thanks...pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

[pskelley]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php