Logfile of HijackThis. Infected with BlackWorm & other


This topic is locked
79 replies to this topic

#46 devotion
Authentic Member, 43 posts
Posted 11 March 2006 - 12:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:32:26 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\j8p0li7m18.dll (file missing)
O20 - Winlogon Notify: ICM - C:\WINNT\system32\guard.tmp (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\f2l00c~1.dll Sat Mar 11 2006 11:35:42a ..S.R 233,875 228.39 K
________________________________________________

1,042 items found: 1,042 files (1 H/S), 0 directories.
Total of file sizes: 189,753,273 bytes 180.96 M

Administrator Account = True

--------------------End log---------------------



#47 LDTate
Grand Poobah, Root Admin, 57,211 posts
Posted 11 March 2006 - 12:47 PM

Let's see if Spysweeper will now kill off the last of them.
Open Spysweeper.

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin.

Reboot and copy/paste a new HJT log as well as the Results from the Spy Sweeper file into this thread.
Also, another DLLCompare scan please.

The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
Proud graduate of TC/WTT Classroom


#48 devotion
Authentic Member, 43 posts
Posted 11 March 2006 - 01:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:38:51 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: ICM - C:\WINNT\system32\f2l00c3mef.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\f2l00c~1.dll Sat Mar 11 2006 11:35:42a ..S.R 233,875 228.39 K
C:\WINNT\SYSTEM32\jut.dll Sat Mar 11 2006 1:36:34p ..S.R 233,875 228.39 K
C:\WINNT\SYSTEM32\r46ule~1.dll Sat Mar 11 2006 1:36:34p ..S.R 235,839 230.31 K
________________________________________________

1,043 items found: 1,043 files (3 H/S), 0 directories.
Total of file sizes: 189,989,112 bytes 181.19 M

Administrator Account = True

--------------------End log---------------------

********
12:45 PM: | Start of Session, Saturday, March 11, 2006 |
12:45 PM: Spy Sweeper started
12:45 PM: Sweep initiated using definitions version 630
12:46 PM: Starting Memory Sweep
12:50 PM: Memory Sweep Complete, Elapsed Time: 00:04:37
12:50 PM: Starting Registry Sweep
12:51 PM: Found System Monitor: sc-keylog
12:51 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\explorer\ (6 subtraces) (ID = 140468)
12:51 PM: Registry Sweep Complete, Elapsed Time:00:00:49
12:51 PM: Starting Cookie Sweep
12:51 PM: Found Spy Cookie: addynamix cookie
12:51 PM: jones@ads.addynamix[1].txt (ID = 2062)
12:51 PM: Found Spy Cookie: bluestreak cookie
12:51 PM: jones@bluestreak[1].txt (ID = 2314)
12:51 PM: Found Spy Cookie: burstnet cookie
12:51 PM: jones@burstnet[2].txt (ID = 2336)
12:51 PM: Found Spy Cookie: casalemedia cookie
12:51 PM: jones@casalemedia[1].txt (ID = 2354)
12:51 PM: Found Spy Cookie: burstbeacon cookie
12:51 PM: jones@www.burstbeacon[1].txt (ID = 2335)
12:51 PM: Found Spy Cookie: adserver cookie
12:51 PM: jones@z1.adserver[1].txt (ID = 2142)
12:51 PM: Found Spy Cookie: zedo cookie
12:51 PM: jones@zedo[2].txt (ID = 3762)
12:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
12:51 PM: Starting File Sweep
12:58 PM: Found Adware: look2me
12:58 PM: wzpcd.dll (ID = 159)
1:11 PM: wzpcd.dll (ID = 159)
1:18 PM: pkdgen.dll (ID = 159)
1:22 PM: jmbexec.dll (ID = 159)
1:27 PM: File Sweep Complete, Elapsed Time: 00:35:50
1:27 PM: Full Sweep has completed. Elapsed time 00:41:30
1:27 PM: Traces Found: 18
1:29 PM: Removal process initiated
1:29 PM: Quarantining All Traces: look2me
1:29 PM: Quarantining All Traces: sc-keylog
1:29 PM: Quarantining All Traces: addynamix cookie
1:29 PM: Quarantining All Traces: adserver cookie
1:29 PM: Quarantining All Traces: bluestreak cookie
1:29 PM: Quarantining All Traces: burstbeacon cookie
1:29 PM: Quarantining All Traces: burstnet cookie
1:29 PM: Quarantining All Traces: casalemedia cookie
1:29 PM: Quarantining All Traces: zedo cookie
1:30 PM: Removal process completed. Elapsed time 00:01:07
********
2:04 PM: | Start of Session, Friday, March 10, 2006 |
2:04 PM: Spy Sweeper started
2:04 PM: Sweep initiated using definitions version 630
2:04 PM: Found Adware: quicklink search toolbar
2:04 PM: HKCR\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\inprocserver32\ (2 subtraces) (ID = 1190418)
2:04 PM: v9gcyb8xi.dll (ID = 1190418)
2:04 PM: HKCR\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\inprocserver32\ (2 subtraces) (ID = 1190420)
2:04 PM: v9gcyb8xi.dll (ID = 1190420)
2:04 PM: Starting Memory Sweep
2:06 PM: Warning: Failed to check file "C:\WINNT\system32\e6200gfme62a0.dll". Stream read error
2:07 PM: Found Adware: command
2:07 PM: Detected running threat: C:\WINNT\Sm9uZXM\command.exe (ID = 144946)
2:09 PM: Detected running threat: C:\WINNT\Sm9uZXM\asappsrv.dll (ID = 144945)
2:09 PM: Warning: Failed to check file "C:\WINNT\system32\pkdgen.dll". Stream read error
2:10 PM: Memory Sweep Complete, Elapsed Time: 00:05:22
2:10 PM: Starting Registry Sweep
2:11 PM: Found Adware: enbrowser
2:11 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
2:11 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
2:11 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (8 subtraces) (ID = 1016064)
2:11 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (10 subtraces) (ID = 1016072)
2:11 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
2:11 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
2:11 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
2:11 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
2:11 PM: HKCR\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\ (8 subtraces) (ID = 1180476)
2:11 PM: HKCR\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\ (8 subtraces) (ID = 1180485)
2:11 PM: HKCR\typelib\{e3b39f3e-a325-48b2-a4b0-c27d8becf90d}\ (9 subtraces) (ID = 1180496)
2:11 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
2:11 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
2:11 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
2:11 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
2:11 PM: HKLM\software\classes\clsid\{156afb23-6a31-443c-a1d0-fd418898c11b}\ (8 subtraces) (ID = 1180539)
2:11 PM: HKLM\software\classes\clsid\{f4c522e0-5bd5-407b-99a3-5a435db6694a}\ (8 subtraces) (ID = 1180548)
2:11 PM: HKLM\software\classes\typelib\{e3b39f3e-a325-48b2-a4b0-c27d8becf90d}\ (9 subtraces) (ID = 1180559)
2:11 PM: HKU\S-1-5-21-1935655697-1677128483-1060284298-1000\software\system\sysuid\ (1 subtraces) (ID = 731748)
2:11 PM: Registry Sweep Complete, Elapsed Time:00:01:16
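Added example, not code from this thread or from the HijackThis, DLLCompare or Spy Sweeper authors: a small Python triage script that reads the O20 Winlogon Notify lines from the two HijackThis logs above together with the DLLCompare entries from the second log, and flags the notify DLLs a helper would act on. The sample input is copied from those logs; the allowlist (Webroot's WRLogonNTF.dll), the random-name heuristic and the 8.3 short-name matching (f2l00c3mef.dll is what DLLCompare lists as f2l00c~1.dll) are my assumptions for illustration, not rules stated in the thread.

```python
"""Triage the O20 (Winlogon Notify) lines from the HijackThis logs above against
the DLLCompare output.  Added example, not a tool from this thread or from the
HijackThis/DLLCompare authors; the allowlist and heuristics are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the O20 lines from both HijackThis logs above and the
# DLLCompare entries from the second log, copied inline so this runs offline.
HJT_LOG = r"""
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\j8p0li7m18.dll (file missing)
O20 - Winlogon Notify: ICM - C:\WINNT\system32\guard.tmp (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: ICM - C:\WINNT\system32\f2l00c3mef.dll
"""
DLLCOMPARE_LOG = r"""
C:\WINNT\SYSTEM32\f2l00c~1.dll Sat Mar 11 2006 11:35:42a ..S.R 233,875 228.39 K
C:\WINNT\SYSTEM32\jut.dll Sat Mar 11 2006 1:36:34p ..S.R 233,875 228.39 K
C:\WINNT\SYSTEM32\r46ule~1.dll Sat Mar 11 2006 1:36:34p ..S.R 235,839 230.31 K
"""
# Assumed allowlist: the one notify DLL expected on this machine (Webroot's logon hook).
KNOWN_GOOD = {"wrlogonntf.dll"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)"
                    r"(?P<missing>\s+\(file missing\))?\s*$")
DLLC_RE = re.compile(r"^(?P<path>.+?)\s+(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat) \w{3} +\d+ \d{4} "
                     r"\d{1,2}:\d{2}:\d{2}[ap]\s+(?P<attrs>[A-Z.]+)\s+(?P<size>[\d,]+)\s+[\d.]+ [KMG]\s*$")


def split_ext(name):
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


@dataclass
class NotifyEntry:
    key: str            # subkey under Winlogon\Notify (Explorer, ICM, WRNotifier)
    path: str
    missing: bool       # HijackThis printed "(file missing)"
    reasons: list = field(default_factory=list)

    @property
    def basename(self):
        return self.path.rsplit("\\", 1)[-1].lower()


@dataclass
class HiddenFile:
    path: str
    attrs: set          # letters from the DLLCompare attribute column, e.g. {'S', 'R'}
    size: int

    @property
    def basename(self):
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_o20(text):
    out = []
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            out.append(NotifyEntry(m["key"], m["path"], m["missing"] is not None))
    return out


def parse_dllcompare(text):
    out = []
    for line in text.splitlines():
        m = DLLC_RE.match(line.strip())
        if m:
            out.append(HiddenFile(m["path"], set(m["attrs"].replace(".", "")),
                                  int(m["size"].replace(",", ""))))
    return out


def short_name_matches(long_base, short_base):
    """Assumed 8.3 rule: a long stem is listed as its first six characters plus '~N'."""
    lstem, lext = split_ext(long_base)
    sstem, sext = split_ext(short_base)
    if lext != sext:
        return False
    if "~" in sstem:
        return len(lstem) > 8 and lstem.startswith(sstem.split("~")[0])
    return lstem == sstem


def looks_random(stem):
    # Assumed heuristic: 6+ lowercase alphanumerics mixing letters and digits.
    return (re.fullmatch(r"[a-z0-9]{6,}", stem) is not None
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def assess(hjt_text, dllcompare_text, allowlist=KNOWN_GOOD):
    """Return the Notify entries worth acting on, each with the reasons it was flagged."""
    hidden = parse_dllcompare(dllcompare_text)
    findings = []
    for e in parse_o20(hjt_text):
        if e.basename in allowlist:
            continue
        stem, ext = split_ext(e.basename)
        if e.missing:
            e.reasons.append("file missing")          # key outlived the DLL it pointed at
        if ext != "dll":
            e.reasons.append("non-DLL extension")     # guard.tmp registered as a notify package
        if looks_random(stem):
            e.reasons.append("random-looking name")
        for h in hidden:
            if short_name_matches(e.basename, h.basename):
                e.reasons.append("hidden from Win32 per DLLCompare, attrs %s" % "".join(sorted(h.attrs)))
        if e.reasons:
            findings.append(e)
    return findings


def unreferenced_hidden(hjt_text, dllcompare_text):
    """Hidden DLLs that no Notify key references yet (the second log's new arrivals)."""
    referenced = [e.basename for e in parse_o20(hjt_text)]
    return [h.basename for h in parse_dllcompare(dllcompare_text)
            if not any(short_name_matches(r, h.basename) for r in referenced)]


if __name__ == "__main__":
    for f in assess(HJT_LOG, DLLCOMPARE_LOG):
        print(f"{f.key:10} {f.path}  <- {', '.join(f.reasons)}")
    print("hidden but unreferenced:", unreferenced_hidden(HJT_LOG, DLLCOMPARE_LOG))
```

Run stand-alone it flags j8p0li7m18.dll and guard.tmp (Notify keys whose files are already gone), and f2l00c3mef.dll (random name, and DLLCompare shows the same file as f2l00c~1.dll with system and read-only attributes). It also lists jut.dll and r46ule~1.dll as hidden DLLs no Notify key points at yet; both carry a 1:36:34 PM timestamp, after the Spy Sweeper session, and jut.dll has exactly the size of f2l00c~1.dll, which is the kind of drop-and-rename the repeat DLLCompare scan is meant to surface.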

#49 devotion
Authentic Member, 43 posts
Posted 11 March 2006 - 01:57 PM

2:11 PM: Starting Cookie Sweep
2:11 PM: Found Spy Cookie: 80503492 cookie
2:11 PM: jones@80503492[1].txt (ID = 2013)
2:11 PM: Found Spy Cookie: 888 cookie
2:11 PM: jones@888[1].txt (ID = 2019)
2:11 PM: Found Spy Cookie: websponsors cookie
2:11 PM: jones@a.websponsors[2].txt (ID = 3665)
2:11 PM: Found Spy Cookie: about cookie
2:11 PM: jones@about[2].txt (ID = 2037)
2:11 PM: Found Spy Cookie: yieldmanager cookie
2:11 PM: jones@ad.yieldmanager[1].txt (ID = 3751)
2:11 PM: Found Spy Cookie: adecn cookie
2:11 PM: jones@adecn[2].txt (ID = 2063)
2:11 PM: Found Spy Cookie: adknowledge cookie
2:11 PM: jones@adknowledge[2].txt (ID = 2072)
2:11 PM: Found Spy Cookie: hbmediapro cookie
2:11 PM: jones@adopt.hbmediapro[2].txt (ID = 2768)
2:11 PM: Found Spy Cookie: specificclick.com cookie
2:11 PM: jones@adopt.specificclick[2].txt (ID = 3400)
2:11 PM: Found Spy Cookie: adorigin cookie
2:11 PM: jones@adorigin[2].txt (ID = 2082)
2:11 PM: Found Spy Cookie: adprofile cookie
2:11 PM: jones@adprofile[2].txt (ID = 2084)
2:11 PM: Found Spy Cookie: cc214142 cookie
2:11 PM: jones@ads.cc214142[2].txt (ID = 2367)
2:11 PM: Found Spy Cookie: revenue.net cookie
2:11 PM: jones@ads1.revenue[1].txt (ID = 3258)
2:11 PM: Found Spy Cookie: 2o7.net cookie
2:11 PM: jones@americasnotenetwork.122.2o7[1].txt (ID = 1958)
2:11 PM: Found Spy Cookie: ask cookie
2:11 PM: jones@ask[1].txt (ID = 2245)
2:11 PM: Found Spy Cookie: atwola cookie
2:11 PM: jones@atwola[1].txt (ID = 2255)
2:11 PM: Found Spy Cookie: azjmp cookie
2:11 PM: jones@azjmp[1].txt (ID = 2270)
2:11 PM: Found Spy Cookie: banners cookie
2:11 PM: jones@banners[1].txt (ID = 2282)
2:11 PM: Found Spy Cookie: belnk cookie
2:11 PM: jones@belnk[1].txt (ID = 2292)
2:11 PM: Found Spy Cookie: bizrate cookie
2:11 PM: jones@bizrate[2].txt (ID = 2308)
2:11 PM: Found Spy Cookie: bluestreak cookie
2:11 PM: jones@bluestreak[1].txt (ID = 2314)
2:11 PM: Found Spy Cookie: burstnet cookie
2:11 PM: jones@burstnet[2].txt (ID = 2336)
2:11 PM: Found Spy Cookie: enhance cookie
2:11 PM: jones@c.enhance[1].txt (ID = 2614)
2:11 PM: Found Spy Cookie: cassava cookie
2:11 PM: jones@cassava[1].txt (ID = 2362)
2:11 PM: jones@compreviews.about[2].txt (ID = 2038)
2:11 PM: Found Spy Cookie: overture cookie
2:11 PM: jones@data1.perf.overture[2].txt (ID = 3106)
2:11 PM: Found Spy Cookie: delfinproject cookie
2:11 PM: jones@delfinproject[2].txt (ID = 2509)
2:11 PM: jones@dist.belnk[2].txt (ID = 2293)
2:11 PM: jones@entrepreneurs.about[1].txt (ID = 2038)
2:11 PM: Found Spy Cookie: exitexchange cookie
2:11 PM: jones@exitexchange[2].txt (ID = 2633)
2:11 PM: Found Spy Cookie: starware.com cookie
2:11 PM: jones@h.starware[1].txt (ID = 3442)
2:11 PM: jones@hbmediapro[1].txt (ID = 2767)
2:11 PM: Found Spy Cookie: clickandtrack cookie
2:11 PM: jones@hits.clickandtrack[1].txt (ID = 2397)
2:11 PM: Found Spy Cookie: hypertracker.com cookie
2:11 PM: jones@hypertracker[2].txt (ID = 2817)
2:11 PM: Found Spy Cookie: ic-live cookie
2:11 PM: jones@ic-live[1].txt (ID = 2821)
2:11 PM: Found Spy Cookie: nextag cookie
2:11 PM: jones@nextag[2].txt (ID = 5014)
2:11 PM: Found Spy Cookie: megago cookie
2:11 PM: jones@northalabamahomeeducators.freeservers[1].txt (ID = 2983)
2:11 PM: jones@partygaming.122.2o7[1].txt (ID = 1958)
2:11 PM: Found Spy Cookie: partypoker cookie
2:11 PM: jones@partypoker[2].txt (ID = 3111)
2:11 PM: Found Spy Cookie: paypopup cookie
2:11 PM: jones@paypopup[1].txt (ID = 3119)
2:11 PM: Found Spy Cookie: pricegrabber cookie
2:11 PM: jones@pricegrabber[2].txt (ID = 3185)
2:11 PM: jones@secure.adprofile[1].txt (ID = 2085)
2:11 PM: Found Spy Cookie: sirsearch cookie
2:11 PM: jones@sirsearch[1].txt (ID = 3379)
2:11 PM: Found Spy Cookie: dealtime cookie
2:11 PM: jones@stat.dealtime[1].txt (ID = 2506)
2:11 PM: Found Spy Cookie: reliablestats cookie
2:11 PM: jones@stats1.reliablestats[1].txt (ID = 3254)
2:11 PM: Found Spy Cookie: tacoda cookie
2:11 PM: jones@tacoda[1].txt (ID = 6444)
2:11 PM: Found Spy Cookie: upspiral cookie
2:11 PM: jones@upspiral[1].txt (ID = 3614)
2:11 PM: Found Spy Cookie: videodome cookie
2:11 PM: jones@videodome[1].txt (ID = 3638)
2:11 PM: Found Spy Cookie: burstbeacon cookie
2:11 PM: jones@www.burstbeacon[2].txt (ID = 2335)
2:11 PM: jones@www.nextag[1].txt (ID = 5015)
2:11 PM: Found Spy Cookie: redzip cookie
2:11 PM: jones@www.redzip[2].txt (ID = 3250)
2:11 PM: jones@www.upspiral[2].txt (ID = 3615)
2:11 PM: Found Spy Cookie: winantiviruspro cookie
2:11 PM: jones@www.winantiviruspro[1].txt (ID = 3690)
2:11 PM: Found Spy Cookie: seeq cookie
2:11 PM: jones@www48.seeq[1].txt (ID = 3332)
2:11 PM: jones@yieldmanager[1].txt (ID = 3749)
2:11 PM: Cookie Sweep Complete, Elapsed Time: 00:00:13
2:11 PM: Starting File Sweep
2:12 PM: atmtd.dll._ (ID = 166754)
2:17 PM: Found Adware: effective-i toolbar
2:17 PM: glb8a.tmp (ID = 253666)
2:17 PM: Found Adware: comet cursor
2:17 PM: csbho.dll (ID = 53512)
2:19 PM: Found Adware: adlogix
2:19 PM: gcllzf.exe (ID = 49210)
2:20 PM: Found Trojan Horse: trojan-downloader-nextern
2:20 PM: aebcq9z5w.exe (ID = 252979)
2:21 PM: ms03836209409.exe (ID = 244278)
2:21 PM: Found Adware: winantispyware 2005
2:21 PM: uwasfsd.sys (ID = 242115)
2:25 PM: gcllzd.exe (ID = 49209)
2:27 PM: ms038362094092006.exe (ID = 254903)
2:30 PM: sysc00.exe (ID = 244277)
2:30 PM: Found Adware: elitemediagroup-mediamotor
2:30 PM: mcspy.exe (ID = 251295)
2:31 PM: Found Adware: look2me
2:31 PM: k2620cjoefoc0.dll (ID = 159)
2:31 PM: gcllzc.exe (ID = 49208)
2:31 PM: Found System Monitor: spion
2:31 PM: unistb32.exe (ID = 76299)
2:31 PM: u1um0id.exe (ID = 257313)
2:32 PM: Found Adware: findthewebsiteyouneed hijacker
2:32 PM: winsysupd11.exe (ID = 253754)
2:33 PM: Found Adware: surfsidekick
2:33 PM: sskupdater3.exe (ID = 251246)
2:34 PM: winsysupd11.exe (ID = 253754)
2:35 PM: asappsrv.dll (ID = 144945)
2:37 PM: atmtd.dll (ID = 166754)
2:41 PM: uni_eh.exe (ID = 245110)
2:44 PM: command.exe (ID = 144946)
2:45 PM: i98.tmp (ID = 253411)
2:45 PM: unin101.exe (ID = 245111)
2:46 PM: Found Adware: zenosearchassistant
2:46 PM: qrdsregj.exe (ID = 293)
2:47 PM: ttbitt.exe (ID = 252995)
2:47 PM: setup.exe (ID = 242102)
2:47 PM: v9gcyb8xi.dll (ID = 252997)
2:47 PM: kt06l7ds1.dll (ID = 159)
2:47 PM: win3208940983620.exe (ID = 254903)
2:47 PM: winantispyware2006setup.exe (ID = 242357)
2:47 PM: crmsvcs.dll (ID = 159)
2:47 PM: pf78.exe (ID = 244430)
2:47 PM: dgfgql.exe (ID = 257312)
2:47 PM: m2820cloefqc0.dll (ID = 159)
2:47 PM: gp82l3lo1.dll (ID = 159)
2:47 PM: wrgscuu.xrz (ID = 208796)
2:47 PM: e0jm0a11ed.dll (ID = 159)
2:49 PM: ma6rtrg.vbs (ID = 185675)
2:49 PM: Warning: Invalid Stream
2:50 PM: Warning: Invalid Stream
2:50 PM: uninstall cyber-detective toolkit.lnk (ID = 76299)
2:50 PM: File Sweep Complete, Elapsed Time: 00:38:57
2:50 PM: Full Sweep has completed. Elapsed time 00:46:12
2:50 PM: Traces Found: 231
2:54 PM: Removal process initiated
2:54 PM: Quarantining All Traces: adlogix
2:54 PM: Quarantining All Traces: look2me
2:54 PM: Quarantining All Traces: spion
2:54 PM: Quarantining All Traces: comet cursor
2:54 PM: Quarantining All Traces: elitemediagroup-mediamotor
2:54 PM: Quarantining All Traces: enbrowser
2:54 PM: Quarantining All Traces: quicklink search toolbar
2:54 PM: Quarantining All Traces: surfsidekick
2:55 PM: Quarantining All Traces: trojan-downloader-nextern
2:55 PM: Quarantining All Traces: command
2:55 PM: command is in use. It will be removed on reboot.
2:55 PM: asappsrv.dll is in use. It will be removed on reboot.
2:55 PM: C:\WINNT\Sm9uZXM\command.exe is in use. It will be removed on reboot.
2:55 PM: C:\WINNT\Sm9uZXM\asappsrv.dll is in use. It will be removed on reboot.
2:55 PM: Quarantining All Traces: effective-i toolbar
2:55 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
2:55 PM: Quarantining All Traces: zenosearchassistant
2:55 PM: Quarantining All Traces: 2o7.net cookie
2:55 PM: Quarantining All Traces: 80503492 cookie
2:55 PM: Quarantining All Traces: 888 cookie
2:55 PM: Quarantining All Traces: about cookie
2:55 PM: Quarantining All Traces: adecn cookie
2:55 PM: Quarantining All Traces: adknowledge cookie
2:55 PM: Quarantining All Traces: adorigin cookie
2:55 PM: Quarantining All Traces: adprofile cookie
2:55 PM: Quarantining All Traces: ask cookie
2:55 PM: Quarantining All Traces: atwola cookie
2:55 PM: Quarantining All Traces: azjmp cookie
2:55 PM: Quarantining All Traces: banners cookie
2:55 PM: Quarantining All Traces: belnk cookie
2:55 PM: Quarantining All Traces: bizrate cookie
2:55 PM: Quarantining All Traces: bluestreak cookie
2:55 PM: Quarantining All Traces: burstbeacon cookie
2:55 PM: Quarantining All Traces: burstnet cookie
2:55 PM: Quarantining All Traces: cassava cookie
2:55 PM: Quarantining All Traces: cc214142 cookie
2:55 PM: Quarantining All Traces: clickandtrack cookie
2:55 PM: Quarantining All Traces: dealtime cookie
2:55 PM: Quarantining All Traces: delfinproject cookie
2:55 PM: Quarantining All Traces: enhance cookie
2:55 PM: Quarantining All Traces: exitexchange cookie
2:55 PM: Quarantining All Traces: hbmediapro cookie
2:55 PM: Quarantining All Traces: hypertracker.com cookie
2:55 PM: Quarantining All Traces: ic-live cookie
2:55 PM: Quarantining All Traces: megago cookie
2:55 PM: Quarantining All Traces: nextag cookie
2:55 PM: Quarantining All Traces: overture cookie
2:55 PM: Quarantining All Traces: partypoker cookie
2:55 PM: Quarantining All Traces: paypopup cookie
2:55 PM: Quarantining All Traces: pricegrabber cookie
2:55 PM: Quarantining All Traces: redzip cookie
2:55 PM: Quarantining All Traces: reliablestats cookie
2:55 PM: Quarantining All Traces: revenue.net cookie
2:55 PM: Quarantining All Traces: seeq cookie
2:55 PM: Quarantining All Traces: sirsearch cookie
2:55 PM: Quarantining All Traces: specificclick.com cookie
2:55 PM: Quarantining All Traces: starware.com cookie
2:55 PM: Quarantining All Traces: tacoda cookie
2:55 PM: Quarantining All Traces: upspiral cookie
2:55 PM: Quarantining All Traces: videodome cookie
2:55 PM: Quarantining All Traces: websponsors cookie
2:55 PM: Quarantining All Traces: winantispyware 2005
2:56 PM: Quarantining All Traces: winantiviruspro cookie
2:56 PM: Quarantining All Traces: yieldmanager cookie
2:57 PM: Removal process completed. Elapsed time 00:03:53
3:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
[The same two "Spy Communication shield has blocked access to" messages, for www.ad-w-a-r-e.com and www.a-d-w-a-r-e.com, repeat continuously from 3:05 PM through 3:13 PM; the only other entries in that span are the two warnings below.]
3:09 PM: Warning: Failed to check file "C:\WINNT\system32\e8jmli1118.dll". Stream read error
3:09 PM: Warning: Failed to check file "C:\WINNT\system32\ifrtrmgr.dll". Stream read error
3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: 
www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: Warning: Failed to check file "C:\WINNT\system32\e8jmli1118.dll". 
Stream read error 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:14 PM: Warning: Failed to check file "C:\WINNT\system32\ifrtrmgr.dll". Stream read error 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:15 PM: The Spy Communication shield 
has blocked access to: www.a-d-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy 
Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 
PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: 
www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: Warning: Failed to check file "C:\WINNT\system32\e8jmli1118.dll". Stream read error 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com 3:19 PM: Warning: Failed to check file "C:\WINNT\system32\ifrtrmgr.dll". Stream read error

#50 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 March 2006 - 01:58 PM

Can you try this again? Delete the one you downloaded earlier.

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Post #1
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom


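The find log that option #1 writes is a set of regedit exports (Winlogon/notify, useragent, shell extensions, CLSIDs) in plain .reg syntax. As an added example, not part of l2mfix or anything posted in this thread, here is a Python reader for that syntax: it decodes the hex(2) DllName values, lists every Winlogon\Notify package, flags DLLs outside an assumed baseline or registered by full path, and lists the DLLs behind CLSID InprocServer32 keys. The sample export, the baseline set and all function names are constructed for the example.

```python
"""Read the registry exports in an L2MFIX find log (plain .reg syntax), list the
DLLs hooked into Winlogon\\Notify and the DLLs behind CLSID InprocServer32 keys.
Added example for this thread; not code from l2mfix, HijackThis or Spy Sweeper."""
import re
# Constructed sample modelled on the find-log sections: one stock package with a
# hex(2) (REG_EXPAND_SZ) DllName, one with a plain string, the ICM package
# pointing at a random-named DLL, and one CLSID whose server is in system32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ICM]
"DllName"="C:\\WINNT\\system32\\f2l00c3mef.dll"

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\InprocServer32]
@="C:\\WINNT\\system32\\wP2time.dll"
"ThreadingModel"="Apartment"
'''
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
# Baseline assumed for the example: the stock Windows 2000 packages seen in the
# log plus Webroot's notifier. A real baseline comes from a known-clean machine.
KNOWN_NOTIFY_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'sclgntfy.dll',
                     'wlnotify.dll', 'wzcdlg.dll', 'wrlogonntf.dll'}
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')
INPROC_RE = re.compile(r'^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$', re.I)

def join_continuations(text):
    """Re-join hex values that regedit wraps across lines with a trailing ',\\'."""
    lines, pending = [], ''
    for raw in text.splitlines():
        pending += raw.strip() if pending else raw.rstrip()
        if pending.endswith(',\\'):
            pending = pending[:-1]          # drop the wrap marker, keep reading
            continue
        lines.append(pending)
        pending = ''
    return lines + ([pending] if pending else [])

def decode_value(data):
    """Turn .reg value text into str / int / list / bytes."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith('dword:'):
        return int(data[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', data)
    if not m:
        return data
    kind = int(m.group(1) or 3)             # bare "hex:" is REG_BINARY (type 3)
    raw = bytes(int(b, 16) for b in m.group(2).split(',') if b)
    if kind in (1, 2, 7):                   # string types are UTF-16LE, NUL-terminated
        text = raw.decode('utf-16-le')
        return [s for s in text.split('\x00') if s] if kind == 7 else text.rstrip('\x00')
    return raw

def parse_reg(text):
    """Map each [key] to a dict of its values; the default value is named '@'."""
    keys, current = {}, None
    for line in join_continuations(text):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group('name') or '@'] = decode_value(m.group('data'))
    return keys

def notify_packages(keys):
    """{subkey: DllName} for every Winlogon\\Notify package. Value names are
    case-insensitive in the registry; the log shows both DllName and DLLName."""
    prefix, out = NOTIFY_KEY.lower() + '\\', {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            dll = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
            if dll is not None:
                out[key[len(prefix):]] = dll
    return out

def suspicious_packages(keys):
    """Packages whose DLL is outside the baseline or given as a full path (stock
    packages register a bare file name that winlogon resolves from system32)."""
    return {sub: dll for sub, dll in notify_packages(keys).items()
            if '\\' in dll or dll.rsplit('\\', 1)[-1].lower() not in KNOWN_NOTIFY_DLLS}

def inproc_servers(keys):
    """{CLSID: DLL} for each HKCR\\CLSID\\{...}\\InprocServer32 key in the export."""
    return {m.group(1): values['@'] for key, values in keys.items()
            if (m := INPROC_RE.match(key)) and '@' in values}

if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    print('notify packages:', notify_packages(parsed))
    print('suspicious:', suspicious_packages(parsed))
    print('inproc servers:', inproc_servers(parsed))
```

Feed it the text of a real find log and compare the suspicious set against the Winlogon Notify entries HijackThis reports as O20 lines.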
#51 devotion

devotion

    Authentic Member

  • Authentic Member
  • 43 posts

Posted 11 March 2006 - 02:01 PM

3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: Warning: Failed to check file "C:\WINNT\system32\e8jmli1118.dll". Stream read error
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: Warning: Failed to check file "C:\WINNT\system32\ifrtrmgr.dll". Stream read error
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: Warning: Failed to check file "C:\WINNT\system32\e8jmli1118.dll". Stream read error
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: Warning: Failed to check file "C:\WINNT\system32\ifrtrmgr.dll". Stream read error
3:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:35 PM: Warning: Failed to check file "C:\WINNT\system32\e8jmli1118.dll". Stream read error
3:35 PM: Warning: Failed to check file "C:\WINNT\system32\ifrtrmgr.dll". Stream read error
3:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: Warning: Failed to check file "C:\WINNT\system32\e8jmli1118.dll". Stream read error
3:41 PM: Warning: Failed to check file "C:\WINNT\system32\ifrtrmgr.dll". Stream read error
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com

Continues for pages.......

#52 devotion

devotion

    Authentic Member

  • Authentic Member
  • 43 posts

Posted 11 March 2006 - 02:01 PM

Will Do

#53 devotion

devotion

    Authentic Member

  • Authentic Member
  • 43 posts

Posted 11 March 2006 - 02:10 PM

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ICM]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\f2l00c3mef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{45B5A98C-115C-CB49-15FD-F7FAFBEB1572}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{E0D79300-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79301-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79302-84BE-11CE-9641-444553540000}"="WinZip"
"{A7B10217-897B-4C21-9558-C59F4CD71664}"=""
"{C8E7E460-060A-403A-A447-3F051D010518}"=""
"{259B12F3-BC61-473A-B964-CB8266816CC7}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{B1ED9866-5642-4556-BCE0-1A76E244D5B5}"=""
"{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}"=""
"{523CCD66-AA17-42EB-9C85-7B1A13889F33}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\InprocServer32]
@="C:\\WINNT\\system32\\wP2time.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\InprocServer32]
@="C:\\WINNT\\system32\\fUxevent.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{523CCD66-AA17-42EB-9C85-7B1A13889F33}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{523CCD66-AA17-42EB-9C85-7B1A13889F33}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{523CCD66-AA17-42EB-9C85-7B1A13889F33}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{523CCD66-AA17-42EB-9C85-7B1A13889F33}\InprocServer32]
@="C:\\WINNT\\system32\\jut.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 186D-9AB1

 Directory of C:\WINNT\System32

03/11/2006  01:59p      <DIR>          ..
03/11/2006  01:59p      <DIR>          .
03/11/2006  01:36p             233,875 jut.dll
03/11/2006  01:36p             235,839 r46ulej91ho.dll
03/11/2006  11:35a             233,875 f2l00c3mef.dll
03/09/2006  09:14p               8,775 .exe
02/04/2006  05:01p      <DIR>          Lavan
01/14/2006  06:19p      <DIR>          dllcache
               4 File(s)        712,364 bytes
               4 Dir(s)   8,182,158,848 bytes free

#54 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 March 2006 - 02:13 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder again.

After the fix portion is done, please run the option to restore the winlogon defaults (menu option 4), as most of the notify key is missing. After you do that, post an option 1 log again.


IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Edited by LDTate, 11 March 2006 - 02:14 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
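The "notify key" LDTate refers to is HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, and HijackThis reports each of its subkeys as an O20 line. The helper below is an added example for this thread, not code from HijackThis, L2MFix or the forum: it pulls the O20 lines out of a HijackThis log and explains why each one deserves a second look. Its allowlist is an assumption taken from the stock Windows 2000 notify entries in the L2MFix export posted in this thread (crypt32chain, cryptnet, cscdll, sclgntfy, SensLogn, wzcnotif) plus Webroot's WRNotifier, and the "random-looking name" test is a heuristic, not a signature. The sample lines are copied from the two HijackThis logs in this thread.

```python
"""Flag suspicious 'O20 - Winlogon Notify' lines in a HijackThis log.

Added example for this thread; not part of HijackThis or L2MFix.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed baseline: the notify DLLs shown as stock Windows 2000 entries in the
# L2MFix export posted in this thread (crypt32chain, cryptnet, cscdll, sclgntfy,
# SensLogn, wzcnotif) plus Webroot's WRNotifier. Not an exhaustive list.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wzcdlg.dll", "wrlogonntf.dll",
}

# HijackThis 1.99 prints: O20 - Winlogon Notify: <subkey> - <path>[ (file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<subkey>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Sample input: O4/O20 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\j8p0li7m18.dll (file missing)
O20 - Winlogon Notify: ICM - C:\WINNT\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\f2l00c3mef.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
"""


@dataclass
class NotifyEntry:
    subkey: str
    path: str
    file_missing: bool

    @property
    def filename(self) -> str:
        # Last path component, lower-cased so the allowlist check is case-insensitive.
        return self.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_o20(log_text: str) -> list[NotifyEntry]:
    """Return every O20 line as a NotifyEntry; all other HijackThis lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = O20_RE.match(raw.strip())
        if m:
            entries.append(NotifyEntry(m["subkey"].strip(), m["path"].strip(),
                                       m["missing"] is not None))
    return entries


def looks_random(stem: str) -> bool:
    """Heuristic only: letters and digits mixed in a name of six or more characters."""
    return (len(stem) >= 6
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def assess_notify(entries: list[NotifyEntry]) -> dict[str, list[str]]:
    """Map subkey name -> reasons, for every entry worth a second look.

    The subkey name (Explorer, ICM, Unimodem, ...) is chosen by whoever wrote the
    key and proves nothing by itself; the verdict rests on the DLL it points to.
    """
    flagged = {}
    for e in entries:
        reasons = []
        name = e.filename
        stem, _, ext = name.rpartition(".")
        if e.file_missing:
            reasons.append("file missing: the registry still references a DLL that is gone from disk")
        if ext != "dll":
            reasons.append(f"notify hook loaded from a '.{ext}' file instead of a DLL")
        if name not in KNOWN_NOTIFY_DLLS:
            if looks_random(stem):
                reasons.append(f"random-looking filename '{name}' not in the known notify DLL list")
            else:
                reasons.append(f"unrecognised notify DLL '{name}'; verify its publisher before trusting it")
        if reasons:
            flagged[e.subkey] = reasons
    return flagged


if __name__ == "__main__":
    for subkey, reasons in assess_notify(parse_o20(SAMPLE_LOG)).items():
        print(f"{subkey}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the sample, Explorer, ICM and Unimodem are flagged and WRNotifier is not; the first two are the leftover "(file missing)" hooks the first log showed, Unimodem is the live f2l00c3mef.dll entry that survived the option 2 run, which is why the helper's option 4 step (restore the notify defaults) still matters.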

 


#55 devotion

devotion

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 11 March 2006 - 02:33 PM

L2mfix 010406
Creating Account.
The account already exists.


More help is available by typing NET HELPMSG 2224.


Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (152 bytes security) (deflated 86%)


Logfile of HijackThis v1.99.1
Scan saved at 2:21:25 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\f2l00c3mef.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



#56 devotion

devotion

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 11 March 2006 - 02:39 PM

Option 1 log

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\f2l00c3mef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{45B5A98C-115C-CB49-15FD-F7FAFBEB1572}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder" "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer" "{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder" "{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut" "{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume" 
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension" "{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page" "{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook" "{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service" "{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service" "{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service" "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View" "{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu" "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service" "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service" "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler" "{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions" "{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop" "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension" "{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon" "{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper" "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder" "{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band" "{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu" "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site" "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" 
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" 
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails" "{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor" "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" 
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." 
"{E0D79300-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79301-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79302-84BE-11CE-9641-444553540000}"="WinZip" "{A7B10217-897B-4C21-9558-C59F4CD71664}"="" "{C8E7E460-060A-403A-A447-3F051D010518}"="" "{259B12F3-BC61-473A-B964-CB8266816CC7}"="" "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration" "{B1ED9866-5642-4556-BCE0-1A76E244D5B5}"="" "{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}"="" "{523CCD66-AA17-42EB-9C85-7B1A13889F33}"="" "{B0B992B3-EB18-422D-A158-2FCB945ACA27}"="" ********************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}] @="" [HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{A7B10217-897B-4C21-9558-C59F4CD71664}\InprocServer32] @="C:\\WINNT\\system32\\wP2time.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}] @="" [HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{C8E7E460-060A-403A-A447-3F051D010518}\InprocServer32] @="C:\\WINNT\\system32\\fUxevent.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}] @="" [HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" 
[HKEY_CLASSES_ROOT\CLSID\{259B12F3-BC61-473A-B964-CB8266816CC7}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{523CCD66-AA17-42EB-9C85-7B1A13889F33}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{523CCD66-AA17-42EB-9C85-7B1A13889F33}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{523CCD66-AA17-42EB-9C85-7B1A13889F33}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{523CCD66-AA17-42EB-9C85-7B1A13889F33}\InprocServer32]
@="C:\\WINNT\\system32\\jut.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B0B992B3-EB18-422D-A158-2FCB945ACA27}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B0B992B3-EB18-422D-A158-2FCB945ACA27}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B0B992B3-EB18-422D-A158-2FCB945ACA27}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B0B992B3-EB18-422D-A158-2FCB945ACA27}\InprocServer32]
@="C:\\WINNT\\system32\\dhactfrm.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
dhactfrm.dll  Sat Mar 11 2006  2:18:16p  ..S.R  233,875  228.39 K
f2l00c~1.dll  Sat Mar 11 2006  11:35:42a  ..S.R  233,875  228.39 K
gcllz.dll  Sun Feb 26 2006  2:32:38p  A....  65,537  64.00 K
jtnm07~1.dll  Sat Mar 11 2006  2:18:12p  ..S.R  234,032  228.55 K
jut.dll  Sat Mar 11 2006  1:36:34p  ..S.R  233,875  228.39 K
r46ule~1.dll  Sat Mar 11 2006  1:36:34p  ..S.R  235,839  230.31 K
sporder.dll  Sun Feb 26 2006  9:48:06a  A....  8,464  8.27 K
wrlogo~1.dll  Wed Jan 25 2006  11:06:02a  A....  492,544  481.00 K
wrlzma.dll  Wed Jan 25 2006  11:05:58a  A....  17,920  17.50 K

9 items found: 9 files (5 H/S), 0 directories.
Total of file sizes: 1,755,961 bytes  1.67 M

Locate .tmp files:

C:\WINNT\SYSTEM32\
1.tmp  Sun Jan 15 2006  10:17:08a  A....  150,528  147.00 K
10.tmp  Tue Jan 17 2006  7:32:40p  A....  150,528  147.00 K
11.tmp  Sun Feb 5 2006  12:42:54p  A....  19,401  18.95 K
12.tmp  Sun Feb 5 2006  12:42:58p  A....  19,401  18.95 K
13.tmp  Sat Feb 4 2006  9:17:30p  A....  19,401  18.95 K
14.tmp  Sun Feb 5 2006  2:39:26p  A....  19,401  18.95 K
15.tmp  Sun Feb 5 2006  2:44:44p  A....  19,401  18.95 K
16.tmp  Sun Feb 5 2006  3:38:28p  A....  19,401  18.95 K
17.tmp  Sun Feb 5 2006  8:15:28p  A....  19,401  18.95 K
17d.tmp  Thu Mar 9 2006  11:57:48a  A....  0  0.00 K
18.tmp  Sun Feb 5 2006  8:20:46p  A....  19,401  18.95 K
182.tmp  Thu Mar 9 2006  12:31:54p  A....  0  0.00 K
18d.tmp  Thu Mar 9 2006  12:37:30p  A....  20,737  20.25 K
19.tmp  Mon Feb 6 2006  7:28:28a  A....  19,401  18.95 K
190.tmp  Thu Mar 9 2006  12:46:26p  A....  20,737  20.25 K
1a.tmp  Fri Jan 27 2006  1:38:48p  A....  0  0.00 K
1b.tmp  Fri Jan 27 2006  1:39:08p  A....  0  0.00 K
1b0.tmp  Thu Mar 9 2006  1:02:26p  A....  20,737  20.25 K
1b1.tmp  Thu Mar 9 2006  1:02:28p  A....  0  0.00 K
1c.tmp  Mon Feb 6 2006  7:33:50a  A....  19,401  18.95 K
1d.tmp  Mon Feb 6 2006  8:48:38p  A....  19,401  18.95 K
1e.tmp  Mon Feb 6 2006  8:54:20a  A....  19,401  18.95 K
1f.tmp  Mon Feb 6 2006  12:10:46p  A....  19,401  18.95 K
2.tmp  Sun Jan 15 2006  1:47:30p  A....  150,528  147.00 K
20.tmp  Mon Feb 6 2006  12:10:56p  A....  19,401  18.95 K
21.tmp  Mon Feb 6 2006  12:46:52p  A....  19,401  18.95 K
22.tmp  Mon Feb 6 2006  12:47:20p  A....  19,401  18.95 K
23.tmp  Mon Feb 6 2006  12:58:18p  A....  19,401  18.95 K
24.tmp  Mon Feb 6 2006  1:04:00p  A....  19,401  18.95 K
25.tmp  Mon Feb 6 2006  8:48:42p  A....  19,401  18.95 K
26.tmp  Tue Feb 7 2006  6:54:38a  A....  19,401  18.95 K
27.tmp  Tue Feb 7 2006  6:59:34a  A....  19,401  18.95 K
28.tmp  Mon Feb 6 2006  1:27:50p  A....  19,401  18.95 K
29.tmp  Mon Feb 6 2006  1:28:02p  A....  19,401  18.95 K
2a.tmp  Tue Feb 7 2006  11:25:00a  A....  19,401  18.95 K
2b.tmp  Tue Feb 7 2006  11:25:06a  A....  19,401  18.95 K
2c.tmp  Tue Feb 7 2006  12:48:28p  A....  19,401  18.95 K
2d.tmp  Tue Feb 7 2006  12:48:36p  A....  19,401  18.95 K
2e.tmp  Tue Feb 7 2006  12:51:34p  A....  19,401  18.95 K
2f.tmp  Tue Feb 7 2006  1:31:30p  A....  19,401  18.95 K
3.tmp  Sun Jan 15 2006  2:20:48p  A....  150,528  147.00 K
30.tmp  Tue Feb 7 2006  1:43:38p  A....  19,401  18.95 K
31.tmp  Tue Feb 7 2006  8:05:12p  A....  19,401  18.95 K
32.tmp  Tue Feb 7 2006  8:05:12p  A....  19,401  18.95 K
33.tmp  Wed Feb 8 2006  8:17:10a  A....  19,401  18.95 K
34.tmp  Wed Feb 8 2006  8:17:12a  A....  19,401  18.95 K
35.tmp  Wed Feb 8 2006  11:50:50a  A....  19,401  18.95 K
36.tmp  Wed Feb 8 2006  11:51:04a  A....  19,401  18.95 K
37.tmp  Wed Feb 8 2006  1:55:46p  A....  19,401  18.95 K
38.tmp  Wed Feb 8 2006  2:01:36p  A....  19,401  18.95 K
39.tmp  Thu Feb 9 2006  10:13:42a  A....  8,708  8.50 K
3a.tmp  Thu Feb 9 2006  10:13:42a  A....  19,401  18.95 K
3b.tmp  Thu Feb 9 2006  5:01:58p  A....  19,401  18.95 K
3c.tmp  Thu Feb 9 2006  7:37:52p  A....  19,401  18.95 K
3d.tmp  Fri Feb 10 2006  8:37:36a  A....  19,401  18.95 K
3e.tmp  Thu Feb 9 2006  8:05:40p  A....  19,401  18.95 K
3f.tmp  Fri Feb 10 2006  7:41:52p  A....  0  0.00 K
4.tmp  Sun Jan 15 2006  8:08:00a  A....  0  0.00 K
40.tmp  Sat Feb 11 2006  12:28:20p  A....  19,401  18.95 K
41.tmp  Sat Feb 11 2006  5:42:16p  A....  19,401  18.95 K
42.tmp  Sun Feb 12 2006  11:30:04a  A....  19,401  18.95 K
43.tmp  Sun Feb 12 2006  2:39:22p  A....  19,401  18.95 K
44.tmp  Tue Feb 14 2006  11:28:36a  A....  19,401  18.95 K
45.tmp  Fri Feb 10 2006  10:28:44a  A....  19,401  18.95 K
46.tmp  Wed Feb 8 2006  3:25:52p  A....  19,401  18.95 K
47.tmp  Wed Feb 8 2006  3:25:54p  A....  19,401  18.95 K
48.tmp  Sun Feb 12 2006  3:54:02p  A....  19,401  18.95 K
49.tmp  Wed Feb 8 2006  8:31:40p  A....  19,401  18.95 K
4a.tmp  Tue Feb 14 2006  12:24:08p  A....  19,401  18.95 K
4b.tmp  Tue Feb 14 2006  2:42:16p  A....  19,401  18.95 K
4c.tmp  Wed Feb 15 2006  7:58:00a  A....  19,401  18.95 K
4d.tmp  Sun Feb 12 2006  7:53:10p  A....  19,401  18.95 K
4e.tmp  Mon Feb 13 2006  7:19:48a  A....  19,401  18.95 K
4f.tmp  Mon Feb 13 2006  7:29:58a  A....  19,401  18.95 K
5.tmp  Sun Jan 15 2006  3:52:08p  A....  150,528  147.00 K
50.tmp  Mon Feb 13 2006  8:08:36a  A....  19,401  18.95 K
51.tmp  Mon Feb 13 2006  9:51:24a  A....  19,401  18.95 K
52.tmp  Tue Feb 14 2006  4:51:32p  A....  19,401  18.95 K
53.tmp  Mon Feb 13 2006  10:00:22a  A....  19,401  18.95 K
54.tmp  Mon Feb 13 2006  10:33:52a  A....  19,401  18.95 K
55.tmp  Tue Feb 14 2006  8:13:16p  A....  19,401  18.95 K
56.tmp  Tue Feb 14 2006  8:41:14p  A....  19,401  18.95 K
57.tmp  Tue Feb 14 2006  9:54:14p  A....  19,401  18.95 K
58.tmp  Wed Feb 15 2006  9:54:54a  A....  19,401  18.95 K
59.tmp  Mon Feb 13 2006  11:32:18a  A....  19,401  18.95 K
5a.tmp  Wed Feb 15 2006  11:18:26a  A....  19,401  18.95 K
5b.tmp  Wed Feb 15 2006  3:31:50p  A....  19,401  18.95 K
5c.tmp  Wed Feb 15 2006  5:11:44p  A....  19,401  18.95 K
5d.tmp  Thu Feb 16 2006  6:46:50a  A....  19,401  18.95 K
5e.tmp  Thu Feb 16 2006  7:32:12a  A....  19,401  18.95 K
5f.tmp  Wed Feb 15 2006  6:54:30p  A....  19,401  18.95 K
6.tmp  Mon Jan 16 2006  5:38:30a  A....  150,528  147.00 K
60.tmp  Thu Feb 16 2006  9:13:16a  A....  19,401  18.95 K
61.tmp  Fri Feb 17 2006  7:07:40a  A....  19,401  18.95 K
62.tmp  Fri Feb 17 2006  7:53:46a  A....  19,401  18.95 K
63.tmp  Fri Feb 17 2006  9:41:40a  A....  19,401  18.95 K
64.tmp  Sat Feb 18 2006  6:57:14a  A....  19,401  18.95 K
65.tmp  Sat Feb 18 2006  7:40:34p  A....  19,401  18.95 K
66.tmp  Thu Feb 16 2006  11:03:24a  A....  19,401  18.95 K
67.tmp  Thu Feb 16 2006  12:53:10p  A....  19,401  18.95 K
68.tmp  Fri Feb 17 2006  11:09:58a  A....  19,401  18.95 K
69.tmp  Fri Feb 17 2006  8:00:38p  A....  19,401  18.95 K
6a.tmp  Sun Feb 19 2006  11:17:48a  A....  19,401  18.95 K
6b.tmp  Mon Feb 20 2006  10:42:42a  A....  20,505  20.02 K
6c.tmp  Tue Feb 21 2006  1:35:42p  A....  20,505  20.02 K
6d.tmp  Tue Feb 21 2006  8:52:52p  A....  20,505  20.02 K
6e.tmp  Tue Feb 21 2006  9:12:08p  A....  20,505  20.02 K
6f.tmp  Mon Feb 13 2006  12:35:18p  A....  19,401  18.95 K
7.tmp  Mon Jan 16 2006  6:45:56a  A....  150,528  147.00 K
70.tmp  Mon Feb 13 2006  6:09:50p  A....  19,401  18.95 K
71.tmp  Mon Feb 13 2006  7:50:14p  A....  19,401  18.95 K
72.tmp  Mon Feb 13 2006  8:43:58p  A....  19,401  18.95 K
73.tmp  Wed Feb 22 2006  8:01:18a  A....  20,505  20.02 K
74.tmp  Wed Feb 22 2006  8:24:04p  A....  20,505  20.02 K
75.tmp  Thu Feb 23 2006  9:40:58a  A....  20,505  20.02 K
76.tmp  Thu Feb 23 2006  9:53:14a  A....  20,505  20.02 K
77.tmp  Thu Feb 23 2006  12:43:04p  A....  20,505  20.02 K
78.tmp  Fri Feb 24 2006  2:07:16p  A....  20,869  20.38 K
79.tmp  Sun Feb 26 2006  9:27:10a  A....  20,737  20.25 K
7a.tmp  Thu Feb 23 2006  2:38:56p  A....  20,505  20.02 K
7b.tmp  Sun Feb 26 2006  1:24:22p  A....  20,737  20.25 K
7c.tmp  Sun Feb 26 2006  4:41:20p  A....  20,737  20.25 K
7d.tmp  Sun Feb 19 2006  12:19:26p  A....  19,401  18.95 K
7e.tmp  Thu Feb 23 2006  4:36:38p  A....  20,505  20.02 K
7f.tmp  Thu Feb 23 2006  8:10:10p  A....  20,505  20.02 K
8.tmp  Mon Jan 16 2006  8:54:28a  A....  0  0.00 K
80.tmp  Thu Feb 23 2006  9:09:06p  A....  20,505  20.02 K
81.tmp  Fri Feb 24 2006  7:17:46a  A....  20,869  20.38 K
82.tmp  Sun Feb 26 2006  4:58:50p  A....  20,737  20.25 K
83.tmp  Sun Feb 26 2006  5:57:36p  A....  20,737  20.25 K
84.tmp  Tue Feb 28 2006  9:08:52a  A....  20,737  20.25 K
85.tmp  Fri Feb 24 2006  10:31:56a  A....  20,869  20.38 K
86.tmp  Fri Feb 24 2006  12:13:52p  A....  20,869  20.38 K
87.tmp  Fri Feb 24 2006  1:44:58p  A....  20,869  20.38 K
88.tmp  Tue Feb 28 2006  1:07:48p  A....  20,737  20.25 K
89.tmp  Tue Feb 28 2006  2:18:52p  A....  20,737  20.25 K
8a.tmp  Sun Feb 19 2006  5:07:40p  A....  19,401  18.95 K
8b.tmp  Tue Feb 28 2006  4:25:54p  A....  20,737  20.25 K
8c.tmp  Tue Feb 28 2006  8:05:58p  A....  20,737  20.25 K
8d.tmp  Wed Mar 1 2006  8:34:54a  A....  20,737  20.25 K
8e.tmp  Wed Mar 1 2006  10:45:30a  A....  20,737  20.25 K
8f.tmp  Wed Mar 1 2006  11:28:54a  A....  20,737  20.25 K
9.tmp  Mon Jan 16 2006  2:15:18p  A....  150,528  147.00 K
90.tmp  Thu Mar 2 2006  10:10:52a  A....  20,737  20.25 K
91.tmp  Thu Mar 2 2006  8:39:44p  A....  20,737  20.25 K
92.tmp  Wed Mar 1 2006  12:34:56p  A....  20,737  20.25 K
93.tmp  Fri Mar 3 2006  8:37:36a  A....  20,737  20.25 K
94.tmp  Fri Mar 3 2006  10:46:20a  A....  20,737  20.25 K
95.tmp  Fri Mar 3 2006  12:04:36p  A....  20,737  20.25 K
96.tmp  Fri Mar 3 2006  1:14:26p  A....  20,737  20.25 K
97.tmp  Sat Mar 4 2006  6:37:46a  A....  20,737  20.25 K
98.tmp  Sat Mar 4 2006  7:37:20a  A....  20,737  20.25 K
99.tmp  Sat Mar 4 2006  8:29:56p  A....  20,737  20.25 K
9a.tmp  Tue Feb 28 2006  10:22:00a  A....  20,737  20.25 K
9b.tmp  Tue Feb 28 2006  12:24:12p  A....  20,737  20.25 K
9c.tmp  Fri Mar 3 2006  8:04:36p  A....  20,737  20.25 K
9d.tmp  Sat Mar 4 2006  9:51:54a  A....  20,737  20.25 K
9e.tmp  Sun Mar 5 2006  8:39:12a  A....  20,737  20.25 K
9f.tmp  Wed Mar 1 2006  3:51:36p  A....  20,737  20.25 K
a.tmp  Tue Jan 17 2006  7:38:04a  A....  2,529  2.47 K
a0.tmp  Wed Mar 1 2006  6:52:30p  A....  20,737  20.25 K
a1.tmp  Sun Mar 5 2006  11:36:40a  A....  20,737  20.25 K
a2.tmp  Sun Mar 5 2006  5:14:00p  A....  20,737  20.25 K
a3.tmp  Mon Mar 6 2006  12:17:34p  A....  20,737  20.25 K
a4.tmp  Sat Mar 4 2006  11:19:00a  A....  20,737  20.25 K
a5.tmp  Mon Mar 6 2006  2:06:02p  A....  20,737  20.25 K
a6.tmp  Tue Mar 7 2006  7:20:36a  A....  20,737  20.25 K
a7.tmp  Mon Mar 6 2006  8:17:30p  A....  20,737  20.25 K
a8.tmp  Tue Mar 7 2006  7:29:20a  A....  0  0.00 K
a9.tmp  Tue Mar 7 2006  6:52:32p  A....  20,737  20.25 K
aa.tmp  Sat Mar 4 2006  11:50:50a  A....  20,737  20.25 K
ab.tmp  Tue Mar 7 2006  7:00:46p  A....  20,737  20.25 K
ac.tmp  Tue Mar 7 2006  7:03:22p  A....  0  0.00 K
ad.tmp  Sat Mar 4 2006  2:43:22p  A....  20,737  20.25 K
ae.tmp  Tue Mar 7 2006  7:12:28p  A....  0  0.00 K
af.tmp  Sat Mar 4 2006  3:16:18p  A....  20,737  20.25 K
b.tmp  Tue Jan 17 2006  9:41:56p  A....  150,528  147.00 K
b0.tmp  Tue Mar 7 2006  8:02:14a  A....  20,737  20.25 K
b1.tmp  Sat Mar 4 2006  3:29:54p  A....  20,737  20.25 K
b2.tmp  Tue Mar 7 2006  8:02:16a  A....  0  0.00 K
b3.tmp  Tue Mar 7 2006  7:23:28p  A....  20,737  20.25 K
b4.tmp  Wed Mar 8 2006  10:00:42a  A....  20,737  20.25 K
b5.tmp  Wed Mar 8 2006  3:30:06p  A....  0  0.00 K
b6.tmp  Tue Mar 7 2006  4:19:54p  A....  20,737  20.25 K
b7.tmp  Thu Mar 9 2006  8:54:14a  A....  20,737  20.25 K
b8.tmp  Tue Mar 7 2006  4:25:22p  A....  0  0.00 K
b9.tmp  Wed Mar 8 2006  6:42:50p  A....  0  0.00 K
ba.tmp  Thu Mar 9 2006  2:29:10p  A....  0  0.00 K
bb.tmp  Thu Mar 9 2006  2:57:14p  A....  0  0.00 K
bc.tmp  Thu Mar 9 2006  3:02:44p  A....  0  0.00 K
bd.tmp  Thu Mar 9 2006  3:34:00p  A....  0  0.00 K
be.tmp  Thu Mar 9 2006  4:26:58p  A....  0  0.00 K
bf.tmp  Thu Mar 9 2006  3:59:48p  A....  0  0.00 K
c.tmp  Wed Jan 18 2006  7:59:32a  A....  150,528  147.00 K
c0.tmp  Thu Mar 9 2006  4:39:10p  A....  0  0.00 K
c1.tmp  Thu Mar 9 2006  4:44:04p  A....  0  0.00 K
c2.tmp  Thu Mar 9 2006  9:41:36p  A....  0  0.00 K
c3.tmp  Thu Mar 9 2006  9:41:36p  A....  0  0.00 K
c4.tmp  Fri Mar 10 2006  9:22:00a  A....  0  0.00 K
c5.tmp  Fri Mar 10 2006  1:33:52p  A....  0  0.00 K
c6.tmp  Fri Mar 10 2006  1:44:58p  A....  0  0.00 K
c7.tmp  Thu Mar 9 2006  9:20:02a  A....  20,737  20.25 K
c8.tmp  Fri Mar 10 2006  3:11:04p  A....  0  0.00 K
c9.tmp  Fri Mar 10 2006  3:11:04p  A....  0  0.00 K
ca.tmp  Wed Mar 8 2006  6:59:42p  A....  20,737  20.25 K
cb.tmp  Fri Mar 10 2006  10:01:16a  A....  0  0.00 K
cc.tmp  Fri Mar 10 2006  10:39:36a  A....  0  0.00 K
cd.tmp  Fri Mar 10 2006  6:34:10p  A....  0  0.00 K
ce.tmp  Fri Mar 10 2006  6:34:10p  A....  0  0.00 K
cf.tmp  Fri Mar 10 2006  7:06:38p  A....  0  0.00 K
d.tmp  Sat Feb 4 2006  9:44:20a  A....  0  0.00 K
d0.tmp  Thu Mar 9 2006  9:52:54a  A....  0  0.00 K
d1.tmp  Fri Mar 10 2006  7:07:06p  A....  0  0.00 K
d2.tmp  Wed Mar 8 2006  12:07:46p  A....  0  0.00 K
d3.tmp  Fri Mar 10 2006  7:13:02p  A....  0  0.00 K
d4.tmp  Wed Mar 8 2006  12:24:42p  A....  20,737  20.25 K
d5.tmp  Fri Mar 10 2006  5:12:56p  A....  0  0.00 K
d6.tmp  Fri Mar 10 2006  7:23:16p  A....  0  0.00 K
d7.tmp  Fri Mar 10 2006  7:23:16p  A....  0  0.00 K
d8.tmp  Fri Mar 10 2006  8:17:58p  A....
d9.tmp Fri Mar 10 2006 8:38:00p A.... 0 0.00 K
da.tmp Fri Mar 10 2006 11:12:40p A.... 0 0.00 K
db.tmp Sat Mar 11 2006 7:50:54a A.... 0 0.00 K
dc.tmp Sat Mar 11 2006 8:17:06a A.... 0 0.00 K
dd.tmp Sat Mar 11 2006 9:23:16a A.... 0 0.00 K
de.tmp Sat Mar 11 2006 10:53:00a A.... 0 0.00 K
df.tmp Sat Mar 11 2006 12:06:56p A.... 0 0.00 K
e.tmp Sat Feb 4 2006 8:52:30p A.... 19,401 18.95 K
e0.tmp Sat Mar 11 2006 12:35:54p A.... 0 0.00 K
e1.tmp Sat Mar 11 2006 2:03:46p A.... 0 0.00 K
ec.tmp Wed Mar 8 2006 12:59:08p A.... 0 0.00 K
f.tmp Sat Feb 4 2006 8:52:48p A.... 19,401 18.95 K

232 items found: 232 files, 0 directories.
Total of file sizes: 4,830,919 bytes 4.61 M

**********************************************************************************

Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 186D-9AB1

Directory of C:\WINNT\System32

03/11/2006 02:19p <DIR> ..
03/11/2006 02:19p <DIR> .
03/11/2006 02:18p 233,875 dhactfrm.dll
03/11/2006 02:18p 234,032 jtnm0751e.dll
03/11/2006 01:36p 233,875 jut.dll
03/11/2006 01:36p 235,839 r46ulej91ho.dll
03/11/2006 11:35a 233,875 f2l00c3mef.dll
03/09/2006 09:14p 8,775 .exe
02/04/2006 05:01p <DIR> Lavan
01/14/2006 06:19p <DIR> dllcache
6 File(s) 1,180,271 bytes
4 Dir(s) 8,178,667,520 bytes free

#57 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 March 2006 - 02:41 PM

Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.


When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad window and press Control-V to paste the contents into the notepad.

C:\WINNT\System32\r46ulej91ho.dll
C:\WINNT\System32\f2l00c3mef.dll
C:\WINNT\SYSTEM\JUT.DLL
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\fUxevent.dll
C:\WINNT\system32\wP2time.dll
C:\WINNT\SYSTEM\8,775 .exe
C:\WINNT\System32\dhactfrm.dll
C:\WINNT\System32\gcllz.dll
C:\WINNT\System32\jtnm07~1.dll
C:\WINNT\System32\r46ule~1.dll


Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Edited by LDTate, 11 March 2006 - 02:45 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#58 devotion

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 11 March 2006 - 03:03 PM

Getting any better???


Logfile of HijackThis v1.99.1
Scan saved at 2:52:42 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: ShellScrap - C:\WINNT\system32\gp02l3do1.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\gp02l3~1.dll Sat Mar 11 2006 2:38:32p ..S.R 235,235 229.72 K
C:\WINNT\SYSTEM32\jut.dll Sat Mar 11 2006 1:36:34p ..S.R 233,875 228.39 K
C:\WINNT\SYSTEM32\l26o0c~1.dll Sat Mar 11 2006 2:49:06p ..S.R 235,597 230.07 K
C:\WINNT\SYSTEM32\wrps2.dll Sat Mar 11 2006 2:49:08p ..S.R 235,235 229.72 K
________________________________________________

1,043 items found: 1,043 files (4 H/S), 0 directories.
Total of file sizes: 190,159,928 bytes 181.35 M

Administrator Account = True

--------------------End log---------------------

#59 LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 March 2006 - 03:08 PM

Written by Atribune

Please download Look2Me-Destroyer.exe to your desktop.

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.

You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
Once it's done scanning, click the Remove L2M button.

You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.

Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX


#60 devotion

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 11 March 2006 - 03:30 PM

Look2Me-Destroyer V1.0.7

Scanning for infected files.....
Scan started at 3/11/2006 3:16:33 PM

Infected! C:\WINNT\system32\gp02l3do1.dll
Infected! C:\!KillBox\r46ulej91ho.dll
Infected! C:\WINNT\system32\gp02l3do1.dll
Infected! C:\WINNT\system32\jut.dll
Infected! C:\WINNT\system32\l26o0cj3efo.dll
Infected! C:\WINNT\system32\wrps2.dll

Attempting to delete infected files...

Attempting to delete: C:\WINNT\system32\gp02l3do1.dll
C:\WINNT\system32\gp02l3do1.dll Deleted successfully!

Attempting to delete: C:\!KillBox\r46ulej91ho.dll
C:\!KillBox\r46ulej91ho.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\gp02l3do1.dll
C:\WINNT\system32\gp02l3do1.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\jut.dll
C:\WINNT\system32\jut.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\l26o0cj3efo.dll
C:\WINNT\system32\l26o0cj3efo.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\wrps2.dll
C:\WINNT\system32\wrps2.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A7B10217-897B-4C21-9558-C59F4CD71664}"
HKCR\Clsid\{A7B10217-897B-4C21-9558-C59F4CD71664}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C8E7E460-060A-403A-A447-3F051D010518}"
HKCR\Clsid\{C8E7E460-060A-403A-A447-3F051D010518}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{259B12F3-BC61-473A-B964-CB8266816CC7}"
HKCR\Clsid\{259B12F3-BC61-473A-B964-CB8266816CC7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B1ED9866-5642-4556-BCE0-1A76E244D5B5}"
HKCR\Clsid\{B1ED9866-5642-4556-BCE0-1A76E244D5B5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}"
HKCR\Clsid\{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{523CCD66-AA17-42EB-9C85-7B1A13889F33}"
HKCR\Clsid\{523CCD66-AA17-42EB-9C85-7B1A13889F33}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B0B992B3-EB18-422D-A158-2FCB945ACA27}"
HKCR\Clsid\{B0B992B3-EB18-422D-A158-2FCB945ACA27}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



Logfile of HijackThis v1.99.1
Scan saved at 3:25:52 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
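One way to confirm a clean-up like this one is to diff the HijackThis log taken before the fix against the one taken after it, rather than eyeballing both. The script below is an added example, not part of this thread or of HijackThis; its two log excerpts are constructed from the O4/O20/O23 lines in the posts above (the ShellScrap Winlogon Notify entry that Look2Me-Destroyer removed is the expected difference).

```python
"""Diff two HijackThis logs to verify which entries a clean-up removed.

Added example; it is not code from HijackThis, Look2Me-Destroyer or the
forum. The BEFORE/AFTER excerpts are constructed from the logs posted in
this thread (only the entry lines that matter for the diff are kept).
"""
import re

# A HijackThis entry line starts with a section code (R0, F2, O4, O20, O23 ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")

BEFORE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O20 - Winlogon Notify: ShellScrap - C:\WINNT\system32\gp02l3do1.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

AFTER = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""


def parse_entries(log):
    """Return a set of (section, body) tuples, one per entry line in `log`."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("sec"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Entries present only in `before` (removed) or only in `after` (added)."""
    b, a = parse_entries(before), parse_entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def winlogon_notify(log):
    """List (name, dll path) for every O20 Winlogon Notify entry in `log`.

    Winlogon Notify packages load into winlogon.exe at logon, which is why
    the thread focuses on these entries: a DLL that survives here survives
    a reboot.
    """
    out = []
    for sec, body in parse_entries(log):
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].partition(" - ")
            out.append((name.strip(), path.strip()))
    return sorted(out)


if __name__ == "__main__":
    for kind, items in diff_logs(BEFORE, AFTER).items():
        for sec, body in items:
            print(f"{kind}: {sec} - {body}")
    print("Winlogon Notify after clean-up:", winlogon_notify(AFTER))
```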
