Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91911 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

help removing morwill-hijack this log?


  • This topic is locked This topic is locked
15 replies to this topic

#1 the_one

the_one

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 11 November 2005 - 12:56 PM

I've got the morwill pop up coming up constantly and can not seem to remove it.I've ran spysweepr.ad aware se and have avg free on my computer.Any help would be greatly appreciated.Thanks.

Here's my log file,

Logfile of HijackThis v1.99.1
Scan saved at 1:54:06 PM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DAVE&J~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: Bho Class - {C04BA419-E55F-4cc7-944C-21C039F9F170} - C:\WINDOWS\system32\qpnnlwrh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129730179046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: ddccc - ddccc.dll (file missing)
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

    Advertisements

Register to Remove


#2 the_one

the_one

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 13 November 2005 - 03:06 PM

Can someone help me out please?

#3 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 13 November 2005 - 03:37 PM

Hello the_one, welcome to the TC.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Resullts from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#4 the_one

the_one

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 14 November 2005 - 11:42 AM

Here's the Spy Sweeper session log i saved after i ran it,

*****
12:09 PM: | Start of Session, Monday, November 14, 2005 |
12:09 PM: Spy Sweeper started
12:09 PM: Sweep initiated using definitions version 572
12:09 PM: Starting Memory Sweep
12:12 PM: Memory Sweep Complete, Elapsed Time: 00:02:27
12:12 PM: Starting Registry Sweep
12:13 PM: Registry Sweep Complete, Elapsed Time:00:00:43
12:13 PM: Starting Cookie Sweep
12:13 PM: Found Spy Cookie: fastclick cookie
12:13 PM: will@fastclick[1].txt (ID = 2651)
12:13 PM: Found Spy Cookie: 2o7.net cookie
12:13 PM: will@msnportal.112.2o7[1].txt (ID = 1958)
12:13 PM: Found Spy Cookie: advertising cookie
12:13 PM: will@advertising[1].txt (ID = 2175)
12:13 PM: Found Spy Cookie: servedby advertising cookie
12:13 PM: will@servedby.advertising[2].txt (ID = 3335)
12:13 PM: Found Spy Cookie: atlas dmt cookie
12:13 PM: will@atdmt[2].txt (ID = 2253)
12:13 PM: Found Spy Cookie: tribalfusion cookie
12:13 PM: will@tribalfusion[1].txt (ID = 3589)
12:13 PM: Found Spy Cookie: casalemedia cookie
12:13 PM: will@casalemedia[1].txt (ID = 2354)
12:13 PM: Found Spy Cookie: coremetrics cookie
12:13 PM: will@test.coremetrics[1].txt (ID = 2472)
12:13 PM: Found Spy Cookie: bravenet cookie
12:13 PM: will@bravenet[2].txt (ID = 2322)
12:13 PM: jon@fastclick[1].txt (ID = 2651)
12:13 PM: jon@casalemedia[1].txt (ID = 2354)
12:13 PM: jon@atdmt[2].txt (ID = 2253)
12:13 PM: jon@advertising[2].txt (ID = 2175)
12:13 PM: jon@msnportal.112.2o7[1].txt (ID = 1958)
12:13 PM: jon@servedby.advertising[2].txt (ID = 3335)
12:13 PM: Found Spy Cookie: realmedia cookie
12:13 PM: dave&judy@realmedia[1].txt (ID = 3235)
12:13 PM: Found Spy Cookie: gamespy cookie
12:13 PM: dave&judy@gamespy[1].txt (ID = 2719)
12:13 PM: Found Spy Cookie: 66.230.183 cookie
12:13 PM: dave&judy@66.230.183[1].txt (ID = 1993)
12:13 PM: dave&judy@bravenet[2].txt (ID = 2322)
12:13 PM: Found Spy Cookie: mygeek cookie
12:13 PM: dave&judy@mygeek[1].txt (ID = 3041)
12:13 PM: Found Spy Cookie: enhance cookie
12:13 PM: dave&judy@c.enhance[1].txt (ID = 2614)
12:13 PM: Found Spy Cookie: morwillsearch cookie
12:13 PM: dave&judy@morwillsearch[2].txt (ID = 3008)
12:13 PM: Found Spy Cookie: goclick cookie
12:13 PM: dave&judy@c.goclick[2].txt (ID = 2733)
12:13 PM: Found Spy Cookie: xren_cj cookie
12:13 PM: dave&judy@xren_cj[1].txt (ID = 3723)
12:13 PM: dave&judy@xren_cj[3].txt (ID = 3723)
12:13 PM: dave&judy@66.230.183[2].txt (ID = 1993)
12:13 PM: Found Spy Cookie: yieldmanager cookie
12:13 PM: dave&judy@ad.yieldmanager[2].txt (ID = 3751)
12:13 PM: Found Spy Cookie: aa cookie
12:13 PM: dave&judy@aa[2].txt (ID = 2029)
12:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
12:13 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
12:13 PM: Starting File Sweep
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
12:14 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
12:16 PM: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{4c6a9fc3-711c-40a2-ad16-74fc8b8aa019}.bin". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs971a2bc2-e448-4e38-95d1-f2962ac17e0c.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6e70d28a-df5f-4e0a-9f76-72e1ac76fec0.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8a49f045-89a1-49db-83ec-1af13540fb35.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3d1582f1-7b80-4cd7-a35e-9d7f56451133.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsab44a6e8-48ae-43af-b0a2-6f1581b9ea02.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs24f5efff-1153-49d0-a15d-09b44959f1dc.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs191f9ac7-9c7e-465b-93ff-3af52ca49885.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0fa8e621-cdeb-4922-ba0f-c2a7b621ea98.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9007d315-d334-47ec-816e-0adad240148a.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse0c0242a-30de-4838-8775-5ea8fb404bba.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs48b18cfb-7a04-4474-8ff1-df6f4b6e40f5.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8ac2a9f3-40e7-4de6-b413-9e57d20badeb.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3668709c-e3ea-405f-9ab3-38e25fe8c090.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8291f901-6399-4a25-b579-613f734c56da.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa7a991eb-f8da-48fe-9508-d2aff693c3f5.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbb54964d-d41f-417f-85b6-5529d62f7beb.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf23ccfe4-7c98-427f-afd5-f3df609642b6.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs316e732a-2339-477f-8c46-fe6e3191398e.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs884b3a67-0c30-41fb-8fb7-be4c33d14c82.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbc38c7f4-5793-48a3-9f51-f6bb8a94a4dd.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs08ad2252-cf75-4c29-a6e7-101679711aa1.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2eef4c0d-99b0-47e9-ba11-7d8c56cfbcd4.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs363192ce-315e-4e77-9aff-9c44614bfc8d.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd81774fc-8698-437b-92c5-87c4df6bdb4b.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf16e48c9-675e-49de-adea-1d9a9e42875d.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1f0de8f1-8918-44ba-80f6-4b67b676962a.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs15ebbccf-6a2f-4ba1-aaf6-58f155f186d8.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2752e997-bc50-459e-9fd7-72231c66d7c2.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc98f8f5-1952-46ad-a93d-114c726af667.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsecf51442-4be0-475e-83bc-59507de1d9b5.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7615d248-5bc3-4f17-8b5f-48f37d5637ba.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8a5adff2-ede8-4e4e-b5c4-d802371ca5bf.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd40dda7b-cf10-46ad-97ee-4bf5cedad3ce.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs71cb7477-f3c0-42de-b06a-585e3bba5033.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8ad4c84b-abb7-49f7-b3a5-4157049ed645.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc414321d-bae0-4459-8190-9d6963415c80.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs45ce0841-a032-4cb7-a800-5e98b1606304.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs78ebe530-b50f-4570-9f81-887570467606.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5469938b-68d8-475f-b922-e43a4c2b0a64.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7b367ed2-f964-419b-bc5a-d89f35c6ac15.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs27daf5f2-18f4-4171-858d-7e4476857bcd.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0954049b-ee17-4805-86a9-dc6b6375b5f7.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc2f8a229-4985-4c72-961b-5ea5c23d5699.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa4f4123f-efb2-44dc-983f-4aab06a4db63.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs68b30ade-ea55-48a9-bdb5-53340098a699.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs18addc1b-bb09-4891-abb8-6fdcc881a4e7.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs917f51bb-77f8-44a7-9833-2494636b12e3.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3e2644cb-e5d5-403d-83f2-d4fceaba893f.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs90ae750e-99aa-4a3b-968f-d26b752fee8e.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb6be1565-799e-4419-a17e-15fda5cbe258.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1cb5a473-d2c0-4962-938e-7beda32be644.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc13dc5de-9f24-483e-97f6-496688db0472.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1e634f2a-9199-4810-9f66-914c3a31e051.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5cbb0276-a645-4676-8891-e589c46f68e7.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs12ee8543-bb19-43dd-8a3b-1bc254cf8b7f.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs051e38e3-3962-4ed3-8ce0-1989c2cad361.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc4a01e2-9fe9-417d-85f4-b2c65f200e43.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbeae8d70-3ecb-486a-9254-9dca1c39d14b.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1c436385-4f79-40c0-b50d-c58fc07d6de7.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7607f957-ac0b-4f05-955b-c3e4e7a84ca9.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2541b2c2-9b50-4d8d-b63a-52cb764b9930.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc8d4c263-9a22-41e5-81da-05f1084b0f7e.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs554154ae-1aea-425a-a9f7-39a45ecada7c.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs081f1ed5-1280-46ad-ae5f-d818936ce255.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse1e7e2a3-0733-402b-a63d-94c1555d1fbb.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs25d9685b-e950-4be9-b3cd-e938bd193b30.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9d97aaf0-3531-4d13-9ee2-55f060304ff4.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8e3c4c6e-41cb-495b-a9cb-b0d22c8c6bbb.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbc039e33-0160-4263-bbc5-3f6372b663ba.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6a29906b-5bcb-413c-8e0d-7e7bdeeae09c.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs13470931-0858-4ac6-9c2b-13a2da8c5026.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsda9f4685-ffdf-4d9c-900c-b2f62a374145.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs57814592-e744-4460-ba28-640c3fbd1c53.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs441c04fd-814e-4f1d-aa06-c280453043d6.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd42e38fa-bcb7-4536-8c02-26b29553a328.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2b62ace8-39ff-4e9f-85f6-694c44d29f36.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdead1b9d-ed55-4ce4-8194-67f5d8e0928b.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs351559c2-e29b-4017-ac5b-aac8884d9e7d.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs68093794-8632-430f-96f9-99e2a8c9406d.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs27f49392-43b1-4287-905f-473c93c97949.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa61536d2-db34-4523-8bde-62aa39e1643a.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscseea053be-8291-40a2-87de-bb90f32a9254.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0fe3c8a3-1cf2-4974-81a1-dd086bf6af5e.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa2268bab-817f-4ada-ab3b-12be8d4a72c3.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5690943d-f331-4374-bef8-043b5de84d10.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs78d0680f-ec64-4719-be36-2f816db77567.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse4a6bcad-7f1c-4f7c-a511-eb3f47f10a68.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse0b4159c-f793-4185-8221-f435e7463fc8.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse4a07cd2-a5e6-4b51-bafa-995ef2d9971f.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs37fea87c-a3bc-43ef-9f14-65357b2a6c6d.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs46f58271-3d34-4d6c-b763-0317b15f0deb.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd15bba5c-1998-447d-85a3-03cd0218ba89.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc2580bb2-c796-46ab-ae51-5c8ddab583ec.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd1e112b7-7185-4a9f-8616-6250edd3f466.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscd906128-3690-4e5b-9761-336f3258bb8e.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa1ff241c-1b73-4caf-9c57-6e87e3dfe320.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa85b5923-173a-422c-b078-0821da616b9b.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf5d3fbfa-06c0-4314-a784-2f439b988fc9.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs72e38688-4e43-4566-a8e7-db974bd2ead0.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfe0b3774-30a2-46e5-a0ba-50e02842f900.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3e91f720-9c1b-43a6-b65b-8e4a82cee676.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse87bfb9d-6e19-4c22-8573-3136a8f883f4.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa01fde06-bd5f-4f9e-8bea-872f121f19af.tmp". The process cannot access the file because it is being used by another process
12:19 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9c0f4644-39de-4729-a912-8ff176c66b80.tmp". The process cannot access the file because it is being used by another process
12:22 PM: Found Adware: whenu savenow
12:22 PM: vvsninst.exe (ID = 74460)
12:23 PM: Warning: Failed to open file "c:\documents and settings\dave&judy\ntuser.dat". The process cannot access the file because it is being used by another process
12:23 PM: Warning: Failed to open file "c:\documents and settings\dave&judy\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:24 PM: Warning: Failed to open file "c:\documents and settings\dave&judy\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:24 PM: Warning: Failed to open file "c:\documents and settings\dave&judy\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:27 PM: File Sweep Complete, Elapsed Time: 00:14:08
12:27 PM: Full Sweep has completed. Elapsed time 00:17:25
12:27 PM: Traces Found: 29
12:28 PM: Removal process initiated
12:28 PM: Quarantining All Traces: whenu savenow
12:28 PM: Quarantining All Traces: 2o7.net cookie
12:28 PM: Quarantining All Traces: 66.230.183 cookie
12:28 PM: Quarantining All Traces: aa cookie

And here is the new HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 12:36:04 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DAVE&J~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: Bho Class - {C04BA419-E55F-4cc7-944C-21C039F9F170} - C:\WINDOWS\system32\qpnnlwrh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129730179046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: ddccc - ddccc.dll (file missing)
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thanks again for helping me out!

#5 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 14 November 2005 - 04:48 PM

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like:
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

Edited by LDTate, 14 November 2005 - 04:50 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#6 the_one

the_one

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 15 November 2005 - 10:39 AM

I've downloaded L2mfix and ran it.Here is the log file L2MFIX find log 1.04a These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccc] "Asynchronous"=dword:00000001 "DllName"="ddccc.dll" "Impersonate"=dword:00000000 "Logon"="Logon" "Logoff"="Logoff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhe] "Asynchronous"=dword:00000001 "DllName"="jkhhe.dll" "Impersonate"=dword:00000000 "Logon"="Logon" "Logoff"="Logoff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier] "Asynchronous"=dword:00000000 "DllName"="WRLogonNTF.dll" "Impersonate"=dword:00000001 "Lock"="WRLock" "StartScreenSaver"="WRStartScreenSaver" "StartShell"="WRStartShell" "Startup"="WRStartup" "StopScreenSaver"="WRStopScreenSaver" "Unlock"="WRUnlock" "Shutdown"="WRShutdown" "Logoff"="WRLogoff" "Logon"="WRLogon" RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras" "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension" "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices" "{3c249f62-e26e-11d4-97f0-009027769c61}"="Format Shell" "{03FF3962-D823-11D4-97F0-009027769C61}"="Data Caching Shell Extension" "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension" "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension" "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration" ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ cdfview.dll Fri Sep 2 2005 7:52:04p A.... 151,040 147.50 K gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K umpnpmgr.dll Mon Aug 22 2005 11:35:42p A.... 123,392 120.50 K quartz.dll Mon Aug 29 2005 11:54:26p A.... 1,287,168 1.23 M winsrv.dll Wed Aug 31 2005 9:41:54p A.... 291,840 285.00 K islzma.dll Fri Oct 21 2005 3:50:14p A.... 102,912 100.50 K danim.dll Fri Sep 2 2005 7:52:04p A.... 1,053,696 1.00 M wrlzma.dll Mon Oct 24 2005 12:19:46p A.... 17,920 17.50 K mshtmled.dll Fri Sep 2 2005 7:52:06p A.... 448,512 438.00 K mshtml.dll Tue Oct 4 2005 5:26:00p A.... 3,015,168 2.88 M dxtrans.dll Fri Sep 2 2005 7:52:04p A.... 205,312 200.50 K mstime.dll Fri Sep 2 2005 7:52:06p A.... 530,432 518.00 K iepeers.dll Fri Sep 2 2005 7:52:04p A.... 251,392 245.50 K browseui.dll Fri Sep 2 2005 7:52:04p A.... 1,019,904 996.00 K qpnnlwrh.dll Wed Oct 12 2005 12:15:10a A.... 118,804 116.02 K shell32.dll Thu Sep 22 2005 11:05:30p A.... 8,450,560 8.06 M linkinfo.dll Wed Aug 31 2005 9:41:54p A.... 19,968 19.50 K netman.dll Mon Aug 22 2005 2:29:46p A.... 197,632 193.00 K wininet.dll Fri Sep 2 2005 7:52:06p A.... 658,432 643.00 K urlmon.dll Fri Sep 2 2005 7:52:06p A.... 608,768 594.50 K shlwapi.dll Fri Sep 2 2005 7:52:06p A.... 473,600 462.50 K shdocvw.dll Fri Sep 2 2005 7:52:06p A.... 1,483,776 1.41 M pngfilt.dll Fri Sep 2 2005 7:52:06p A.... 39,424 38.50 K msrating.dll Fri Sep 2 2005 7:52:06p A.... 146,432 143.00 K inseng.dll Fri Sep 2 2005 7:52:04p A.... 96,256 94.00 K extmgr.dll Fri Sep 2 2005 7:52:04p ..... 55,808 54.50 K gwfspi~1.dll Mon Aug 29 2005 1:27:06p A.... 23,304 22.76 K legitc~1.dll Mon Aug 29 2005 1:27:12p A.... 520,968 508.76 K cdosys.dll Fri Sep 9 2005 9:53:42p A.... 2,067,968 1.97 M vchreg.dll Sat Oct 15 2005 11:39:22a A.... 671,744 656.00 K wrlogo~1.dll Mon Oct 24 2005 12:19:50p A.... 492,544 481.00 K 31 items found: 31 files, 0 directories. Total of file sizes: 24,904,740 bytes 23.75 M Locate .tmp files: C:\WINDOWS\SYSTEM32\ sstwa.tmp Thu Oct 6 2005 10:31:42p ..SH. 122 0.12 K mcrh.tmp Thu Oct 27 2005 4:05:08p A.... 0 0.00 K 2 items found: 2 files (1 H/S), 0 directories. Total of file sizes: 122 bytes 0.12 K ********************************************************************************** Directory Listing of system files: Volume in drive C has no label. Volume Serial Number is 3E75-13E8 Directory of C:\WINDOWS\System32 11/02/2005 12:18 PM 210,735 sstwa.ini2 11/01/2005 06:30 PM 207,951 sstwa.bak2 11/01/2005 07:16 AM 209,237 sstwa.bak1 10/07/2005 01:54 PM 336,147 sstwa.ini 10/06/2005 10:31 PM 122 sstwa.tmp 10/06/2005 04:25 PM 334,502 efhkj.ini 10/06/2005 04:22 PM 333,384 efhkj.bak1 08/18/2004 12:52 PM <DIR> Microsoft 08/18/2004 12:26 PM <DIR> dllcache 7 File(s) 1,632,078 bytes 2 Dir(s) 28,463,562,752 bytes free

#7 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 15 November 2005 - 12:13 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#8 the_one

the_one

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 16 November 2005 - 09:27 AM

I followed the steps and ran option #2 and when the computer rebooted it had a pop up that said,Windows cannot find C:\Documents and Settings\Dave\second.bat and that's it.Notepad did not pop up and there was no log file.
After those steps i've now run a new HJT log and here it is,


Logfile of HijackThis v1.99.1
Scan saved at 10:20:54 AM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DAVE&J~1\LOCALS~1\Temp\Temporary Directory 5 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: Bho Class - {C04BA419-E55F-4cc7-944C-21C039F9F170} - C:\WINDOWS\system32\qpnnlwrh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129730179046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: ddccc - ddccc.dll (file missing)
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

What should i do now?Thanks again.

Edited by the_one, 16 November 2005 - 09:27 AM.


#9 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 16 November 2005 - 02:09 PM

Try Option 2 again

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#10 the_one

the_one

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 16 November 2005 - 03:46 PM

I've tried it 2 more times with the same results as before?

    Advertisements

Register to Remove


#11 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 16 November 2005 - 04:48 PM

Post a new HJT log please, we'll remove the bad guys manualy.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#12 the_one

the_one

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 17 November 2005 - 10:45 AM

Here is the most recent HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 11:42:52 AM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DAVE&J~1\LOCALS~1\Temp\Temporary Directory 6 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: Bho Class - {C04BA419-E55F-4cc7-944C-21C039F9F170} - C:\WINDOWS\system32\qpnnlwrh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129730179046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: ddccc - ddccc.dll (file missing)
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#13 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 17 November 2005 - 04:18 PM

Important: Do this before any fix.

Please put your HijackThis in it's own folder, (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.

Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT) Right Click in the folder and select paste.

The reason we do this is Hijackthis creates backup files just in case you'd need to restore one and we'll be cleaning out the temp files.



After the above:

Download the following programs.

a.
Download Killbox HERE and put it on your desktop

b.
Download CCleaner HERE and install it.

c.
Download Ewido security suite HERE



1. After the download of Ewido is complete, double click on the file to launch the install process.
2. During installation under the Additonal Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
3. Once installation is complete, launch Ewido by double-clicking the big "E" icon on your desktop. The program will prompt you to update -- click the 'OK' button.
4. The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
5. Close Ewido.

Next:

Reboot into Safemode:
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

This can take a few minutes to get into Safe Mode.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)

O2 - BHO: Bho Class - {C04BA419-E55F-4cc7-944C-21C039F9F170} - C:\WINDOWS\system32\qpnnlwrh.dll

O20 - Winlogon Notify: ddccc - ddccc.dll (file missing)

O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)


Close ALL windows and browsers except HijackThis and click "Fix checked"


Next:
Open CCleaner.

Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.

Then open it and select the items you wish to clean up.

In the Windows Tab:

I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section
Clean all entries in the "Advanced" section.

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

Then click the "Run Cleaner" button


Next:
Open Ewido

1. Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
2. Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
3. On the main screen, please select 'Complete System Scan' and the scan should begin.
4. While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
5. When the scan is complete, click "Save Report". You scan results will be saved in a textfile. Please submit that with your next post.

If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and then follow the instructions from step #8 again.

Exclamation Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan.

If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

Now close ewido security suite.

Next:
Then double-click on the killbox.exe program.


Start Killbox and click on Tools->Delete Temp Files.
Unregister .dll before deleting (unless it is greyed out)
Delete on Reboot

Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.


When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.



C:\WINDOWS\system32\qpnnlwrh.dll
ddccc.dll
jkhhe.dll


Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

After Reboot, "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#14 the_one

the_one

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 18 November 2005 - 02:05 PM

I followed all your steps and did a few searches on msn and google and have no more morwill popping up.It seems to have worked and i can't thank you enough.I really appreciate the help!
Here's a new HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 2:59:28 PM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Documents and Settings\Dave&Judy\Desktop\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129730179046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

and here is the text file after the scan with Ewido,

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:40:41 PM, 11/18/2005
+ Report-Checksum: 224828CB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Adminstrator\Cookies\adminstrator@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Will\Cookies\will@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Will\Cookies\will@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Will\Cookies\will@www.cj[1].txt -> Spyware.Cookie.Cj : Cleaned with backup
C:\Documents and Settings\Will\Cookies\will@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Will\Cookies\will@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@e-2dj6wjmyckczmbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@e-2dj6wjmighczaao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@e-2dj6wjliomcjalo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@e-2dj6wjnyohazwdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@e-2dj6wfmyokc5ibp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@e-2dj6wfligld5kfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Jon\Cookies\jon@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Dave&Judy\Cookies\dave&judy@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Dave&Judy\Cookies\dave&judy@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\System Volume Information\_restore{BBBE6FBE-A79F-472F-8730-2EB6C46EC5EC}\RP414\A0145956.exe -> Spyware.VB : Cleaned with backup
C:\System Volume Information\_restore{BBBE6FBE-A79F-472F-8730-2EB6C46EC5EC}\RP419\A0149239.dll -> Spyware.Chiem : Cleaned with backup
C:\System Volume Information\_restore{BBBE6FBE-A79F-472F-8730-2EB6C46EC5EC}\RP419\A0149290.exe -> Spyware.Casino : Cleaned with backup
C:\System Volume Information\_restore{BBBE6FBE-A79F-472F-8730-2EB6C46EC5EC}\RP442\A0154151.exe -> TrojanSpy.Perfectkeylogger.Ad : Cleaned with backup
C:\System Volume Information\_restore{BBBE6FBE-A79F-472F-8730-2EB6C46EC5EC}\RP442\A0154152.dll -> TrojanSpy.Perfectkeylogger.Ad : Cleaned with backup
C:\System Volume Information\_restore{BBBE6FBE-A79F-472F-8730-2EB6C46EC5EC}\RP373\A0126843.exe/1 -> Spyware.VB : Error during cleaning
C:\System Volume Information\_restore{BBBE6FBE-A79F-472F-8730-2EB6C46EC5EC}\RP381\A0130862.exe -> Spyware.WinAD : Cleaned with backup


::Report End


How does it look now?It seems to be running great.

#15 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,172 posts

Posted 18 November 2005 - 05:55 PM

Good Job :thumbup:


Log looks good :D

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Click Start> My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]
This time select the: Restore Defaults
Select: Apply, and click OK




If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users