Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.


We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

regards
alba

 

thanks alba...
hope so my comp problem can be solved ASAP....

 

Hello again meena Welcome to TSF!


Please read through the instructions carefully before starting the fix.


===============================================


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Please download Tool 1. KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Download Tool 2. smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Tool 3. If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Tool 4. Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Tool 5. Please download the trial version Webroot SpySweeper (Trial)
Install & launch - Webroot SpySweeper When SpySweeper starts, please accept any prompts to update definitions. After it has finished updating please close Spysweeper.

Tool 6. Place a shortcut to Panda ActiveScan on your desktop.

Tool 7. You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. This will add the l2mfix folder on your desktop. Do not do anything else yet!

Tool 8. Download CWShredder
===============================================


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

===============================================
Fix

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


Close any programs you have open since this step requires a reboot.

Tool 7. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Close the log as it's not needed yet.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Tool 8. After the reboot run CWShredder and allow it to reboot when it asks.

Once you reboot From the l2mfix folder on your desktop, double click l2mfix.bat again and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

===============================================

Next, reboot your computer in SafeMode :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

===============================================


From Control Panel->Add/Remove Programs, uninstall the following programs, if present, :

• SpySheriff

===============================================

Tool 1 . Launch KillBox.exe & select the following options:

• delete on Reboot
• end Explorer shell while killing file
• unregister dlll before deleting * if it's not grayed out

Select all the filenames below & then right-click & select Copy

• C:\WINDOWS\System32\paytime.exe
  C:\WINDOWS\tool2.exe
  C:\windows\adtech2005.exe
  C:\winstall.exe
  c:\secure32.html
  C:\windows\timessquare.exe
  C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
  C:\WINDOWS\System32\rascbeio.dll
  C:\WINDOWS\System32\nflkaljh.dll
  C:\WINDOWS\System32\acdaqlfj.dll
  C:\WINDOWS\System32\Dnlhabdq.dll
  C:\WINDOWS\system32\qmlceg32.dll
  C:\WINDOWS\TWVuYWdh\command.exe
  C:\WINDOWS\system32\ennul1591.dll

* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.

===============================================


Reboot your computer in SafeMode :

• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-search4u.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{FFAF6ED1-218E-1635-FFE6-3859342C1A04} - (no file)
R3 - URLSearchHook: (no name) - {FFAF6ED1-218E-1635-FFE6-3859342C1A04} - C:\WINDOWS\system32\lumstrli.exe (file missing)
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe –FastScan
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O13 - WWW. Prefix: http://
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownload.nefficient.co...n/myv3/myv3.cab
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\ennul1591.dll
O20 - Winlogon Notify: mallocator - mscdmss.dll (file missing)
O21 - SSODL: SecurityUpdate - {BAF5E89D-7F87-413E-AACD-28C440FD9A4F} - C:\WINDOWS\System32\rascbeio.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\nflkaljh.dll (file missing)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\System32\acdaqlfj.dll (file missing)
O21 - SSODL: CGCJBGF0 - {78C664B3-234D-0CD0-1B0A-20011258470D} - C:\WINDOWS\System32\Dnlhabdq.dll (file missing)
O21 - SSODL: mtklef - {EAA0917A-8027-439B-DEA4-597E27A26B9A} - C:\WINDOWS\system32\qmlceg32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWVuYWdh\command.exe (file missing)




Please remember to close all other windows, including browsers then click Fix checked.

===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

• Tick - Show hidden files and folder
• Untick - Hide file extensions for known types
• Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following folders, if present:

• C:\freescan
  c:\spywarevanisher-free
  

Search for & delete ... using Start> Search... the following files:

• mscdmss.dll

===============================================

Click Start->Run - type SERVICES.MSC & then click on the OK button

• Locate the service - Command Service (cmdService)
  
• Double-click on it to open the Properties dialog.
  
• Stop the service by using the Stop button.
  
• Change the Startup type to Disabled & then click on the OK button

Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...

• In the popup box that appears, type in Command Service & then click on the OK button

===============================================


Tool 2. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Tool 3. Open Ad-aware and do a full scan. Remove all it finds.

Tool 4. Run Ewido:

• Click on scanner
  
• Click on Complete System Scan and the scan will begin.
  
• NOTE: During some scans with ewido it is finding cases of false positives.
  
• You will need to step through the process of cleaning files one-by-one.
  
• If ewido detects a file you KNOW to be legitimate, select none as the action.
  
• DO NOT select "Perform action on all infections"
  
• If you are unsure of any entry found select none for now.
  
• When the scan is finished, click the Save report button at the bottom of the screen.
  
• Save the report to your desktop

Close Ewido

Tool 5. Launch Spysweeper.
Then configure it as followed:

* From the left pane, click Options
* Select the Sweep Options tab & ensure the following are ticked:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All Users accounts
o Do Not Sweep System Restore Folder
o Enable Direct Disk Sweeping
o Sweep For Rootkits
* After that's done, select Sweep from the left pane & click on the Start button
* Allow Spysweeper to reboot your machine to remove the infected files.

After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.
Copy the contents of this log into your next reply.

===============================================

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Tool 6. Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

===============================================



In your next post, please include fresh logs from:

1. HiJackThis
   [*] l2mfix log
   [*] smitfiles.txt
   [*] Ewido
   [*] Webroot SpySweeper
   [*] Panda scan report
   

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

 

Hello again…
I’ve followed ur instructions.i dunno whether what hv I done is correct or not…but this is wat I get…hope its rite…do check it out n correct me if theres any mistake!

l2mfix log
L2Mfix 1.04a

Running From:
C:\Documents and Settings\Menaga\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(IO) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 9:51:21 PM, on 11/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Bin\ibserver.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Menaga\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-search4u.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{FFAF6ED1-218E-1635-FFE6-3859342C1A04} - (no file)
R3 - URLSearchHook: (no name) - {FFAF6ED1-218E-1635-FFE6-3859342C1A04} - C:\WINDOWS\system32\lumstrli.exe (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [lexplore] lexplore.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Menaga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - WWW. Prefix: http://
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myv3/myv3.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4624/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\ivakui.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mallocator - mscdmss.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\l48m0el1ehq.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: SecurityUpdate - {BAF5E89D-7F87-413E-AACD-28C440FD9A4F} - C:\WINDOWS\System32\rascbeio.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\nflkaljh.dll (file missing)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\System32\acdaqlfj.dll (file missing)
O21 - SSODL: CGCJBGF0 - {78C664B3-234D-0CD0-1B0A-20011258470D} - C:\WINDOWS\System32\Dnlhabdq.dll (file missing)
O21 - SSODL: mtklef - {EAA0917A-8027-439B-DEA4-597E27A26B9A} - C:\WINDOWS\system32\qmlceg32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWVuYWdh\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Bin\ibserver.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

 

Hello meena,

Please post the logs as requested by alba for his review. :smile:

l2mfix log --look for log.txt in the l2mfix folder. If you still can't find it, do a search via Start>Search
smitfiles.txt
Ewido
Webroot SpySweeper
Panda scan report

 

here r da reports mr alba...

HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 9:59:17 PM, on 11/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Bin\ibserver.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Menaga\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [lexplore] lexplore.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Menaga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4624/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\ivakui.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Bin\ibserver.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

L2MFIX

L2Mfix 1.04a

Running From:
C:\Documents and Settings\Menaga\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(IO) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

SMITFILES


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 11/18/2005
The current time is: 22:13:50.92

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN!


EWIDO

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:59:32 PM, 11/18/2005
+ Report-Checksum: 426F31ED

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{D6188A7D-376C-4970-91AD-675BFCF3762E}\TypeLib\\ -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
[648] C:\WINDOWS\system32\abdiosrv.dll -> Spyware.Look2Me : Error during cleaning
[1252] C:\WINDOWS\system32\abdiosrv.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\system32\appwiy.dll -> TrojanSpy.Goldun.dn : Cleaned with backup
C:\WINDOWS\system32\slhannel.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lfcwmi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\psgfilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kxdpl1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\qmlceg32.dll_tobedeleted -> TrojanSpy.Qukart.s : Cleaned with backup
C:\WINDOWS\tool4.exe -> TrojanDownloader.Small.bwr : Cleaned with backup
C:\WINDOWS\tskmgr.exe -> TrojanDownloader.Small.bwk : Cleaned with backup
C:\WINDOWS\sstray.exe -> TrojanSpy.Goldun.dn : Cleaned with backup
C:\Documents and Settings\Menaga\Cookies\menaga@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Menaga\Cookies\menaga@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Menaga\Cookies\menaga@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Menaga\Cookies\menaga@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Menaga\Cookies\menaga@e-2dj6wfkiaodpedo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Menaga\Cookies\menaga@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Menaga\Cookies\menaga@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup


::Report End

 

PANDA SCAN REPORT


INCIDENT: Adware:Adware/Look2Me
STATUS: No disinfected
LOCATION: C:\WINDOWS\system32M0280afued280.dll
Virus:Trj/Qukart.I
Disinfected
C:\WINDOWS\system32Iigofjem.exe
Virus:Trj/Goldun.DD
Disinfected C:\WINDOWS\getb.exe
AND...I'M FACING PROB IN POSTING MY SPYSWEEPER RESULT...
bcos da file size vy big,and words amount goes beyond limited...so how do i suppose to send it to u?

pls do update me wit my computer's condition...is it ok now?

and lastly,can i remove/delete allthe programs that i was askedto download??

some of da problems i face are...drg using the killbox tool,notall of the file names appear in the dropdown menu.n then drg hijackthis,some of the file tat u asked me to check are not available.othr than dat evy was ok.computer quiteok now...is da problem solve?or i need another repair?

 

We're not done here yet. The l2mfix log is not complete. Are you sure you let it finish doing it's job first?

Here's what I suggest you do. Run it and let it restart and do its job. Leave it running overnight if you wish to make sure it runs through completely. We need the complete log for l2mfix since it will tell us which files and registry entries to remove.

 

Hi meena

To post the Spysweeper report do the following

1. Save the file on your desktop
2. When you go to post to this thread, Scroll down to Additional Options
3. Click on Manage Attachments and follow the instructions

Regards

alba

 

heres the spysweeper log...

neway...there was a comment from greyknight17 that l2mfix is not completed...i try to scan again...bt da same thg hppns...aft restart,no log appear....n my comp appears to be normal..theres no prob of diappearance of desktop...tats y i tool the lo log from the l2mfix folder n sendit to u all...
is it wrong?wat whouldi do instead?so hows my laptop condition?can i delete all the programs i downloaded...n 1 more...theres alot files by the name THUMB.DB n DESKTOP.INI...is this normal..can i delete it...?

neway thanks alba n others for the guide so far

 

Hi meena, your laptop is still infected. When we are through cleaning your system, we'll advise which programs and files can safely be deleted.

alba is unavailable and has asked me to continue for him. :smile:

**Disconnect this PC from ANY internet access.

Reboot into Safe Mode. (tapping F8 or F5)

Run another scan with Webroot SpySweeper.

• After it has finished scanning, click the Next button
• Allow Spysweeper to reboot your machine to remove the infected files.

## IMPORTANT - do not use your computer as you scan.

# Reboot back to Normal Mode

Launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If the log does not appear, search for log.txt in the L2MFix folder or on the C: drive and post it here.

Run another scan with HijackThis and post the log here.

So, I will need the following logs:

SpySweeper Session Log
log.txt
HijackThis log

 

hi ried...

this is da result...

HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 10:31:02 AM, on 11/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Menaga\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [lexplore] lexplore.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Menaga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4624/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\ivakui.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Bin\ibserver.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

L2MFIX

Setting Directory
C:\
C:\

Running From:
C:\

Killing Processes!

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: vx2cleaner.dll (deflated 57%)
zip warning: name not matched: *.tmp

zip error: Nothing to do! (backup.zip)
updating: clear.reg (deflated 2%)
updating: pltemp.ini (deflated 79%)
updating: vx2logs.txt (stored 0%)
updating: lo2.txt (deflated 43%)
updating: smitfiles.txt (deflated 66%)
updating: map.txt (stored 0%)
updating: flag.txt (stored 0%)
updating: test2.txt (stored 0%)
updating: test3.txt (stored 0%)
updating: test5.txt (stored 0%)
updating: test.txt (stored 0%)
adding: log.txt (deflated 75%)
zip warning: name not matched: backregs\*.reg

zip error: Nothing to do! (backup.zip)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ivakui.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


SO..HOWS MY LAPTOP CONDITION NOW?
can i remove da prgms tat i downloaded...since it takes alot of space in my computer...

 

You are still infected and you have not been following the instructions as they have been given. You must carry out the instructions exactly as listed below:

The L2Mfix tool has been updated to address the variant you are infected with so we need to download it again. First, delete the current L2Mfix from your PC.

Now download it again from one of the following links:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

*Note*

If you receive an error while running option #1 similar to this below..

''C:windowssystem32cmd.exe, C:windowssystem32autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications" please choose Close to terminate the application.

Then run Option 5 or the web page link in the l2mfix folder to solve this error condition. DO NOT run the fix portion (Option 2 or 6) without fixing this first.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then it will ask for a password so please enter bye (lowercase) then hit enter. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix folder and post it.

 

L2MFIX (OPTION 5)

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ivakui.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C is ACER
Volume Serial Number is 2629-16F0

Directory of C:\WINDOWS\System32

06/23/2003 06:26 PM <DIR> Microsoft
06/23/2003 06:08 PM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 11,836,522,496 bytes free




L2MFIX (OPTION 2)

Starting Beta Fix 112305
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Setting Directory
C:\Documents and Settings\Menaga\Desktop\l2mfix
C:\Documents and Settings\Menaga\Desktop\l2mfix

Running From:
C:\Documents and Settings\Menaga\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 636 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 732 'winlogon.exe'
Killing PID 732 'winlogon.exe'
Killing PID 732 'winlogon.exe'
Killing PID 732 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
zip warning: name not matched: *.dll

zip error: Nothing to do! (backup.zip)
zip warning: name not matched: *.tmp

zip error: Nothing to do! (backup.zip)
adding: echo.reg (deflated 11%)
adding: clear.reg (deflated 2%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: readme.txt (deflated 52%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 65%)
adding: lo2.txt (deflated 76%)
adding: sec.txt (stored 0%)
adding: flag.txt (stored 0%)
adding: test2.txt (stored 0%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)
adding: test.txt (stored 0%)
adding: backregs/notibac.reg (deflated 88%)
adding: backregs/shell.reg (deflated 74%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ivakui.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 1:02:30 PM, on 11/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Bin\ibguard.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Bin\ibserver.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Menaga\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [lexplore] lexplore.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Menaga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4624/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\ivakui.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Bin\ibserver.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

AM I RITE NOW?

 

Hi meena,

We're almost there. You ran the tool quite successfully, now we have to get rid of the trojan you picked up in the meantime.

Reboot into Safe Mode. (tapping F8 or F5)

1. Go to Start > Run and type in services.msc then click OK
2. Click the Extended tab.
3. Scroll down until you find the service.
===> Indexing Service (CiSvc)
4. Click once on the service to highlight it.
5. Click Stop
6. Right-Click on the service.
7. Click on 'Properties'
8. Select the 'General' tab
9. Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
10. From the drop-down menu, click on 'Disabled'
11. Click the 'Apply' tab, then click 'OK'

Open HijackThis>Config>Misc Tools>Delete an NT Service
*now copy/paste the cisvc in the box and click OK. Do not allow a reboot yet.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\ivakui.dll (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

Delete the following files: (if they still exist)

C:\WINDOWS\system32\ivakui.dll
C:\WINDOWS\system32\cisvc.exe

Run Webroot SpySweeper once again. Allow it to reboot.

From Normal Mode:

Run another scan with HijackThis and post the log here along with the results of SpySweeper. I think you'll be pleasantly surprised at how short that log will be now.

 

HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 8:41:50 AM, on 11/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Bin\ibserver.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Menaga\Desktop\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [lexplore] lexplore.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Menaga\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4624/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Bin\ibserver.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

********
8:56 AM: | Start of Session, Friday, November 25, 2005 |
8:56 AM: Spy Sweeper started
8:56 AM: Sweep initiated using definitions version 575
8:56 AM: Starting Memory Sweep
8:57 AM: Memory Sweep Complete, Elapsed Time: 00:00:58
8:57 AM: Starting Registry Sweep
8:57 AM: Registry Sweep Complete, Elapsed Time:00:00:09
8:57 AM: Starting Cookie Sweep
8:57 AM: Found Spy Cookie: casalemedia cookie
8:57 AM: menaga@casalemedia[2].txt (ID = 2354)
8:57 AM: Found Spy Cookie: revenue.net cookie
8:57 AM: menaga@revenue[2].txt (ID = 3257)
8:57 AM: Found Spy Cookie: ask cookie
8:57 AM: menaga@ask[1].txt (ID = 2245)
8:57 AM: Found Spy Cookie: belnk cookie
8:57 AM: menaga@belnk[1].txt (ID = 2292)
8:57 AM: menaga@dist.belnk[2].txt (ID = 2293)
8:57 AM: Found Spy Cookie: classmates cookie
8:57 AM: menaga@classmates[1].txt (ID = 2384)
8:57 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:57 AM: Starting File Sweep
8:57 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs74867493-30c8-4de9-abb8-189011174499.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs35469aa5-873b-4982-a7db-bc9a54e9f359.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbcf57758-be01-4c05-88ed-fcfc384111ed.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsa94d9cca-054b-4830-ab5f-aad6d5614fc9.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs59933384-9c9c-47b4-ab0e-ec7662de6965.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsaedbbd52-7ae4-4650-aa6d-e4e129c310d2.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsa384e392-f622-4fef-963e-2aadb3c03610.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs27e56f46-ac6f-419e-9d0b-dbea3f5a656f.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsd1302ce2-06e6-4dd9-9150-cfe2ec7a1e31.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbb0793ff-c7ef-4a76-b726-8c7f8dfb1c7e.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsf1416384-60f3-43cf-979e-ff1b1831ccc7.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs0a051464-3729-47ab-a854-d60652a38c62.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs7583be7b-35fb-40d1-bc45-69bf37992d9b.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs823650fe-8b26-424e-bc6c-4f460612c7f2.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs0139e50c-33e1-4385-887e-06fde543c6f4.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsa69cbfbd-f500-47bf-9db8-731691a503be.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsea3ea22c-569f-411d-b2b8-bcd8d351883e.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscse8840838-0b84-45cf-b715-dea68a967765.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscse982a3d4-e108-4c62-99bf-b75ed5fe6996.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs2521d1c3-41e9-4c15-be9e-233d0d41330e.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs3eae3876-0c2d-4453-8690-65ea4abb00e7.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs3cfe0392-20ba-448d-aec9-ef1c12326ae9.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs87d0416e-c7c5-4ba5-9bfd-98bc924aacd3.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs8c59180f-f8f7-4cbb-80bd-5216733693db.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs5d2ef8bb-a012-46a0-bd0b-3e89daebc9c5.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscse7159991-3994-45bb-9d4a-b2af72d891b7.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbf2981eb-e6b1-40b8-b36f-7ffbb6ae11dc.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbfa57aea-47fc-4229-9dff-8c2c50f1fee6.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsb6300f0f-9ba5-4e7d-b54f-f7b06ff371a0.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsd2bad938-9513-4bdb-be27-a312e04cec83.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs414b980f-2ebd-44a5-bced-bb26f8738c93.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsf4eb750d-509b-4f3c-b1e2-d40755e3b7d3.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs4557c8e8-0788-4af4-be33-b5684bf8d4fd.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs668d8104-7bce-4098-891e-2232255a435b.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsd363b98d-8435-4407-ba24-25acb4ea3320.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs691caafb-6b6e-4afa-879a-f19039e0388b.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscseb55d690-c592-446b-8ab0-48497b0dd146.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs2b4ba403-3238-4446-a235-285c5273285b.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs4c0ac6ac-db5d-4e75-9dab-a28d2aa5e848.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsed02f5ea-59f9-43fd-843e-5ca1ba2995d9.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs131b5e17-2ccc-49cf-8c6e-e73e4e5a725c.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscse40151d9-436f-4d4c-8ce5-cd832c221a23.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbc239890-0cc1-4c20-b24f-091310049c03.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs4ac3528a-686d-4ce6-911d-56f09a2f6043.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsd580dce6-f230-472a-a67d-56980d7a4169.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs840340e4-aa3f-4448-92bd-88f4fd6aa127.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsee73f2ff-e72c-42c6-a933-45def80da3dd.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsd6380905-6dcb-4afc-b79e-a1cd5b86beb3.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs450cf748-1f38-47a5-b54d-3c7f876275b2.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbff67dc3-44e4-4d44-814c-1e63987e527d.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsffd75b7c-3f55-4f79-aa0b-6b63734de572.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs753081b2-25c7-438f-afa6-e437d6dc52a7.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsf5cd24cc-aa71-4201-8c8e-6b0549e0fef6.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs13d8eb40-60b2-4805-a48c-9418534440d5.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsaeb9c411-a6f5-476b-b414-a8b8e4197944.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs8182ca02-8324-4771-93d7-acaf3c54fc94.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs3cbc59a2-9f78-492b-913d-41bfd73c756b.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbabba5db-5e4a-4edc-a7bd-3769f6371d80.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs4ea085c7-fc6d-463f-99e7-6c0aff31a673.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbeb2313a-4d98-4ead-8122-08ba38e46715.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs263c6067-2ca2-4064-ab88-1758a9001078.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsb38d277e-ecd5-40f3-8bed-38b4eacd3088.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsd99c2b8c-c219-4542-8834-ce711b84fd2c.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsbb7ca402-0273-49ba-b2b7-c56126dfb6a9.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs5463c985-7f9f-4966-b519-9e69d7cf5955.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs0f563db4-7ef4-438b-974f-9f075931ecc5.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs19152d5b-0878-4273-bb91-5d12ac17b508.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs6f8d7f26-7a7f-452f-a354-54f226c2818f.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs6c038c81-b6a7-4789-b8a7-6426b840d8ec.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs88e37f2e-c1fb-4384-ad52-ad0d9f2a006a.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs219f0488-6134-4cb4-a25b-c4024aa126ec.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs9107c3d4-d00a-4f59-a807-c26e11368166.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsce797b97-a964-4895-a8d2-5b5b3c313ee8.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsa4957b5d-ca20-452f-94ca-aab6a511f2d3.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsac2aa2ea-c695-4fce-9b20-1b0017fb5018.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs169262f7-85c4-4077-93f9-c541f7e6a3ba.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs62a08c7e-c98a-468d-a4d0-5b95f64fda9c.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsae97e835-e172-40d4-aa70-b216ab6de6d9.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs23177e93-c0b9-4878-a327-ea8fe5be855a.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsd76ddab9-ac70-43a3-80d4-f96cc5616f73.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscse0bfc832-5f83-4ebb-9d4a-76d03b4c591f.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsab947e67-728f-49c8-8e71-737b206860ea.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs52f83eaf-accb-41c0-98e4-cb6587d8c119.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs495911fd-5191-40a1-a412-48696ad1c57c.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs6e5132e5-8add-4c5d-8b9f-317573a156fd.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs8b790096-48c0-42b1-b030-f8b6944b82bf.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsdb556f2e-20eb-412f-aad9-53e1c044190e.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsaeb224b6-8c85-44c9-9b46-5ffb6449c3ef.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs92df6061-8f3d-4870-81d6-d6b60757bf3f.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscse2a180ab-5f87-43f4-a429-06c38478b353.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsa7caefbd-4a4b-4439-bf78-a2242af41f13.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsef5a2b81-e01e-4bde-b8d6-ede3e93d1c6b.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs77931484-6ff7-48b2-ad34-c6bc8f89aa72.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs9f008298-cb97-4754-ad60-e3e083957bb7.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscsf2104b51-1f67-4fa5-974e-7da2d98e796d.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs2f7e9684-643a-4358-8956-379aca888798.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs93d93443-a413-4c65-805b-a72cf3036179.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscse93066a0-f198-4c9c-9637-4e9874240a6e.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs2a8f9480-db22-4761-b0f7-b44725b2ce27.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs3289ead4-a128-4d27-bf0c-d42202aa6ebe.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscscdc185c2-00fd-4a77-bcbe-f98ee85f5bad.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs966d4c8e-9ae4-49b6-9804-a33b3e327e8d.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs16ea3537-f487-4afd-8e98-83e53f376d1c.tmp". The process cannot access the file because it is being used by another process
8:59 AM: Warning: Failed to open file "c:\windows\system32\config\systemprofile\application data\webroot\spy sweeper\temp\sscs097e4303-8712-4413-ad3a-dde5b8fc94b6.tmp". The process cannot access the file because it is being used by another process
9:02 AM: Warning: Failed to open file "c:\documents and settings\menaga\ntuser.dat". The process cannot access the file because it is being used by another process
9:02 AM: Warning: Failed to open file "c:\documents and settings\menaga\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:05 AM: Warning: Failed to open file "c:\documents and settings\menaga\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:05 AM: Warning: Failed to open file "c:\documents and settings\menaga\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:05 AM: Warning: Failed to open file "c:\documents and settings\menaga\local settings\temp\~df885b.tmp". The process cannot access the file because it is being used by another process
9:12 AM: File Sweep Complete, Elapsed Time: 00:14:30
9:12 AM: Full Sweep has completed. Elapsed time 00:15:47
9:12 AM: Traces Found: 6
9:12 AM: Removal process initiated
9:12 AM: Quarantining All Traces: ask cookie
9:12 AM: Quarantining All Traces: belnk cookie
9:12 AM: Quarantining All Traces: casalemedia cookie
9:12 AM: Quarantining All Traces: classmates cookie
9:12 AM: Quarantining All Traces: revenue.net cookie
9:12 AM: Removal process completed. Elapsed time 00:00:02
(current Session Log taken from attachment)

 

Hi meena,

Your attachment included all Session logs from the past week. I pasted the current Session Log into your post above so you can see the difference.

Your logs are clean. Please complete these very important final instructions:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from any previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Update all these programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.:smile:

You can now remove any programs you downloaded during this fix. Please save any backups created during this time for 1 more week in case any problems arise. After that time has gone by, feel free to delete those as well.

 

hi guys(alba n reid)...
its me again....
jst drop by to say THANK U vy much to u all
u all have helped me alot...i'll nvr forget u 2 guys...
i guess my laptop is free from any viruses wit the help of u 2...
hope this will remain in future...n reid...thanks for some of da articles u posted 4 my references...i'll make sure myself,gets updated wit it...

neway...
i still got afew problems...but its nuthing related wit the viruses i guess...
1st of all...since i'm accounting student,i've installed a few of accounting softwares for my studies purpose...n now since it hv no more use,i plan to delete it...bt i cant make it...in my add n remove programs,the 2 softwares name is listed(AUTOCOUNT PROFESIONAL AND AUTOCOUNT PAYROLL)...bt when i click change/remove...it failed..instead a msg appears stating could not find INSTALL.LOG file...wat does tis mean...
and theres some other programs tat i couldnt delete...such as...macromedia dreamveawer...flash...cos when i click change/remove...theres no response...so i not sure how to delete it

and 1 more...my computer time runs evytime i swtich off n on da computer...how to fix it so tat it stays??

and lastly...how to make all da programs downloaded for the purpose of handling this virus matters is deleted....cos some of the programs like..killbox,smit,l2mfix are not listed in add n remove programs...will it be ok,if i jst delete it from dsktop...bt some of the logs are in c drive....

n lastly...is it k if i delete hijackthis n spysweeper prog??

thanks alot guysfor da help....if i got a chance...i'll repay tat to u alll
ur help r much more appreciated!!!

MEENA

 

(AUTOCOUNT PROFESIONAL AND AUTOCOUNT PAYROLL)...bt when i click change/remove...it failed..instead a msg appears stating could not find INSTALL.LOG file...wat does tis mean...

This means the programs require an Install log so add/remove can check were the program is located. If it's corrupt or missing windows can't start the process. Navigate to each of those programs folders and look for a file called uninstaller or something simular and click it. If you still can't...then we can manually remove this program and fix the add/remove entrys.

my computer time runs evytime i swtich off n on da computer...how to fix it so tat it stays??

Please clarify that. What do you mean the computer time runs?

cos some of the programs like..killbox,smit,l2mfix are not listed in add n remove programs...will it be ok,if i jst delete it from dsktop

Open add/remove programs and remove any that you find. Most will NOT be listed in there. Simply delete the file and any folders it created and any logs from the tools

n lastly...is it k if i delete hijackthis n spysweeper prog??

Yes you can remove Spysweeper. I would suggest you save Hijackthis and do a scan every now and then to check for any malware in the system.