
·
Registered
Joined
·
7 Posts
Discussion Starter #1
Hi,

I am writing because it appears that my browser has been hijacked by a rogue site. I continually get popups from stopresults.com, c.azjmp, e.rn11.com, www.ezsavings.com and a number of others. I also frequently get macromedia flash player images about once every 5 minutes whilst online. I have run adaware, spybot, spyware doctor and trojan hunter and none of them seem to be able to remove the pop-ups.

A copy of my hijack this log file is below. To me the O23 command service entry seems dodgy... it can't be deleted whenever I use hijack this to fix it. Also, the O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\DPORMD.DLL is a little strange. I have run hijack this a few times now and the filename changes every time. Sometimes it is a series of random letters, sometimes numbers, sometimes longer, sometimes shorter.

Any help with this problem would be greatly appreciated.

Any ideas what could be causing it?

Thanks in advance,
Leeroy

Logfile of HijackThis v1.99.1
Scan saved at 8:09:29 PM, on 17/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE /P26 "EPSON Stylus CX6500 Series" /O5 "LPT1:" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6500"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC2E8B4-FCD3-458D-B8FD-D08FCCC189E9}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\DPORMD.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
 

·
Administrator
Joined
·
4,870 Posts
Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If necessary, please ask any questions before proceeding with the procedures below.
_________________________________________________

Download and immediately run - L2MFix.exe
Click Install to extract the contents to a newly created folder.

Close all other opened programs before running this tool

* From within the newly created folder, locate and run L2mfix.bat
* Select Option #1 - Run Find Log - by typing 1

This will scan your computer and it may appear as if nothing is happening for a period of a few minutes. When it has finished, you will be presented with a log. Copy the contents of that log and paste it into this thread.

*If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files*

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
_________________________________________________


Click Start > Run - type SERVICES.MSC and then click on the OK button
  1. Locate the service - Command Service
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the Service name. We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button

  3. Then start HiJack This and go to Config > Misc.Tools > Delete an NT service.
  4. In the popup box that appears, type in Service name & then click on the OK button
_________________________________________________

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
  • O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\DPORMD.DLL
  • O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
_________________________________________________

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).
_________________________________________________

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools > Folder Options > View tab.
  • Check - Show hidden files and folders
  • Uncheck - Hide file extensions for known types
  • Uncheck - Hide protected operating system files

Click Yes to confirm and then click OK
_________________________________________________

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
  • C:\WINDOWS\system32\DPORMD.DLL
  • C:\WINDOWS\T3duZXIA
_________________________________________________

Reboot your system in Normal Mode.

Please paste the results of the L2MFix log here together with a new HiJack This log.
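
The two entries singled out above can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original posts or of HijackThis itself: it parses O20 and O23 lines and reports Winlogon Notify keys that are not in a baseline and services whose owner is unknown or whose binary is missing. The function name `triage` and the baseline set are assumptions made for illustration.

```python
import re

# Assumption: Notify subkeys found on a stock Windows XP install. Build your
# own baseline from a known-clean machine running the same OS build.
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O20_RE = re.compile(
    r"^Winlogon Notify: (?P<key>.+?) - (?P<path>[A-Za-z]:\\.+?)"
    r"(?P<missing> \(file missing\))?$")
O23_RE = re.compile(
    r"^Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")

# Lines copied from the first log in this thread (benign and flagged mixed).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\DPORMD.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
"""


def triage(log_text):
    """Return O20/O23 entries worth a manual look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header, running-process path or blank line
        code, body = entry.group("code"), entry.group("body")
        reasons = []
        if code == "O20":
            m = O20_RE.match(body)
            if not m:
                continue  # other O20 forms (e.g. AppInit_DLLs) are not handled
            subject = m.group("key")
            if subject.lower() not in BASELINE_NOTIFY:
                reasons.append("Notify subkey not in baseline")
        elif code == "O23":
            m = O23_RE.match(body)
            if not m:
                continue
            subject = m.group("name")
            if m.group("owner") == "Unknown owner":
                reasons.append("no company name could be read")
        else:
            continue
        if m.group("missing"):
            reasons.append("registered file is missing")
        if reasons:
            findings.append({"code": code, "subject": subject,
                             "path": m.group("path"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], f["subject"], f["path"], "; ".join(f["reasons"]))
```

A hit is a prompt to inspect the entry, not a verdict: legitimate software also registers Notify packages and services that a stock baseline will not contain.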
 

·
Registered
Joined
·
7 Posts
Discussion Starter #3
RE: Pop up problems

Thanks for your prompt reply horse and for the easy to follow advice!!!

I followed all of your instructions word for word. At this stage the pop-ups seem to have stopped but after startup, I still get spybot messages regarding registry changes that I continue to reject (See below).

18/10/2005 12:43:31 PM Denied value "{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}" (new data: "") added in Browser Helper Object!

18/10/2005 12:43:32 PM Denied value "{B56A7D7D-6927-48C8-A975-17DF180C71AC}" (new data: "") added in Browser Helper Object!

A copy of the L2Mfix log and HijackThis log are below.

Thanks again for your help, if you could please advise the next steps to take I'd be most thankful.

Regards,
Leeroy

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\DPORMD.DLL"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5465DB88-8B0F-B197-41C0-2673124EAD2F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{E0D79300-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79301-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79302-84BE-11CE-9641-444553540000}"="WinZip"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{A56D7B9C-AAED-4C50-99BC-2438BB822B75}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A56D7B9C-AAED-4C50-99BC-2438BB822B75}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A56D7B9C-AAED-4C50-99BC-2438BB822B75}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A56D7B9C-AAED-4C50-99BC-2438BB822B75}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A56D7B9C-AAED-4C50-99BC-2438BB822B75}\InprocServer32]
@="C:\\WINDOWS\\system32\\wmavusd.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Thu 13 Oct 2005 16:26:36 A.... 687,592 671.48 K
dpormd.dll Mon 17 Oct 2005 18:31:10 ..... 233,549 228.07 K
dsnput8.dll Sat 15 Oct 2005 16:52:28 ..S.R 236,997 231.44 K
igrtprio.dll Mon 17 Oct 2005 15:26:24 ..S.R 237,020 231.46 K
ilagxpr5.dll Sun 16 Oct 2005 16:37:06 ..S.R 237,206 231.64 K
j80s0i~1.dll Mon 17 Oct 2005 19:49:10 ..S.R 233,549 228.07 K
kndpl1.dll Fri 14 Oct 2005 21:23:14 ..... 234,614 229.11 K
lvr009~1.dll Mon 17 Oct 2005 18:31:10 ..S.R 233,648 228.17 K
mmpmsnsv.dll Sun 16 Oct 2005 17:21:34 ..S.R 237,210 231.65 K
mpwdat10.dll Sun 16 Oct 2005 17:41:58 ..S.R 234,413 228.92 K
s32evnt1.dll Thu 28 Jul 2005 14:52:18 A.... 91,856 89.70 K
sfcurity.dll Fri 14 Oct 2005 22:26:50 ..S.R 234,614 229.11 K
vbwwdm32.dll Sun 16 Oct 2005 18:51:32 ..S.R 235,359 229.84 K
wmavusd.dll Tue 18 Oct 2005 12:15:50 ..S.R 233,549 228.07 K
xyctsrv.dll Sun 16 Oct 2005 18:45:54 ..S.R 235,181 229.67 K

15 items found: 15 files (11 H/S), 0 directories.
Total of file sizes: 3,836,357 bytes 3.66 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8470-E882

Directory of C:\WINDOWS\System32

18/10/2005 12:15 PM 233,549 wmavusd.dll
17/10/2005 07:49 PM 233,549 j80s0id7e80.dll
17/10/2005 06:31 PM 233,648 lvr0099me.dll
17/10/2005 03:27 PM <DIR> dllcache
17/10/2005 03:26 PM 237,020 igrtprio.dll
16/10/2005 06:51 PM 235,359 vbwwdm32.dll
16/10/2005 06:45 PM 235,181 xYctsrv.dll
16/10/2005 05:41 PM 234,413 mpwdat10.dll
16/10/2005 05:21 PM 237,210 MmPMSNSv.dll
16/10/2005 04:37 PM 237,206 IlagXpr5.dll
15/10/2005 04:52 PM 236,997 dsnput8.dll
14/10/2005 10:26 PM 234,614 sfcurity.dll
18/12/2004 01:23 PM 32 {DC43B16E-72E3-4D18-968B-724C69CEF426}.dat
23/06/2004 05:02 PM <DIR> Microsoft
12 File(s) 2,588,778 bytes
2 Dir(s) 72,614,129,664 bytes free


Logfile of HijackThis v1.99.1
Scan saved at 12:45:11 PM, on 18/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE /P26 "EPSON Stylus CX6500 Series" /O5 "LPT1:" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC2E8B4-FCD3-458D-B8FD-D08FCCC189E9}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
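
The L2MFix find log above says "Files Found are not all bad files", so the listing needs triage. The following is an added example, not part of the original posts or of L2MFix: it groups the listed DLLs by exact size and marks which members of each group are loaded through the registry values the same log exports (Winlogon Notify `DllName` and a CLSID's `InprocServer32`). The function names are assumptions made for illustration, and the sample is a subset of lines copied from the log above.

```python
import re
from collections import defaultdict

# "DllName"="C:\\...\\x.dll" (Winlogon Notify) or @="C:\\...\\x.dll"
# (default value of an InprocServer32 key) in a .reg-style export.
REG_DLL_RE = re.compile(r'^(?:"DllName"|@)="(?P<path>[^"]+\.dll)"$', re.I)
# name, weekday, day, month, year, time, 5-char attribute field, size in bytes
FILE_RE = re.compile(
    r"^(?P<name>\S+\.dll)\s+\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+[\d:]{8}\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s", re.I)

# Subset of lines copied from the L2MFix find log in this thread.
SAMPLE_L2MFIX = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"DllName"="C:\\WINDOWS\\system32\\DPORMD.DLL"
[HKEY_CLASSES_ROOT\CLSID\{A56D7B9C-AAED-4C50-99BC-2438BB822B75}\InprocServer32]
@="C:\\WINDOWS\\system32\\wmavusd.dll"
"ThreadingModel"="Apartment"
atmtd.dll Thu 13 Oct 2005 16:26:36 A.... 687,592 671.48 K
dpormd.dll Mon 17 Oct 2005 18:31:10 ..... 233,549 228.07 K
j80s0i~1.dll Mon 17 Oct 2005 19:49:10 ..S.R 233,549 228.07 K
kndpl1.dll Fri 14 Oct 2005 21:23:14 ..... 234,614 229.11 K
s32evnt1.dll Thu 28 Jul 2005 14:52:18 A.... 91,856 89.70 K
sfcurity.dll Fri 14 Oct 2005 22:26:50 ..S.R 234,614 229.11 K
wmavusd.dll Tue 18 Oct 2005 12:15:50 ..S.R 233,549 228.07 K
"""


def registry_loaded_dlls(log_text):
    """Lower-cased base names of DLLs referenced by the exported values."""
    names = set()
    for line in log_text.splitlines():
        m = REG_DLL_RE.match(line.strip())
        if m:
            # .reg exports double every backslash; the last piece is the name
            names.add(m.group("path").split("\\")[-1].lower())
    return names


def size_clusters(log_text):
    """Group listed DLLs that share an exact byte size (two or more files)."""
    loaded = registry_loaded_dlls(log_text)
    by_size = defaultdict(list)
    for line in log_text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = int(m.group("size").replace(",", ""))
            by_size[size].append((m.group("name").lower(), m.group("attrs")))
    clusters = []
    for size, files in sorted(by_size.items()):
        if len(files) < 2:
            continue
        names = sorted(name for name, _ in files)
        clusters.append({
            "size": size,
            "files": names,
            # Caveat: the listing shows 8.3 short names, so a registry value
            # that uses a long file name will not match by base name.
            "loaded_by_registry": sorted(set(names) & loaded),
            "system_readonly": sorted(
                n for n, a in files if "S" in a and "R" in a),
        })
    return clusters


if __name__ == "__main__":
    for c in size_clusters(SAMPLE_L2MFIX):
        print(c["size"], c["files"], "registry:", c["loaded_by_registry"])
```

Identical sizes under different names are a lead for comparing the files by hash, which is what confirms whether they are copies of one binary.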
 

·
Administrator
Joined
·
4,870 Posts
Hi Leeroy

Still got a little work to do on this log.

Download CWShredder 2.15 but don't run it now
_________________________________________________

Close any programs you have open since this step requires a reboot.
_________________________________________________

From the L2MFix folder you created, double click L2MFix.bat and select Option #2 for Run Fix by typing 2 and then pressing enter. Press any key to reboot your computer. After you reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, Notepad will open with a log but close it as it's not needed yet.

IMPORTANT - DO NOT run any other files in the l2mfix folder unless you are asked to do so.
_________________________________________________

After the reboot run CWShredder and allow it to reboot when it asks.
_________________________________________________

Once you reboot, from the L2MFix folder you created, double click L2MFix.bat again and select Option #2 for Run Fix by typing 2 and then pressing enter. Press any key to reboot your computer. After you reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, Notepad will open with a log.
_________________________________________________

Copy the contents of that log and paste it back into this thread, along with a new Hijack This log.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #5
Pop up's continue!!

Hi Again Horse,

Thanks again for your fast reply!

Did all as asked, I ran CWShredder and it said VX2.Look2Me removed. However, after reboot the same pop-ups started again!

One problem I did notice though is that both times when I ran L2MFix.bat, the icons never appeared then disappeared as expected and no notepad log appeared (once I waited 15 mins and nothing happened). Any reason why this may have happened?

Despite this, I ran Hijack this again and have posted the logfile below. The pesky dll file in O20 has reappeared and changed names again. I am also getting the same spybot registry change notifications after re-boot.

Is this all normal?

Any further advice would be greatly appreciated!

Thanks again and sorry for the trouble.

Leeroy.

Logfile of HijackThis v1.99.1
Scan saved at 8:04:32 PM, on 18/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE /P26 "EPSON Stylus CX6500 Series" /O5 "LPT1:" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC2E8B4-FCD3-458D-B8FD-D08FCCC189E9}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\m0rm0a91ed.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
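
The comparison described in this post, checking whether the O20 line differs from one scan to the next, can be done mechanically. The following is an added example, not part of the original thread and not a HijackThis feature: it diffs the autostart sections of two HijackThis logs and reports Winlogon Notify DLLs that were replaced between scans. The two sample inputs are short excerpts of lines quoted in this thread (17/10/2005 and 18/10/2005); all function names are this example's own.

```python
import re
from collections import defaultdict

# HijackThis item lines have the shape "<section> - <body>", e.g.
# "O20 - Winlogon Notify: <name> - <dll path>".
ITEM_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>[A-Za-z]:\\.+)$")

# Excerpts of lines quoted in this thread (not the full logs).
SCAN_17 = r"""
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\DPORMD.DLL
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
"""
SCAN_18 = r"""
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\m0rm0a91ed.dll
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
"""


def parse_items(log_text):
    """Return {section: set(body)} for every item line of one HijackThis log."""
    items = defaultdict(set)
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:  # header lines and the process list do not match and are skipped
            items[m.group("section")].add(m.group("body"))
    return items


def winlogon_notify(items):
    """Return {lower-cased dll path: notify name} for the O20 entries."""
    out = {}
    for body in items.get("O20", ()):
        m = O20_RE.match(body)
        if m:
            out[m.group("path").lower()] = m.group("name")
    return out


def diff_scans(before_text, after_text, sections=("O4", "O20", "O23")):
    """Per section, list entries that stayed, disappeared or appeared."""
    before, after = parse_items(before_text), parse_items(after_text)
    return {
        s: {
            "stable": sorted(before[s] & after[s]),
            "gone": sorted(before[s] - after[s]),
            "new": sorted(after[s] - before[s]),
        }
        for s in sections
    }


def churning_notify_dlls(before_text, after_text):
    """Report O20 DLLs that were swapped for a different file between scans.

    A legitimate Winlogon Notify package keeps the same path on every boot,
    so "one path gone, another path new" is the pattern worth escalating.
    """
    b = winlogon_notify(parse_items(before_text))
    a = winlogon_notify(parse_items(after_text))
    gone = sorted(set(b) - set(a))
    new = sorted(set(a) - set(b))
    return {"gone": gone, "new": new, "churn": bool(gone and new)}


if __name__ == "__main__":
    result = churning_notify_dlls(SCAN_17, SCAN_18)
    print("O20 churn detected:", result["churn"])
    for path in result["gone"]:
        print("  no longer registered:", path)
    for path in result["new"]:
        print("  newly registered:   ", path)
    for section, delta in diff_scans(SCAN_17, SCAN_18).items():
        print(section, "stable:", len(delta["stable"]),
              "gone:", len(delta["gone"]), "new:", len(delta["new"]))
```

Entries reported under "new" are the files to hand to the helper or to submit for scanning; entries under "stable" (such as the Ulead service here) did not change between the two scans.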
 

·
Administrator
Joined
·
4,870 Posts
Hi again Leeroy

My apologies, it is entirely possible that TeaTimer may be blocking the registry fixes and I should have asked you to disable it. Please disable it now for the duration of the fix as follows:-

It can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
_________________________________________________

Please download the trial version of Webroot Spysweeper. Once you have downloaded the program, install and update it and do a full system scan.
_________________________________________________

Please do an online scan at Panda ActiveScan

  1. Click on the Scan your PC button & a pop up window shall appear. *Ensure that your pop up blocker doesn't block it*
  2. Click On Next
  3. Enter your e-mail address & click Send. *It will begin downloading Panda's ActiveX controls which are about 8MB in size*
  4. In the next window, checkmark the following:
    • Disinfect automatically
    • Scan compressed files
    • Scan e-mail files
    • Detect unknown viruses (Heuristic)
    • Detect spyware
  5. Begin the scan by selecting All My Computer

    You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

  6. If it finds any malware, it will offer you a report. Click on see report
  7. Then click Save report
  8. Post the contents of the report in your next reply

_________________________________________________

Paste the results of the Panda Scan here together with a new HiJack This log.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #7
Pop ups continue!!

Hi Again Horse,

Hope things are well.

Thanks for the last post. Checked that tea-timer was off then ran spysweeper. Spysweeper identified a number of the rogue pages.

I downloaded the panda activescan controls and the search page opens up. However, whenever I select my computer, I get a message saying page error. When I click on this further it reads 'object doesn't support this object or method'.

Is this a web-browser problem???

Any suggestions???

Thanks again,
Leeroy

P.S. Despite the spysweeper clean, popups continue!!
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Leeroy,

We would require the logs from SpySweeper.
From Spysweeper's main menu, please click Results in the left pane.
Click the Session Log tab & select Save to file.

Then attach the log to your next reply.

I would also like to know the version number of your SpySweeper. This information can be retrieved from the main menu.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #9
Pop ups!!!

Hi Guys,

Sorry about the mixup, Spysweeper log is given below (Lots of warnings!!).

Recent Hijack this log also attached below FYI if it is of any use. Line 020 is still there and the filename has changed again.

Thanks for your on-going help, I hope we are getting a bit closer to an answer!!

Many Thanks Again,
Leeroy

********
7:39 PM: |··· Start of Session, Wednesday, 19 October 2005 ···|
7:39 PM: Spy Sweeper started
7:39 PM: Sweep initiated using definitions version 557
7:39 PM: Starting Memory Sweep
7:39 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
7:40 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
7:41 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
7:41 PM: Memory Sweep Complete, Elapsed Time: 00:02:14
7:41 PM: Starting Registry Sweep
7:42 PM: Registry Sweep Complete, Elapsed Time:00:00:06
7:42 PM: Starting Cookie Sweep
7:42 PM: Found Spy Cookie: abcsearch cookie
7:42 PM: [email protected][2].txt (ID = 2033)
7:42 PM: Found Spy Cookie: accoona cookie
7:42 PM: [email protected][2].txt (ID = 2041)
7:42 PM: Found Spy Cookie: yieldmanager cookie
7:42 PM: [email protected][2].txt (ID = 3751)
7:42 PM: Found Spy Cookie: azjmp cookie
7:42 PM: [email protected][2].txt (ID = 2270)
7:42 PM: Found Spy Cookie: starware.com cookie
7:42 PM: [email protected][1].txt (ID = 3442)
7:42 PM: Found Spy Cookie: paypopup cookie
7:42 PM: [email protected][2].txt (ID = 3119)
7:42 PM: Found Spy Cookie: rn11 cookie
7:42 PM: [email protected][2].txt (ID = 3261)
7:42 PM: Found Spy Cookie: tribalfusion cookie
7:42 PM: [email protected][1].txt (ID = 3589)
7:42 PM: [email protected][1].txt (ID = 3442)
7:42 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:42 PM: Starting File Sweep
7:42 PM: Warning: Failed to read file "c:\documents and settings\owner\local settings\temp\perflib_perfdata_3c8.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
7:43 PM: Warning: Failed to read file "c:\windows\system32\m4280efueh280.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
7:43 PM: Warning: Failed to read file "c:\windows\system32\wdauserv.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
7:43 PM: Warning: Failed to read file "c:\windows\system32\k626lgfs1626.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
7:43 PM: File Sweep Complete, Elapsed Time: 00:01:41
7:43 PM: Full Sweep has completed. Elapsed time 00:04:06
7:43 PM: Traces Found: 9
7:44 PM: Removal process initiated
7:44 PM: Quarantining All Traces: abcsearch cookie
7:44 PM: Quarantining All Traces: accoona cookie
7:44 PM: Quarantining All Traces: yieldmanager cookie
7:44 PM: Quarantining All Traces: azjmp cookie
7:44 PM: Quarantining All Traces: starware.com cookie
7:44 PM: Quarantining All Traces: paypopup cookie
7:44 PM: Quarantining All Traces: rn11 cookie
7:44 PM: Quarantining All Traces: tribalfusion cookie
7:44 PM: Removal process completed. Elapsed time 00:00:01
7:44 PM: Deletion from quarantine initiated
7:44 PM: Processing: abcsearch cookie
7:44 PM: Processing: accoona cookie
7:44 PM: Processing: azjmp cookie
7:44 PM: Processing: yieldmanager cookie
7:44 PM: Processing: rn11 cookie
7:44 PM: Processing: tribalfusion cookie
7:44 PM: Processing: starware.com cookie
7:44 PM: Processing: paypopup cookie
7:44 PM: Deletion from quarantine completed. Elapsed time 00:00:00
7:49 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
7:49 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
7:49 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
7:54 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
7:54 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
7:54 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
********
1:27 PM: |··· Start of Session, Wednesday, 19 October 2005 ···|
1:27 PM: Spy Sweeper started
1:27 PM: Sweep initiated using definitions version 557
1:27 PM: Starting Memory Sweep
1:27 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
1:27 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:28 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:29 PM: Memory Sweep Complete, Elapsed Time: 00:02:43
1:29 PM: Starting Registry Sweep
1:30 PM: Registry Sweep Complete, Elapsed Time:00:00:08
1:30 PM: Starting Cookie Sweep
1:30 PM: Found Spy Cookie: accoona cookie
1:30 PM: [email protected][1].txt (ID = 2041)
1:30 PM: Found Spy Cookie: yieldmanager cookie
1:30 PM: [email protected][2].txt (ID = 3751)
1:30 PM: Found Spy Cookie: azjmp cookie
1:30 PM: [email protected][2].txt (ID = 2270)
1:30 PM: Found Spy Cookie: belnk cookie
1:30 PM: [email protected][1].txt (ID = 2292)
1:30 PM: [email protected][2].txt (ID = 2293)
1:30 PM: Found Spy Cookie: metareward.com cookie
1:30 PM: [email protected][1].txt (ID = 2990)
1:30 PM: Found Spy Cookie: paypopup cookie
1:30 PM: [email protected][1].txt (ID = 3119)
1:30 PM: Found Spy Cookie: overture cookie
1:30 PM: [email protected][1].txt (ID = 3106)
1:30 PM: Found Spy Cookie: tribalfusion cookie
1:30 PM: [email protected][1].txt (ID = 3589)
1:30 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:30 PM: Starting File Sweep
1:30 PM: Warning: Failed to read file "c:\windows\system32\ir82l5lo1.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
1:30 PM: Warning: Failed to read file "c:\documents and settings\owner\local settings\temp\perflib_perfdata_730.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
1:30 PM: Warning: Failed to read file "c:\windows\system32\m4280efueh280.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
1:30 PM: Found Adware: azsearch toolbar
1:30 PM: 00018911.xml (ID = 50319)
1:30 PM: Warning: Failed to read file "c:\windows\system32\dgtaclen.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
1:31 PM: Found Adware: sp2ms
1:31 PM: 00018913.exe (ID = 148760)
1:31 PM: Warning: Failed to read file "c:\documents and settings\owner\local settings\temp\~dfd8.tmp". System Error. Code: 32.
The process cannot access the file because it is being used by another process
1:31 PM: Warning: Failed to read file "c:\documents and settings\owner\local settings\temp\~df6abe.tmp". System Error. Code: 32.
The process cannot access the file because it is being used by another process
1:31 PM: Warning: Failed to read file "c:\documents and settings\owner\local settings\temp\~df6adb.tmp". System Error. Code: 32.
The process cannot access the file because it is being used by another process
1:31 PM: File Sweep Complete, Elapsed Time: 00:01:29
1:31 PM: Full Sweep has completed. Elapsed time 00:04:24
1:31 PM: Traces Found: 11
1:32 PM: Removal process initiated
1:32 PM: Quarantining All Traces: accoona cookie
1:32 PM: Quarantining All Traces: yieldmanager cookie
1:32 PM: Quarantining All Traces: azjmp cookie
1:32 PM: Quarantining All Traces: belnk cookie
1:32 PM: Quarantining All Traces: metareward.com cookie
1:32 PM: Quarantining All Traces: paypopup cookie
1:32 PM: Quarantining All Traces: overture cookie
1:32 PM: Quarantining All Traces: tribalfusion cookie
1:32 PM: Quarantining All Traces: azsearch toolbar
1:32 PM: Quarantining All Traces: sp2ms
1:32 PM: Removal process completed. Elapsed time 00:00:01
1:32 PM: Deletion from quarantine initiated
1:32 PM: Processing: accoona cookie
1:32 PM: Processing: cydoor peer-to-peer dependency
1:32 PM: Processing: overture cookie
1:32 PM: Processing: azsearch toolbar
1:32 PM: Processing: hbmediapro cookie
1:32 PM: Processing: azjmp cookie
1:32 PM: Processing: belnk cookie
1:32 PM: Processing: yieldmanager cookie
1:32 PM: Processing: epilot cookie
1:32 PM: Processing: rn11 cookie
1:32 PM: Processing: hypertracker.com cookie
1:32 PM: Processing: topsearch
1:32 PM: Processing: tribalfusion cookie
1:32 PM: Processing: sp2ms
1:32 PM: Processing: starware.com cookie
1:32 PM: Processing: metareward.com cookie
1:32 PM: Processing: paypopup cookie
1:32 PM: Deletion from quarantine completed. Elapsed time 00:00:00
1:39 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
1:39 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
1:40 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
1:45 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
1:45 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
1:45 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
1:50 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
1:55 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
1:55 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
1:55 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:00 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:00 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:00 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:05 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:05 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:05 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:10 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:10 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:10 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:15 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:15 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:15 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:20 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:20 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:21 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:26 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:26 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:26 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:31 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:31 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:31 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:36 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:36 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:36 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:41 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:41 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:41 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:46 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:46 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:46 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:51 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:51 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:51 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:56 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
2:56 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
2:56 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
3:01 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
3:01 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
3:01 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
3:06 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
3:06 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
3:06 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
3:11 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
3:11 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
3:11 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
3:16 PM: Warning: Failed to check file "C:\WINDOWS\system32\wdauserv.dll". Cannot open file "C:\WINDOWS\system32\wdauserv.dll". The process cannot access the file because it is being used by another process
3:17 PM: Warning: Failed to check file "C:\WINDOWS\system32\m4280efueh280.dll". Cannot open file "C:\WINDOWS\system32\m4280efueh280.dll". The process cannot access the file because it is being used by another process
7:39 PM: |··· End of Session, Wednesday, 19 October 2005 ···|
********
12:28 PM: |··· Start of Session, Wednesday, 19 October 2005 ···|
12:28 PM: Spy Sweeper started
12:28 PM: Sweep initiated using definitions version 557
12:28 PM: Starting Memory Sweep
12:28 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
12:29 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:29 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:30 PM: Memory Sweep Complete, Elapsed Time: 00:02:21
12:30 PM: Starting Registry Sweep
12:30 PM: Found Adware: cydoor peer-to-peer dependency
12:30 PM: HKU\S-1-5-21-1957994488-1844237615-725345543-1003\software\kazaa\promotions\cydoor\ (192 subtraces) (ID = 124527)
12:30 PM: Registry Sweep Complete, Elapsed Time:00:00:06
12:30 PM: Starting Cookie Sweep
12:30 PM: Found Spy Cookie: accoona cookie
12:30 PM: [email protected][1].txt (ID = 2041)
12:30 PM: Found Spy Cookie: yieldmanager cookie
12:30 PM: [email protected][2].txt (ID = 3751)
12:30 PM: Found Spy Cookie: hbmediapro cookie
12:30 PM: [email protected][2].txt (ID = 2768)
12:30 PM: Found Spy Cookie: azjmp cookie
12:30 PM: [email protected][1].txt (ID = 2270)
12:30 PM: Found Spy Cookie: starware.com cookie
12:30 PM: [email protected][2].txt (ID = 3442)
12:30 PM: Found Spy Cookie: hypertracker.com cookie
12:30 PM: [email protected][1].txt (ID = 2817)
12:30 PM: Found Spy Cookie: paypopup cookie
12:30 PM: [email protected][1].txt (ID = 3119)
12:30 PM: Found Spy Cookie: rn11 cookie
12:30 PM: [email protected][2].txt (ID = 3261)
12:30 PM: Found Spy Cookie: tribalfusion cookie
12:30 PM: [email protected][1].txt (ID = 3589)
12:30 PM: Found Spy Cookie: epilot cookie
12:30 PM: [email protected][1].txt (ID = 2622)
12:30 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:30 PM: Starting File Sweep
12:31 PM: Warning: Failed to read file "c:\windows\system32\ir82l5lo1.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
12:33 PM: Found Adware: topsearch
12:33 PM: topsearch.dll (ID = 79735)
12:33 PM: Warning: Failed to read file "c:\documents and settings\owner\local settings\temp\perflib_perfdata_730.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
12:33 PM: Warning: Failed to read file "c:\windows\system32\m4280efueh280.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
12:33 PM: Found Adware: azsearch toolbar
12:33 PM: azebar.xml (ID = 50319)
12:33 PM: Warning: Failed to read file "c:\windows\system32\dgtaclen.dll". System Error. Code: 32.
The process cannot access the file because it is being used by another process
12:34 PM: Found Adware: sp2ms
12:34 PM: msresearch.exe (ID = 148760)
12:34 PM: dc155.tcf (ID = 50344)
12:34 PM: File Sweep Complete, Elapsed Time: 00:03:40
12:34 PM: Full Sweep has completed. Elapsed time 00:06:12
12:34 PM: Traces Found: 207
12:35 PM: Removal process initiated
12:36 PM: Quarantining All Traces: cydoor peer-to-peer dependency
12:36 PM: Quarantining All Traces: accoona cookie
12:36 PM: Quarantining All Traces: yieldmanager cookie
12:36 PM: Quarantining All Traces: hbmediapro cookie
12:36 PM: Quarantining All Traces: azjmp cookie
12:36 PM: Quarantining All Traces: starware.com cookie
12:36 PM: Quarantining All Traces: hypertracker.com cookie
12:36 PM: Quarantining All Traces: paypopup cookie
12:36 PM: Quarantining All Traces: rn11 cookie
12:36 PM: Quarantining All Traces: tribalfusion cookie
12:36 PM: Quarantining All Traces: epilot cookie
12:36 PM: Quarantining All Traces: topsearch
12:36 PM: Quarantining All Traces: azsearch toolbar
12:36 PM: Quarantining All Traces: sp2ms
12:36 PM: Removal process completed. Elapsed time 00:00:28
12:41 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
12:41 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:41 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:46 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
12:46 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:46 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:51 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
12:51 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:51 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:57 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
12:57 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
12:57 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:02 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
1:02 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:02 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:07 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
1:07 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:07 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:12 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
1:12 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:12 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:17 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
1:17 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:17 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:22 PM: Warning: Failed to check file "C:\WINDOWS\system32\ir82l5lo1.dll". Cannot open file "C:\WINDOWS\system32\ir82l5lo1.dll". The process cannot access the file because it is being used by another process
1:22 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:22 PM: Warning: Failed to check file "C:\WINDOWS\system32\dGtaclen.dll". Cannot open file "C:\WINDOWS\system32\dGtaclen.dll". The process cannot access the file because it is being used by another process
1:27 PM: |··· End of Session, Wednesday, 19 October 2005 ···|
********
12:28 PM: |··· Start of Session, Wednesday, 19 October 2005 ···|
12:28 PM: Spy Sweeper started
12:28 PM: |··· End of Session, Wednesday, 19 October 2005 ···|





Logfile of HijackThis v1.99.1
Scan saved at 7:58:44 PM, on 19/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE /P26 "EPSON Stylus CX6500 Series" /O5 "LPT1:" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC2E8B4-FCD3-458D-B8FD-D08FCCC189E9}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\m4280efueh280.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
 

·
Administrator
Joined
·
4,870 Posts
Hi Leeroy

Please boot your system into Safe Mode and then run Spysweeper again. Come back and post the session log and new HJT log again.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #11
Pop Pop Pop

Horse said:
Hi Leeroy

Please boot your system into Safe Mode and then run Spysweeper again. Come back and post the session log and new HJT log again.

Hi Horse,

All done (results below, not quite as messy this time!!). Popups continue; the only warning this time from Spysweeper was the O20 DLL file!

How is it looking?

Thanks again,
Leeroy

********
12:49 PM: |··· Start of Session, Thursday, 20 October 2005 ···|
12:49 PM: Spy Sweeper started
12:49 PM: Sweep initiated using definitions version 492
12:49 PM: Starting Memory Sweep
12:50 PM: Warning: Failed to check file "C:\WINDOWS\system32\tgpelib.dll". Cannot open file "C:\WINDOWS\system32\tgpelib.dll". The process cannot access the file because it is being used by another process
12:50 PM: Memory Sweep Complete, Elapsed Time: 00:00:35
12:50 PM: Starting Registry Sweep
12:50 PM: Registry Sweep Complete, Elapsed Time:00:00:06
12:50 PM: Starting Cookie Sweep
12:50 PM: Found Cookie: accoona cookie
12:50 PM: [email protected][2].txt (ID = 25730)
12:50 PM: Found Cookie: yieldmanager cookie
12:50 PM: [email protected][1].txt (ID = 27415)
12:50 PM: Found Cookie: azjmp cookie
12:50 PM: [email protected][2].txt (ID = 25953)
12:50 PM: Found Cookie: com.com cookie
12:50 PM: [email protected][2].txt (ID = 26128)
12:50 PM: [email protected][1].txt (ID = 26129)
12:50 PM: [email protected][1].txt (ID = 26129)
12:50 PM: Found Cookie: starware.com cookie
12:50 PM: [email protected][1].txt (ID = 27116)
12:50 PM: [email protected][2].txt (ID = 26129)
12:50 PM: Found Cookie: metareward.com cookie
12:50 PM: [email protected][1].txt (ID = 26666)
12:50 PM: [email protected][2].txt (ID = 26129)
12:50 PM: Found Cookie: paypopup cookie
12:50 PM: [email protected][2].txt (ID = 26793)
12:50 PM: Found Cookie: realmedia cookie
12:50 PM: [email protected][1].txt (ID = 26909)
12:50 PM: Found Cookie: rn11 cookie
12:50 PM: [email protected][2].txt (ID = 26937)
12:50 PM: [email protected][1].txt (ID = 26129)
12:50 PM: Found Cookie: tribalfusion cookie
12:50 PM: [email protected][1].txt (ID = 27261)
12:50 PM: [email protected][1].txt (ID = 27116)
12:50 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
12:50 PM: Starting File Sweep
12:53 PM: File Sweep Complete, Elapsed Time: 00:02:42
12:53 PM: Full Sweep has completed. Elapsed time 00:03:30
12:53 PM: Traces Found: 16
12:53 PM: Removal process initiated
12:53 PM: Quarantining All Traces: accoona cookie
12:53 PM: Quarantining All Traces: yieldmanager cookie
12:53 PM: Quarantining All Traces: azjmp cookie
12:53 PM: Quarantining All Traces: com.com cookie
12:53 PM: Quarantining All Traces: starware.com cookie
12:53 PM: Quarantining All Traces: metareward.com cookie
12:53 PM: Quarantining All Traces: paypopup cookie
12:53 PM: Quarantining All Traces: realmedia cookie
12:53 PM: Quarantining All Traces: rn11 cookie
12:53 PM: Quarantining All Traces: tribalfusion cookie
12:53 PM: Removal process completed. Elapsed time 00:00:02
12:58 PM: Warning: Failed to check file "C:\WINDOWS\system32\tgpelib.dll". Cannot open file "C:\WINDOWS\system32\tgpelib.dll". The process cannot access the file because it is being used by another process
********

Logfile of HijackThis v1.99.1
Scan saved at 1:03:17 PM, on 20/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Hijack This\HijackThis.exe
C:\Hijack This\HijackThis.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE /P26 "EPSON Stylus CX6500 Series" /O5 "LPT1:" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC2E8B4-FCD3-458D-B8FD-D08FCCC189E9}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\tgpelib.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Leeroy,

There's something odd about your Spysweeper log that leads me to suspect that you have the incorrect version.

Please launch SpySweeper & click 'Home' from the left pane.
Find out the Program version of your Spysweeper. It should be 4.53.
The latest spyware definitions version is v 558.

Your logs indicate an older version:
12:49 PM: |··· Start of Session, Thursday, 20 October 2005 ···|
12:49 PM: Spy Sweeper started
12:49 PM: Sweep initiated using definitions version 492
Take a look here > http://www.techsupportforum.com/showthread.php?t=73652

This is what the log should look like.
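The two checks made in this thread, a sweep run with outdated definitions and a Winlogon Notify DLL that the scanner could not open, can be pulled out of the pasted logs mechanically. The Python sketch below is an added example, not part of the original posts or of either tool; its sample lines are trimmed from the logs in this thread, and the function names and the 558 threshold (taken from the reply above) are assumptions of the example.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

SESSION_RE = re.compile(r"Start of Session, ([^|·]+)")
DEFS_RE = re.compile(r"definitions version (\d+)")
LOCKED_RE = re.compile(r'Failed to (?:check|read) file "([^"]+)"')
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$", re.M)

# Sample input trimmed from the logs posted in this thread.
OLD_SWEEP = r'''
12:49 PM: |··· Start of Session, Thursday, 20 October 2005 ···|
12:49 PM: Spy Sweeper started
12:49 PM: Sweep initiated using definitions version 492
12:50 PM: Warning: Failed to check file "C:\WINDOWS\system32\tgpelib.dll". Cannot open file "C:\WINDOWS\system32\tgpelib.dll". The process cannot access the file because it is being used by another process
12:53 PM: Traces Found: 16
'''
OLD_HJT = r'''
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC2E8B4-FCD3-458D-B8FD-D08FCCC189E9}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\tgpelib.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
'''
NEW_SWEEP = r'''
3:57 PM: | Start of Session, Thursday, 20 October 2005 |
3:57 PM: Spy Sweeper started
3:57 PM: Sweep initiated using definitions version 558
3:58 PM: Detected running threat: C:\WINDOWS\system32\hrr8059ue.dll (ID = 83)
'''
NEW_HJT = r'''
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
'''


def parse_sessions(log_text):
    """Split a Spy Sweeper log into sessions, recording the definitions
    version and the files the scanner could not open (sharing violations)."""
    sessions = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"date": m.group(1).strip(),
                             "definitions": None,
                             "locked": set()})
            continue
        if not sessions:
            continue  # text before the first session header
        current = sessions[-1]
        m = DEFS_RE.search(line)
        if m:
            current["definitions"] = int(m.group(1))
        m = LOCKED_RE.search(line)
        if m:
            current["locked"].add(basename(m.group(1)).lower())
    return sessions


def parse_o20(hjt_text):
    """Return (notify key name, DLL path) for each HijackThis O20 line."""
    return [(name.strip(), path.strip())
            for name, path in O20_RE.findall(hjt_text)]


def triage(sweeper_text, hjt_text, expected_definitions):
    """Flag sweeps run with old definitions, and Winlogon Notify DLLs that
    the sweep could not open and therefore never inspected."""
    findings = []
    sessions = parse_sessions(sweeper_text)
    for s in sessions:
        # Sessions that never started a sweep have no version; skip them.
        if s["definitions"] is not None and s["definitions"] < expected_definitions:
            findings.append(("stale-definitions", s["date"], s["definitions"]))
    locked = set().union(*(s["locked"] for s in sessions))
    for name, path in parse_o20(hjt_text):
        dll = basename(path).lower()
        if dll in locked:
            findings.append(("unscanned-winlogon-notify", name, dll))
    return findings


if __name__ == "__main__":
    for label, sweep, hjt in (("old scan", OLD_SWEEP, OLD_HJT),
                              ("new scan", NEW_SWEEP, NEW_HJT)):
        print(label, triage(sweep, hjt, expected_definitions=558))
```
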
 

·
Administrator
Joined
·
4,870 Posts
Sorry guys, the wrong version could be a result of my original link, which downloads v4.0.

The link below downloads V4.5

Spy Sweeper
 

·
Registered
Joined
·
7 Posts
Discussion Starter #14
Success???

Hi Guys,

Sorry for the confusion....(if I were a little more learned I could have picked up on it myself!!!) :wink:

I have since installed the latest SpySweeper and it seems to have zapped the ever-changing DLL file.

I have pasted the results from my latest sweep and HJT scan below.

Popups have stopped (for good I hope!!!!!)

Am I clean???

Thanks,
Leeroy



********
3:57 PM: | Start of Session, Thursday, 20 October 2005 |
3:57 PM: Spy Sweeper started
3:57 PM: Sweep initiated using definitions version 558
3:57 PM: Starting Memory Sweep
3:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:58 PM: Found Adware: icannnews
3:58 PM: Detected running threat: C:\WINDOWS\system32\hrr8059ue.dll (ID = 83)
3:58 PM: Detected running threat: C:\WINDOWS\system32\wfnmp32.dll (ID = 83)
3:58 PM: Memory Sweep Complete, Elapsed Time: 00:01:16
3:58 PM: Starting Registry Sweep
3:58 PM: Registry Sweep Complete, Elapsed Time:00:00:08
3:58 PM: Starting Cookie Sweep
3:58 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:58 PM: Starting File Sweep
3:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:03 PM: File Sweep Complete, Elapsed Time: 00:04:47
4:03 PM: Full Sweep has completed. Elapsed time 00:06:14
4:03 PM: Traces Found: 2
4:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:04 PM: Removal process initiated
4:04 PM: Quarantining All Traces: icannnews
4:04 PM: icannnews is in use. It will be removed on reboot.
4:04 PM: C:\WINDOWS\system32\hrr8059ue.dll is in use. It will be removed on reboot.
4:04 PM: C:\WINDOWS\system32\wfnmp32.dll is in use. It will be removed on reboot.
4:04 PM: Warning: Launched explorer.exe
4:04 PM: Warning: Quarantine process could not restart Explorer.
4:04 PM: Preparing to restart your computer. Please wait...
4:04 PM: Removal process completed. Elapsed time 00:00:23


Logfile of HijackThis v1.99.1
Scan saved at 4:11:40 PM, on 20/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EL.EXE /P26 "EPSON Stylus CX6500 Series" /O5 "LPT1:" /M "Stylus CX6500"
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P35 "EPSON Stylus CX6500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC2E8B4-FCD3-458D-B8FD-D08FCCC189E9}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Leeroy,

Please run L2Mfix's option #2 & post the resultant logs.


After you have done that, please perform an online scan with Internet Explorer with Kaspersky WebScanner.

Next, click on Launch Kaspersky Anti-Virus Web Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan