I have been constantly getting popups ever since I downloaded a dodgy crack. First I tried Spybot Search and Destroy; that found a few adwares but it didn't work, so now I have Webroot Spy Sweeper and it has stopped the popups, but I don't think it has fixed my problem, because it brings up a message saying (The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com) every 30 seconds, and after a day or so my computer freezes up, and if I close Spy Sweeper I get my popups again. Please help me. Here is my logfile of HijackThis. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 5:35:33 PM, on 10/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mininova.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmb_3.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\jtls0737e.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mtexcl40.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hi chrisNo1,

Cleaning instructions:

Move HijackThis into its own folder, C:\HJT.

Download and install Ewido Anti-Spyware 4.0 -> http://www.ewido.net/en/download/
-> Open Ewido Anti-Spyware
-> Click the Update icon at the top of the window
-> Click the Start update button
-> Wait for the update to download and install
-> Quit the program; we'll use this later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run it yet.

Please download Brute Force Uninstaller to your desktop: http://www.merijn.org/files/bfu.zip
-> Right-click the BFU folder on your desktop, and choose Extract All
-> Click Next
-> In the box to choose where to extract the files to,
-> Click Browse
-> Click on the + sign next to My Computer
-> Click on Local Disk ( C: ) or whatever your primary drive is
-> Click Make New Folder
-> Type in BFU
-> Click Next, uncheck the Show Extracted Files box and then click Finish.

Download this removal script (right-click, "save target as") -> http://metallica.geekstogo.com/alcanshorty.bfu
and save it to the same folder where BFU was installed earlier (c:\BFU). Do NOT use this yet!

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked:

O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmb_3.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\jtls0737e.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mtexcl40.dll (file missing)

Restart your computer into safe mode -> http://www.pchell.com/support/safemode.shtml

Press Start -> My Computer -> Go to folder C:\BFU
-> Run BFU by double-clicking BFU.exe
-> Type or copy/paste this into the "Scriptline to execute" field: C:\BFU\alcanshorty.bfu
-> Click Execute and let it do its work (you should see a progress bar if you did this right)
-> Wait for the "Complete script execution" box and click OK.
-> Click Exit in order to quit BFU.

Run ATF Cleaner
-> Check Select All
-> Press Empty Selected

Open Ewido Anti-Spyware
-> Click the Scanner icon at the top of the window
-> Click the Settings tab, then select Recommended Options and choose Quarantine
-> Click the Scan tab
-> Select Complete System Scan. The scanning begins.
-> When the scan has completed:
-> If infections were found you'll be prompted about what to do.
-> Please make sure that "Set all elements to" is set to Quarantine (in the bottom-left corner of the window)
-> Then press Apply all actions and answer yes to all if it asks about something
-> Click on the Save Scan Report button and save the scan to your Desktop.
-> Copy and paste the scan results into your next post

Restart your computer normally.

Post the following logs here:
-> a fresh HijackThis log
-> Ewido's log
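The triage in the reply above picks out the O4 Run entries and O20 Winlogon Notify DLLs that do not belong. As an added example (not part of this thread, of HijackThis, or of any of the tools named here), the Python below parses HijackThis v1.99.1 entries and flags the same classes of item: autostarts launched from the drive root, system-process look-alike names outside system32, a populated AppInit_DLLs value, randomly named or missing Winlogon Notify DLLs, and services with an unknown owner. The sample lines are copied from the first log in the thread; the heuristics and thresholds are my own.

```python
"""Triage helper for HijackThis v1.99.1 log entries (added example, not part of HijackThis).

Output is a review list for a human reader, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\jtls0737e.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mtexcl40.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>\S.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# An .exe directly under a drive root, e.g. C:\\dfndrb_3.exe (HijackThis shows the doubled slash).
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+\.exe$", re.IGNORECASE)
# Letter/digit alternations; generated names such as jtls0737e or p08qlal51dq have several.
ALTERNATION_RE = re.compile(r"[a-z]\d|\d[a-z]", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    target: str   # file the entry points at
    reason: str   # why a helper would look twice at it


def first_path(cmd: str) -> str:
    """Return the executable from a Run-key command line, quotes stripped.

    Unquoted paths containing spaces are common in these logs, so cut at the
    first ".exe" rather than at the first space.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.+?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(path: str) -> bool:
    """Heuristic (my threshold): two or more letter<->digit switches in the file stem."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(ALTERNATION_RE.findall(stem)) >= 2


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = first_path(m["cmd"])
            base = path.rsplit("\\", 1)[-1].lower()
            if ROOT_EXE_RE.match(path):
                findings.append(Finding("O4", path, "autostart executable sitting directly in the drive root"))
            elif base.startswith("svchost") and "\\windows\\system32\\" not in path.lower():
                findings.append(Finding("O4", path, "system-process look-alike name outside system32"))
        elif m := APPINIT_RE.match(line):
            findings.append(Finding("O20", m["value"],
                                    "AppInit_DLLs is set; this DLL is loaded into every process that uses user32.dll"))
        elif m := NOTIFY_RE.match(line):
            if m["missing"]:
                findings.append(Finding("O20", m["path"], f"Winlogon Notify package '{m['key']}' points at a missing file"))
            elif looks_random(m["path"]):
                findings.append(Finding("O20", m["path"], f"Winlogon Notify package '{m['key']}' loads a randomly named DLL"))
        elif m := SERVICE_RE.match(line):
            if m["owner"] == "Unknown owner":
                detail = "unknown owner" + (", binary missing" if m["missing"] else "")
                findings.append(Finding("O23", m["path"], f"service '{m['short'] or m['display']}' has {detail}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.target}\n     {f.reason}")
```

A flagged line is a prompt to check the file, not a verdict: run over the full log above it would also list the WinPcap rpcapd service, which a human reviewer dismisses.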
OK, completed all tasks.

Logfile of HijackThis v1.99.1
Scan saved at 5:15:32 PM, on 11/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mininova.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\p08qlal51dq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:08:20 PM 11/07/2006

+ Scan result:

C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\T33PJ5RO\Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fp6003jme.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hrn6055se.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\k844lihq184e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lv4409hqe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[1044] C:\WINDOWS\system32\skftpub.dll -> Adware.Look2Me : Error during cleaning.
[888] C:\WINDOWS\system32\skftpub.dll -> Adware.Look2Me : Error during cleaning.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\KH0T6L2V\kybrdb_3[1].exe -> Backdoor.VB.ary : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\0Z0HEFWN\drsmartload46a[1].exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\92B5PI4M\drsmartload45a[1].exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\CXWHY34D\drsmartload849a[1].exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\NE03ZT0H\nwnmb_3[1].exe -> Downloader.Adload.cm : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\MROBVODG\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4FM7O5YZ\dfndrb_3[1].exe -> Downloader.VB.afv : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\KH0T6L2V\drsmartload[1].exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\UB49GV9V\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\NE03ZT0H\!update-4020[1].0000 -> Trojan.PurityAd : Cleaned with backup (quarantined).

::Report end

Thank you
Hi chrisNo1,

Download Look2Me-Destroyer -> http://www.atribune.org/ccount/click.php?id=7 and save it on your desktop.

IMPORTANT: Before continuing, you MUST do the following:
-> Print this or save it as a text file
-> Click Start -> Run -> services.msc -> OK
-> Check that this service is running or its startup type is Automatic: Secondary Logon
-> Disconnect from the internet (unplug your network cable)
-> Close ALL antivirus programs (this is essential!)
-> Close all windows before continuing.
-> Double-click Look2Me-Destroyer.exe to run it.
-> Put a check next to Run this program as a task.
-> You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
-> When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
-> Once it's done scanning, click the Remove L2M button.
-> You will receive a Done Scanning message, click OK.
-> When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
-> Your computer will then shut down.
-> Turn your computer back on.
-> Please post the contents of C:\Look2Me-Destroyer.txt

If you receive a message from your firewall about this program accessing the internet, please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

So post the contents of C:\Look2Me-Destroyer.txt and a new HijackThis log here. Then we'll continue the cleaning; you're not clean yet!
Thanks. How did we go? Am I clean yet?

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 12/07/2006 5:07:03 PM

Infected! C:\WINDOWS\system32\pkdrv.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP322\A0051560.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051642.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051646.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051660.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051664.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP325\A0052665.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052682.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052686.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052711.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053710.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053726.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053727.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053739.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053740.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053741.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053742.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053745.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053749.dll
Infected! C:\WINDOWS\system32\ktn6l75s1.dll
Infected! C:\WINDOWS\system32\p08qlal51dq.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\pkdrv.dll
C:\WINDOWS\system32\pkdrv.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP322\A0051560.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP322\A0051560.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051642.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051642.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051646.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051646.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051660.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051660.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051664.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051664.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP325\A0052665.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP325\A0052665.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052682.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052682.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052686.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052686.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052711.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052711.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053710.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053710.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053726.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053726.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053727.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053727.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053739.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053739.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053740.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053740.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053741.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053741.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053742.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053742.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053745.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053745.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053749.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053749.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\ktn6l75s1.dll
C:\WINDOWS\system32\ktn6l75s1.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\p08qlal51dq.dll
C:\WINDOWS\system32\p08qlal51dq.dll could not be deleted!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{80690C7F-950D-40AC-B07E-3D3A1097FF6D}"
HKCR\Clsid\{80690C7F-950D-40AC-B07E-3D3A1097FF6D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D93646EF-F5DD-4FF8-B834-A8236C6D5E4E}"
HKCR\Clsid\{D93646EF-F5DD-4FF8-B834-A8236C6D5E4E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 5:16:56 PM, on 12/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mininova.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
No, you are not. It won't go away with this tool.

Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! Then, when the log has been posted, please report to a moderator and we will examine it to ensure it is suitable to use the remainder of the fix.
Thanks so much for doing all this, I really appreciate it.

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Event"=dword:0000001f
"InstallNotifyShown"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
  00,00,57,13,53,ad,d1,f7,23,42,a8,4d,b6,2c,ae,d5,94,26,04,00,00,00,04,00,00,\
  00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,72,8d,da,83,34,9e,a4,79,\
  f0,03,90,36,8a,4c,a9,2b,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,46,\
  17,f9,05,67,8f,da,c0,8b,4d,9c,ee,3a,cd,13,ff,f8,04,00,00,da,55,4e,32,90,2a,\
  54,c2,b7,48,4e,ca,f1,d8,b3,5d,b7,b0,30,92,b0,05,75,1e,9e,4b,37,13,29,2a,3b,\
  36,aa,31,d6,57,72,90,a0,79,23,78,a8,3b,82,e4,2f,70,91,5a,fe,1c,f6,8f,97,5d,\
  10,a4,c1,5b,16,15,ad,f9,27,7b,d7,36,c9,f6,18,2b,33,a2,9f,76,0f,3e,24,49,44,\
  0a,c0,db,0e,6c,19,56,59,bf,07,c5,fb,1c,ec,fd,20,c4,0b,7a,48,36,af,8d,ba,b4,\
  2f,e2,27,84,33,ab,73,a4,06,c8,79,c1,91,67,4b,df,79,12,26,ac,d4,01,8d,e5,8f,\
  ef,de,3c,77,14,d2,9f,13,6c,94,e7,3b,42,30,71,3a,e2,24,20,5b,d4,bc,7d,9e,f8,\
  26,20,07,69,0e,41,97,df,10,44,89,42,d9,12,f0,79,a3,a5,bb,c9,48,b8,de,2b,71,\
  c8,29,0b,79,cb,a2,25,24,ac,59,41,1c,1b,28,3b,66,89,41,43,5f,ee,e0,47,7f,ae,\
  50,14,7f,9e,86,71,20,57,6a,f7,5e,da,e6,7d,60,87,a1,04,84,b3,0b,49,67,0e,f5,\
  4c,e6,b0,67,35,6b,e7,67,80,cb,13,74,92,f6,81,5b,f0,72,14,6f,7d,99,8e,74,ba,\
  53,a0,d5,ba,48,ec,65,75,d6,01,41,27,ae,68,d0,2f,9d,af,f9,e0,03,02,4e,ce,ef,\
  37,84,23,95,0f,bd,d5,7c,c3,12,19,0a,61,68,7d,d2,4e,16,f6,c9,cd,7f,b4,1b,6f,\
  9d,c1,31,10,5d,42,dc,51,1b,4c,5c,3f,a5,7a,cf,99,94,8e,a4,59,be,02,72,4d,1d,\
  43,d9,ce,e6,3a,27,b8,57,16,d5,5a,83,bc,48,f8,9d,ff,3a,3a,a4,22,2f,57,0c,2e,\
  8c,3d,b7,74,1d,21,16,35,6a,d0,97,87,bb,54,51,e3,31,a0,00,55,19,a2,41,5e,c4,\
  23,e6,d4,82,a8,37,e5,db,a3,b5,c8,50,33,9e,71,2d,f1,92,bf,cd,bd,b4,ab,a2,17,\
  b9,31,76,e8,cf,77,ce,9c,4f,c3,31,fa,71,cf,d7,56,6f,dd,7c,ab,c5,5c,21,e9,17,\
  f7,3f,6c,ea,51,3f,d6,03,a1,b8,49,93,d4,2f,55,56,5f,f8,bd,e2,34,b8,0d,cd,89,\
  99,72,40,59,5e,e3,b2,3c,91,1d,86,dc,54,d2,d4,76,c5,73,f4,c5,c4,d4,87,ce,97,\
  77,4a,05,9f,88,c6,aa,57,ee,3a,a8,fc,2b,39,81,62,1d,13,91,1d,b5,3b,7a,d4,61,\
  53,19,e9,71,03,2d,4e,61,7e,02,0d,16,1e,3d,83,27,e3,41,f5,75,ab,83,e4,7d,68,\
  fe,f0,ff,01,b9,8a,18,fd,4b,f3,af,f8,1f,d4,9d,0f,00,83,14,e9,ff,81,d4,da,f7,\
  03,41,4a,c9,57,92,99,db,15,b6,48,79,81,16,88,2c,95,98,1b,4e,6d,7b,83,32,75,\
  eb,44,75,98,bf,40,80,1b,28,fb,57,59,60,3e,41,8b,16,2a,f4,47,f4,d6,32,69,c0,\
  ab,71,12,db,48,fc,90,1b,5e,35,4c,ca,a2,d5,0d,0d,66,84,b6,b7,9c,58,32,62,0b,\
  ca,f4,a8,00,91,a0,94,66,8f,13,53,7f,cb,47,e3,1f,77,03,2e,0c,a2,80,f7,37,8f,\
  aa,51,bf,da,60,3d,bc,f1,95,f4,c3,7f,de,37,69,25,54,4c,f9,50,eb,6d,89,67,80,\
  e9,8c,ba,30,44,4b,f8,fd,ad,df,9a,f4,17,6f,89,0d,de,6c,6b,25,23,15,c8,14,87,\
  04,73,64,e9,5c,c2,ba,84,ce,84,3a,5b,4c,dd,37,77,2b,05,ae,e4,c7,f1,8b,3a,13,\
  02,03,f3,57,ef,2d,14,9e,f9,6f,36,83,e9,55,79,97,20,3e,50,56,db,e9,b4,a7,c4,\
  d7,20,cf,d6,7b,55,72,51,93,35,48,79,9d,20,06,93,e0,dc,a3,c4,b2,0c,27,4a,fc,\
  6b,e3,e3,9b,15,76,36,2f,52,0f,a7,aa,0d,a0,4c,06,85,ca,0a,f2,18,94,21,54,3c,\
  99,ec,d4,11,84,4b,8a,97,45,f7,1d,3e,f3,1f,34,99,99,fc,12,9b,8c,a2,39,99,20,\
  f9,db,1d,57,3f,ba,c0,f9,95,e1,9b,76,22,09,a1,ea,38,40,e4,29,2b,21,1a,5f,aa,\
  71,12,9b,ab,bc,9f,97,c8,78,fa,3b,46,f5,de,b2,71,39,6d,d6,1e,42,8d,86,f5,f8,\
  5a,f5,d2,da,9d,dd,83,18,80,57,d4,68,02,ca,32,4a,40,4e,1d,da,08,ba,0b,dd,cb,\
  3b,8f,d3,5d,a5,6b,b7,23,14,b7,22,28,66,d7,60,29,d1,cb,15,f5,f7,aa,5a,c0,3d,\
  4a,c4,a9,8b,74,41,c9,46,88,da,8a,d8,33,cc,2b,a6,98,14,f7,12,b5,0f,a1,13,cc,\
  ed,1e,8c,07,8e,4f,81,e5,73,9c,ae,24,83,a2,d2,f4,80,ab,58,d8,12,65,be,2d,1a,\
  fe,62,84,c1,01,1a,9e,09,3c,9c,40,b9,13,2f,54,d7,90,23,dc,74,19,e8,81,ef,05,\
  10,b8,58,5b,05,ef,e7,a6,f5,bd,54,78,8b,e5,0e,9f,3b,eb,f7,d2,4e,eb,59,37,f3,\
  f5,78,92,59,a2,d5,a8,37,3f,84,fc,ea,21,8d,f1,99,df,73,07,21,69,59,fc,fb,62,\
  0b,7c,21,06,9e,09,a2,1f,1f,8c,d3,ad,f6,0b,cd,c1,55,b1,a5,b3,4a,5a,fa,f0,8a,\
  40,12,57,1f,a0,5c,51,41,42,03,db,7d,6d,b2,69,6e,50,67,b2,67,60,97,f8,8e,17,\
  5d,42,9f,70,d7,27,c8,57,ee,4f,30,2b,8a,56,d7,f1,2c,c0,3e,23,82,bb,01,88,16,\
  28,0e,a8,c2,34,d2,a5,92,94,fe,b5,25,18,75,05,90,09,de,b4,f8,d7,89,33,65,74,\
  33,d6,3a,14,7f,23,2c,4a,94,55,c0,be,9d,fe,a2,cf,f9,b0,4f,d1,c6,c6,61,d1,f8,\
  4d,a6,64,9d,6e,8c,b9,b3,65,30,0a,7b,05,78,cc,5e,4b,9e,1b,4c,de,c6,25,df,c0,\
  ed,24,df,12,c8,78,cc,99,1a,06,bb,58,0d,d7,f8,18,8f,73,02,b1,98,c7,4f,96,16,\
  16,00,e1,f3,3f,bf,10,b4,39,c8,9b,10,ea,60,25,c5,2c,13,48,ae,d8,06,10,70,ad,\
  4c,09,aa,48,5f,a0,6a,8b,42,3b,8d,88,ed,4e,27,d0,14,00,00,00,1f,87,09,78,0c,\
  34,f9,d4,b4,26,56,b0,7d,11,57,95,fe,9b,dc,51

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sv1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}"="IZArc DragDrop Menu"
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"="IZArc Shell Context Menu"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"="PowerISO"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}"="AutoCAD Digital Signatures Icon Overlay Handler"
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}"="Autodesk Drawing Preview"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
atmtd.dll     Mon  3 Jul 2006 17:46:42  A....  687,592  671.48 K
bassmod.dll   Sun 11 Jun 2006 18:05:44  A....   14,848   14.50 K
hp0023~1.dll  Wed 12 Jul 2006 10:00:56  ..S.R  236,487  230.94 K
pkdrv.dll     Tue 11 Jul 2006 17:10:56  .....  236,487  230.94 K
ravpperf.dll  Wed 12 Jul 2006 17:05:06  ..S.R  236,487  230.94 K

5 items found: 5 files (2 H/S), 0 directories.
Total of file sizes: 1,411,901 bytes  1.34 M

Locate .tmp files:
No matches found.

**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 1859-0C70

 Directory of C:\WINDOWS\System32

13/07/2006  06:52 PM    <DIR>          ..
13/07/2006  06:52 PM    <DIR>          .
13/07/2006  09:33 AM    <DIR>          dllcache
12/07/2006  05:05 PM           236,487 ravpperf.dll
12/07/2006  10:00 AM           236,487 hp0023dmg.dll
19/03/2006  08:45 AM                32 {7D7B0656-012A-4FFD-88CF-703A6BE4E46C}.dat
12/03/2006  04:33 PM             1,004 KGyGaAvL.sys
09/01/2006  11:58 PM                56 33DAC8FEE2.sys
13/07/2005  04:03 PM    <DIR>          Microsoft
               5 File(s)        474,066 bytes
               4 Dir(s)   2,950,344,704 bytes free
Hi chrisNo1

Run l2mfix.bat and run option #2. Allow it to do everything it asks. Reboot the computer. Send a fresh HijackThis log and copy l2mfix's log here.