Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop-ups That Wont Go Away


  • This topic is locked This topic is locked
13 replies to this topic

#1 Ben Davis

Ben Davis

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:58 AM

Posted 03 November 2005 - 05:21 PM

I've been getting Ad-ware popping up constantly and no matter how many different programs i run, i cant get rid it.

Here is my log, please help

Logfile of HijackThis v1.99.1
Scan saved at 22:14:06, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://193.60.61.250/activex/AxisCamControl.ocx
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\gp06l3ds1.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:58 AM

Posted 03 November 2005 - 05:23 PM

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#3 Ben Davis

Ben Davis
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:58 AM

Posted 03 November 2005 - 05:29 PM

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp06l3ds1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8D0BAC73-0391-9C24-60B6-99965750ACA8}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{4B4604E0-8961-11D4-A0EC-009099164712}"="My MultiPASS"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"Default"="Evidence Eliminator Shell Extension"
"{B1816445-A3ED-11D3-B2B3-00104B4C6B08}"="Evidence Eliminator Shell Extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"
"{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"
"{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}"="NOMAD Explorer"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{D120D80B-BD26-4A74-8E43-2C2AF0966139}"="QuickPar ContextMenu extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{5678E500-F561-406A-898B-A06067BA79F1}"=""
"{6267E6F6-D900-4CA0-9E30-7FEED0AD98A1}"=""
"{16B5DC90-C50F-4799-86B0-2DF6C5259521}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5678E500-F561-406A-898B-A06067BA79F1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5678E500-F561-406A-898B-A06067BA79F1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5678E500-F561-406A-898B-A06067BA79F1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5678E500-F561-406A-898B-A06067BA79F1}\InprocServer32]
@="C:\\WINDOWS\\system32\\xwsp1res.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6267E6F6-D900-4CA0-9E30-7FEED0AD98A1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6267E6F6-D900-4CA0-9E30-7FEED0AD98A1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6267E6F6-D900-4CA0-9E30-7FEED0AD98A1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6267E6F6-D900-4CA0-9E30-7FEED0AD98A1}\InprocServer32]
@="C:\\WINDOWS\\system32\\WZDRMdev.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{16B5DC90-C50F-4799-86B0-2DF6C5259521}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16B5DC90-C50F-4799-86B0-2DF6C5259521}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16B5DC90-C50F-4799-86B0-2DF6C5259521}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16B5DC90-C50F-4799-86B0-2DF6C5259521}\InprocServer32]
@="C:\\WINDOWS\\system32\\oebcbcp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ati2cqag.dll Thu 15 Sep 2005 1:59:20 A.... 233,472 228.00 K
ati2dvag.dll Thu 15 Sep 2005 2:58:48 A.... 241,664 236.00 K
ati2edxx.dll Thu 15 Sep 2005 2:53:24 A.... 39,936 39.00 K
ati2evxx.dll Thu 15 Sep 2005 2:53:14 A.... 46,080 45.00 K
ati3duag.dll Thu 15 Sep 2005 2:44:50 A.... 2,429,952 2.32 M
atiddc.dll Thu 15 Sep 2005 2:51:48 A.... 53,248 52.00 K
atidemgr.dll Thu 15 Sep 2005 4:55:12 A.... 253,952 248.00 K
atiiiexx.dll Thu 15 Sep 2005 5:32:28 A.... 307,200 300.00 K
atikvmag.dll Thu 15 Sep 2005 2:27:18 A.... 147,456 144.00 K
atioglx1.dll Thu 15 Sep 2005 4:14:50 A.... 6,680,576 6.37 M
atioglxx.dll Thu 15 Sep 2005 3:13:08 A.... 4,837,376 4.61 M
atipdlxx.dll Thu 15 Sep 2005 2:53:46 A.... 106,496 104.00 K
atitvo32.dll Thu 15 Sep 2005 2:04:28 A.... 17,408 17.00 K
ativvaxx.dll Thu 15 Sep 2005 2:39:22 A.... 602,016 587.91 K
browseui.dll Fri 2 Sep 2005 23:52:04 A.... 1,019,904 996.00 K
cdfview.dll Fri 2 Sep 2005 23:52:04 A.... 151,040 147.50 K
cdosys.dll Sat 10 Sep 2005 1:53:42 A.... 2,067,968 1.97 M
cmdlin~2.dll Sun 9 Oct 2005 12:41:28 A.... 43,520 42.50 K
danim.dll Fri 2 Sep 2005 23:52:04 A.... 1,053,696 1.00 M
dxtrans.dll Fri 2 Sep 2005 23:52:04 A.... 205,312 200.50 K
extmgr.dll Fri 2 Sep 2005 23:52:04 ..... 55,808 54.50 K
gp06l3~1.dll Tue 1 Nov 2005 16:39:42 ..S.R 234,272 228.78 K
iepeers.dll Fri 2 Sep 2005 23:52:04 A.... 251,392 245.50 K
inseng.dll Fri 2 Sep 2005 23:52:04 A.... 96,256 94.00 K
j8j60i~1.dll Thu 3 Nov 2005 21:53:02 ..S.R 234,890 229.38 K
legitc~1.dll Mon 29 Aug 2005 12:27:12 A.... 520,968 508.76 K
linkinfo.dll Thu 1 Sep 2005 1:41:54 A.... 19,968 19.50 K
mshtml.dll Tue 4 Oct 2005 16:26:00 A.... 3,015,168 2.88 M
mshtmled.dll Fri 2 Sep 2005 23:52:06 A.... 448,512 438.00 K
msrating.dll Fri 2 Sep 2005 23:52:06 A.... 146,432 143.00 K
mstime.dll Fri 2 Sep 2005 23:52:06 A.... 530,432 518.00 K
netman.dll Mon 22 Aug 2005 18:29:46 A.... 197,632 193.00 K
nwwks.dll Thu 11 Aug 2005 15:10:00 A.... 65,024 63.50 K
oebcbcp.dll Tue 1 Nov 2005 16:38:42 ..S.R 234,272 228.78 K
oemdspif.dll Thu 15 Sep 2005 2:53:36 A.... 73,728 72.00 K
pngfilt.dll Fri 2 Sep 2005 23:52:06 A.... 39,424 38.50 K
quartz.dll Tue 30 Aug 2005 3:54:26 A.... 1,287,168 1.23 M
shdocvw.dll Fri 2 Sep 2005 23:52:06 A.... 1,483,776 1.41 M
shell32.dll Fri 23 Sep 2005 3:05:30 A.... 8,450,560 8.06 M
shlwapi.dll Fri 2 Sep 2005 23:52:06 A.... 473,600 462.50 K
sirenacm.dll Sun 18 Sep 2005 23:00:34 A.... 119,856 117.05 K
umpnpmgr.dll Tue 23 Aug 2005 3:35:42 A.... 123,392 120.50 K
upnotvid.dll Mon 31 Oct 2005 22:05:08 A.... 45,056 44.00 K
urlmon.dll Fri 2 Sep 2005 23:52:06 A.... 608,768 594.50 K
wininet.dll Fri 2 Sep 2005 23:52:06 A.... 658,432 643.00 K
winsrv.dll Thu 1 Sep 2005 1:41:54 A.... 291,840 285.00 K
wzdrmdev.dll Tue 1 Nov 2005 16:33:34 ..S.R 234,272 228.78 K
xwsp1res.dll Thu 3 Nov 2005 21:53:02 ..... 234,272 228.78 K

48 items found: 48 files (4 H/S), 0 directories.
Total of file sizes: 40,713,442 bytes 38.82 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Thu 3 Nov 2005 21:54:02 ..S.R 234,272 228.78 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 234,272 bytes 228.78 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is F04C-415A

Directory of C:\WINDOWS\System32

03/11/2005 21:54 234,272 guard.tmp
03/11/2005 21:53 234,890 j8j60i1se8.dll
01/11/2005 16:39 234,272 gp06l3ds1.dll
01/11/2005 16:38 234,272 oebcbcp.dll
01/11/2005 16:33 234,272 WZDRMdev.dll
16/10/2005 08:15 <DIR> dllcache
15/09/2005 20:53 13,560 KGyGaAvL.sys
06/04/2005 20:16 0 Uninstall014714.ini
31/03/2005 20:35 0 SetupConfig.ini
03/08/2004 13:36 <DIR> Microsoft
20/09/2002 08:00 181,296 SCSIACC.EXE
9 File(s) 1,366,834 bytes
2 Dir(s) 16,460,976,128 bytes free

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:58 AM

Posted 03 November 2005 - 05:34 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder.

#5 Ben Davis

Ben Davis
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:58 AM

Posted 03 November 2005 - 05:42 PM

L2Mfix 1.04a

Running From:
C:\Documents and Settings\Ben\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Ben\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Ben\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 204 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1080 'rundll32.exe'
Killing PID 3372 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 46%)
adding: echo.reg (164 bytes security) (deflated 11%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 74%)
adding: readme.txt (164 bytes security) (deflated 52%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (deflated 28%)
adding: test3.txt (164 bytes security) (deflated 28%)
adding: test5.txt (164 bytes security) (deflated 28%)
adding: xfind.txt (164 bytes security) (stored 0%)
adding: backregs/5678E500-F561-406A-898B-A06067BA79F1.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:
Setting Directory
C:\Documents and Settings\Ben\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Ben\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 600 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
File not found - C:\WINDOWS\system32\guard.tmp
Backing Up: C:\WINDOWS\system32\guard.tmp
The system cannot find the file specified.
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
updating: guard.tmp (164 bytes security) (deflated 5%)
updating: clear.reg (164 bytes security) (deflated 2%)
updating: echo.reg (164 bytes security) (deflated 11%)
adding: cleanup.reg (164 bytes security) (deflated 45%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 81%)
updating: readme.txt (164 bytes security) (deflated 52%)
updating: report.txt (164 bytes security) (deflated 66%)
updating: test.txt (164 bytes security) (stored 0%)
updating: test2.txt (164 bytes security) (stored 0%)
updating: test3.txt (164 bytes security) (stored 0%)
updating: test5.txt (164 bytes security) (stored 0%)
updating: xfind.txt (164 bytes security) (stored 0%)
updating: backregs/5678E500-F561-406A-898B-A06067BA79F1.reg (164 bytes security) (deflated 70%)
updating: backregs/notibac.reg (164 bytes security) (deflated 88%)
updating: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j8j60i1se8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Edited by Ben Davis, 03 November 2005 - 05:46 PM.


#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:58 AM

Posted 03 November 2005 - 05:48 PM

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
And a new HJT log
David

#7 Ben Davis

Ben Davis
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:58 AM

Posted 03 November 2005 - 06:11 PM

Logfile of HijackThis v1.99.1
Scan saved at 23:10:39, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://193.60.61.250/activex/AxisCamControl.ocx
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\f8l00i3me8.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe



********
22:53: | Start of Session, 03 November 2005 |
22:53: Spy Sweeper started
22:53: Sweep initiated using definitions version 556
22:53: Starting Memory Sweep
22:53: Found Adware: icannnews
22:53: Detected running threat: C:\WINDOWS\system32\j8j60i1se8.dll (ID = 83)
22:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:55: Memory Sweep Complete, Elapsed Time: 00:01:14
22:55: Starting Registry Sweep
22:55: Found Adware: cws-aboutblank
22:55: HKLM\software\classes\wer1316.wer1316\ (1 subtraces) (ID = 115921)
22:55: HKCR\wer1316.wer1316\ (1 subtraces) (ID = 116781)
22:55: Found Adware: cws_analyzeie
22:55: HKLM\software\microsoft\internet explorer\main\msmsgsvc\ (ID = 116919)
22:55: Found Adware: weirdontheweb
22:55: HKCR\amnotifier.hubawindow\ (5 subtraces) (ID = 866632)
22:55: HKCR\amnotifier.hubawindow.1\ (3 subtraces) (ID = 866638)
22:55: Found Adware: mediapipe
22:55: HKCR\downloadmanager.manager\ (5 subtraces) (ID = 866642)
22:55: HKCR\mpagent.agent\ (5 subtraces) (ID = 866662)
22:55: HKCR\mpagent.agent.1\ (3 subtraces) (ID = 866668)
22:55: HKCR\appid\amnotifier.exe\ (1 subtraces) (ID = 866682)
22:55: HKCR\appid\downloadmanager.exe\ (1 subtraces) (ID = 866684)
22:55: HKCR\appid\mpagent.dll\ (1 subtraces) (ID = 866688)
22:55: HKCR\appid\trayicon.exe\ (1 subtraces) (ID = 866692)
22:55: HKCR\appid\{4c0b0548-ae0b-4008-999d-db33b8b2eb90}\ (1 subtraces) (ID = 866694)
22:55: HKCR\appid\{7911272a-a32a-404e-8a51-ee18b99b18c4}\ (1 subtraces) (ID = 866698)
22:55: HKCR\appid\{99c4f93d-42a7-478d-8746-4afb6c10bc26}\ (1 subtraces) (ID = 866702)
22:55: HKCR\appid\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (1 subtraces) (ID = 866704)
22:55: HKCR\clsid\{1e9adaf2-4eda-4074-96ce-c9972e675c88}\ (11 subtraces) (ID = 866706)
22:55: HKCR\clsid\{7bf58804-e672-4b96-8eec-bfcce6492c9a}\ (11 subtraces) (ID = 866735)
22:55: Found Trojan Horse: p2pnetwork
22:55: HKCR\clsid\{b3e19860-0cd5-4991-a066-4fca2704de59}\ (12 subtraces) (ID = 866747)
22:55: HKCR\typelib\{555fb512-9f3b-4359-9d2a-3c10e750ce5e}\ (9 subtraces) (ID = 866796)
22:55: HKCR\typelib\{ab3b59a5-8bb4-46ab-a878-dfdb237d5bd5}\ (9 subtraces) (ID = 866816)
22:55: HKCR\typelib\{afdbb222-dea9-4c12-b3a3-a13c2985e3ee}\ (9 subtraces) (ID = 866826)
22:55: HKCR\typelib\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (9 subtraces) (ID = 866836)
22:55: HKLM\software\altpayments\ (22 subtraces) (ID = 866864)
22:55: HKLM\software\mediapipe\ (11 subtraces) (ID = 866893)
22:55: HKLM\software\classes\amnotifier.hubawindow\ (5 subtraces) (ID = 866911)
22:55: HKLM\software\classes\amnotifier.hubawindow.1\ (3 subtraces) (ID = 866917)
22:55: HKLM\software\classes\amnotifier.hubawindow.1\clsid\ (1 subtraces) (ID = 866919)
22:55: HKLM\software\classes\downloadmanager.manager\ (5 subtraces) (ID = 866921)
22:55: HKLM\software\classes\mpagent.agent\ (5 subtraces) (ID = 866941)
22:55: HKLM\software\classes\mpagent.agent.1\ (3 subtraces) (ID = 866947)
22:55: HKLM\software\classes\appid\amnotifier.exe\ (1 subtraces) (ID = 866961)
22:55: HKLM\software\classes\appid\downloadmanager.exe\ (1 subtraces) (ID = 866963)
22:55: HKLM\software\classes\appid\mpagent.dll\ (1 subtraces) (ID = 866967)
22:55: HKLM\software\classes\appid\trayicon.exe\ (1 subtraces) (ID = 866971)
22:55: HKLM\software\classes\appid\{4c0b0548-ae0b-4008-999d-db33b8b2eb90}\ (1 subtraces) (ID = 866973)
22:55: HKLM\software\classes\appid\{7911272a-a32a-404e-8a51-ee18b99b18c4}\ (1 subtraces) (ID = 866977)
22:55: HKLM\software\classes\appid\{99c4f93d-42a7-478d-8746-4afb6c10bc26}\ (1 subtraces) (ID = 866981)
22:55: HKLM\software\classes\appid\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (1 subtraces) (ID = 866983)
22:55: HKLM\software\classes\clsid\{1e9adaf2-4eda-4074-96ce-c9972e675c88}\ (11 subtraces) (ID = 866985)
22:55: HKLM\software\classes\clsid\{7bf58804-e672-4b96-8eec-bfcce6492c9a}\ (11 subtraces) (ID = 867014)
22:55: HKLM\software\classes\clsid\{b3e19860-0cd5-4991-a066-4fca2704de59}\ (12 subtraces) (ID = 867026)
22:55: HKLM\software\classes\typelib\{555fb512-9f3b-4359-9d2a-3c10e750ce5e}\ (9 subtraces) (ID = 867075)
22:55: HKLM\software\classes\typelib\{ab3b59a5-8bb4-46ab-a878-dfdb237d5bd5}\ (9 subtraces) (ID = 867095)
22:55: HKLM\software\classes\typelib\{afdbb222-dea9-4c12-b3a3-a13c2985e3ee}\ (9 subtraces) (ID = 867105)
22:55: HKLM\software\classes\typelib\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (9 subtraces) (ID = 867115)
22:55: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ || c:\program files\p2pnetworks\p2pnetworks.exe (ID = 871570)
22:55: Found Adware: edipol alloticket dialer
22:55: HKU\WRSS_Profile_S-1-5-21-527237240-1637723038-839522115-1004\software\visio ras script\ (1 subtraces) (ID = 125646)
22:55: HKU\S-1-5-21-527237240-1637723038-839522115-1003\software\visio ras script\ (1 subtraces) (ID = 125646)
22:55: Found Adware: purityscan
22:55: HKU\S-1-5-21-527237240-1637723038-839522115-1003\software\microsoft\windows\currentversion\explorer\browser helper objects\{cf021f40-3e14-23a5-cba2-717765721316}\ (ID = 137948)
22:55: Registry Sweep Complete, Elapsed Time:00:00:12
22:55: Starting Cookie Sweep
22:55: Found Spy Cookie: aa cookie
22:55: lyn@aa[1].txt (ID = 2029)
22:55: Found Spy Cookie: adknowledge cookie
22:55: lyn@adknowledge[2].txt (ID = 2072)
22:55: Found Spy Cookie: a cookie
22:55: lyn@a[1].txt (ID = 2027)
22:55: Found Spy Cookie: belnk cookie
22:55: lyn@belnk[1].txt (ID = 2292)
22:55: lyn@dist.belnk[2].txt (ID = 2293)
22:55: Found Spy Cookie: go.com cookie
22:55: lyn@go[1].txt (ID = 2728)
22:55: Found Spy Cookie: touchclarity cookie
22:55: lyn@msn.touchclarity[1].txt (ID = 3566)
22:55: lyn@partypoker.touchclarity[1].txt (ID = 3567)
22:55: Found Spy Cookie: partypoker cookie
22:55: lyn@partypoker[2].txt (ID = 3111)
22:55: Found Spy Cookie: reunion cookie
22:55: lyn@reunion[2].txt (ID = 3255)
22:55: Found Spy Cookie: yieldmanager cookie
22:55: ben@ad.yieldmanager[1].txt (ID = 3751)
22:55: Found Spy Cookie: azjmp cookie
22:55: ben@azjmp[2].txt (ID = 2270)
22:55: ben@a[1].txt (ID = 2027)
22:55: ben@belnk[1].txt (ID = 2292)
22:55: Found Spy Cookie: burstnet cookie
22:55: ben@burstnet[2].txt (ID = 2336)
22:55: Found Spy Cookie: wtlive.com cookie
22:55: ben@dcstest.wtlive[2].txt (ID = 3700)
22:55: ben@dist.belnk[2].txt (ID = 2293)
22:55: Found Spy Cookie: gamespy cookie
22:55: ben@gamespy[1].txt (ID = 2719)
22:55: Found Spy Cookie: adjuggler cookie
22:55: ben@rotator.adjuggler[1].txt (ID = 2071)
22:55: Found Spy Cookie: toplist cookie
22:55: ben@toplist[1].txt (ID = 3557)
22:55: Found Spy Cookie: myaffiliateprogram.com cookie
22:55: ben@www.myaffiliateprogram[1].txt (ID = 3032)
22:55: Cookie Sweep Complete, Elapsed Time: 00:00:00
22:55: Starting File Sweep
22:55: Found Adware: look2me
22:55: icont.exe (ID = 65722)
22:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:56: Found Adware: apropos
22:56: wingenerics.dll (ID = 50187)
22:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:58: f8l00i3me8.dll (ID = 163672)
22:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:00: bw2.com (ID = 65721)
23:00: Found Adware: targetsaver
23:00: 3c4e48ac-7970-4c8a-86c4-ae304b (ID = 78246)
23:00: appwrap[1].exe (ID = 65739)
23:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:01: appwrap[1].exe (ID = 65722)
23:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:02: Found Adware: effective-i toolbar
23:02: 7233b891-61f4-41e7-b729-e3707f (ID = 59855)
23:02: 200c6550-34ab-43fe-9a39-76d461 (ID = 59838)
23:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:06: File Sweep Complete, Elapsed Time: 00:11:39
23:06: Full Sweep has completed. Elapsed time 00:13:10
23:06: Traces Found: 317
23:07: Removal process initiated
23:07: Quarantining All Traces: look2me
23:07: look2me is in use. It will be removed on reboot.
23:07: f8l00i3me8.dll is in use. It will be removed on reboot.
23:07: Quarantining All Traces: cws_analyzeie
23:07: Quarantining All Traces: cws-aboutblank
23:07: Quarantining All Traces: p2pnetwork
23:07: Quarantining All Traces: apropos
23:07: apropos is in use. It will be removed on reboot.
23:07: wingenerics.dll is in use. It will be removed on reboot.
23:07: Quarantining All Traces: edipol alloticket dialer
23:07: Quarantining All Traces: effective-i toolbar
23:07: Quarantining All Traces: icannnews
23:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:07: icannnews is in use. It will be removed on reboot.
23:07: C:\WINDOWS\system32\j8j60i1se8.dll is in use. It will be removed on reboot.
23:07: Quarantining All Traces: mediapipe
23:07: Quarantining All Traces: purityscan
23:07: Quarantining All Traces: targetsaver
23:07: Quarantining All Traces: weirdontheweb
23:07: Quarantining All Traces: a cookie
23:07: Quarantining All Traces: aa cookie
23:07: Quarantining All Traces: adjuggler cookie
23:07: Quarantining All Traces: adknowledge cookie
23:07: Quarantining All Traces: azjmp cookie
23:07: Quarantining All Traces: belnk cookie
23:07: Quarantining All Traces: burstnet cookie
23:07: Quarantining All Traces: gamespy cookie
23:07: Quarantining All Traces: go.com cookie
23:07: Quarantining All Traces: myaffiliateprogram.com cookie
23:07: Quarantining All Traces: partypoker cookie
23:07: Quarantining All Traces: reunion cookie
23:07: Quarantining All Traces: toplist cookie
23:07: Quarantining All Traces: touchclarity cookie
23:07: Quarantining All Traces: wtlive.com cookie
23:07: Quarantining All Traces: yieldmanager cookie
23:07: Preparing to restart your computer. Please wait...
23:07: Removal process completed. Elapsed time 00:00:33
********
22:52: | Start of Session, 03 November 2005 |
22:52: Spy Sweeper started
22:53: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
22:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:53: | End of Session, 03 November 2005 |




I think its done the trick, Thanks a lot for your help, its very much appreciated. :thumbsup: :flowers:

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:58 AM

Posted 03 November 2005 - 06:19 PM

aaaaaannndddd a new HJT log please! :thumbsup:

David

#9 Ben Davis

Ben Davis
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:58 AM

Posted 03 November 2005 - 06:20 PM

aaaaaannndddd a new HJT log please! :thumbsup:

David



Logfile of HijackThis v1.99.1
Scan saved at 23:20:43, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://193.60.61.250/activex/AxisCamControl.ocx
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\f8l00i3me8.dll (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:58 AM

Posted 03 November 2005 - 06:24 PM

:thumbsup: Looking much better! :flowers:

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://193.60.61.250/activex/AxisCamControl.ocx

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\f8l00i3me8.dll (file missing)

_____________

Post new HJT log
David

#11 Ben Davis

Ben Davis
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:58 AM

Posted 04 November 2005 - 04:11 AM

Ok thanks, I do it when i get home. Sorry for bumping this message.

Thanks again. :thumbsup:

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:58 AM

Posted 04 November 2005 - 01:18 PM

That's ok :thumbsup:

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:58 AM

Posted 08 November 2005 - 11:50 AM

Hi there :thumbsup:

Whilst we appreciate you may be busy, we haven't heard from you for a while. You haven't answered the reply i have posted.

This message is just a bump, to remind you that i am helping you - if no answer is given in a few more days, the topic will be closed.

Thanks very much for understanding

David

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:58 AM

Posted 13 November 2005 - 05:01 PM

Due to the lack of feedback, I will close this thread. :thumbsup:

If you want to thread to be re-opened at any point, please PM me or any other staff with a link to it!

If anyone else is reading this with a similar problem that you would like help with, please post it in a new thread in the security section!

:flowers: David :trumpet:





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users