
An Infection By Look2me Adware


  • This topic is locked
22 replies to this topic

#1 djred678

djred678

  • Members
  • 24 posts
  • Gender:Male
  • Location:Good ol' US of A
  • Local time:01:56 AM

Posted 04 April 2006 - 11:01 PM

I've found a 'Command' file in my Add/Remove Programs list, and when I tried to delete it, it opened up an IE window and went to http://command.adservs.com/uninstall.php. I've done some more research on this and found out that it is a part of Look2me adware. I've also deleted mynexus.exe and the NewDotNet folder. But the biggest fight was over guard.tmp (in the system32 folder). I've blocked it with McAfee and it kept on giving me error messages that McAfee found a PUP but wasn't able to delete it. I currently have 4 instances of look2me (all in sys32): clmocx.dll, ddcprop2.dll, j6l40g3qe6.dll and kydmlt48.dll. I also have 1 dropper (I think that's the name), viptr76yg.exe, and a downloader, w02c56b5.dll (both in sys32), and one more downloader, loadex[1].exe, in temporary files. Every time I start Windows I get an error message (something to the extent of "unable to load newdot~1/newdot~2.dll"), which I previously have erased. I've put a block (through McAfee) on guard.tmp in sys32 but the virus kept on giving me errors that it can't load that file. And every time I would get that message, McAfee would follow up with "found PUP guard.tmp", asking me to delete it. When I would try to delete it (or quarantine it), it would reply that it is unable to do that. So I just said f@ck it and allowed that program. So keeping all that in perspective and without further ado, here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:38 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Documents and Settings\Marc Burkheart\Desktop\HijackThis.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rsjdjin.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pfpmxa] C:\WINDOWS\system32\qnluyc.exe reg_run
O4 - HKLM\..\Run: [newname] c:\windows\newname7.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad7.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard7.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinkrag.exe CORN001
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [mzik] C:\PROGRA~1\COMMON~1\mzik\mzikm.exe
O4 - HKCU\..\Run: [lcwna] C:\WINDOWS\system32\qnluyc.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.cnetdownload.com
O15 - Trusted Zone: www.download.com
O15 - Trusted Zone: www.*.download.com
O15 - Trusted Zone: *.isqft.com
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143966883031
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: bw+0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {513232AC-2E75-4750-959B-C29B9817C671} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\r28s0cl7efq.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFyYyBCdXJraGVhcnQ\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe
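
An added example, not part of the original thread: a small Python triage pass over a HijackThis log like the one above, listing the autostart entries that deserve a closer look, including the dangling `New.net Startup` Run entry that matches the "unable to load" error described in the post. The sample lines are copied from the log above; the function names and review rules are this example's own assumptions, and a hit means "review this entry", not "malicious".

```python
import re

# A subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rsjdjin.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFyYyBCdXJraGVhcnQ\command.exe (file missing)
"""

# Every section entry has the shape "<code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
# The header and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")

# A Run value whose command starts with rundll32 (bare name or full path).
RUNDLL_RE = re.compile(r'\]\s+"?(?:[^"\s]*\\)?rundll32(?:\.exe)?\b', re.I)


def parse_entries(log_text):
    """Return (code, detail) tuples for every section entry in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("detail")))
    return entries


def review_reasons(code, detail):
    """Return the review reasons (assumed heuristics) that apply to one entry."""
    reasons = []

    # HijackThis appends "(file missing)" when it cannot find the target file:
    # the registration survives although the file is gone.
    if detail.endswith("(file missing)"):
        reasons.append("dangling reference: registered file is missing")

    # UserInit normally lists only userinit.exe; anything else in the
    # comma-separated value also starts at every logon.
    if code == "F2" and "userinit=" in detail.lower():
        value = detail.split("=", 1)[1]
        programs = [p.strip() for p in value.split(",") if p.strip()]
        extras = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
        if extras:
            reasons.append("extra program chained to UserInit: " + ", ".join(extras))

    # A Run value that starts rundll32 loads a DLL at logon; if the DLL was
    # deleted by hand, the leftover value produces a load error at startup.
    if code == "O4" and RUNDLL_RE.search(detail):
        reasons.append("Run key loads a DLL through rundll32")

    # HijackThis prints "Unknown owner" when the service binary carries
    # no company name it can read.
    if code == "O23" and " - Unknown owner - " in detail:
        reasons.append("service binary has no vendor information")

    return reasons


def triage(log_text):
    """Return the entries that matched at least one review rule, in log order."""
    findings = []
    for code, detail in parse_entries(log_text):
        reasons = review_reasons(code, detail)
        if reasons:
            findings.append({"code": code, "detail": detail, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["code"], "-", item["detail"])
        for reason in item["reasons"]:
            print("    review:", reason)
```
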



#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:04:56 AM

Posted 05 April 2006 - 02:19 PM

Hello djred678,

Welcome to BC. You have a lot going on in there. It'll take several sessions to clean. Let's start with putting HijackThis.exe in a folder of its own so that it can house its backups. Right click in an empty space on your desktop>New>Folder and name it HijackThis. Then drag and drop HijackThis.exe into that folder.

Next, we'll remove New.Net

STEP 1.
======
WinsockXPfix
Download WinsockXPfix
Do Not use it yet!
If you encounter problems connecting to the Internet, run this WinsockXPfix. You may not even need to do this but I want you to be aware of this fix if for some reason you cannot connect after rebooting.
Locate the Winsockxpfix.exe and double click and click Run.
The VB_WinFix Win 1.2 window will appear.
Click Fix

STEP 2.
======
New.Net Removal

Please open Add/Remove programs and uninstall New.Net or NewDotNet. If it is not listed, follow these instructions:
  • From a computer that has Internet access, click on NewDotNet Removal
  • If you get "the page cannot be displayed" when clicking on the removal link, you may have winhelp's mvps hosts file installed, as www.newdotnet.com is a blocked site.
  • Download and save uninstall6_90.exe (New.Net/Support/Uninstall exe file) to the Desktop.
  • Go to the Desktop and double-click on uninstall6_90.exe
  • Click on the OK button.
  • After removal, reboot.
=========================================

Let's also remove Logitech Desktop Messenger so that it will not take so much space in the HijackThis logs. Its sole purpose is to retrieve information about your Logitech devices; they claim that no other information is uploaded to their servers or any other internet servers, but in my opinion that's spying.

Go to Start>Control Panel>Add/Remove Programs and remove

Logitech Desktop Messenger

I also see two antivirus programs running at the same time: Symantec and McAfee. It's not a good practice as they would conflict with each other, rendering the computer vulnerable in every way. Please decide on one of them and remove the other from Add/Remove Programs.

=========================================

Then, let's take care of L2M first.

Click here to download Look2Me-Destroyer.exe and save it to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
=========================================

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu

=========================================

Download WebRoot SpySweeper from here (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, Click Save to File and save the log somewhere convenient.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
  • After Spysweeper has finished and removed any items found, reboot your computer right away to ensure the infection is fully removed
After the reboot scan with HijackThis again and post back:

Look2me Destroyer. text
SpySweeper log
the new hijackthis log

Edited by amateur, 05 April 2006 - 02:22 PM.


#3 djred678


Posted 05 April 2006 - 11:42 PM

Thank you. That seems to have fixed it. I've deleted the Look2Me destroyer log (but everything was deleted successfully, the registry re-done, etc.). I fell asleep waiting for SpySweeper, so I don't really remember what I did with the log (it's been a long week). And here is my HijackThis log.

Actually something off the subject. I think in the whole process of me deleting random files I've deleted something for 'User Accounts' in control panel. Now whenever I click on it nothing happens. Is there like a dll file or something that could be a cause of that? I would really appreciate it if you can point me in the right direction.

Either way. I really appreciate your help and without further ado, here it is...

Logfile of HijackThis v1.99.1
Scan saved at 9:34:04 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\acer\eRecovery\Monitor.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Marc Burkheart\Desktop\HiJackThis\HijackThis.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\imapi.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfWizard.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfWizard.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rsjdjin.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pfpmxa] C:\WINDOWS\system32\qnluyc.exe reg_run
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mzik] C:\PROGRA~1\COMMON~1\mzik\mzikm.exe
O4 - HKCU\..\Run: [lcwna] C:\WINDOWS\system32\qnluyc.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.cnetdownload.com
O15 - Trusted Zone: www.download.com
O15 - Trusted Zone: www.*.download.com
O15 - Trusted Zone: *.isqft.com
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143966883031
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\r66u0gj9e6o.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

#4 amateur


Posted 06 April 2006 - 07:26 AM

hello djred678,

We managed to get rid of L2M, but there are others yet to deal with. You are not in the clear yet.

Download this file from the link to your desktop.
http://www.mvps.org/winhelp2002/DelDomains.inf

It should look like a notebook tablet with a gear overlaid on it.
Right-click on the deldomains.inf file and select 'Install'

Once it is finished your Zones should be reset.

Note: if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection

=============================

I fell asleep waiting for SpySweeper, so I don't really remember what I did with the log (it's been a long week).


Please run it again following the earlier instructions and post it. I need to see what spysweeper did and didn't do.

=============================

Download FindQoologic.zip and save it to your C:\.
http://downloads.subratam.org/Lon/FindQool.zip

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

This folder should be present on your C:\
In case it's not present there, move the FindQool folder to C:\ otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text opens.
Post this text in your next reply, along with a fresh HijackThis log.

==============================

Actually something off the subject. I think in the whole process of me deleting random files I've deleted something for 'User Accounts' in control panel. Now whenever I click on it nothing happens. Is there like a dll file or something that could be a cause of that? I would really appreciate it if you can point me in the right direction.


As a rule, it's never a good idea to delete files without knowing exactly what you are doing. Having said that, if you are not the Administrator or do not have Admin privileges, you won't be able to access it.
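
A HijackThis log like the one in post #3 is usually narrowed down to a handful of entries before anyone decides what to fix. The following is an added example, not part of the original thread and not HijackThis's own logic: the three review rules and every function name are assumptions chosen for illustration, the sample lines are copied from the log above, and a flagged entry means "look closer", not "malicious".

```python
import ntpath
import re
from collections import defaultdict
from typing import NamedTuple

# Lines copied from the HijackThis log posted in this thread (a subset).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rsjdjin.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pfpmxa] C:\WINDOWS\system32\qnluyc.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [lcwna] C:\WINDOWS\system32\qnluyc.exe reg_run
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\r66u0gj9e6o.dll (file missing)
"""


class Finding(NamedTuple):
    rule: str      # which review rule fired
    detail: str    # what it fired on
    evidence: str  # the log line or registry values behind it


ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|com|bat|cmd|scr))(?:\s|$)", re.I)


def command_target(cmd):
    """Return the lower-cased program path from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        # Quoted path: everything up to the closing quote.
        return cmd[1:].split('"', 1)[0].lower()
    m = EXE_RE.match(cmd)
    # Unquoted: cut at the first executable extension, else at the first space.
    return (m.group(1) if m else cmd.split()[0]).lower()


def triage(log_text):
    """Return Findings for entries a reviewer would want to inspect first."""
    findings = []
    run_targets = defaultdict(list)  # program path -> [(hive, value name)]

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")

        # Rule 1: the registry entry survives but its file is gone.
        if body.endswith("(file missing)"):
            findings.append(Finding("orphaned-entry", code, line))

        # Rule 2: the stock UserInit value launches userinit.exe only.
        # Only the file name is compared here, not the full path.
        if code == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            parts = [p.strip() for p in value.split(",") if p.strip()]
            extras = [p for p in parts
                      if ntpath.basename(p).lower() != "userinit.exe"]
            if extras:
                findings.append(Finding("userinit-extra", ",".join(extras), line))

        if code == "O4":
            r = RUN_RE.match(body)
            if r:
                target = command_target(r.group("cmd"))
                run_targets[target].append((r.group("hive"), r.group("name")))

    # Rule 3: one program autostarted from both HKLM and HKCU.
    for target, refs in run_targets.items():
        if len({hive for hive, _ in refs}) > 1:
            evidence = ", ".join(f"{hive}:{name}" for hive, name in refs)
            findings.append(Finding("duplicate-autostart", target, evidence))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:20} {f.detail}\n    {f.evidence}")
```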

#5 djred678


Posted 07 April 2006 - 06:19 PM

I guess I was too quick to think that it was over. I reran all the programs listed earlier and here are the logs:

#6 djred678


Posted 07 April 2006 - 06:29 PM

LOOK2ME-DESTROYER LOG:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/7/2006 3:42:01 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Edited by djred678, 07 April 2006 - 06:31 PM.


#7 djred678


Posted 07 April 2006 - 06:35 PM

SPYSWEEP FIRST LOG
********
3:50 PM: | Start of Session, Friday, April 07, 2006 |
3:50 PM: Spy Sweeper started
3:50 PM: Sweep initiated using definitions version 652
3:50 PM: Starting Memory Sweep
3:54 PM: Memory Sweep Complete, Elapsed Time: 00:03:59
3:54 PM: Starting Registry Sweep
3:54 PM: Registry Sweep Complete, Elapsed Time:00:00:20
3:54 PM: Starting Cookie Sweep
3:54 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:54 PM: Starting File Sweep
3:54 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
3:54 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
3:58 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\all users\application data\mcafee\spamkiller\logs\filtering.log". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs85d94c80-4149-4be5-892b-74ae597afa71.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9cf1eb67-89c4-43e1-9773-96df5f9405be.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8b1400fe-45c8-4afa-bfa7-0ab5dc1335dd.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa8eb0376-8651-42de-840f-b16fb952a805.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs31b31778-9b5a-497c-bae8-7b5a9fe26941.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc0fde327-0162-4e1d-ba4f-e5e5bd8a3b06.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs01d95237-e804-4ad6-a11e-8a3f39fa39b3.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1cee09d4-c8d2-479d-8a8a-372632e85878.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc4042e6f-cffd-48e8-bcf6-e91a4a082a56.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf6006912-54b4-4d33-8b62-82cf1546d04d.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa70d65a2-6820-40d5-80f6-a5e116ef330b.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5148fb61-3b12-4624-856f-a5f4ef2e1daf.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb0c0a4f4-cb08-46b6-b7f5-517ebc05def2.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse2e3c646-3795-4a38-a7fc-e94a381e2ff9.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3243e803-f6f5-46b5-b920-21ff21a0612b.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs35e5a74d-ff5c-469d-9d4b-bc0d82c4de60.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscbf074e2-733e-45ef-9b0f-793fdb29ac1e.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbb9fcb7b-e214-46cc-a5e3-0ff540afb386.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbc22481c-57da-4dda-82c2-6e22d40e3ca8.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1d7965cf-077a-4db5-a4f5-dd0bf13f3c7b.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1e783706-b5df-40de-a928-7be28d78f482.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa744e057-8553-45f8-aa76-debb5d7c867c.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3d431641-ebfc-44b9-87e3-8fad53b5fbd8.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9ef3390e-e0d5-4699-a63b-e680f5299b65.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse15fcf20-00f8-4efe-a103-f2c9e9387b5a.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb2124940-5f4b-4326-90a7-c20369f6a7d9.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0f363d51-7931-412a-99eb-e805cfbc95e7.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7b839207-cdb7-401a-a7fe-781f42ca89fe.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs752ea529-703f-4621-bb0c-19e1a6e4a52a.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs06d5a84b-f03b-4c84-a444-b078cd2f15b9.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscseed7fd9d-7d54-42ee-9a7f-6173808f47a6.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb2078cb5-5dc0-4426-8afb-b355c35ad05b.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdc10dd74-b170-4e34-845e-b515fcbfc7ef.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs99a91a4f-ab6e-437e-80b7-5a08ca0c70fa.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3f2cb50e-2088-4c4b-a630-da321dd8a811.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5e1f1bbf-dc0b-4a71-b990-ece8e080a947.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4574bce3-2edb-4d98-a88f-68909a134f29.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse44a67c0-7bed-4f9c-b827-9c31fff568bd.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd854c9c4-0a21-4304-8874-abcf00f11e12.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3c3ec65d-dd48-4048-8ec8-197b03718aa7.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf1bde2a0-cc3a-49a1-be13-6edea1279b21.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs07c0b99f-eeed-479c-880b-018e8c847e36.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\marc burkheart\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\marc burkheart\ntuser.dat". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\marc burkheart\local settings\temp\~df920f.tmp". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\marc burkheart\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:07 PM: Warning: Failed to open file "c:\documents and settings\marc burkheart\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:12 PM: File Sweep Complete, Elapsed Time: 00:17:12
4:12 PM: Full Sweep has completed. Elapsed time 00:21:42
4:12 PM: Traces Found: 0
********
9:08 PM: | Start of Session, Wednesday, April 05, 2006 |
9:08 PM: Spy Sweeper started
9:08 PM: Sweep initiated using definitions version 650
9:08 PM: Starting Memory Sweep
9:11 PM: Memory Sweep Complete, Elapsed Time: 00:03:47
9:11 PM: Starting Registry Sweep
9:12 PM: Found Adware: desktop toolbar common components
9:12 PM: HKLM\software\microsoft\windows\currentversion\run\ || wdskctl (ID = 128194)
9:12 PM: Found Adware: surfsidekick
9:12 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
9:12 PM: Found Adware: clkoptimizer
9:12 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
9:12 PM: Found Adware: ieplugin
9:12 PM: HKLM\software\microsoft\windows\currentversion\uninstall\internet explorer toolbar - intelligent explorer\ (2 subtraces) (ID = 841077)
9:12 PM: HKLM\software\qstat\ || brr (ID = 877670)
9:12 PM: Found Adware: command
9:12 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
9:12 PM: Found Adware: dollarrevenue
9:12 PM: HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
9:12 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
9:12 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
9:12 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
9:12 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
9:12 PM: HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
9:12 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
9:12 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
9:12 PM: HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
9:12 PM: Found Adware: zenosearchassistant
9:12 PM: HKLM\software\microsoft\windows\currentversion\run\ || browserupdatesched (ID = 1075246)
9:12 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
9:12 PM: Found Adware: quicklink search toolbar
9:12 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
9:12 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
9:12 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
9:12 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
9:12 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
9:12 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
9:12 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
9:12 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
9:12 PM: HKLM\software\microsoft\windows\currentversion\run\ || mousepad (ID = 1191795)
9:12 PM: HKCR\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (6 subtraces) (ID = 1212644)
9:12 PM: HKLM\software\classes\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (6 subtraces) (ID = 1212651)
9:12 PM: HKLM\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}\ (2 subtraces) (ID = 1212690)
9:12 PM: HKLM\software\microsoft\windows\currentversion\run\ || newname (ID = 1215650)
9:12 PM: HKLM\software\microsoft\windows\currentversion\run\ || keyboard (ID = 1225564)
9:12 PM: HKU\S-1-5-21-3944966807-2045711082-1798716274-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
9:12 PM: Found Adware: findthewebsiteyouneed hijack
9:12 PM: HKU\S-1-5-21-3944966807-2045711082-1798716274-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
9:12 PM: Registry Sweep Complete, Elapsed Time:00:00:16
9:12 PM: Starting Cookie Sweep
9:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:12 PM: Starting File Sweep
9:12 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
9:12 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
9:13 PM: Warning: Failed to open file "c:\windows\wnu_74.exe". Access is denied
9:13 PM: uninstall_nmon.vbs (ID = 231442)
9:15 PM: msnav32.ax (ID = 220229)
9:15 PM: nt68rrtc12.sys (ID = 220230)
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
9:15 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\all users\application data\mcafee\spamkiller\logs\filtering.log". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs611ef395-aa37-49ef-9aae-6848bf9b3336.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfd64862e-ebc8-47f9-a238-577999268f16.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf5b92d89-df0b-46a9-9b75-83543464e87c.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2b5e325f-47ce-4d96-a687-26332a721bfb.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs39019dec-5df5-4692-b737-079d6fed3f65.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs26d04b53-c8de-4ef0-9917-fb0aceb4961a.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc1811dc8-86f3-4d92-84b7-25fbc7557f6e.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5363b4cd-d58b-4d35-b08a-8dea4d4ff208.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse2f5399a-1284-4818-9234-3ba754557031.tmp". The process cannot access the file because it is being used by another process
9:23 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc32f16f7-1f52-466e-9755-ec8644dd83b7.tmp". The process c

Edited by djred678, 07 April 2006 - 06:36 PM.


#8 djred678


Posted 07 April 2006 - 06:38 PM

SPYSWEEP TODAY'S LOG
9:02 PM: | Start of Session, Wednesday, April 05, 2006 |
9:02 PM: Spy Sweeper started
9:03 PM: Your spyware definitions have been updated.
9:08 PM: | End of Session, Wednesday, April 05, 2006 |

FINDQOOL LOG


Check for missing files
.....
C:\WINDOWS\system32\Command.com not there
.....
End check for missing files
.....
VXD Check "vdd REG_MULTI_SZ \0"

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman 2005

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\virtualdevicedrivers
vdd REG_MULTI_SZ \0
.....
End vxd check

#9 djred678


Posted 07 April 2006 - 06:40 PM

AND LAST, BUT NOT LEAST, HERE IS THE HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 4:18:55 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\acer\eRecovery\Monitor.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Marc Burkheart\Desktop\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rsjdjin.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pfpmxa] C:\WINDOWS\system32\qnluyc.exe reg_run
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mzik] C:\PROGRA~1\COMMON~1\mzik\mzikm.exe
O4 - HKCU\..\Run: [lcwna] C:\WINDOWS\system32\qnluyc.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Global Startup: ACT!.lnk = C:\Program Files\ACT\act.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143966883031
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\r66u0gj9e6o.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe



Once again, I really do appreciate all your help and time spent on this. Thank you very much.

Edited by djred678, 07 April 2006 - 06:41 PM.


#10 amateur


Posted 07 April 2006 - 06:45 PM

Thank you for the logs. Please give me some time to go through them. How is the computer running now?

#11 djred678


Posted 07 April 2006 - 06:50 PM

It actually doesn't seem to have any problems. Thanx. I did get scared once when shutting it down I heard a warning beep (you know, the one like a program couldn't open), but haven't heard it since.

Thank you.

Dmitriy
Trust in the LORD with all your heart and lean not on your own understanding.
Proverbs 3:5

#12 amateur


Posted 07 April 2006 - 07:51 PM

Please do the following:

1) Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode by tapping the F8 key just before Windows starts to load.

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

2) Please download FindQool by LonnyRJones: Something didn't work right the last time. Make sure you unzip it and place the FindQool folder in the right place. ( C:\FindQool )
http://downloads.subratam.org/Lon/FindQool.zip

* Extract the files and place the FindQool folder in root. Usually C:\
* Open the folder and run Qlocate.bat.
* Post the contents of the txt.log which will open.

3) Download F-Secure Blacklight (blbeta.exe) to your C:\ drive.
- Open a command window. (Start>Run and type: cmd)
- Copy paste or type the following in the command window:

C:\blbeta.exe /expert

- Accept the user agreement.
- Click Scan.
After the scan finishes, click on Next, then Exit.

BlackLight will create a log in your C:\ drive with the name "fsbl-xxxxxxx.log". Please post that log.

Please post those 3 logs for me.

#13 djred678


Posted 07 April 2006 - 10:24 PM

WinPFind LOG:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 4/3/2006 9:41:28 PM 1144839 C:\s_t_i_n_g_e_r.exe
UPX! 4/5/2006 3:21:46 PM 40960 C:\Look2Me-Destroyer.exe
UPX! 4/5/2006 3:21:58 PM 45568 C:\ATF-Cleaner.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 6/10/2004 5:17:12 PM 187392 C:\WINDOWS\ACER.SCR
ad-w-a-r-e.com 4/6/2006 6:10:44 PM 531643 C:\WINDOWS\setupapi.log
PTech 12/12/1989 10:10:10 AM RHS 480000 C:\WINDOWS\sweiymj.exe

Checking %System% folder...
PEC2 8/4/2004 8:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
winsync 8/4/2004 8:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
aspack 8/4/2004 8:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PECompact2 3/9/2006 4:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 4:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/4/2004 8:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/4/2006 7:53:04 PM 48180 C:\WINDOWS\SYSTEM32\w0019a08.dll
PTech 2/14/2006 9:20:14 AM 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/7/2006 7:40:46 PM S 2048 C:\WINDOWS\bootstat.dat
4/2/2006 7:37:38 PM HS 54272 C:\WINDOWS\Thumbs.db
4/2/2006 7:37:42 PM HS 10752 C:\WINDOWS\system32\Thumbs.db
4/7/2006 7:39:40 PM H 1253376 C:\WINDOWS\system32\config\system.LOG
4/7/2006 7:39:40 PM H 77824 C:\WINDOWS\system32\config\software.LOG
4/7/2006 7:39:40 PM H 12288 C:\WINDOWS\system32\config\default.LOG
4/7/2006 7:40:54 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/7/2006 7:40:48 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
3/17/2006 1:59:22 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2/14/2006 9:20:42 AM S 7086 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
2/8/2006 4:58:30 PM S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912945.cat
4/2/2006 1:27:06 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c2048883-658a-47e9-bd9d-4b424f6470ee
4/2/2006 1:27:06 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
4/2/2006 3:26:52 AM HS 5632 C:\WINDOWS\system32\autorun\Thumbs.db
4/2/2006 3:32:02 AM H 0 C:\WINDOWS\inf\oem28.inf
4/2/2006 3:26:40 AM HS 12800 C:\WINDOWS\Web\Thumbs.db
3/31/2006 6:03:46 PM HS 74752 C:\WINDOWS\Web\Wallpaper\Thumbs.db
4/7/2006 5:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
4/7/2006 5:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\A7VAHG01\desktop.ini
4/7/2006 5:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\H7YD5VSS\desktop.ini
4/7/2006 5:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8B03CZ6H\desktop.ini
4/7/2006 5:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\MVYJSTE7\desktop.ini
4/7/2006 5:29:00 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
4/7/2006 7:39:30 PM H 6 C:\WINDOWS\Tasks\SA.DAT
4/2/2006 3:26:40 AM HS 5120 C:\WINDOWS\SHELLNEW\Thumbs.db
4/6/2006 6:06:56 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
4/6/2006 6:12:40 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
4/6/2006 6:12:40 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
4/7/2006 8:14:48 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
4/7/2006 8:14:50 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat

Checking for CPL files...
Microsoft Corporation 8/4/2004 8:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Intel Corporation 1/23/2005 10:33:44 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Realtek Semiconductor Corp. 4/18/2005 7:57:58 PM 18706432 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 11/18/1999 11:04:00 AM 96016 C:\WINDOWS\SYSTEM32\Modem.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 1:00:00 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 1:00:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 8:00:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Broadcom Corporation 12/22/2004 1:32:48 AM 1261676 C:\WINDOWS\SYSTEM32\autorun\Drivers\WINXP\80211bg\Broadcom\bcmwlcpl.cpl
Realtek Semiconductor Corp. 4/18/2005 7:57:58 PM 18706432 C:\WINDOWS\SYSTEM32\autorun\Drivers\WINXP\Audio\WDM\ALSndMgr.cpl
Intel Corporation 1/23/2005 10:33:44 AM 94208 C:\WINDOWS\SYSTEM32\autorun\Drivers\WINXP\VGA\Win2000\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/22/2006 1:57:00 PM 530 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ACT!.lnk
2/15/2006 2:58:20 PM 1665 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/17/2004 1:22:56 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
4/7/2006 3:44:42 PM 2533 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Outlook 2003.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/17/2004 1:14:08 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
10/19/2005 10:16:36 AM 394 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
8/17/2004 1:22:56 PM HS 84 C:\Documents and Settings\Marc Burkheart\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/17/2004 1:14:08 PM HS 62 C:\Documents and Settings\Marc Burkheart\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Autodesk.DWF.ContextMenu
{6C18531F-CA85-45F7-8278-FF33CF0A5964} = C:\Program Files\Common Files\Autodesk shared\dwf common\DWFShellExtension.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}
MenuText = McAfee AntiPhishing Filter : c:\program files\mcafee\spamkiller\mcapfbho.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\system32\igfxtray.exe
SoundMan SOUNDMAN.EXE
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
EPM-DM c:\acer\epm\epm-dm.exe
ePowerManagement C:\Acer\ePM\ePM.exe boot
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MPSExe c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
WinFaxAppPortStarter wfxsnt40.exe
Wbutton "C:\Program Files\Launch Manager\Wbutton.exe"
Venturi Configurator C:\Program Files\Venturi2\Configurator\ventcfg.exe
UserFaultCheck %systemroot%\system32\dumprep 0 -u
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
Preload C:\Windows\RUNXMLPL.exe
PowerKey "C:\Program Files\Launch Manager\PowerKey.exe"
PHIME2002ASync C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
pfpmxa C:\WINDOWS\system32\qnluyc.exe reg_run
newname
MSPY2002 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
Logitech Hardware Abstraction Layer KHALMNPR.EXE
LMgrOSD "C:\Program Files\Launch Manager\OSDCtrl.exe"
LManager "C:\Program Files\Launch Manager\HotkeyApp.exe"
LaunchAp "C:\Program Files\Launch Manager\LaunchAp.exe"
keyboard
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
eRecoveryService C:\Windows\System32\Check.exe
CtrlVol "C:\Program Files\Launch Manager\CtrlVol.exe"
CQ4d6 "C:\WINDOWS\system32\slk8x2peu.exe"
Atomic.exe C:\Program Files\Atomic Clock Sync\Atomic.exe
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
mzik C:\PROGRA~1\COMMON~1\mzik\mzikm.exe
lcwna C:\WINDOWS\system32\qnluyc.exe reg_run

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Network Monitor 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,rsjdjin.exe
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun
= C:\WINDOWS\system32\r66u0gj9e6o.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/7/2006 7:50:31 PM
Trust in the LORD with all your heart and lean not on your own understanding.
Proverbs 3:5

#14 djred678


Posted 07 April 2006 - 10:25 PM

FindQool LOG:

Check for missing files
.....
C:\WINDOWS\system32\Command.com not there
.....
End check for missing files
.....
VXD Check "vdd REG_MULTI_SZ \0"

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman 2005

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\virtualdevicedrivers
vdd REG_MULTI_SZ \0
.....
End vxd check
Please post this in the forum
Trust in the LORD with all your heart and lean not on your own understanding.
Proverbs 3:5

#15 djred678


Posted 07 April 2006 - 10:26 PM

FSBL LOG:

04/07/06 20:19:38 [Info]: BlackLight Engine 1.0.35 initialized
04/07/06 20:19:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/07/06 20:19:38 [Note]: 7019 4
04/07/06 20:19:38 [Note]: 7005 0
04/07/06 20:19:47 [Note]: 7006 0
04/07/06 20:19:47 [Note]: 7022 0
04/07/06 20:19:47 [Note]: 7011 508
04/07/06 20:19:47 [Note]: 7026 0
04/07/06 20:19:47 [Note]: 7026 0
04/07/06 20:19:48 [Note]: FSRAW library version 1.7.1015
04/07/06 20:20:50 [Note]: 7007 0
Trust in the LORD with all your heart and lean not on your own understanding.
Proverbs 3:5



