Winfixer Trouble


  • This topic is locked
34 replies to this topic

#1 wodfer

Posted 23 April 2006 - 05:07 PM

A few days ago my dad got a pop-up message on his laptop telling him that he had 256 infected files on his computer and he had to buy and install Winfixer to remove the problems right away. Sadly he trusted this message and bought the program. The PC soon after went totally bananas opening windows here and there with ads, alarms going off and much more crap.

So now I'm trying to get rid of all these problems for him.

OK, here's what I've done so far:

- Run CWShredder
- Run Ad-Aware
- Run Norton Antivirus
- Run HijackThis
- Run Spybot search & destroy
- Run Vundofix
- Emptied HOSTS

All latest versions and updates. Windows XP is also updated.

Plus booted in safe mode and removed a lot of infected files manually from DOS.

I've managed to get a lot of it away, but still there are pop-up browser windows with ads and there's still something left that I can't get away. Therefore I ask for some help here.

Vundofix reports no files found.

HijackThis has this log:

Logfile of HijackThis v1.99.1
Scan saved at 23:58:20, on 23.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\D-Link AirPlus\AirPlus.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\VundoFix.exe
E:\HijackThis.exe
C:\Programfiler\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\lvn2095oe.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

I have tried to delete O20 many times without success.

Any suggestions to what I can do next?

Cheers! :thumbsup:

Andreas


#2 Rawe

Posted 24 April 2006 - 03:00 AM

Hello and welcome aboard, let's get started :thumbsup:

Please download Look2Me-Destroyer to your desktop.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :flowers:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
Hi there, stranger!

#3 wodfer

Posted 24 April 2006 - 02:44 PM

Thanks.

I have run the Look2Me Destroyer tool now and it found a lot of infected files, but reported that many couldn't be removed. I have rebooted the machine and now the Look2Me tool won't start up again. Here's the log:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 24.04.2006 19:22:22

Infected! C:\WINDOWS\system32\k4620ejoehoc0.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081427.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081474.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081502.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0081964.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0081976.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0082060.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082109.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082110.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082143.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082144.dll
Infected! C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP301\A0082206.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\k4620ejoehoc0.dll
C:\WINDOWS\system32\k4620ejoehoc0.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081427.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081427.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081474.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081474.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081502.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP295\A0081502.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0081964.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0081964.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0081976.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0081976.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0082060.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP299\A0082060.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082109.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082109.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082110.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082110.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082143.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082143.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082144.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP300\A0082144.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP301\A0082206.dll
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP301\A0082206.dll could not be deleted!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp could not be deleted!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EDAF7BFF-048B-4469-BA9F-C662109910D6}"
HKCR\Clsid\{EDAF7BFF-048B-4469-BA9F-C662109910D6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6D602801-1107-4F47-A6C9-AA97AC7268A6}"
HKCR\Clsid\{6D602801-1107-4F47-A6C9-AA97AC7268A6}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratorer - Succeeded

HiJackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 23:58:20, on 23.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\D-Link AirPlus\AirPlus.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\VundoFix.exe
E:\HijackThis.exe
C:\Programfiler\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\lvn2095oe.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

When I boot the machine I keep getting warnings from RUNDLL saying something like:

An exception has occured while trying to run c:\windows\system32\dlnaddr.dll*,DllGetVersion

(The reboot before I got a warning about btowseui.dll)

I'm running a trial version of SpySweeper now to see if that will find something.

Any other suggestions?

Thanks,
Andreas

#4 Rawe

Posted 25 April 2006 - 01:16 AM

Don't run SS yet.. Let's take care of HaxDoor first. It's very possible that the other infections are interfering with the L2M-Destroyer fix. :thumbsup:

Please download Haxfix.exe:
  • Save it to your desktop.
  • Double-click on haxfix.exe to install haxfix. (standard installation path is C:\Program Files\haxfix)
  • Checkmark "Create a desktop icon".
  • Click "Next".
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
  • Click "Finish".
  • A red "dos window" (dos box) will open.
  • Select option 1. Make logfile by typing 1 and then pressing Enter.
  • Haxfix will start scanning the computer. When it is finished a logfile will open.
  • Copy the contents of that logfile and paste it into this thread.

Hi there, stranger!

#5 wodfer

Posted 25 April 2006 - 02:23 PM

Haxfix logfile:

HAXFIX logfile - by Marckie
--------------
version 2.31
25.04.2006 21:19:59,35

checking for ps.a3d....
ps.a3d is present!

checking for p2s2.a3d....
p2s2.a3d not found

checking for matching notify keys....
matching notify keys found
xptp

checking for matching services....
matching services found
Aspi32
CmBatt
xptptt
xptpmm

checking for matching safeboot services....
matching safeboot services found
xptptt.sys
xptpmm.sys

#6 Rawe

Posted 26 April 2006 - 12:36 AM

Option 3 Manual fix:
  • Open the following folder: C:\Program Files\Haxfix\
  • Double-click on Fix.bat.
  • Close all other open windows since this step requires a reboot.
  • Select option 3. Run manu fix by typing 3 and then pressing Enter.
This message will appear:

echo Insert the haxdoorkey,
and then press Enter:

  • Type the following: xptp
    When this is a valid choice, the key will be added to delete.
  • There is the possibility to add a new key: Yes (type Y) or No (type N).
    Followed by this message:

    Haxdoorkey xptp added to delete.

    Do you want to add a new haxdoorkey?

    Press Y for YES or N for NO and then press Enter:

  • Type N for No and press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of the logfile together with a new HijackThis log. :thumbsup:

Hi there, stranger!

#7 wodfer

Posted 26 April 2006 - 01:32 AM

Haxfix:

HAXFIX logfile - by Marckie
--------------
version 2.31
26.04.2006 8:18:57,66

Manual Haxdoorfix

Adding haxdoorkeys to delete...
xptp


haxdoor key: xptp

searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService FAIL
[SWSC] DeleteService FAIL


rebooting the computer.....


haxdoor key: xptp
searching for services....
services not found

checking if files are found.....
xptptt.dll exist
xptpmm.sys exist
xptp32.dll not found
xptp32.sys not found
xptp64.sys not found
xptp16.dll not found
xptp16.sys not found
xptp24.sys not found
xptpxt.dll not found
xptpxt.sys not found
xptpxm.sys not found
xptptt.sys not found

deleting files.....

checking if files are deleted.....


checking for other files.....
klgcptini.dat exist
sd.dll exist
sd.sys exist
ps.a3d exist
fux87.ini exist
qm.dll not found
qm.sys not found
qy.dll not found
qy.sys not found
qz.dll not found
qz.sys not found
zq.dll not found
zq.sys not found
stt82.ini not found
klogini.dll not found
p3.ini not found
p2s2.a3d not found
klo5.sys not found
set87.ini not found

deleting other files.....

checking if the files are deleted.....


Finished

HiJackthis:

Logfile of HijackThis v1.99.1
Scan saved at 08:29:55, on 26.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\D-Link AirPlus\AirPlus.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\Programfiler\Digital Line Detect\DLG.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programfiler\Messenger\msmsgs.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\irjml5111.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

Cheers! :thumbsup:
Andreas
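
Comparing the autostart entries of the first and the latest HijackThis log in this thread shows which O4 and O20 lines changed between the two scans. This is an added example, not part of the original posts: the function names are assumptions of the example, and the two log excerpts are shortened copies of lines from the logs posted above.

```python
import re
from collections import defaultdict

# HijackThis entry lines look like "O20 - Winlogon Notify: name - path".
# Header lines and the running-process list do not match this pattern.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return {section code: {lower-cased entry: entry as written}}."""
    sections = defaultdict(dict)
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, process path or blank line
        body = match.group("body").strip()
        # Windows paths and registry names are case-insensitive, so
        # SYSTEM32 and system32 must not count as a difference.
        sections[match.group("code")].setdefault(body.lower(), body)
    return sections


def diff_logs(before_text, after_text):
    """Return entries removed/added per section between two scans."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    codes = sorted(set(before) | set(after),
                   key=lambda c: (c[0], int(c[1:])))
    changes = {}
    for code in codes:
        old, new = before.get(code, {}), after.get(code, {})
        removed = sorted(old[k] for k in old.keys() - new.keys())
        added = sorted(new[k] for k in new.keys() - old.keys())
        if removed or added:
            changes[code] = {"removed": removed, "added": added}
    return changes


# Shortened excerpt of the log saved on 23.04.2006 (post #1).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\lsass.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\lvn2095oe.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
"""

# Shortened excerpt of the log saved on 26.04.2006 (post #7).
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\lsass.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\irjml5111.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

if __name__ == "__main__":
    for code, change in diff_logs(BEFORE, AFTER).items():
        for entry in change["removed"]:
            print(f"- {code} - {entry}")
        for entry in change["added"]:
            print(f"+ {code} - {entry}")
```
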

#8 Rawe

Posted 26 April 2006 - 07:49 AM

Go ahead and delete HaxFix :thumbsup:

Please run a Full Scan w/ all the scanning options checked on WebRoot SpySweeper (as I notice you have installed it), with the latest definitions and post back with its log. Then post a fresh HijackThis log.

Edited by Rawe, 26 April 2006 - 07:50 AM.

Hi there, stranger!

#9 wodfer

Posted 26 April 2006 - 02:04 PM

Spy Sweeper log:

********
18:27: | Start of Session, 26. april 2006 |
18:27: Spy Sweeper started
18:27: Sweep initiated using definitions version 665
18:27: Starting Memory Sweep
18:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:31: Memory Sweep Complete, Elapsed Time: 00:03:50
18:31: Starting Registry Sweep
18:31: Found Adware: instant access
18:31: HKCR\interface\{2e30ac01-99d7-4e9c-b13e-94e1701b0ac9}\ (5 subtraces) (ID = 128709)
18:31: HKCR\interface\{8f0a06f6-df4d-4d54-b8ca-e8eedbae6ddb}\ (5 subtraces) (ID = 128711)
18:31: HKLM\software\classes\interface\{2e30ac01-99d7-4e9c-b13e-94e1701b0ac9}\ (5 subtraces) (ID = 128764)
18:31: HKLM\software\classes\interface\{8f0a06f6-df4d-4d54-b8ca-e8eedbae6ddb}\ (5 subtraces) (ID = 128766)
18:31: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/p2ecom.dll\ (2 subtraces) (ID = 128807)
18:31: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\p2ecom.dll (ID = 128828)
18:31: Found Adware: winantispyware 2005
18:31: HKCR\typelib\{eb2a5b78-7437-43ef-ab74-4ab1d3a374b6}\ (9 subtraces) (ID = 797699)
18:31: HKLM\software\classes\typelib\{eb2a5b78-7437-43ef-ab74-4ab1d3a374b6}\ (9 subtraces) (ID = 797714)
18:32: Found Adware: dollarrevenue
18:32: HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
18:32: HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
18:32: Found Adware: command
18:32: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
18:32: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
18:32: HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
18:32: Found Adware: adwaresheriff fakealert
18:32: HKCR\typelib\{fd0ab400-e691-46ee-a756-0c045ceab6df}\ (9 subtraces) (ID = 1252073)
18:32: HKLM\software\classes\typelib\{fd0ab400-e691-46ee-a756-0c045ceab6df}\ (9 subtraces) (ID = 1252228)
18:32: Found Trojan Horse: trojan-downloader-terula
18:32: HKCR\clsid\{196b9cb5-4c83-46f7-9b06-9672ecd9d99b}\ (4 subtraces) (ID = 1252503)
18:32: HKLM\software\classes\clsid\{196b9cb5-4c83-46f7-9b06-9672ecd9d99b}\ (4 subtraces) (ID = 1252516)
18:32: Found Trojan Horse: rbot
18:32: HKU\S-1-5-21-165837334-270390624-2978790236-1006\software\microsoft\ole\ || microsoft windows system (ID = 1075721)
18:32: Registry Sweep Complete, Elapsed Time:00:00:42
18:32: Starting Cookie Sweep
18:32: Cookie Sweep Complete, Elapsed Time: 00:00:00
18:32: Starting File Sweep
18:32: egcomlib_1035.dll (ID = 63741)
18:32: Found Trojan Horse: trojan-backdoor-securemulti
18:32: scane[1].exe (ID = 283573)
18:35: Found Adware: targetsaver
18:35: class-barrel (ID = 78229)
18:35: vocabulary (ID = 78283)
18:35: winsrv32.exe (ID = 284281)
18:36: taskdir~.exe (ID = 283573)
18:43: winapi32.dll (ID = 284073)
18:48: tmlpcert2005 (ID = 63918)
18:50: uninstall_nmon.vbs (ID = 231442)
18:51: Found Adware: look2me
18:51: temp.frf908 (ID = 159)
18:53: wqp.dll (ID = 159)
18:54: Found Trojan Horse: trojan-backdoor-snd
18:54: senssrv.dll (ID = 277948)
18:55: mousepad12.exe (ID = 284620)
18:55: newname12.exe (ID = 284627)
18:55: 3a.tmp (ID = 283111)
18:55: keyboard12.exe (ID = 284619)
18:58: sqc4trlwtqcs.vbs (ID = 185675)
18:58: File Sweep Complete, Elapsed Time: 00:26:05
18:58: Full Sweep has completed. Elapsed time 00:30:52
18:58: Traces Found: 115
20:58: Removal process initiated
20:58: Quarantining All Traces: look2me
20:58: Quarantining All Traces: rbot
20:58: Quarantining All Traces: trojan-backdoor-securemulti
20:58: Quarantining All Traces: dollarrevenue
20:58: Quarantining All Traces: trojan-backdoor-snd
20:58: Quarantining All Traces: trojan-downloader-terula
20:58: Quarantining All Traces: adwaresheriff fakealert
20:59: Quarantining All Traces: command
20:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
20:59: Quarantining All Traces: instant access
20:59: Quarantining All Traces: targetsaver
20:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
20:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
20:59: Quarantining All Traces: winantispyware 2005
21:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
21:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
21:00: Removal process completed. Elapsed time 00:01:29
********
18:25: | Start of Session, 26. april 2006 |
18:25: Spy Sweeper started
18:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:27: Updating spyware definitions
18:27: Your definitions are up to date.
18:27: | End of Session, 26. april 2006 |


HiJackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 21:01:34, on 26.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\D-Link AirPlus\AirPlus.exe
C:\Programfiler\Digital Line Detect\DLG.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programfiler\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programfiler\Messenger\msmsgs.exe
E:\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\h6j4lg1q16.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe


I forgot to delete haxfix, but will do so now.

Thanks :-)

/Andreas

#10 wodfer


Posted 27 April 2006 - 02:27 AM

Still Ads popping up...

#11 Rawe


Posted 27 April 2006 - 08:05 AM

That's certainly looking better. :thumbsup:

Could you please give Look2Me-Destroyer a second shot, with the same instructions. If that doesn't work, we can use L2MFix.
Hi there, stranger!

#12 wodfer


Posted 27 April 2006 - 08:35 AM

I've already tried Look2Me destroyer again, but it will not re-open when I check to have it run as a service. It only closes and then goes away. Nothing else happens.

Perhaps it's still running in the background.

#13 Rawe


Posted 27 April 2006 - 08:37 AM

Ok.. Delete Look2Me-Destroyer. :thumbsup:

Please download the L2MFix by Shadowwar:
  • Save it to your desktop.
  • Double-click l2mfix.exe
  • Click the Install button to extract the files.
  • Follow the prompts, then please open the newly added l2mfix folder on your desktop.
  • Double-click the l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
Copy the contents of that log and paste it into your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to!

Note: if you receive any error messages for CMD or Autoexec.bat, select option 5 from the l2mfix and, once at the site, click on the link that applies to your operating system.

Double-click the file it downloads and extract the files to its predetermined System32 folder.

Hi there, stranger!

#14 wodfer


Posted 27 April 2006 - 08:39 AM

L2MFix log:

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h60qlgd5160.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{247BD65F-B202-425F-CDAE-E4D03426D076}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskapsside for multimediefil"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM skannerbehandling"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-sikkerhetsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskapsside for OLE DOC-fil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Skallutvidelse for deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermtype"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-sikkerhetsside"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Diskkopieringsutvidelse"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Skallutvidelser for Microsoft Windows-nettverksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM skjermbehandling"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM skriverbehandling"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Skallutvidelse for Web-skriver"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Koffert"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Ikonutvidelse for HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Skrifter"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Skriversikkerhetsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Skallutvidelse for deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-utvidelse"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign-utvidelse"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Nettverkstilkoblinger"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Nettverkstilkoblinger"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Skannere og kameraer"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Skannere og kameraer"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Skannere og kameraer"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Skannere og kameraer"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Skannere og kameraer"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Skallutvidelser for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-datakobling"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte oppgaver"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Oppgavelinje og Start-meny"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="S›k"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Kj›r..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internett"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-post"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative verkt›y"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internett-verkt›ylinje"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Nedlastingsstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="B†ndproxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft-tjeneste for tidligere URL-adresser"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Logg"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft-binding for URL-s›k"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbilde for Internet Explorer 4.0"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internett"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-b†nd"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Mappe for ActiveX-hurtigbuffer"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Abonnementsmappe"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Behandling av skallprogrammer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerator for installerte programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin Programpubliserer"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Uttrekking av miniatyrbilder i GDI+-filer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Behandling av informasjon om miniatyrbilder"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Uttrekking av HTML-miniatyrbilder"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Veiviser for Web-publisering"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestille utskrifter via Weben"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Veiviserobjekt for skallpublisering"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="F† en passport-veiviser"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brukerkontoer"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanalsnarvei"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Kanalbehandlingsobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappe for Frakoblede filer"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Etter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{EDAF7BFF-048B-4469-BA9F-C662109910D6}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EDAF7BFF-048B-4469-BA9F-C662109910D6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDAF7BFF-048B-4469-BA9F-C662109910D6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDAF7BFF-048B-4469-BA9F-C662109910D6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDAF7BFF-048B-4469-BA9F-C662109910D6}\InprocServer32]
@="C:\\WINDOWS\\system32\\ofengl32.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Sat 4 Mar 2006 5:35:50 A.... 1 022 976 999,00 K
cdfview.dll Sat 4 Mar 2006 5:35:50 A.... 151 552 148,00 K
danim.dll Sat 4 Mar 2006 5:35:50 A.... 1 054 720 1,00 M
dxtrans.dll Sat 4 Mar 2006 5:35:50 A.... 205 312 200,50 K
enl4l1~1.dll Mon 24 Apr 2006 20:38:42 ..... 233 641 228,16 K
extmgr.dll Sat 4 Mar 2006 5:35:50 ..... 55 808 54,50 K
h60qlg~1.dll Thu 27 Apr 2006 8:36:34 ..S.R 234 756 229,25 K
i024la~1.dll Mon 24 Apr 2006 19:18:18 ..S.R 235 061 229,55 K
iepeers.dll Sat 4 Mar 2006 5:35:50 A.... 251 392 245,50 K
inetcomm.dll Fri 17 Mar 2006 11:13:12 A.... 679 424 663,50 K
inseng.dll Sat 4 Mar 2006 5:35:50 A.... 96 768 94,50 K
legitc~1.dll Tue 14 Feb 2006 9:20:14 A.... 550 120 537,23 K
lvj009~1.dll Thu 27 Apr 2006 10:52:40 ..S.R 233 641 228,16 K
mshtml.dll Thu 23 Mar 2006 22:32:10 A.... 3 074 560 2,93 M
mshtmled.dll Sat 4 Mar 2006 5:35:54 A.... 448 512 438,00 K
msrating.dll Sat 4 Mar 2006 5:35:54 A.... 146 432 143,00 K
mstime.dll Sat 4 Mar 2006 5:35:54 A.... 532 480 520,00 K
mxvcrt20.dll Wed 26 Apr 2006 18:17:54 ..S.R 234 756 229,25 K
ofengl32.dll Thu 27 Apr 2006 10:55:18 ..S.R 234 756 229,25 K
pngfilt.dll Sat 4 Mar 2006 5:35:54 A.... 39 424 38,50 K
s32evnt1.dll Tue 31 Jan 2006 14:35:34 A.... 91 904 89,75 K
shdocvw.dll Thu 30 Mar 2006 11:27:54 A.... 1 492 480 1,42 M
shell32.dll Fri 17 Mar 2006 6:08:38 A.... 8 458 240 8,07 M
shlwapi.dll Sat 4 Mar 2006 5:35:54 A.... 474 112 463,00 K
urlmon.dll Sat 18 Mar 2006 13:11:46 A.... 613 376 599,00 K
wgalogon.dll Tue 14 Feb 2006 9:20:14 A.... 567 016 553,73 K
wininet.dll Sat 4 Mar 2006 5:35:56 A.... 657 920 642,50 K
wmp.dll Fri 10 Mar 2006 6:09:14 A.... 5 533 696 5,28 M
xpsp3res.dll Thu 30 Mar 2006 3:17:00 A.... 16 384 16,00 K

29 items found: 29 files (5 H/S), 0 directories.
Total of file sizes: 27 621 219 bytes 26,34 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
wupdmgr.tmp Thu 20 Apr 2006 20:57:44 A.SH. 0 0,00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 0 bytes 0,00 K
**********************************************************************************
Directory Listing of system files:
Volumet i stasjon C er uten navn.
Volumserienummeret er 787F-4D41

Innhold i C:\WINDOWS\System32

27.04.2006 10:55 234 756 ofengl32.dll
27.04.2006 10:52 233 641 lvj0091me.dll
27.04.2006 08:36 234 756 h60qlgd5160.dll
26.04.2006 18:17 234 756 MXVCRT20.DLL
24.04.2006 19:18 235 061 i024lafq1d2e.dll
23.04.2006 15:54 <DIR> DLLCACHE
20.04.2006 20:57 0 wupdmgr.tmp
17.04.2005 16:34 18 432 Thumbs.db
31.07.2003 12:24 32 {AC7CD19F-946B-401A-B294-95FD12DB131D}.dat
31.07.2003 11:48 <DIR> Microsoft
8 fil(er) 1 191 434 byte
2 mappe(r) 27 529 900 032 byte ledig

#15 Rawe

Posted 27 April 2006 - 08:49 AM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a fresh HijackThis log, and we'll clean up what's left. :thumbsup:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!