Messages - michealbeethoven

1
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 11, 2005, 12:53:45 AM »
I think my problems are over!  This PC has been on and open to the Internet for almost 24 hours without a popup.

I would like to profusely thank Questolo for providing close in direction and support that has made a difference in the performance of this box.  

Thanks again... :)

2
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 10, 2005, 01:28:07 AM »
I don't know about you but I think we need to get away from l2mfix.  All it does is lock up the system.  Could it have been working away during those times and just could not make a transition to a final stage?  The reason I am asking is because since late last night I have been gingerly increasing the amount of time the ethernet cable is plugged in.  No popups! Whatsoever.  So, maybe, in an offhand way, without us knowing about it the l2mfix and other procedures that you have proffered, have done the job? :rolleyes:

3
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 10, 2005, 01:04:06 AM »
Got your message.  Working on it now.

4
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 10, 2005, 12:45:20 AM »
I think I may be doing a few things wrong here.  When I unzip the XPHomeFiles I get three icons on the desktop titled autoexec.nt, command, and config.nt and none of them do anything when I click on them (except command which just opens up a command prompt).  What am I doing wrong?

5
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 09, 2005, 11:29:34 PM »
Howdy:

I have copied your instructions to Notepad and will follow to the letter.  Will be back soon.

Regards.

6
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 09, 2005, 11:55:53 AM »
Boy, this PC does not like l2mfix.  I turned off both SpySweeper and Pest Patrol so they do not run shields at startup.  Didn't help.  Neither the first nor the second l2mfix .bat file will complete a scan.  In fact, it takes at least two manual reboots to get back to a normal Windows screen. :huh:

7
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 09, 2005, 09:45:29 AM »
:) OK, I tried to do what you asked.  It is funny that you told me about running the second.bat for l2mfix if the first didn't work.  The first bat file has always run before, except this time.  In fact, I tried to run both twice in succession and got lockups as a result.

Here are the latest files:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:06 AM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\maria garcia\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_r2c5c0\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


********
10:05 PM: |       Start of Session, Tuesday, November 08, 2005       |
10:05 PM: Spy Sweeper started
10:05 PM: Sweep initiated using definitions version 569
10:05 PM: Starting Memory Sweep
10:05 PM:   Found Adware: icannnews
10:05 PM:   Detected running threat: C:\WINDOWS\system32\dn8001lme.dll (ID = 83)
10:06 PM:   Detected running threat: C:\WINDOWS\system32\nntapi32.dll (ID = 83)
10:07 PM: Memory Sweep Complete, Elapsed Time: 00:01:52
10:07 PM: Starting Registry Sweep
10:07 PM: Registry Sweep Complete, Elapsed Time:00:00:11
10:07 PM: Starting Cookie Sweep
10:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:07 PM: Starting File Sweep
10:15 PM:   Found Adware: directrevenue-abetterinternet
10:15 PM:   20051107083713515.zip (ID = 186349)
10:15 PM:   20051106212457578.zip (ID = 186349)
10:15 PM:   20051107171004.zip (ID = 186349)
10:15 PM:   20051107105056843.zip (ID = 186349)
10:15 PM: File Sweep Complete, Elapsed Time: 00:08:07
10:15 PM: Full Sweep has completed.  Elapsed time 00:10:16
10:15 PM: Traces Found: 6
10:17 PM: Removal process initiated
10:17 PM:   Quarantining All Traces: directrevenue-abetterinternet
10:17 PM:   Quarantining All Traces: icannnews
10:17 PM:   icannnews is in use.  It will be removed on reboot.
10:17 PM:     C:\WINDOWS\system32\dn8001lme.dll is in use.  It will be removed on reboot.
10:17 PM:     C:\WINDOWS\system32\nntapi32.dll is in use.  It will be removed on reboot.
10:17 PM:   Warning: Launched explorer.exe
10:17 PM:   Warning: Quarantine process could not restart Explorer.
10:17 PM: Removal process completed.  Elapsed time 00:00:21
********
8:51 AM: |···  Start of Session, Tuesday, November 08, 2005  ···|
8:51 AM: Spy Sweeper started
8:51 AM: Sweep initiated using definitions version 569
8:51 AM: Starting Memory Sweep
8:51 AM:   Warning: Failed to check file "C:\WINDOWS\system32\jt4o07h3e.dll". Cannot open file "C:\WINDOWS\system32\jt4o07h3e.dll". The process cannot access the file because it is being used by another process
8:52 AM:   Warning: Failed to check file "C:\WINDOWS\system32\rdnd.dll". Cannot open file "C:\WINDOWS\system32\rdnd.dll". The process cannot access the file because it is being used by another process
8:52 AM:   Warning: Failed to check file "C:\WINDOWS\system32\rdnd.dll". Cannot open file "C:\WINDOWS\system32\rdnd.dll". The process cannot access the file because it is being used by another process
8:52 AM: Memory Sweep Complete, Elapsed Time: 00:01:06
8:52 AM: Starting Registry Sweep
8:52 AM: Registry Sweep Complete, Elapsed Time:00:00:06
8:52 AM: Starting Cookie Sweep
8:52 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:52 AM: Starting File Sweep
8:53 AM:   Warning: Failed to read file "c:\windows\system32\en0ol1d31.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:53 AM:   Warning: Failed to read file "c:\windows\system32\rdnd.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:54 AM:   Warning: Failed to read file "c:\windows\system32\jt4o07h3e.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:54 AM: File Sweep Complete, Elapsed Time: 00:02:03
8:54 AM: Full Sweep has completed.  Elapsed time 00:03:19
8:54 AM: Traces Found: 0
9:56 PM: Your definitions are up to date.
10:01 PM: Updating spyware definitions
10:01 PM: Your definitions are up to date.
10:05 PM: |       End of Session, Tuesday, November 08, 2005       |
********
12:04 AM: |···  Start of Session, Tuesday, November 08, 2005  ···|
12:04 AM: Spy Sweeper started
12:04 AM: Sweep initiated using definitions version 569
12:04 AM: Found Adware: look2me
12:04 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\shell extensions\ || dllname (ID = 129986)
12:04 AM: ir6ql5j51.dll (ID = 129986)
12:04 AM: Starting Memory Sweep
12:04 AM:   Warning: Failed to check file "C:\WINDOWS\system32\ir6ql5j51.dll". Cannot open file "C:\WINDOWS\system32\ir6ql5j51.dll". The process cannot access the file because it is being used by another process
12:05 AM:   Warning: Failed to check file "C:\WINDOWS\system32\kedsl.dll". Cannot open file "C:\WINDOWS\system32\kedsl.dll". The process cannot access the file because it is being used by another process
12:05 AM: Memory Sweep Complete, Elapsed Time: 00:01:06
12:05 AM: Starting Registry Sweep
12:05 AM: Registry Sweep Complete, Elapsed Time:00:00:06
12:05 AM: Starting Cookie Sweep
12:05 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:05 AM: Starting File Sweep
12:05 AM:   Warning: Failed to read file "c:\windows\system32\ir6ql5j51.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:06 AM:   Warning: Failed to read file "c:\windows\system32\i8jq0i15e8.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:06 AM:   Warning: Failed to read file "c:\windows\system32\kedsl.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39822.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39828.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs3982b.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs3982c.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs3982d.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39840.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39847.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39848.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs3984e.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM: File Sweep Complete, Elapsed Time: 00:01:54
12:07 AM: Full Sweep has completed.  Elapsed time 00:03:10
12:07 AM: Traces Found: 2
12:11 AM: Removal process initiated
12:11 AM:   Quarantining All Traces: look2me
12:11 AM:   An error occurred during quarantine:
12:11 AM:   Cannot open file "C:\WINDOWS\system32\ir6ql5j51.dll". The process cannot access the file because it is being used by another process
12:11 AM: Removal process completed.  Elapsed time 00:00:02
12:11 AM: Deletion from quarantine initiated
12:11 AM: Processing: exact cashback/bargain buddy
12:11 AM: Processing: dealhelper
12:11 AM: Processing: elitebar
12:11 AM: Processing: look2me
12:11 AM: Processing: personal money tree
12:11 AM: Deletion from quarantine completed.  Elapsed time 00:00:00
8:51 AM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 569
8:51 AM: |···  End of Session, Tuesday, November 08, 2005  ···|
********
8:43 PM: |···  Start of Session, Monday, November 07, 2005  ···|
8:43 PM: Spy Sweeper started
8:43 PM: Sweep initiated using definitions version 569
8:43 PM: Starting Memory Sweep
8:43 PM:   Warning: Failed to check file "C:\WINDOWS\system32\h0n0la5m1d.dll". Cannot open file "C:\WINDOWS\system32\h0n0la5m1d.dll". The process cannot access the file because it is being used by another process
8:44 PM:   Warning: Failed to check file "C:\WINDOWS\system32\nrtshell.dll". Cannot open file "C:\WINDOWS\system32\nrtshell.dll". The process cannot access the file because it is being used by another process
8:44 PM:   Warning: Failed to check file "C:\WINDOWS\system32\nrtshell.dll". Cannot open file "C:\WINDOWS\system32\nrtshell.dll". The process cannot access the file because it is being used by another process
8:44 PM: Memory Sweep Complete, Elapsed Time: 00:01:08
8:44 PM: Starting Registry Sweep
8:44 PM: Registry Sweep Complete, Elapsed Time:00:00:06
8:44 PM: Starting Cookie Sweep
8:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:44 PM: Starting File Sweep
8:44 PM:   Found Adware: elitebar
8:44 PM:   5701862_1924_3236_5680_63.41.tmp1 (ID = 137430)
8:44 PM:   Found Adware: exact cashback/bargain buddy
8:44 PM:   package_marketing30[1].exe (ID = 93621)
8:44 PM:   Found Adware: look2me
8:44 PM:   appwrap[1].exe (ID = 65739)
8:44 PM:   131826_1596_3608_1396_63.41.tmp1 (ID = 137430)
8:45 PM:   131862_668_3048_3324_63.41.tmp1 (ID = 137430)
8:45 PM:   918368_5260_3152_4424_63.41.tmp1 (ID = 137430)
8:45 PM:   131886_2024_2996_3220_63.41.tmp1 (ID = 137430)
8:45 PM:   459332_180_3220_5236_63.41.tmp1 (ID = 137430)
8:45 PM:   197838_3964_2284_4316_63.41.tmp1 (ID = 137430)
8:45 PM:   6816142_4456_3764_168_63.41.tmp1 (ID = 137430)
8:45 PM:   Warning: Failed to read file "c:\windows\system32\nrtshell.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:45 PM:   Warning: Failed to read file "c:\windows\system32\fpn2035oe.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:45 PM:   66550_3560_2092_1580_63.41.tmp1 (ID = 137430)
8:45 PM:   131718_3896_3000_972_63.41.tmp1 (ID = 137430)
8:45 PM:   262964_3964_2284_5132_63.41.tmp1 (ID = 137430)
8:45 PM:   524704_5208_2920_4188_63.41.tmp1 (ID = 137430)
8:45 PM:   2753328_5260_3152_176_63.41.tmp1 (ID = 137430)
8:45 PM:   2556146_3040_2408_3136_63.41.tmp1 (ID = 137430)
8:45 PM:   787640_5556_3612_4152_63.41.tmp1 (ID = 137430)
8:45 PM:   393702_2876_2828_3124_63.41.tmp1 (ID = 137430)
8:46 PM:   1180636_592_3384_5684_63.41.tmp1 (ID = 137430)
8:46 PM:   1180722_592_3384_4672_63.41.tmp1 (ID = 137430)
8:46 PM:   26214812_1544_2504_7060_63.41.tmp1 (ID = 137430)
8:46 PM:   984202_2192_3116_5636_63.41.tmp1 (ID = 137430)
8:46 PM:   132994_4492_1924_3320_63.41.tmp1 (ID = 137430)
8:46 PM:   1640082_5896_3232_6080_63.41.tmp1 (ID = 137430)
8:46 PM:   263076_5208_2920_5256_63.41.tmp1 (ID = 137430)
8:46 PM:   263104_3560_2092_2628_63.41.tmp1 (ID = 137430)
8:46 PM:   Found Adware: personal money tree
8:46 PM:   b7e5d.tmp (ID = 147038)
8:46 PM:   Warning: Failed to read file "c:\windows\system32\h0n0la5m1d.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:46 PM:   nls[1].cfg (ID = 114713)
8:46 PM:   Found Adware: dealhelper
8:46 PM:   newuhbavhtime.xml (ID = 163168)
8:46 PM: File Sweep Complete, Elapsed Time: 00:02:04
8:46 PM: Full Sweep has completed.  Elapsed time 00:03:22
8:46 PM: Traces Found: 29
8:52 PM: Removal process initiated
8:52 PM:   Quarantining All Traces: elitebar
8:52 PM:   Quarantining All Traces: exact cashback/bargain buddy
8:52 PM:   Quarantining All Traces: look2me
8:52 PM:   Quarantining All Traces: personal money tree
8:52 PM:   Quarantining All Traces: dealhelper
8:52 PM: Removal process completed.  Elapsed time 00:00:09
12:04 AM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 569
12:04 AM: |···  End of Session, Tuesday, November 08, 2005  ···|
********
8:37 PM: |···  Start of Session, Monday, November 07, 2005  ···|
8:37 PM: Spy Sweeper started
8:37 PM: Sweep initiated using definitions version 492
8:37 PM: Starting Memory Sweep
8:37 PM:   Warning: Failed to check file "C:\WINDOWS\system32\hr8s05l7e.dll". Cannot open file "C:\WINDOWS\system32\hr8s05l7e.dll". The process cannot access the file because it is being used by another process
8:37 PM:   Sweep Canceled
8:37 PM: Memory Sweep Complete, Elapsed Time: 00:00:12
8:37 PM: Traces Found: 0
8:40 PM: Updating spyware definitions
8:41 PM: Your spyware definitions have been updated.
8:43 PM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 569
8:43 PM: |···  End of Session, Monday, November 07, 2005  ···|
********
5:12 PM: |···  Start of Session, Monday, November 07, 2005  ···|
5:12 PM: Spy Sweeper started
5:12 PM: Sweep initiated using definitions version 492
5:12 PM: Starting Memory Sweep
5:12 PM:   Warning: Failed to check file "C:\WINDOWS\system32\k2800clmefqa0.dll". Cannot open file "C:\WINDOWS\system32\k2800clmefqa0.dll". The process cannot access the file because it is being used by another process
5:13 PM: Memory Sweep Complete, Elapsed Time: 00:00:36
5:13 PM: Starting Registry Sweep
5:13 PM: Registry Sweep Complete, Elapsed Time:00:00:05
5:13 PM: Starting Cookie Sweep
5:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:13 PM: Starting File Sweep
5:15 PM: File Sweep Complete, Elapsed Time: 00:01:54
5:15 PM: Full Sweep has completed.  Elapsed time 00:02:40
5:15 PM: Traces Found: 0
8:37 PM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 492
8:37 PM: |···  End of Session, Monday, November 07, 2005  ···|
********
10:51 AM: |···  Start of Session, Monday, November 07, 2005  ···|
10:51 AM: Spy Sweeper started
10:51 AM: Sweep initiated using definitions version 492
10:51 AM: Starting Memory Sweep
10:51 AM:   Warning: Failed to check file "C:\WINDOWS\system32\l2r0lc9m1f.dll". Cannot open file "C:\WINDOWS\system32\l2r0lc9m1f.dll". The process cannot access the file because it is being used by another process
10:52 AM: Memory Sweep Complete, Elapsed Time: 00:00:36
10:52 AM: Starting Registry Sweep
10:52 AM:   Found Adware: clearsearch
10:52 AM:   HKU\S-1-5-21-849630295-849363746-335434035-1006\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 651415)
10:52 AM:   Found Adware: searchtoolbar
10:52 AM:   HKU\S-1-5-21-849630295-849363746-335434035-1006\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\  (3 subtraces) (ID = 686768)
10:52 AM: Registry Sweep Complete, Elapsed Time:00:00:06
10:52 AM: Starting Cookie Sweep
10:52 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:52 AM: Starting File Sweep
10:54 AM: File Sweep Complete, Elapsed Time: 00:01:55
10:54 AM: Full Sweep has completed.  Elapsed time 00:02:41
10:54 AM: Traces Found: 5
2:03 PM: Removal process initiated
2:03 PM:   Quarantining All Traces: clearsearch
2:03 PM:   Quarantining All Traces: searchtoolbar
2:03 PM: Removal process completed.  Elapsed time 00:00:01
2:03 PM: Deletion from quarantine initiated
2:03 PM: Processing: clearsearch
2:03 PM: Processing: searchtoolbar
2:03 PM: Deletion from quarantine completed.  Elapsed time 00:00:00
5:12 PM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 492
5:12 PM: |···  End of Session, Monday, November 07, 2005  ···|
********
10:51 AM: |···  Start of Session, Monday, November 07, 2005  ···|
10:51 AM: Spy Sweeper started
10:51 AM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 492
10:51 AM: |···  End of Session, Monday, November 07, 2005  ···|

8
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 09, 2005, 12:55:10 AM »
I have printed out your instructions and will presently undertake them one by one.

Be back in just a few....

9
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 09, 2005, 12:29:52 AM »
Here's the L2Mfix log file.  Wow, it's big.

I just got your latest post as I was about to send this.  I have not updated SpySweeper.  I have also not run it before this send.  At least, not in the past hour or so....

L2MFIX find log 1.04a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f4l02e3mgh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access    PC233762962032\family
(ID-IO) ALLOW  Full access    CREATOR OWNER


********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{53D5B577-6234-1DC4-0AB9-3B59DB27CDBC}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}"=""
"{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}\InprocServer32]
@="C:\\WINDOWS\\system32\\cwbcatq.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 329D-CAC4

 Directory of C:\WINDOWS\System32

11/08/2005  08:34 PM           236,020 cwbcatq.dll
11/08/2005  08:34 PM           234,075 n4n6le5s1h.dll
11/08/2005  04:12 PM           236,020 f4l02e3mgh.dll
11/08/2005  03:56 PM           236,418 wravideo.dll
11/08/2005  03:37 PM           234,519 wasdmoe2.dll
11/08/2005  03:28 PM           235,851 oujsel.dll
11/08/2005  03:21 PM           234,661 mboeacct.dll
11/08/2005  03:16 PM           233,800 sWmsrv.dll
11/08/2005  02:46 PM           237,167 dvquery.dll
11/08/2005  02:11 PM           236,992 oweprn.dll
11/08/2005  02:08 PM           237,167 idfxexps.dll
11/06/2005  07:08 PM           234,272 lvrs0997e.dll
09/10/2005  03:46 PM    <DIR>          dllcache
08/30/2005  08:36 AM           401,408 w?crtupd.exe
01/25/2005  06:26 AM    <DIR>          Microsoft
              13 File(s)      3,228,370 bytes
               2 Dir(s)  70,395,531,264 bytes free

10
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 09, 2005, 12:17:36 AM »
OK, here is the HJT log but it looks so much smaller than those posted by mediachick.  Am I doing something wrong??

The one item that I constantly get back as a variation is the only O20 listed.  Is this correct?  Is this the problem?

Thanks, again.

Logfile of HijackThis v1.99.1
Scan saved at 9:08:33 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_r2c5c0\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\f4l02e3mgh.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

11
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 09, 2005, 12:00:57 AM »
WOW!  You're fast!  Thank you.  I will immediately pursue your directions.

12
Tech Clinic / winlogon notifiy has taken over my PC!
« on: November 08, 2005, 11:22:46 PM »
Hello:

I have been working all day on the same problem as was experienced by mediachick and supported so valiantly by questolo at http://www.thetechguide.com/forum/index.php?showtopic=22321.  I have the same recurring WinLogon Notify DLLs that were perplexing mediachick and followed the same procedures as so minutely outlined by questolo, in fact, three times!  The WinLogon Notify keeps reappearing in slightly different form no matter what I do to vanquish it.  I followed closely the full thread of the issues and tried to duplicate the cure myself but have not succeeded.  I would really appreciate some help at this point because I am getting really tired of all the advertisements that continually confront me whenever I click on the Internet.  I thought I had enough protection on my PC but maybe it is not a good thing to let my three daughters have free rein!

Thanks!
