Topic: winlogon notify has taken over my PC!

michealbeethoven
« on: November 08, 2005, 11:22:46 PM »
Hello:

I have been working all day on the same problem as was experienced by mediachick and supported so valiantly by guestolo at http://www.thetechguide.com/forum/index.php?showtopic=22321. I have the same recurring WinLogon Notify DLLs that were perplexing mediachick and followed the same procedures as so minutely outlined by guestolo, in fact, three times! The WinLogon Notify keeps reappearing in slightly different form no matter what I do to vanquish it. I followed closely the full thread of the issues and tried to duplicate the cure myself but have not succeeded. I would really appreciate some help at this point because I am getting really tired of all the advertisements that continually confront me whenever I click on the Internet. I thought I had enough protection on my PC but maybe it is not a good thing to let my three daughters have free rein!

Thanks!

guestolo
« Reply #1 on: November 08, 2005, 11:49:14 PM »
The best thing you can do is post your own HijackThis log in this thread.
Here are the instructions.

Also, download L2mfix from here:

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


michealbeethoven
« Reply #2 on: November 09, 2005, 12:00:57 AM »
WOW! You're fast! Thank you. I will immediately pursue your directions.

michealbeethoven
« Reply #3 on: November 09, 2005, 12:17:36 AM »
OK, here is the HJT log, but it looks so much smaller than those posted by mediachick. Am I doing something wrong?

The one item that I constantly get back as a variation is the only O20 listed. Is this correct? Is this the problem?

Thanks, again.

Logfile of HijackThis v1.99.1
Scan saved at 9:08:33 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_r2c5c0\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\f4l02e3mgh.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

guestolo
« Reply #4 on: November 09, 2005, 12:20:22 AM »
Can you post the log from L2Mfix please?

Did you update SpySweeper before running it?
Don't run it yet, I want to see the log from L2Mfix first.


michealbeethoven
« Reply #5 on: November 09, 2005, 12:29:52 AM »
Here's the L2Mfix log file.  Wow, it's big.

I just got your latest post as I was about to send this.  I have not updated SpySweeper.  I have also not run it before this send.  At least, not in the past hour or so....

L2MFIX find log 1.04a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f4l02e3mgh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access    PC233762962032\family
(ID-IO) ALLOW  Full access    CREATOR OWNER


********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{53D5B577-6234-1DC4-0AB9-3B59DB27CDBC}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}"=""
"{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}"=""

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5051DF90-7AC7-4DB0-BD91-8DA7FE261456}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C3B7EF42-8BE0-4481-890A-FD2FAFF2AB99}\InprocServer32]
@="C:\\WINDOWS\\system32\\cwbcatq.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 329D-CAC4

 Directory of C:\WINDOWS\System32

11/08/2005  08:34 PM           236,020 cwbcatq.dll
11/08/2005  08:34 PM           234,075 n4n6le5s1h.dll
11/08/2005  04:12 PM           236,020 f4l02e3mgh.dll
11/08/2005  03:56 PM           236,418 wravideo.dll
11/08/2005  03:37 PM           234,519 wasdmoe2.dll
11/08/2005  03:28 PM           235,851 oujsel.dll
11/08/2005  03:21 PM           234,661 mboeacct.dll
11/08/2005  03:16 PM           233,800 sWmsrv.dll
11/08/2005  02:46 PM           237,167 dvquery.dll
11/08/2005  02:11 PM           236,992 oweprn.dll
11/08/2005  02:08 PM           237,167 idfxexps.dll
11/06/2005  07:08 PM           234,272 lvrs0997e.dll
09/10/2005  03:46 PM    <DIR>          dllcache
08/30/2005  08:36 AM           401,408 w?crtupd.exe
01/25/2005  06:26 AM    <DIR>          Microsoft
              13 File(s)      3,228,370 bytes
               2 Dir(s)  70,395,531,264 bytes free
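
The find log above shows the two things a responder reads off by eye: a Winlogon\Notify package ("policies") whose DllName is a randomly named DLL, and a burst of similarly sized, randomly named DLLs written to System32 on the same day. As an added example (not code from the thread, L2MFix, HijackThis or Spy Sweeper), the Python below parses a log in this layout and automates both checks; the SAMPLE_LOG excerpt is constructed from the entries posted above plus one assumed benign package, and XP_NOTIFY_BASELINE is an assumed, partial allow-list of Windows XP notify packages.

```python
"""Triage a Winlogon\\Notify dump in the L2MFix find-log layout.

Added example for this thread; not code from L2MFix, HijackThis or Spy Sweeper.
SAMPLE_LOG is constructed from entries posted above plus one assumed benign
package; XP_NOTIFY_BASELINE is an assumed (partial) Windows XP allow-list.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
Winlogon/notify:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"DllName"="C:\\WINDOWS\\system32\\f4l02e3mgh.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"
 Directory of C:\WINDOWS\System32
11/08/2005  08:34 PM           236,020 cwbcatq.dll
11/08/2005  08:34 PM           234,075 n4n6le5s1h.dll
11/08/2005  04:12 PM           236,020 f4l02e3mgh.dll
11/06/2005  07:08 PM           234,272 lvrs0997e.dll
09/10/2005  03:46 PM    <DIR>          dllcache
08/30/2005  08:36 AM           401,408 w?crtupd.exe
               5 File(s)      1,341,795 bytes
"""

# Assumed Windows XP notify packages (subkey -> DLL); partial, for illustration.
XP_NOTIFY_BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "ScCertProp": "wlnotify.dll", "Schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "SensLogn": "WlNotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\\\]]+)\]$", re.I)
DLL_RE = re.compile(r'"DllName"="(.*)"$')
DIR_RE = re.compile(r"(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S.*)$")

def parse_notify_packages(log_text):
    """Return {subkey: dll} for every Winlogon\\Notify package in the .reg section."""
    packages, current = {}, None
    for line in map(str.strip, log_text.splitlines()):
        if (m := KEY_RE.match(line)):
            current = m.group(1)
        elif line.startswith("["):
            current = None  # the Notify root or an unrelated key
        elif current and (m := DLL_RE.match(line)):
            # .reg exports double every backslash inside string values
            packages[current] = m.group(1).replace("\\\\", "\\")
    return packages

def looks_random(filename):
    """Heuristic: two or more letter/digit boundaries in the stem (f4l02e3mgh yes, crypt32 no)."""
    runs = re.findall(r"[a-z]+|[0-9]+", filename.rsplit(".", 1)[0].lower())
    return len(runs) >= 3

def triage_notify(packages, baseline=XP_NOTIFY_BASELINE):
    """List (subkey, dll, reasons) for packages that deviate from the baseline."""
    findings = []
    for subkey, dll in packages.items():
        name = dll.replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        expected = baseline.get(subkey)
        if expected is None:
            reasons.append("subkey not in baseline")
        elif expected.lower() != name.lower():
            reasons.append(f"baseline expects {expected}")
        if looks_random(name):
            reasons.append("random-looking filename")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings

def parse_dir_listing(log_text):
    """Return [(timestamp, size, name)] for the file rows of a DIR-style listing."""
    files = []
    for line in log_text.splitlines():
        if (m := DIR_RE.match(line.strip())):  # <DIR> rows and totals do not match
            when = datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%Y %I:%M %p")
            files.append((when, int(m[3].replace(",", "")), m[4]))
    return files

def recent_dll_burst(files, window_hours=24):
    """DLLs timestamped within window_hours of the newest DLL: Look2Me re-dropped a
    fresh, similarly sized, randomly named DLL each time it was disturbed."""
    dlls = [f for f in files if f[2].lower().endswith(".dll")]
    if not dlls:
        return []
    cutoff = max(f[0] for f in dlls) - timedelta(hours=window_hours)
    return sorted(f[2] for f in dlls if f[0] >= cutoff)

if __name__ == "__main__":
    found = parse_notify_packages(SAMPLE_LOG)
    for subkey, dll, reasons in triage_notify(found):
        print(f"Notify\\{subkey} -> {dll}: {'; '.join(reasons)}")
    print("recent DLL burst:", recent_dll_burst(parse_dir_listing(SAMPLE_LOG)))
```

Running it against a real find log means replacing SAMPLE_LOG with the pasted text; the baseline should be built from a known-clean machine of the same Windows build before trusting the "not in baseline" reason.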

guestolo
« Reply #6 on: November 09, 2005, 12:44:12 AM »
Oh, OK, that's good you never ran SpySweeper yet, I think we may be able to kill this the easy way out :)

Can you do the following please

Open SpySweeper>>Click on the OPTIONS button and then click Update Definitions button
If you receive alerts from your firewall, allow all activities for Spy Sweeper
Let SpySweeper update
You should get a notification that your definitions are up to date at the bottom.

Once that is done

Please print the rest of these instructions or copy and paste them to notepad for reference.

Close this Window
Make sure you are disconnected from the internet.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #4 by typing 4 and then pressing Enter
Exit l2mfix, we'll need it again later.

In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives.  Ensure C: Local Drive is checked
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer

Back in Windows
Stay disconnected from the Net

Close any open programs running in the background, this step requires another reboot
Run L2MFix again with these instructions

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log
Post the contents of this log back here

 If the L2MFix doesn't run after the restart, then go into the L2M fix folder and double click on second.bat to run it.

Additionally,
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.

I won't be able to see your logs until tomorrow, I must retire for the night soon
Good luck :)
Let's get this machine operating smooth again
« Last Edit: November 09, 2005, 12:45:08 AM by guestolo »


michealbeethoven
« Reply #7 on: November 09, 2005, 12:55:10 AM »
I have printed out your instructions and will presently undertake them one by one.

Be back in just a few....

michealbeethoven
« Reply #8 on: November 09, 2005, 09:45:29 AM »
:) OK, I tried to do what you asked. It is funny that you told me about running the second.bat for l2mfix if the first didn't work. The first bat file has always run before, except this time. In fact, I tried to run both twice in succession and got lockups as a result.

Here are the latest files:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:06 AM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\maria garcia\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_r2c5c0\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


********
10:05 PM: |       Start of Session, Tuesday, November 08, 2005       |
10:05 PM: Spy Sweeper started
10:05 PM: Sweep initiated using definitions version 569
10:05 PM: Starting Memory Sweep
10:05 PM:   Found Adware: icannnews
10:05 PM:   Detected running threat: C:\WINDOWS\system32\dn8001lme.dll (ID = 83)
10:06 PM:   Detected running threat: C:\WINDOWS\system32\nntapi32.dll (ID = 83)
10:07 PM: Memory Sweep Complete, Elapsed Time: 00:01:52
10:07 PM: Starting Registry Sweep
10:07 PM: Registry Sweep Complete, Elapsed Time:00:00:11
10:07 PM: Starting Cookie Sweep
10:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:07 PM: Starting File Sweep
10:15 PM:   Found Adware: directrevenue-abetterinternet
10:15 PM:   20051107083713515.zip (ID = 186349)
10:15 PM:   20051106212457578.zip (ID = 186349)
10:15 PM:   20051107171004.zip (ID = 186349)
10:15 PM:   20051107105056843.zip (ID = 186349)
10:15 PM: File Sweep Complete, Elapsed Time: 00:08:07
10:15 PM: Full Sweep has completed.  Elapsed time 00:10:16
10:15 PM: Traces Found: 6
10:17 PM: Removal process initiated
10:17 PM:   Quarantining All Traces: directrevenue-abetterinternet
10:17 PM:   Quarantining All Traces: icannnews
10:17 PM:   icannnews is in use.  It will be removed on reboot.
10:17 PM:     C:\WINDOWS\system32\dn8001lme.dll is in use.  It will be removed on reboot.
10:17 PM:     C:\WINDOWS\system32\nntapi32.dll is in use.  It will be removed on reboot.
10:17 PM:   Warning: Launched explorer.exe
10:17 PM:   Warning: Quarantine process could not restart Explorer.
10:17 PM: Removal process completed.  Elapsed time 00:00:21
********
8:51 AM: |···  Start of Session, Tuesday, November 08, 2005  ···|
8:51 AM: Spy Sweeper started
8:51 AM: Sweep initiated using definitions version 569
8:51 AM: Starting Memory Sweep
8:51 AM:   Warning: Failed to check file "C:\WINDOWS\system32\jt4o07h3e.dll". Cannot open file "C:\WINDOWS\system32\jt4o07h3e.dll". The process cannot access the file because it is being used by another process
8:52 AM:   Warning: Failed to check file "C:\WINDOWS\system32\rdnd.dll". Cannot open file "C:\WINDOWS\system32\rdnd.dll". The process cannot access the file because it is being used by another process
8:52 AM:   Warning: Failed to check file "C:\WINDOWS\system32\rdnd.dll". Cannot open file "C:\WINDOWS\system32\rdnd.dll". The process cannot access the file because it is being used by another process
8:52 AM: Memory Sweep Complete, Elapsed Time: 00:01:06
8:52 AM: Starting Registry Sweep
8:52 AM: Registry Sweep Complete, Elapsed Time:00:00:06
8:52 AM: Starting Cookie Sweep
8:52 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:52 AM: Starting File Sweep
8:53 AM:   Warning: Failed to read file "c:\windows\system32\en0ol1d31.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:53 AM:   Warning: Failed to read file "c:\windows\system32\rdnd.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:54 AM:   Warning: Failed to read file "c:\windows\system32\jt4o07h3e.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:54 AM: File Sweep Complete, Elapsed Time: 00:02:03
8:54 AM: Full Sweep has completed.  Elapsed time 00:03:19
8:54 AM: Traces Found: 0
9:56 PM: Your definitions are up to date.
10:01 PM: Updating spyware definitions
10:01 PM: Your definitions are up to date.
10:05 PM: |       End of Session, Tuesday, November 08, 2005       |
********
12:04 AM: |···  Start of Session, Tuesday, November 08, 2005  ···|
12:04 AM: Spy Sweeper started
12:04 AM: Sweep initiated using definitions version 569
12:04 AM: Found Adware: look2me
12:04 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\shell extensions\ || dllname (ID = 129986)
12:04 AM: ir6ql5j51.dll (ID = 129986)
12:04 AM: Starting Memory Sweep
12:04 AM:   Warning: Failed to check file "C:\WINDOWS\system32\ir6ql5j51.dll". Cannot open file "C:\WINDOWS\system32\ir6ql5j51.dll". The process cannot access the file because it is being used by another process
12:05 AM:   Warning: Failed to check file "C:\WINDOWS\system32\kedsl.dll". Cannot open file "C:\WINDOWS\system32\kedsl.dll". The process cannot access the file because it is being used by another process
12:05 AM: Memory Sweep Complete, Elapsed Time: 00:01:06
12:05 AM: Starting Registry Sweep
12:05 AM: Registry Sweep Complete, Elapsed Time:00:00:06
12:05 AM: Starting Cookie Sweep
12:05 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:05 AM: Starting File Sweep
12:05 AM:   Warning: Failed to read file "c:\windows\system32\ir6ql5j51.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:06 AM:   Warning: Failed to read file "c:\windows\system32\i8jq0i15e8.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:06 AM:   Warning: Failed to read file "c:\windows\system32\kedsl.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39822.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39828.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs3982b.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs3982c.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs3982d.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39840.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39847.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39848.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs3984e.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM: File Sweep Complete, Elapsed Time: 00:01:54
12:07 AM: Full Sweep has completed.  Elapsed time 00:03:10
12:07 AM: Traces Found: 2
12:11 AM: Removal process initiated
12:11 AM:   Quarantining All Traces: look2me
12:11 AM:   An error occurred during quarantine:
12:11 AM:   Cannot open file "C:\WINDOWS\system32\ir6ql5j51.dll". The process cannot access the file because it is being used by another process
12:11 AM: Removal process completed.  Elapsed time 00:00:02
12:11 AM: Deletion from quarantine initiated
12:11 AM: Processing: exact cashback/bargain buddy
12:11 AM: Processing: dealhelper
12:11 AM: Processing: elitebar
12:11 AM: Processing: look2me
12:11 AM: Processing: personal money tree
12:11 AM: Deletion from quarantine completed.  Elapsed time 00:00:00
8:51 AM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 569
8:51 AM: |···  End of Session, Tuesday, November 08, 2005  ···|
********
8:43 PM: |···  Start of Session, Monday, November 07, 2005  ···|
8:43 PM: Spy Sweeper started
8:43 PM: Sweep initiated using definitions version 569
8:43 PM: Starting Memory Sweep
8:43 PM:   Warning: Failed to check file "C:\WINDOWS\system32\h0n0la5m1d.dll". Cannot open file "C:\WINDOWS\system32\h0n0la5m1d.dll". The process cannot access the file because it is being used by another process
8:44 PM:   Warning: Failed to check file "C:\WINDOWS\system32\nrtshell.dll". Cannot open file "C:\WINDOWS\system32\nrtshell.dll". The process cannot access the file because it is being used by another process
8:44 PM:   Warning: Failed to check file "C:\WINDOWS\system32\nrtshell.dll". Cannot open file "C:\WINDOWS\system32\nrtshell.dll". The process cannot access the file because it is being used by another process
8:44 PM: Memory Sweep Complete, Elapsed Time: 00:01:08
8:44 PM: Starting Registry Sweep
8:44 PM: Registry Sweep Complete, Elapsed Time:00:00:06
8:44 PM: Starting Cookie Sweep
8:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:44 PM: Starting File Sweep
8:44 PM:   Found Adware: elitebar
8:44 PM:   5701862_1924_3236_5680_63.41.tmp1 (ID = 137430)
8:44 PM:   Found Adware: exact cashback/bargain buddy
8:44 PM:   package_marketing30[1].exe (ID = 93621)
8:44 PM:   Found Adware: look2me
8:44 PM:   appwrap[1].exe (ID = 65739)
8:44 PM:   131826_1596_3608_1396_63.41.tmp1 (ID = 137430)
8:45 PM:   131862_668_3048_3324_63.41.tmp1 (ID = 137430)
8:45 PM:   918368_5260_3152_4424_63.41.tmp1 (ID = 137430)
8:45 PM:   131886_2024_2996_3220_63.41.tmp1 (ID = 137430)
8:45 PM:   459332_180_3220_5236_63.41.tmp1 (ID = 137430)
8:45 PM:   197838_3964_2284_4316_63.41.tmp1 (ID = 137430)
8:45 PM:   6816142_4456_3764_168_63.41.tmp1 (ID = 137430)
8:45 PM:   Warning: Failed to read file "c:\windows\system32\nrtshell.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:45 PM:   Warning: Failed to read file "c:\windows\system32\fpn2035oe.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:45 PM:   66550_3560_2092_1580_63.41.tmp1 (ID = 137430)
8:45 PM:   131718_3896_3000_972_63.41.tmp1 (ID = 137430)
8:45 PM:   262964_3964_2284_5132_63.41.tmp1 (ID = 137430)
8:45 PM:   524704_5208_2920_4188_63.41.tmp1 (ID = 137430)
8:45 PM:   2753328_5260_3152_176_63.41.tmp1 (ID = 137430)
8:45 PM:   2556146_3040_2408_3136_63.41.tmp1 (ID = 137430)
8:45 PM:   787640_5556_3612_4152_63.41.tmp1 (ID = 137430)
8:45 PM:   393702_2876_2828_3124_63.41.tmp1 (ID = 137430)
8:46 PM:   1180636_592_3384_5684_63.41.tmp1 (ID = 137430)
8:46 PM:   1180722_592_3384_4672_63.41.tmp1 (ID = 137430)
8:46 PM:   26214812_1544_2504_7060_63.41.tmp1 (ID = 137430)
8:46 PM:   984202_2192_3116_5636_63.41.tmp1 (ID = 137430)
8:46 PM:   132994_4492_1924_3320_63.41.tmp1 (ID = 137430)
8:46 PM:   1640082_5896_3232_6080_63.41.tmp1 (ID = 137430)
8:46 PM:   263076_5208_2920_5256_63.41.tmp1 (ID = 137430)
8:46 PM:   263104_3560_2092_2628_63.41.tmp1 (ID = 137430)
8:46 PM:   Found Adware: personal money tree
8:46 PM:   b7e5d.tmp (ID = 147038)
8:46 PM:   Warning: Failed to read file "c:\windows\system32\h0n0la5m1d.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:46 PM:   nls[1].cfg (ID = 114713)
8:46 PM:   Found Adware: dealhelper
8:46 PM:   newuhbavhtime.xml (ID = 163168)
8:46 PM: File Sweep Complete, Elapsed Time: 00:02:04
8:46 PM: Full Sweep has completed.  Elapsed time 00:03:22
8:46 PM: Traces Found: 29
8:52 PM: Removal process initiated
8:52 PM:   Quarantining All Traces: elitebar
8:52 PM:   Quarantining All Traces: exact cashback/bargain buddy
8:52 PM:   Quarantining All Traces: look2me
8:52 PM:   Quarantining All Traces: personal money tree
8:52 PM:   Quarantining All Traces: dealhelper
8:52 PM: Removal process completed.  Elapsed time 00:00:09
12:04 AM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 569
12:04 AM: |···  End of Session, Tuesday, November 08, 2005  ···|
********
8:37 PM: |···  Start of Session, Monday, November 07, 2005  ···|
8:37 PM: Spy Sweeper started
8:37 PM: Sweep initiated using definitions version 492
8:37 PM: Starting Memory Sweep
8:37 PM:   Warning: Failed to check file "C:\WINDOWS\system32\hr8s05l7e.dll". Cannot open file "C:\WINDOWS\system32\hr8s05l7e.dll". The process cannot access the file because it is being used by another process
8:37 PM:   Sweep Canceled
8:37 PM: Memory Sweep Complete, Elapsed Time: 00:00:12
8:37 PM: Traces Found: 0
8:40 PM: Updating spyware definitions
8:41 PM: Your spyware definitions have been updated.
8:43 PM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 569
8:43 PM: |···  End of Session, Monday, November 07, 2005  ···|
********
5:12 PM: |···  Start of Session, Monday, November 07, 2005  ···|
5:12 PM: Spy Sweeper started
5:12 PM: Sweep initiated using definitions version 492
5:12 PM: Starting Memory Sweep
5:12 PM:   Warning: Failed to check file "C:\WINDOWS\system32\k2800clmefqa0.dll". Cannot open file "C:\WINDOWS\system32\k2800clmefqa0.dll". The process cannot access the file because it is being used by another process
5:13 PM: Memory Sweep Complete, Elapsed Time: 00:00:36
5:13 PM: Starting Registry Sweep
5:13 PM: Registry Sweep Complete, Elapsed Time:00:00:05
5:13 PM: Starting Cookie Sweep
5:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:13 PM: Starting File Sweep
5:15 PM: File Sweep Complete, Elapsed Time: 00:01:54
5:15 PM: Full Sweep has completed.  Elapsed time 00:02:40
5:15 PM: Traces Found: 0
8:37 PM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 492
8:37 PM: |···  End of Session, Monday, November 07, 2005  ···|
********
10:51 AM: |···  Start of Session, Monday, November 07, 2005  ···|
10:51 AM: Spy Sweeper started
10:51 AM: Sweep initiated using definitions version 492
10:51 AM: Starting Memory Sweep
10:51 AM:   Warning: Failed to check file "C:\WINDOWS\system32\l2r0lc9m1f.dll". Cannot open file "C:\WINDOWS\system32\l2r0lc9m1f.dll". The process cannot access the file because it is being used by another process
10:52 AM: Memory Sweep Complete, Elapsed Time: 00:00:36
10:52 AM: Starting Registry Sweep
10:52 AM:   Found Adware: clearsearch
10:52 AM:   HKU\S-1-5-21-849630295-849363746-335434035-1006\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 651415)
10:52 AM:   Found Adware: searchtoolbar
10:52 AM:   HKU\S-1-5-21-849630295-849363746-335434035-1006\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\  (3 subtraces) (ID = 686768)
10:52 AM: Registry Sweep Complete, Elapsed Time:00:00:06
10:52 AM: Starting Cookie Sweep
10:52 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:52 AM: Starting File Sweep
10:54 AM: File Sweep Complete, Elapsed Time: 00:01:55
10:54 AM: Full Sweep has completed.  Elapsed time 00:02:41
10:54 AM: Traces Found: 5
2:03 PM: Removal process initiated
2:03 PM:   Quarantining All Traces: clearsearch
2:03 PM:   Quarantining All Traces: searchtoolbar
2:03 PM: Removal process completed.  Elapsed time 00:00:01
2:03 PM: Deletion from quarantine initiated
2:03 PM: Processing: clearsearch
2:03 PM: Processing: searchtoolbar
2:03 PM: Deletion from quarantine completed.  Elapsed time 00:00:00
5:12 PM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 492
5:12 PM: |···  End of Session, Monday, November 07, 2005  ···|
********
10:51 AM: |···  Start of Session, Monday, November 07, 2005  ···|
10:51 AM: Spy Sweeper started
10:51 AM: Program Version 4.0.3  (Build 363)  Using Spyware Definitions 492
10:51 AM: |···  End of Session, Monday, November 07, 2005  ···|
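
Added example, not part of this thread and not Spy Sweeper's own tooling: a small Python triage script for session logs in the format pasted above. Per session it pulls out the definitions version, the adware families found, the flagged traces, and the files the scanner could not open because another process had them locked (the "System Error. Code: 32." lines, including the wrapped two-line form, and the "being used by another process" lines). The point for this thread: a flagged trace that is a bare DLL name and also turns up among the locked system32 DLLs is the Look2Me pattern, a Winlogon Notify handler that winlogon.exe keeps loaded, so an ordinary scan on the running system reports it but cannot quarantine it, which is why the fix has to happen around a reboot (l2mfix). The log embedded in the script is a constructed excerpt in the same format, not the full posted log.

```python
"""Triage a Webroot Spy Sweeper session log (added example for this thread).

Extracts, per session: definitions version, adware families, flagged traces,
and files the scanner could not open because another process held them.
Cross-references flagged DLL names with locked system32 DLLs to point at the
Winlogon Notify handler a live-system scan cannot remove.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in Spy Sweeper's log format (an excerpt, not the posted log).
SAMPLE_LOG = r"""********
8:43 PM: |···  Start of Session, Monday, November 07, 2005  ···|
8:43 PM: Sweep initiated using definitions version 569
8:43 PM:   Warning: Failed to check file "C:\WINDOWS\system32\h0n0la5m1d.dll". Cannot open file "C:\WINDOWS\system32\h0n0la5m1d.dll". The process cannot access the file because it is being used by another process
8:44 PM:   Found Adware: elitebar
8:44 PM:   5701862_1924_3236_5680_63.41.tmp1 (ID = 137430)
8:44 PM:   Found Adware: look2me
8:44 PM:   appwrap[1].exe (ID = 65739)
8:45 PM:   Warning: Failed to read file "c:\windows\system32\fpn2035oe.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:46 PM: Traces Found: 29
********
12:04 AM: |···  Start of Session, Tuesday, November 08, 2005  ···|
12:04 AM: Sweep initiated using definitions version 569
12:04 AM: Found Adware: look2me
12:04 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\shell extensions\ || dllname (ID = 129986)
12:04 AM: ir6ql5j51.dll (ID = 129986)
12:04 AM:   Warning: Failed to check file "C:\WINDOWS\system32\ir6ql5j51.dll". Cannot open file "C:\WINDOWS\system32\ir6ql5j51.dll". The process cannot access the file because it is being used by another process
12:06 AM:   Warning: Failed to read file "c:\windows\system32\kedsl.dll". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM:   Warning: Failed to read file "c:\windows\temp\cs39822.tmp". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
12:07 AM: Traces Found: 2
12:11 AM:   Cannot open file "C:\WINDOWS\system32\ir6ql5j51.dll". The process cannot access the file because it is being used by another process
"""

PREFIX = re.compile(r'^\d{1,2}:\d{2} [AP]M: ?')             # leading "12:04 AM: "
START = re.compile(r'Start of Session, ([A-Za-z]+, [A-Za-z]+ \d{1,2}, \d{4})')
DEFS = re.compile(r'using definitions version (\d+)')
FOUND = re.compile(r'^Found Adware: (.+?)\s*$')
TRACE = re.compile(r'^(.+?) \(ID = (\d+)\)\s*$')           # "name (ID = 12345)"
IN_USE = re.compile(r'^([A-Za-z]:\\\S+) is in use\.')       # "C:\...\x.dll is in use."
LOCKED = re.compile(r'(?:Failed to check file|Failed to read file|Cannot open file) "([^"]+)"')
TOTAL = re.compile(r'^Traces Found: (\d+)')
LOCK_MARKERS = ('Code: 32', 'being used by another process')   # sharing violation


@dataclass
class Session:
    date: str
    defs_version: Optional[str] = None
    adware: List[str] = field(default_factory=list)
    traces: List[Tuple[str, str]] = field(default_factory=list)
    locked: List[str] = field(default_factory=list)   # lower-cased, de-duplicated
    traces_found: Optional[int] = None

    def add_locked(self, path: str) -> None:
        path = path.lower()
        if path not in self.locked:
            self.locked.append(path)


def parse_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = PREFIX.sub('', raw).strip()
        m = START.search(line)
        if m:
            cur = Session(date=m.group(1))
            sessions.append(cur)
        elif not line or cur is None:
            continue                       # blank lines, or text before the first header
        elif DEFS.search(line):
            cur.defs_version = DEFS.search(line).group(1)
        elif FOUND.match(line):
            cur.adware.append(FOUND.match(line).group(1))
        elif IN_USE.match(line):
            cur.add_locked(IN_USE.match(line).group(1))
        elif LOCKED.search(line) and any(k in line for k in LOCK_MARKERS):
            cur.add_locked(LOCKED.search(line).group(1))   # wrapped message line carries no path
        elif TOTAL.match(line):
            cur.traces_found = int(TOTAL.match(line).group(1))
        elif TRACE.match(line):
            cur.traces.append(TRACE.match(line).groups())
    return sessions


def locked_system_dlls(session: Session) -> List[str]:
    """Locked .dll files under system32; temp files and the like are excluded."""
    return [p for p in session.locked if '\\system32\\' in p and p.endswith('.dll')]


def notify_key_traces(session: Session) -> List[str]:
    """Registry traces under the Winlogon Notify key: a Notify-package registration."""
    return [name for name, _ in session.traces if '\\winlogon\\notify\\' in name.lower()]


def notify_handlers(session: Session) -> List[str]:
    """Flagged bare DLL names that are also locked system32 DLLs: the handler file."""
    locked_names = {p.rsplit('\\', 1)[-1] for p in locked_system_dlls(session)}
    return sorted({n.lower() for n, _ in session.traces
                   if n.lower().endswith('.dll') and n.lower() in locked_names})


def summarize(text: str) -> str:
    lines = []
    for s in parse_sessions(text):
        lines.append(f"Session {s.date} (definitions {s.defs_version or '?'}): "
                     f"families={', '.join(s.adware) or 'none'}; traces found={s.traces_found}")
        for p in locked_system_dlls(s):
            lines.append(f"  locked system32 DLL (scanner could not open it): {p}")
        for name in notify_key_traces(s):
            lines.append(f"  Winlogon Notify registry trace: {name}")
        for h in notify_handlers(s):
            lines.append(f"  flagged AND locked -> Notify handler a live-system scan cannot remove: {h}")
    return "\n".join(lines)


if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

To run it over a real saved log, call `summarize(open(path, encoding='utf-8', errors='replace').read())`; the parser only keys on the line shapes visible in the thread, so any session line it does not recognise is simply ignored.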

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
winlogon notifiy has taken over my PC!
« Reply #9 on: November 09, 2005, 10:05:39 AM »
Just on my way to work
Please read this over carefully and only run the following
First, disable SpywareDoctor's realtime protection so it won't interfere with any fixes

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #4 by typing 4 and then pressing Enter


Then select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log
Post the contents of this log back here

If the L2MFix doesn't run after the restart, then go into the L2M fix folder and double click on second.bat to run it.
« Last Edit: November 09, 2005, 10:07:31 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline michealbeethoven

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
winlogon notifiy has taken over my PC!
« Reply #10 on: November 09, 2005, 11:55:53 AM »
Boy, this PC does not like l2mfix.  I turned off both SpySweeper and Pest Patrol so they do not run shields at startup.  Didn't help.  Neither the first nor the second l2mfix .bat file will complete a scan.  In fact, it takes at least two manual reboots to get back to a normal Windows screen. :huh:

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
winlogon notifiy has taken over my PC!
« Reply #11 on: November 09, 2005, 11:18:51 PM »
Let's try the following please

If you have Windows XP Pro
Download this fix, save it to desktop and double click to install
 http://homepage.ntlworld.com/spencer.greys.../XPProfiles.exe

If your operating system is Windows XP Home click on this link.
http://homepage.ntlworld.com/spencer.greys...XPHomeFiles.exe

If you're unsure if you're running Home or Pro
Go to start>>run>>type in winver
Hit OK

After that is done

Check for updates with Ewido

Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Reboot your computer

Back in windows
Try this one more time
Run L2mfix.bat
Then select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log
Post the contents of this log back here

If the L2MFix doesn't run after the restart, then go into the L2M fix folder and double click on second.bat to run it.

Also, post the report from Ewido

Offline michealbeethoven

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
winlogon notifiy has taken over my PC!
« Reply #12 on: November 09, 2005, 11:29:34 PM »
Howdy:

I have copied your instructions to Notepad and will follow to the letter.  Will be back soon.

Regards.

Offline michealbeethoven

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
winlogon notifiy has taken over my PC!
« Reply #13 on: November 10, 2005, 12:45:20 AM »
I think I may be doing a few things wrong here.  When I unzip the XPHomeFiles I get three icons on the desktop titled autoexec.nt, command, and config.nt and none of them do anything when I click on them (except command which just opens up a command prompt).  What am I doing wrong?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
winlogon notifiy has taken over my PC!
« Reply #14 on: November 10, 2005, 12:52:29 AM »
Can you do the following please, we may as well do this while I have you here

Redownload L2mfix from here

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files

I assume you have XP HOME
Download this fix from http://homepage.ntlworld.com/spencer.greys...XPHomeFiles.exe

Save this to desktop
Then Double click on it
Don't change the location it will Unzip to
It should self extract to
C:\WINDOWS\System32 folder

Then carry on with the instructions I posted earlier

Offline michealbeethoven

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
winlogon notifiy has taken over my PC!
« Reply #15 on: November 10, 2005, 01:04:06 AM »
Got your message.  Working on it now.

Offline michealbeethoven

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
winlogon notifiy has taken over my PC!
« Reply #16 on: November 10, 2005, 01:28:07 AM »
I don't know about you but I think we need to get away from l2mfix.  All it does is lock up the system.  Could it have been working away during those times and just could not make a transition to a final stage?  The reason I am asking is because since late last night I have been gingerly increasing the amount of time the ethernet cable is plugged in.  No popups! Whatsoever.  So, maybe, in an offhand way, without us knowing about it the l2mfix and other procedures that you have proffered, have done the job? :rolleyes:

Offline michealbeethoven

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
winlogon notifiy has taken over my PC!
« Reply #17 on: November 11, 2005, 12:53:45 AM »
I think my problems are over!  This PC has been on and open to the Internet for almost 24 hours without a popup.

I would like to profusely thank Questolo for providing close in direction and support that has made a difference in the performance of this box.  

Thanks again... :)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
winlogon notifiy has taken over my PC!
« Reply #18 on: November 11, 2005, 02:44:46 AM »
I didn't see the Ewido log :blink:
Or did I ;)

Can you do something for me please

Download and save WinPFind.zip
UNZIP the contents to your desktop

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive

Post the results of the WinPFind.txt located in the WinPFind folder

NOTE: After you click STARTSCAN don't close or open any other windows
Let it do its job

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
winlogon notifiy has taken over my PC!
« Reply #19 on: November 19, 2005, 01:29:53 AM »
Since the user has not returned I'll assume problems are resolved
Locking this topic
