Author Topic: look2me worm problems  (Read 798 times)

Arahant
look2me worm problems
« on: December 03, 2005, 10:21:01 AM »
I recently got fooled into clicking a link from an instant message that read "I found your pic" and had a link to a bogus profile on buddypics.com. It installed a mess of spyware and trojans on my computer, and I've run Norton Antivirus, Ewido, SpySweeper, and CounterSpy but still keep getting some annoying popups. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:18:01 AM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1124519570\ee\AOLHostManager.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
C:\Program Files\Common Files\AOL\1124519570\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ALLUME~1\StuffIt\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/news/console.html
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124519570\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\e0jmla111d.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Thanks in advance.

guestolo
look2me worm problems
« Reply #1 on: December 03, 2005, 04:24:03 PM »
I would usually try a tool to help you out, but SpySweeper should work.

Can you open SpySweeper please, make sure to check for updates

In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer,
or restart the computer anyway.

Back in Windows

I need to see these 2 logs
Copy and paste the SpySweeper log together with a fresh HijackThis log into this thread.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Arahant
look2me worm problems
« Reply #2 on: December 03, 2005, 06:38:06 PM »
Spy Sweeper log file

********
4:01 PM: |       Start of Session, Saturday, December 03, 2005       |
4:01 PM: Spy Sweeper started
4:01 PM: Sweep initiated using definitions version 577
4:01 PM: Starting Memory Sweep
4:02 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:02 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:02 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:02 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:03 PM:   Found Adware: icannnews
4:03 PM:   Detected running threat: C:\WINDOWS\system32\e0jmla111d.dll (ID = 83)
4:04 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:04 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:04 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:04 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:05 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:05 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:05 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:05 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:06 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:06 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:06 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:06 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:07 PM:   Detected running threat: C:\WINDOWS\system32\mjhcp.dll (ID = 83)
4:08 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:08 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:08 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:08 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:08 PM: Memory Sweep Complete, Elapsed Time: 00:06:51
4:08 PM: Starting Registry Sweep
4:08 PM:   Found Adware: domain spy
4:08 PM:   HKCR\clsid\{a084a565-b09b-4e4c-a497-7cc50aeab2a7}\  (12 subtraces) (ID = 125229)
4:08 PM:   HKCR\gds.gds\  (5 subtraces) (ID = 125230)
4:08 PM:   HKCR\gds.gds.1\  (3 subtraces) (ID = 125231)
4:08 PM:   HKLM\software\classes\clsid\{a084a565-b09b-4e4c-a497-7cc50aeab2a7}\  (12 subtraces) (ID = 125232)
4:08 PM:   HKLM\software\classes\gds.gds\  (5 subtraces) (ID = 125233)
4:08 PM:   HKLM\software\classes\gds.gds.1\  (3 subtraces) (ID = 125234)
4:08 PM:   Found Adware: purityscan
4:08 PM:   HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\  (8 subtraces) (ID = 137348)
4:08 PM:   HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\  (7 subtraces) (ID = 137349)
4:08 PM:   HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\  (8 subtraces) (ID = 137678)
4:08 PM:   HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\  (7 subtraces) (ID = 137679)
4:08 PM:   HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\  (1 subtraces) (ID = 137680)
4:08 PM:   Found Adware: mirinda
4:08 PM:   HKCR\clsid\{7a1693a1-afaf-4f1e-9b05-eec38a85fbf3}\  (4 subtraces) (ID = 501125)
4:08 PM:   Found Adware: findthewebsiteyouneed hijacker
4:08 PM:   HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
4:08 PM:   Found Adware: dollarrevenue
4:08 PM:   HKLM\software\microsoft\drsmartload\  (1 subtraces) (ID = 916795)
4:08 PM:   Found Adware: command
4:08 PM:   HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\  (6 subtraces) (ID = 1016064)
4:08 PM:   HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\  (8 subtraces) (ID = 1016072)
4:08 PM:   Found Trojan Horse: trojan-downloader-moneymind
4:08 PM:   HKU\S-1-5-21-1935655697-1563985344-725345543-1004\software\xjado\  (1 subtraces) (ID = 144725)
4:09 PM: Registry Sweep Complete, Elapsed Time:00:00:36
4:09 PM: Starting Cookie Sweep
4:09 PM:   Found Spy Cookie: adlegend cookie
4:09 PM:   hant@adlegend[1].txt (ID = 2074)
4:09 PM:   Found Spy Cookie: linksynergy cookie
4:09 PM:   hant@linksynergy[1].txt (ID = 2926)
4:09 PM:   Found Spy Cookie: azjmp cookie
4:09 PM:   hant@azjmp[2].txt (ID = 2270)
4:09 PM:   Found Spy Cookie: starware.com cookie
4:09 PM:   [email protected][1].txt (ID = 3442)
4:09 PM:   Found Spy Cookie: pointroll cookie
4:09 PM:   [email protected][1].txt (ID = 3148)
4:09 PM:   Found Spy Cookie: hotbar cookie
4:09 PM:   [email protected][2].txt (ID = 4207)
4:09 PM:   Found Spy Cookie: banners cookie
4:09 PM:   hant@banners[2].txt (ID = 2282)
4:09 PM:   Found Spy Cookie: xmatch cookie
4:09 PM:   hant@xmatch[2].txt (ID = 3719)
4:09 PM:   Found Spy Cookie: nextag cookie
4:09 PM:   hant@nextag[2].txt (ID = 5014)
4:09 PM:   Found Spy Cookie: exitexchange cookie
4:09 PM:   hant@exitexchange[1].txt (ID = 2633)
4:09 PM:   Found Spy Cookie: gamespy cookie
4:09 PM:   hant@gamespy[1].txt (ID = 2719)
4:09 PM:   Found Spy Cookie: herfirstanalsex cookie
4:09 PM:   hant@herfirstanalsex[2].txt (ID = 2769)
4:09 PM:   Found Spy Cookie: ask cookie
4:09 PM:   hant@ask[1].txt (ID = 2245)
4:09 PM:   Found Spy Cookie: servlet cookie
4:09 PM:   hant@servlet[2].txt (ID = 3345)
4:09 PM:   Found Spy Cookie: clickandtrack cookie
4:09 PM:   [email protected][2].txt (ID = 2397)
4:09 PM:   Found Spy Cookie: hbmediapro cookie
4:09 PM:   [email protected][2].txt (ID = 2768)
4:09 PM:   Found Spy Cookie: adprofile cookie
4:09 PM:   hant@adprofile[1].txt (ID = 2084)
4:09 PM:   Found Spy Cookie: seeq cookie
4:09 PM:   [email protected][1].txt (ID = 3332)
4:09 PM:   Found Spy Cookie: adminder cookie
4:09 PM:   [email protected][1].txt (ID = 2079)
4:09 PM:   Found Spy Cookie: adtech cookie
4:09 PM:   hant@adtech[2].txt (ID = 2155)
4:09 PM:   Found Spy Cookie: reunion cookie
4:09 PM:   hant@reunion[2].txt (ID = 3255)
4:09 PM:   Found Spy Cookie: screensavers.com cookie
4:09 PM:   [email protected][1].txt (ID = 3298)
4:09 PM:   Found Spy Cookie: sexsearch cookie
4:09 PM:   [email protected][1].txt (ID = 3358)
4:09 PM:   Found Spy Cookie: trb.com cookie
4:09 PM:   [email protected][1].txt (ID = 3588)
4:09 PM:   Found Spy Cookie: websponsors cookie
4:09 PM:   [email protected][2].txt (ID = 3665)
4:09 PM:   Found Spy Cookie: enhance cookie
4:09 PM:   [email protected][1].txt (ID = 2614)
4:09 PM:   Found Spy Cookie: adecn cookie
4:09 PM:   hant@adecn[1].txt (ID = 2063)
4:09 PM:   Found Spy Cookie: statcounter cookie
4:09 PM:   hant@statcounter[2].txt (ID = 3447)
4:09 PM:   Found Spy Cookie: cc214142 cookie
4:09 PM:   [email protected][1].txt (ID = 2367)
4:09 PM:   hant@trb[2].txt (ID = 3587)
4:09 PM:   Found Spy Cookie: targetnet cookie
4:09 PM:   hant@targetnet[1].txt (ID = 3489)
4:09 PM:   Found Spy Cookie: adknowledge cookie
4:09 PM:   hant@adknowledge[1].txt (ID = 2072)
4:09 PM:   Found Spy Cookie: ic-live cookie
4:09 PM:   hant@ic-live[1].txt (ID = 2821)
4:09 PM:   Found Spy Cookie: 360i cookie
4:09 PM:   [email protected][2].txt (ID = 1962)
4:09 PM:   Found Spy Cookie: outster cookie
4:09 PM:   hant@outster[2].txt (ID = 3103)
4:09 PM:   Found Spy Cookie: aptimus cookie
4:09 PM:   [email protected][2].txt (ID = 2235)
4:09 PM:   Found Spy Cookie: trafficmp cookie
4:09 PM:   hant@trafficmp[2].txt (ID = 3581)
4:09 PM:   Found Spy Cookie: apmebf cookie
4:09 PM:   hant@apmebf[2].txt (ID = 2229)
4:09 PM:   Found Spy Cookie: adrevolver cookie
4:09 PM:   hant@adrevolver[2].txt (ID = 2088)
4:09 PM:   hant@adrevolver[3].txt (ID = 2088)
4:09 PM:   Found Spy Cookie: belnk cookie
4:09 PM:   [email protected][2].txt (ID = 2293)
4:09 PM:   [email protected][1].txt (ID = 3298)
4:09 PM:   Found Spy Cookie: imlive.com cookie
4:09 PM:   [email protected][1].txt (ID = 2844)
4:09 PM:   hant@starware[2].txt (ID = 3441)
4:09 PM:   Found Spy Cookie: server.iad.liveperson cookie
4:09 PM:   [email protected][1].txt (ID = 3341)
4:09 PM:   Found Spy Cookie: kinghost cookie
4:09 PM:   hant@kinghost[1].txt (ID = 2903)
4:09 PM:   Found Spy Cookie: abcsearch cookie
4:09 PM:   hant@abcsearch[1].txt (ID = 2033)
4:09 PM:   Found Spy Cookie: yieldmanager cookie
4:09 PM:   hant@yieldmanager[1].txt (ID = 3749)
4:09 PM:   Found Spy Cookie: ccbill cookie
4:09 PM:   hant@ccbill[2].txt (ID = 2369)
4:09 PM:   Found Spy Cookie: reliablestats cookie
4:09 PM:   [email protected][1].txt (ID = 3254)
4:09 PM:   [email protected][1].txt (ID = 3442)
4:09 PM:   [email protected][1].txt (ID = 2293)
4:09 PM:   Found Spy Cookie: falkag cookie
4:09 PM:   [email protected][1].txt (ID = 2650)
4:09 PM:   Found Spy Cookie: banner cookie
4:09 PM:   hant@banner[1].txt (ID = 2276)
4:09 PM:   Found Spy Cookie: webpower cookie
4:09 PM:   hant@webpower[1].txt (ID = 3660)
4:09 PM:   [email protected][2].txt (ID = 3751)
4:09 PM:   Found Spy Cookie: valuead cookie
4:09 PM:   [email protected][2].txt (ID = 3627)
4:09 PM:   Found Spy Cookie: partypoker cookie
4:09 PM:   hant@partypoker[2].txt (ID = 3111)
4:09 PM:   [email protected][1].txt (ID = 3442)
4:09 PM:   system@azjmp[2].txt (ID = 2270)
4:09 PM:   [email protected][2].txt (ID = 3442)
4:09 PM: Cookie Sweep Complete, Elapsed Time: 00:00:10
4:09 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
4:09 PM: Starting File Sweep
4:09 PM:   drsmartload.dat (ID = 198788)
4:09 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:09 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:09 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:09 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:10 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:10 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:10 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:10 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:11 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:11 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:11 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:11 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:12 PM:   Warning: Failed to open file "c:\windows\system32\e0jmla111d.dll". The process cannot access the file because it is being used by another process
4:12 PM:   Found Adware: look2me
4:12 PM:   f2l00c3mef.dll (ID = 159)
4:12 PM:   Warning: Failed to open file "c:\windows\system32\r8p8li7u18.dll". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\mjhcp.dll". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
4:12 PM:   Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
4:12 PM:   __delete_on_reboot__guard.tmp (ID = 159)
4:13 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:13 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:13 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:13 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:14 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:14 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:14 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:14 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:16 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:16 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:16 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:16 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:16 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:16 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:17 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:17 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:17 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:17 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:18 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:18 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:18 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:18 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:19 PM:   Warning: Failed to read file "c:\documents and settings\all users\application data\aol\topspeed\2.0\server.lock". The process cannot access the file because another process has locked a portion of the file
4:19 PM:   Warning: Failed to read file "c:\documents and settings\all users\application data\aol\topspeed\2.0\aoltsmon.lock". The process cannot access the file because another process has locked a portion of the file
4:19 PM:   Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs307a66bf-2e05-43c0-b170-43542b86d711.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs97fd4030-a000-4c11-adb2-1b94f9f03cc0.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6344804f-734f-413b-9fb0-643480ed2b66.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs05cd7f13-3d99-4b75-94df-afa36a12b4a1.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs958fcb88-47c7-4fcf-89dc-224f38651375.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs31a74f8e-5303-42ca-b7ad-be683655f52e.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse57922a1-8fec-49ba-89ad-3d50dd2e5d24.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9ea04590-4d4b-4734-85f4-e0b79febafd4.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs02124b98-21bf-47f2-9cf8-b61a99d3d756.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs45412e63-2e54-451b-af33-730b79422992.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0e5772d5-0232-4e2d-a4fb-a62e2c6f62f5.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs134dc306-b9f7-4068-bdf5-6ecf4509dfc5.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs88c8c9f7-7a47-4962-81f1-da27b13bc161.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6ebef4b4-6765-4087-aab2-d898dfb91f9f.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse2ea8b61-fe13-45c5-b267-ce4b0cd9a530.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6df525df-1299-4aa8-9b82-3bb6dbc3cb62.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1244bd0c-fdf5-4998-9fa1-c44ad1593163.tmp". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\hant\ntuser.dat". The process cannot access the file because it is being used by another process
4:19 PM:   Warning: Failed to open file "c:\documents and settings\hant\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:19 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:19 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:19 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:19 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:20 PM:   Warning: Failed to open file "c:\documents and settings\hant\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:20 PM:   Warning: Failed to open file "c:\documents and settings\hant\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:20 PM:   54c499ff-d2b6-4436-8697-931a9e (ID = 159)
4:20 PM:   3dd2d7a8-c451-4b16-b495-d85e19 (ID = 159)
4:21 PM:   9bfe3c7f-0f42-46a8-9d27-1430c8 (ID = 159)
4:21 PM:   1c4cb0ec-3288-497b-8b6d-96693e (ID = 159)
4:21 PM:   29cf6357-86b9-421b-afba-da8d74 (ID = 159)
4:21 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:21 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:21 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:21 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:22 PM:   Warning: Failed to open file "c:\documents and settings\hant\application data\securom\userdata\???????????p???????? ". The system cannot find the file specified
4:22 PM:   Warning: Failed to open file "c:\documents and settings\hant\application data\securom\userdata\???????????p??????????? ". The system cannot find the file specified
4:22 PM:   Warning: Failed to open file "c:\documents and settings\hant\application data\mozilla\firefox\profiles\default.ayk\parent.lock". The process cannot access the file because it is being used by another process
4:22 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:22 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:22 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:22 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:23 PM:   Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
4:24 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:24 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:24 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:24 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:24 PM:   Found Adware: targetsaver
4:24 PM:   class-barrel (ID = 78229)
4:25 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:25 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:25 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:25 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:26 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:26 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:26 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:26 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:28 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:28 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:28 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:28 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:29 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:29 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:29 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:29 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:30 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:30 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:30 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:30 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:31 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:31 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:31 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:31 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:31 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:31 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:31 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:31 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:32 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:32 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:32 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:32 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:32 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:32 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:32 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:32 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:34 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:34 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:34 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:34 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:34 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:34 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:34 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:34 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:35 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:35 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:35 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:35 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:35 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:35 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:35 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:35 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:36 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:36 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:36 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:36 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:36 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:36 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:36 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:36 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:37 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:37 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:37 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:37 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:38 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:38 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:38 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:38 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:38 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:38 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:38 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:38 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:39 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:39 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:39 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:39 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:39 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:39 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:39 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:39 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:40 PM:   Warning: Invalid Stream
4:40 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:40 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:40 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:40 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:40 PM:   Warning: Unhandled Archive Type
4:41 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:41 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:41 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:41 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:41 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:41 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:41 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:41 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:42 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:42 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:42 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:42 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:42 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:42 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:42 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:42 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:43 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:43 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:43 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:43 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:43 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:43 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:43 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:43 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:44 PM:   Warning: Unhandled Archive Type
4:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
look2me worm problems
« Reply #3 on: December 03, 2005, 07:17:07 PM »
You didn't finish posting the bottom of the SpySweeper log
Could you also post a fresh hijackthis log please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Arahant

look2me worm problems
« Reply #4 on: December 03, 2005, 07:20:32 PM »
4:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:44 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:46 PM: File Sweep Complete, Elapsed Time: 00:37:18
4:46 PM: Full Sweep has completed.  Elapsed time 00:45:04
4:46 PM: Traces Found: 180
4:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
4:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:01 PM: Removal process initiated
5:02 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:02 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:02 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:02 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:03 PM:   Quarantining All Traces: icannnews
5:04 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:04 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:04 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:04 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:04 PM:   icannnews is in use.  It will be removed on reboot.
5:04 PM:     C:\WINDOWS\system32\e0jmla111d.dll is in use.  It will be removed on reboot.
5:04 PM:     C:\WINDOWS\system32\mjhcp.dll is in use.  It will be removed on reboot.
5:04 PM:   Quarantining All Traces: look2me
5:04 PM:   look2me is in use.  It will be removed on reboot.
5:04 PM:     __delete_on_reboot__guard.tmp is in use.  It will be removed on reboot.
5:04 PM:   Quarantining All Traces: purityscan
5:04 PM:   Quarantining All Traces: trojan-downloader-moneymind
5:04 PM:   Quarantining All Traces: command
5:04 PM:   Quarantining All Traces: dollarrevenue
5:04 PM:   Quarantining All Traces: domain spy
5:04 PM:   Quarantining All Traces: findthewebsiteyouneed hijacker
5:04 PM:   Quarantining All Traces: mirinda
5:04 PM:   Quarantining All Traces: targetsaver
5:05 PM:   Quarantining All Traces: 360i cookie
5:05 PM:   Quarantining All Traces: abcsearch cookie
5:05 PM:   Quarantining All Traces: adecn cookie
5:05 PM:   Quarantining All Traces: adknowledge cookie
5:05 PM:   Quarantining All Traces: adlegend cookie
5:05 PM:   Quarantining All Traces: adminder cookie
5:05 PM:     The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:05 PM:     The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:05 PM:     The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:05 PM:     The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:05 PM:   Quarantining All Traces: adprofile cookie
5:05 PM:   Quarantining All Traces: adrevolver cookie
5:05 PM:   Quarantining All Traces: adtech cookie
5:05 PM:   Quarantining All Traces: apmebf cookie
5:05 PM:   Quarantining All Traces: aptimus cookie
5:05 PM:   Quarantining All Traces: ask cookie
5:05 PM:   Quarantining All Traces: azjmp cookie
5:05 PM:   Quarantining All Traces: banner cookie
5:05 PM:   Quarantining All Traces: banners cookie
5:05 PM:   Quarantining All Traces: belnk cookie
5:05 PM:   Quarantining All Traces: cc214142 cookie
5:05 PM:   Quarantining All Traces: ccbill cookie
5:05 PM:   Quarantining All Traces: clickandtrack cookie
5:05 PM:   Quarantining All Traces: enhance cookie
5:05 PM:   Quarantining All Traces: exitexchange cookie
5:05 PM:   Quarantining All Traces: falkag cookie
5:05 PM:   Quarantining All Traces: gamespy cookie
5:05 PM:   Quarantining All Traces: hbmediapro cookie
5:05 PM:   Quarantining All Traces: herfirstanalsex cookie
5:05 PM:   Quarantining All Traces: hotbar cookie
5:05 PM:   Quarantining All Traces: ic-live cookie
5:05 PM:   Quarantining All Traces: imlive.com cookie
5:05 PM:   Quarantining All Traces: kinghost cookie
5:05 PM:   Quarantining All Traces: linksynergy cookie
5:05 PM:   Quarantining All Traces: nextag cookie
5:05 PM:   Quarantining All Traces: outster cookie
5:05 PM:   Quarantining All Traces: partypoker cookie
5:05 PM:   Quarantining All Traces: pointroll cookie
5:05 PM:   Quarantining All Traces: reliablestats cookie
5:05 PM:   Quarantining All Traces: reunion cookie
5:05 PM:   Quarantining All Traces: screensavers.com cookie
5:05 PM:   Quarantining All Traces: seeq cookie
5:05 PM:   Quarantining All Traces: server.iad.liveperson cookie
5:05 PM:   Quarantining All Traces: servlet cookie
5:05 PM:   Quarantining All Traces: sexsearch cookie
5:05 PM:   Quarantining All Traces: starware.com cookie
5:06 PM:   Quarantining All Traces: statcounter cookie
5:06 PM:   Quarantining All Traces: targetnet cookie
5:06 PM:   Quarantining All Traces: trafficmp cookie
5:06 PM:   Quarantining All Traces: trb.com cookie
5:06 PM:   Quarantining All Traces: valuead cookie
5:06 PM:   Quarantining All Traces: webpower cookie
5:06 PM:   Quarantining All Traces: websponsors cookie
5:06 PM:   Quarantining All Traces: xmatch cookie
5:06 PM:   Quarantining All Traces: yieldmanager cookie
5:06 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:06 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:06 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:06 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:06 PM: Removal process completed.  Elapsed time 00:04:50
********
4:00 PM: |       Start of Session, Saturday, December 03, 2005       |
4:00 PM: Spy Sweeper started
4:00 PM: Your spyware definitions have been updated.
4:01 PM: |       End of Session, Saturday, December 03, 2005       |


Logfile of HijackThis v1.99.1
Scan saved at 5:15:27 PM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1124519570\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124519570\ee\AOLServiceHost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\ALLUME~1\StuffIt\mxtask.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/news/console.html
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124519570\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Yeah, I was trying to post the rest but I think something happened with your flood control; it wouldn't let me make a second post.
« Last Edit: December 03, 2005, 07:22:06 PM by Arahant »

Offline guestolo

look2me worm problems
« Reply #5 on: December 03, 2005, 09:01:24 PM »
Could you do the following for me please

This file may not exist, but take a look
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Can you go to this site
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to this file on your hard drive
I would like to see what it's related to
C:\WINDOWS\csrvs.exe <-this file

Right click on it  and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scans back here please



Offline Arahant

look2me worm problems
« Reply #6 on: December 03, 2005, 09:25:57 PM »
It doesn't look like that file exists.  I couldn't find it in my Windows folder.
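
The request to check C:\WINDOWS\csrvs.exe, and the answer that the file is not there, both trace back to one O23 line in the HijackThis log: the "Secure HTTP (Service Secured)" service with no owner and a binary marked "(file missing)". The Python below is an added example, not part of the thread or of HijackThis; it parses O23 lines copied from the log above and flags that pattern. The field layout is inferred from those lines, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# O20/O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
# "Display name (ServiceName)" at the end of the first field.
NAME_RE = re.compile(r"^(?P<display>.*\S)\s+\((?P<name>[^()]+)\)$")


@dataclass
class Service:
    display: str
    name: str          # the name that sc.exe expects
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Parse one O23 line; return None for any other line type."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    # Split from the right so a " - " inside the display name is harmless.
    # Assumption: the path itself contains no " - ".
    parts = line[len(PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    label, owner, path = (p.strip() for p in parts)
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    m = NAME_RE.match(label)
    # Assumption: with no parenthesised name, display and service name match.
    display, name = (m["display"], m["name"]) if m else (label, label)
    return Service(display, name, owner, path, missing)


def triage(log_text):
    """Return services worth a closer look, most reasons first."""
    flagged = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        if svc.file_missing:
            svc.reasons.append("service is registered but its binary is not on disk")
        if svc.owner.lower() == "unknown owner":
            svc.reasons.append("HijackThis reports no owner for the binary")
        if svc.reasons:
            flagged.append(svc)
    flagged.sort(key=lambda s: len(s.reasons), reverse=True)
    return flagged


def sc_qc_command(svc):
    """Build an 'sc qc' (query configuration) command for review.

    A service name containing a space must be quoted, otherwise sc.exe
    treats only the first word as the service name.
    """
    name = f'"{svc.name}"' if re.search(r"\s", svc.name) else svc.name
    return f"sc qc {name}"


if __name__ == "__main__":
    for svc in triage(SAMPLE_LOG):
        print(f"{svc.display} [{svc.name}] -> {svc.path}")
        for reason in svc.reasons:
            print(f"    - {reason}")
        print(f"    review with: {sc_qc_command(svc)}")
```

An "Unknown owner" entry on its own, such as the Macromedia service here, is common for legitimate software; it is the combination with a missing binary in C:\WINDOWS that puts "Service Secured" at the top of the list.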

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
look2me worm problems
« Reply #7 on: December 03, 2005, 09:38:45 PM »
Then can we finish with the following please

Go to START>>RUN>>Copy and paste the following into the open field

sc stop "Service Secured"

And this one
sc delete "Service Secured"

Afterwards

Please disable SpySweeper. You can re-enable it later.
To disable SpySweeper:

Open it, click >Options over to the left, then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

If CounterSpy has realtime protections enabled, can you disable them too

Could you also
Disable Norton AntiVirus Script Blocking, I don't want it interfering too

   1. Start Norton AntiVirus.
      If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
   2. Click Options.
      If you see a menu, click Norton AntiVirus.
   3. In the left pane, click Script Blocking.
   4. In the right pane, uncheck Enable Script Blocking (recommended).
   5. Click OK.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start.  Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT:  Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.
« Last Edit: December 03, 2005, 09:39:40 PM by guestolo »



Offline Arahant

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
look2me worm problems
« Reply #8 on: December 03, 2005, 10:19:39 PM »
L2mfix Beta 120305
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
 Granting SeDebugPrivilege to L2MFIX   ... successful
 
Running From:
C:\WINDOWS\system32
 
Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 564 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 652 'winlogon.exe'
Killing PID 652 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1992 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1116 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\r8p8li7u18.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\r8p8li7u18.dll  
Successfully Deleted: C:\WINDOWS\system32\r8p8li7u18.dll
 
Desktop.ini sucessfully removed
 
 
Zipping up files for submission:
   zip warning: name not matched: guard.tmp

zip error: Nothing to do! (backup.zip)
  adding: l2mfix/l2mfix/backregs/notibac.reg (deflated 87%)
  adding: l2mfix/l2mfix/backregs/shell.reg (deflated 74%)
 
Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: r8p8li7u18.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\r8p8li7u18.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{36F96052-C267-4B7C-8754-142B5BDCDA8D}"=-
[-HKEY_CLASSES_ROOT\CLSID\{36F96052-C267-4B7C-8754-142B5BDCDA8D}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
  adding: dlls/r8p8li7u18.dll (deflated 4%)

Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 9:18:46 PM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\AOL\1124519570\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124519570\ee\AOLServiceHost.exe
C:\Program Files\America Online 9.0a\wEmail Removedexe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ALLUME~1\StuffIt\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/news/console.html
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124519570\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\Email RemovedEXE" -b
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
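
Added example (not part of the original posts and not L2mfix's own code): a Python sketch that reads a Winlogon Notify export like the one in the log above, decodes the hex(2) DllName values, and lists any DLL outside a baseline. The sample export is constructed, ExampleNotify is a hypothetical subkey, and the baseline set is an assumption drawn from the post-cleanup export in this thread.

```python
import ntpath
import re

NOTIFY_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Assumption for this example: the DLL names left in the post-cleanup export
# shown in this thread. This is not a vetted allowlist for other machines.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
                 "sclgntfy.dll", "wrlogonntf.dll", "wzcdlg.dll"}

# Constructed sample in .reg export format. "ExampleNotify" is a made-up
# subkey; its DllName reuses the file name L2mfix reported deleting.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleNotify]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r8p8li7u18.dll"
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Decode one .reg value: hex(1)/hex(2) are UTF-16LE strings, "..." is escaped text."""
    if raw.startswith(("hex(1):", "hex(2):")):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg string values escape backslashes and quotes with a backslash.
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_notify_export(text):
    """Return {subkey: DllName} for every subkey under Winlogon\\Notify."""
    # Long hex values wrap with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    prefix = NOTIFY_ROOT.lower() + "\\"
    result, subkey = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            subkey = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        match = VALUE_RE.match(line)
        # Exports spell the value both "DllName" and "DLLName", so compare case-insensitively.
        if subkey and match and match.group(1).lower() == "dllname":
            result[subkey] = decode_value(match.group(2))
    return result


def unexpected_notify_dlls(text, baseline=BASELINE_DLLS):
    """Return {subkey: dll} for Notify DLLs whose file name is not in the baseline."""
    return {subkey: dll
            for subkey, dll in parse_notify_export(text).items()
            if ntpath.basename(dll).lower() not in baseline}


if __name__ == "__main__":
    for subkey, dll in unexpected_notify_dlls(SAMPLE_EXPORT).items():
        print(f"review: Notify\\{subkey} -> {dll}")
```

A real "Windows Registry Editor Version 5.00" export is UTF-16 on disk, so open it with encoding="utf-16" before passing the text in.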

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
look2me worm problems
« Reply #9 on: December 03, 2005, 10:27:31 PM »
I'm stepping out for a bit, but can you do the following please

Go back and enable Norton's script blocking

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Secure HTTP

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Then post back a fresh hijackthis log



Offline Arahant

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
look2me worm problems
« Reply #10 on: December 04, 2005, 12:02:55 AM »
The service wasn't running, but I changed it from automatic to disabled.  I haven't had any popups in a while so I think we might have got it.  I really appreciate all your help.

Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 11:03:27 PM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124519570\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124519570\ee\AOLServiceHost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ALLUME~1\StuffIt\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/news/console.html
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124519570\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\Email RemovedEXE" -b
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
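
Added example (not part of the original posts and not HijackThis code): a Python sketch that parses O23 service lines like those in the logs above and reports the flags that made the "Secure HTTP" entry stand out. The four sample lines are copied from the log posted earlier in this thread; the three flags are heuristics chosen for this example, and the parser assumes the owner and path fields contain no " - ".

```python
import ntpath
import re

# Four O23 lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
"""

O23_PREFIX = "O23 - Service: "
MISSING_SUFFIX = " (file missing)"


def parse_o23(line):
    """Split one O23 line into display name, service name, owner, path, missing."""
    if not line.startswith(O23_PREFIX):
        return None
    try:
        # Split from the right so a " - " inside the display name is tolerated.
        label, owner, path = line[len(O23_PREFIX):].rsplit(" - ", 2)
    except ValueError:
        return None
    # "Display (Name)" when the two differ, a single label when they match.
    match = re.match(r"^(.*) \(([^()]+)\)$", label)
    display, name = (match.group(1), match.group(2)) if match else (label, label)
    missing = path.endswith(MISSING_SUFFIX)
    if missing:
        path = path[:-len(MISSING_SUFFIX)]
    return {"display": display, "name": name, "owner": owner,
            "path": path, "missing": missing}


def triage(log_text):
    """Return (service name, display name, flags) for every flagged O23 entry."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line.strip())
        if svc is None:
            continue
        flags = []
        if svc["missing"]:
            flags.append("file missing")
        if svc["owner"].lower() == "unknown owner":
            flags.append("unknown owner")
        if ntpath.dirname(svc["path"]).lower() == r"c:\windows":
            flags.append("binary in Windows root")
        if flags:
            findings.append((svc["name"], svc["display"], flags))
    return findings


if __name__ == "__main__":
    for name, display, flags in triage(SAMPLE_LOG):
        print(f"{display} (service name: {name}): {', '.join(flags)}")
```

The Macromedia entry also trips "unknown owner", so a single flag is a prompt to look closer rather than a verdict; the name in parentheses is the one used with sc and with HijackThis's "Delete an NT Service", while services.msc lists the display name.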

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
look2me worm problems
« Reply #11 on: December 05, 2005, 11:54:38 PM »
Sorry for the delay
Can you do the following please

Open Hijackthis>>Open Misc tools section>>Open "Delete an NT Service"
In the open field, copy and paste the next line in bold to the open field then hit OK

Service Secured

Reboot the computer

Back in windows

If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should also install this tool for extra protection
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection...."

Stay safe :D



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
look2me worm problems
« Reply #12 on: December 15, 2005, 12:07:55 AM »
I'll lock this topic as your problems appear resolved
Take care
