My hijackthis log

Post by Picks » November 18th, 2005, 10:25 pm

l2mfix log:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enlml1311.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{030200D9-1075-7F88-75E2-D4CCCD9B8965}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propri‚t‚s du fichier multim‚dia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de s‚curit‚ NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propri‚t‚s de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Â
Picks
Active Member
 
Posts: 13
Joined: November 13th, 2005, 9:32 am
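The first block of that L2MFIX output, the Winlogon\Notify export, is where the infection shows: a Notify subkey named "App Paths" loads C:\WINDOWS\system32\enlml1311.dll by full path, sitting among the built-in entries, and the Spy Sweeper log later in the thread identifies that DLL as look2me. The script below is an added example, not part of the thread and not L2MFIX's own code: it parses a .reg export of the Notify key (including the hex(2) UTF-16 DllName values and their backslash continuation lines) and triages each subkey against a baseline of the Windows XP Notify DLLs that appear in this log. The sample export is a constructed excerpt mirroring the log above; the baseline set, the function names and the full-path heuristic are my assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt of an L2MFIX "Winlogon/notify" registry export, in the
# same .reg format as the log in the thread (sample input, not a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enlml1311.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Logon"="WRLogon"
'''

# Notify DLLs that ship with Windows XP itself; every built-in entry in the
# thread's log resolves to one of these. Assumed baseline, extend per OS build.
KNOWN_WINDOWS_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}


def decode_reg_value(raw: str) -> str:
    """Decode the right-hand side of a .reg line.

    Quoted strings have their backslash escapes removed; hex(2) values
    (REG_EXPAND_SZ) are comma-separated UTF-16LE bytes ending in a NUL.
    Anything else (dword:, plain hex:) is returned as text.
    """
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(\d+\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_notify_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey: {value name: decoded value}} for each Notify\\<subkey>.

    Continuation lines (a trailing backslash after a comma) are joined first,
    so a hex(2) value split across lines parses as one value.
    """
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    marker = "\\winlogon\\notify\\"
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            idx = path.lower().find(marker)
            # The bare ...\Notify key itself has no trailing separator: skip it.
            current = path[idx + len(marker):] if idx != -1 else None
            if current is not None:
                sections[current] = {}
            continue
        if current is None or not line.startswith('"') or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        sections[current][name.strip('"')] = decode_reg_value(raw)
    return sections


def triage_notify(sections: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Classify each Notify subkey by its DllName (heuristic, assumed here):

      ok      - bare filename in the Windows baseline (resolved from System32)
      review  - bare filename not in the baseline (e.g. third-party security
                software such as the WRNotifier entry in the thread); verify it
      suspect - DLL given by full path, which no built-in entry does; together
                with a random-looking name this is the pattern seen in the log
    """
    results: Dict[str, Tuple[str, str]] = {}
    for subkey, values in sections.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            results[subkey] = ("review", "no DllName value")
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll:
            results[subkey] = ("suspect", "loaded by full path: " + dll)
        elif base in KNOWN_WINDOWS_NOTIFY_DLLS:
            results[subkey] = ("ok", base)
        else:
            results[subkey] = ("review", base)
    return results


if __name__ == "__main__":
    for subkey, (verdict, detail) in triage_notify(parse_notify_export(SAMPLE_REG)).items():
        print(f"{verdict:7s} Notify\\{subkey:14s} {detail}")
```

Run against the sample it prints one line per subkey: the App Paths entry comes out as suspect, crypt32chain and cscdll as ok, and WRNotifier as review (a legitimate Webroot component on this machine, but not something the baseline can vouch for). The value-name comparison is case-insensitive because the built-in entries spell it both "DllName" and "DLLName", as the log shows.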

Post by jwbirdsong » November 18th, 2005, 11:05 pm

That log looks better. I was just unwilling to go ahead with a fix without seeing the whole L2mfix log, as l2m can/does mess with your permissions and other registry keys, and that was the part of the log that was missing from the earlier post.
Once SpySweeper is no longer running, please do the following.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, NOTEPAD will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log and the log from SS IF it runs to completion.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don’t disappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Post by Picks » November 19th, 2005, 9:31 am

I tried to use the l2mfix to run a fix, but when the scan is done I can only see the wallpaper and nothing else, no matter how long I wait. I tried various times and was unsuccessful, even with the second.bat file.

However I have been able to perform a complete sweep with SS, here is the log:


********
02:52: | Start of Session, samedi 19 novembre 2005 |
02:52: Spy Sweeper started
02:52: Sweep initiated using definitions version 575
02:53: Starting Memory Sweep
02:53: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:53: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:53: Found Adware: icannnews
02:53: Detected running threat: C:\WINDOWS\system32\enlml1311.dll (ID = 83)
02:54: Detected running threat: C:\WINDOWS\system32\kvdda.dll (ID = 83)
02:54: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:54: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:55: Memory Sweep Complete, Elapsed Time: 00:02:15
02:55: Starting Registry Sweep
02:55: Registry Sweep Complete, Elapsed Time:00:00:10
02:55: Starting Cookie Sweep
02:55: Cookie Sweep Complete, Elapsed Time: 00:00:00
02:55: Starting File Sweep
02:55: Found Adware: look2me
02:55: m4pole731h.dll (ID = 159)
02:55: fzlemgmt.dll (ID = 159)
02:55: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:55: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:55: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:55: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:55: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:55: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:55: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:55: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:55: hrnm0551e.dll (ID = 159)
02:55: kvdda.dll (ID = 159)
02:56: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:56: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:56: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:56: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:56: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:56: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:56: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:56: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:56: kidkyr.dll (ID = 159)
02:56: mv6ql9j51.dll (ID = 159)
02:56: dn8o01l3e.dll (ID = 159)
02:56: azao0333e.dll (ID = 159)
02:57: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:57: gp44l3hq1.dll (ID = 159)
02:57: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:57: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:58: nilanui.dll (ID = 159)
02:58: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:58: lvj8091ue.dll (ID = 159)
02:58: enlml1311.dll (ID = 159)
02:58: ipagxpr7.dll (ID = 159)
02:58: installer[1].exe (ID = 168558)
02:58: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:58: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:59: aqptif.dll (ID = 159)
02:59: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:59: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:59: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:59: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
02:59: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:59: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:59: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:59: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
02:59: Found Adware: targetsaver
02:59: tsuninst.exe (ID = 193501)
02:59: mv60l9jm1.dll (ID = 159)
02:59: iupeers.dll (ID = 159)
02:59: ddcompos.dll (ID = 159)
02:59: ebtmgr.dll (ID = 159)
03:00: tsupdate2[1].ini (ID = 193498)
03:00: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:00: appwrap[2].exe (ID = 65722)
03:00: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:00: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:00: e2202cfmgf2a2.dll (ID = 159)
03:01: nbtapi32.dll (ID = 159)
03:01: n4p40e7qeh.dll (ID = 159)
03:01: qysname.dll (ID = 159)
03:01: mrgsvc.dll (ID = 159)
03:01: ouecli.dll (ID = 159)
03:01: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:01: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:01: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:01: The Spy Communication shield has blocked access to: http://www.ad-w-a-r-e.com
03:01: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:01: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:01: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:01: The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com
03:01: i2lolc331f.dll (ID = 159)
03:01: n62ulgf9162.dll (ID = 159)
03:01: m646lghs1646.dll (ID = 159)
03:01: fprm0391e.dll (ID = 159)
03:01: nfrsel.dll (ID = 159)
03:02: m6820gloe6qc0.dll (ID = 159)


(here are pages of "The Spy Communication shield has blocked access to: http://www.a-d-w-a-r-e.com")

12:22: Removal process initiated
12:22: Quarantining All Traces: icannnews
12:23: icannnews is in use. It will be removed on reboot.
12:23: C:\WINDOWS\system32\enlml1311.dll is in use. It will be removed on reboot.
12:23: C:\WINDOWS\system32\kvdda.dll is in use. It will be removed on reboot.
12:23: Quarantining All Traces: look2me
12:23: look2me is in use. It will be removed on reboot.
12:23: kvdda.dll is in use. It will be removed on reboot.
12:23: enlml1311.dll is in use. It will be removed on reboot.
12:23: e2202cfmgf2a2.dll is in use. It will be removed on reboot.
12:23: Quarantining All Traces: targetsaver
12:24: Preparing to restart your computer. Please wait...
12:24: Removal process completed. Elapsed time 00:02:03


And a fresh Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:31:45, on 19/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st800\dslmon.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6944E235-1BA8-4A21-BE20-4DF4E0315A08}: NameServer = 212.27.54.252 212.27.39.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ADSLAutoconnect - Unknown owner - C:\Program Files\ADSL Autoconnect\ADSL Autoconnect.exe" -z (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Picks
Active Member
 
Posts: 13
Joined: November 13th, 2005, 9:32 am

Post by jwbirdsong » November 19th, 2005, 10:39 am

Looks like SpySweeper may have killed it all for us anyway... Will you give me another log from Option #1 of the L2mfix.bat please? How's the computer running?
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Post by Picks » November 19th, 2005, 11:49 am

Here you go:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(NI) ALLOW Full access AUTORITE NT\SYSTEM
(IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propri‚t‚s du fichier multim‚dia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de s‚curit‚ NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propri‚t‚s de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'environnement pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Â
Picks
Active Member
 
Posts: 13
Joined: November 13th, 2005, 9:32 am

Post by Picks » November 19th, 2005, 12:07 pm

However, when pressing ctrl alt del I can see that lsass.exe is still running, and I can't do anything about it as it is a "critical system process". Kaspersky is telling me it's a trojan.
Picks
Active Member
 
Posts: 13
Joined: November 13th, 2005, 9:32 am

Post by jwbirdsong » November 20th, 2005, 10:59 am

Picks wrote: However when pressing ctrl alt del I can see that lsass.exe is still running and I can't do anything about it as it is a "critical system process". Kaspersky is telling me it's a trojan.
And from your HijackThis log > Running processes: C:\WINDOWS\system32\lsass.exe

The above file is a valid Windows system file. Use your computer to search for lsass.exe and see if you have a copy in a location other than C:\WINDOWS\system32\. Make sure to tick the box to search for Hidden/System files under 'more options' in the search dialog. View Hidden files must also still be enabled (directions in 1st post). If you find a copy in C:\Windows (the most likely place), that is more than likely a spoofed (bad) file. You can always check ANY file by going to Jotti's malware scan; just copy and paste the file path of the questionable file into the "File to upload & scan" box on the top of the page. As far as the freezing problem goes:
Picks wrote: could a jumper issue cause that much pb? Could it be the ram?
Jumper issue not likely. Bad RAM is a much better bet. One other thing to check is to make sure of the drivers for your Video Card; they are the culprit in cases like this more often than not. Check with the manufacturer to see if there are any updated drivers.

Let's see if we can resolve this lsass issue and then I'll post some final instructions/tips to keep your computer happy and healthy.


ADDED after posting ---->>>>
You will more than likely find a variation on lsass in the prefetch folder. This is expected.
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Post by Picks » November 20th, 2005, 7:26 pm

Apparently I have 3 versions of lsass, one in C:\WINDOWS\system32\, the other two in the Service Pack file: C:\WINDOWS\ServicePackFiles\i386 and C:\WINDOWS\$NtServicePackUninstall$

For the freezing problems, I checked my graphic card driver as the first thing, so I don't think it is the issue. Are there any ways to test the ram? Thanks a lot for your help by the way ;)
Picks
Active Member
 
Posts: 13
Joined: November 13th, 2005, 9:32 am

Post by jwbirdsong » November 20th, 2005, 8:08 pm

All valid locations for lsass.

DocMemory is one of the best known and most widely used RAM tests; it's available for download HERE. Make sure to get the manual/instructions from the same page. It seems you must register to get DocMemory now, but it is still available as a free download.

Windows Memory Diagnostic is available HERE. (The only thing I know of this one is its existence; sorry, I can provide no more info on it.)
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Post by NonSuch » December 6th, 2005, 6:39 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California