BookedSpace and other stuff


21 replies to this topic

#1 Lori

Posted 04 July 2005 - 01:08 AM

Well, here I am again asking for help. I tried so hard to keep everything cleaned up! I keep finding BookedSpace in my Adaware scans, AVG finds trojan horses such as Dropper Agent 6.BU, Dropper.agent.AG, and trojan Generic.CZ, and my firewall keeps notifying me that an odd program, mkyiydpygh.exe, keeps trying to access the Internet every time I start up IE. I ran Spybot this evening and found nothing (it took a very long time to run compared to other times), and I ran Adaware before I ran HijackThis. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:29 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\WINDOWS\system32\khnkrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\windows\system32\zbzuzq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\User\LOCALS~1\Temp\PPY\aurareco.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.all-city.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.lycos.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\khnkrl.exe reg_run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [nfhdnh] c:\windows\system32\zbzuzq.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: All-City - {C7DE858A-6486-4857-A71D-B068D9C997EF} - www.all-city.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.all-city.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\ib50_32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you for taking a look at it.
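The following is an added example, not part of Lori's post and not code from HijackThis or the helpers. It is a small Python triage pass over the HijackThis log format, run over a constructed excerpt of the log above, and it flags the kinds of entries helpers look for first in a log like this: processes launched from a Temp directory, autostart entries and processes with random-looking names sitting directly in C:\WINDOWS or System32, ActiveX downloads (O16) with no control name, and every O20 Winlogon Notify DLL, because those load inside winlogon.exe. The vowel-ratio test for "random-looking" and the three-vowel threshold are heuristics chosen for this example, not rules HijackThis applies, and the directory list assumes a C: install.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the
# post above (process list plus O4/O16/O20 entries); a real log is far longer.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\khnkrl.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\zbzuzq.exe
C:\DOCUME~1\User\LOCALS~1\Temp\PPY\aurareco.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\khnkrl.exe reg_run
O4 - HKLM\..\Run: [nfhdnh] c:\windows\system32\zbzuzq.exe r
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\ib50_32.dll
"""

# Drive-letter paths ending in .exe/.dll/.cpl; spaces allowed (Program Files).
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cpl)\b", re.I)
# Assumption for this example: a C: install. Extend for other system roots.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}

def looks_random(stem):
    """Heuristic, not a HijackThis rule: a 5+ character alphanumeric stem with
    almost no vowels (khnkrl, zbzuzq, cfgmgr52). Legitimate names can trip it,
    so a hit means 'look this file up', not 'this is malware'."""
    stem = stem.lower()
    if len(stem) < 5 or not stem.isalnum():
        return False
    return sum(ch in "aeiou" for ch in stem) / len(stem) < 0.2

def split_path(path):
    """Lower-cased directory and the file stem (name without extension)."""
    directory, _, filename = path.rpartition("\\")
    return directory.lower(), filename.rsplit(".", 1)[0]

def triage(log_text):
    """Return (section, reason, line) triples that deserve a second look."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            directory, stem = split_path(line)
            if "\\temp\\" in line.lower():
                findings.append(("process", "running from a Temp directory", line))
            elif directory in SYSTEM_DIRS and looks_random(stem):
                findings.append(("process", "random-looking name in a system directory", line))
            continue
        section = line.split(" - ", 1)[0]
        if section == "O4":
            for path in WIN_PATH.findall(line):
                directory, stem = split_path(path)
                if directory in SYSTEM_DIRS and looks_random(stem):
                    findings.append(("O4", "autostart of random-looking file in a system directory", line))
        elif section == "O16" and "(" not in line:
            findings.append(("O16", "ActiveX download with no control name", line))
        elif section == "O20":
            findings.append(("O20", "Winlogon Notify DLL: loads inside winlogon.exe", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the excerpt, the pass flags khnkrl.exe and zbzuzq.exe twice each (once as a running process, once as an O4 autostart), aurareco.exe from the Temp folder, cfgmgr52.dll, the unnamed windupdates.com download and the ib50_32.dll Winlogon Notify entry, and leaves the ATI, Messenger and HouseCall lines alone.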

#2 Guest_Cretemonster_*

Posted 04 July 2005 - 05:28 AM

Hi Lori and Welcome!

Looks like you have contracted the l2m infection!

Download the l2mfix from here
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.

#3 Lori

Posted 04 July 2005 - 01:30 PM

Thank you for your time, and on a holiday! I downloaded l2mfix.exe and followed your instructions. After I had selected Option #1 for Run Find Log, I got a Windows message box that said:

C:\Windows\System32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
The system file is not suitable for running MS-DOS and MS Windows applications. Choose close to terminate the application.

I chose close, the box opened once more, then after I clicked close, the notepad window opened with the log. Is this anything I should worry about? At any rate, here's the log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ib50_32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{89A8B5E4-8F88-7878-B78E-FC48D657B83B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{C56C4E21-706D-11d0-AFC5-444553540002}"="My Digital Camera"
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}"="ICCompPropPage"
"{0A082D00-EC93-11D0-B1E6-80580BC10627}"="Corel Media Folder Root Menu Handler"
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"="Folder To Corel Media Folder Menu Handler"
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}"="Corel Media Find Folder"
"{F8152501-455F-11D1-B1E6-444553540000}"="Corel Media Folder Copy Hook Handler"
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}"="IconFactTemp.NSIconHandlerFactory"
"{A2AC368A-F883-11D0-B745-00A0C90646A4}"="NSFiltManDll.FiltManCom"
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}"=""
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{A0761971-B6C8-4477-930F-4FFA8C494684}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{DCA04635-8950-48D5-8404-35A5ADCE3E3B}"="Google Deskbar"
"{C8A67C46-2D21-4193-8582-FBACC6BBC56F}"=""
"{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}\InprocServer32]
@="C:\\Corel\\Graphics8\\programs\\CMFFnd80.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A0761971-B6C8-4477-930F-4FFA8C494684}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0761971-B6C8-4477-930F-4FFA8C494684}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0761971-B6C8-4477-930F-4FFA8C494684}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}\InprocServer32]
@="C:\\WINDOWS\\system32\\sWfrcdlg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\mlcms.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8C33-A118

Directory of C:\WINDOWS\System32

07/04/2005 10:50 AM 417,792 mrpmsp.dll
07/03/2005 10:34 PM 417,792 ulbui.dll
07/03/2005 10:25 PM 417,792 mnltus35.dll
07/03/2005 10:09 PM 417,792 mlcms.dll
07/03/2005 10:06 PM 417,792 miftedit.dll
07/03/2005 10:00 PM 417,792 mqc71u.dll
07/03/2005 10:20 AM 417,792 sfdoclc.dll
07/02/2005 11:38 AM 417,792 mdrdim.dll
07/02/2005 12:54 AM 417,792 guard.tmp
07/02/2005 12:39 AM 417,792 phtorec.dll
07/01/2005 11:04 AM 417,792 sWfrcdlg.dll
06/30/2005 09:20 PM 417,792 ib50_32.dll
09/28/2002 02:50 PM <DIR> Microsoft
02/19/2002 04:38 PM <DIR> dllcache
05/10/2000 11:00 PM 397,312 Msrdo20.dll
03/13/2000 11:00 PM 151,552 Rdocurs.dll
14 File(s) 5,562,368 bytes
2 Dir(s) 54,943,580,160 bytes free


Thanks!
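The listing at the end of that log is the tell on its own: a dozen DLLs with random names, every one exactly 417,792 bytes, all written within the last few days, and guard.tmp the same size as the rest. As an added example, not part of the original thread or of L2MFix, the Python script below parses a `dir` listing of the kind pasted above and reports groups of files that share a byte-exact size and were written close together. The sample input is constructed from excerpts of the listing above; the cluster size and time window are assumed thresholds, not values taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the System32 listing from the log above, reduced to a few lines.
SAMPLE_DIR = """\
07/04/2005 10:50 AM 417,792 mrpmsp.dll
07/03/2005 10:34 PM 417,792 ulbui.dll
07/03/2005 10:25 PM 417,792 mnltus35.dll
07/03/2005 10:09 PM 417,792 mlcms.dll
07/02/2005 12:54 AM 417,792 guard.tmp
07/01/2005 11:04 AM 417,792 sWfrcdlg.dll
06/30/2005 09:20 PM 417,792 ib50_32.dll
09/28/2002 02:50 PM <DIR> Microsoft
02/19/2002 04:38 PM <DIR> dllcache
05/10/2000 11:00 PM 397,312 Msrdo20.dll
03/13/2000 11:00 PM 151,552 Rdocurs.dll
14 File(s) 5,562,368 bytes
2 Dir(s) 54,943,580,160 bytes free
"""

# One `dir` file row: date, 12-hour time, comma-grouped size, name. <DIR> rows and the
# summary lines have no numeric size in that position and therefore do not match.
DIR_LINE = re.compile(r'^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S.*)$')


def parse_dir(text):
    """Return [(mtime, size_bytes, name)] for every file row in a `dir` listing."""
    rows = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, clock, size, name = m.groups()
        mtime = datetime.strptime(f'{date} {clock}', '%m/%d/%Y %I:%M %p')
        rows.append((mtime, int(size.replace(',', '')), name))
    return rows


def size_clusters(rows, min_members=3, window_days=14):
    """Group files by exact size and return [(size, [names])] for groups of at least
    min_members files whose timestamps all fall within window_days of one another.
    Unrelated DLLs almost never share a byte-exact size; a dropper that keeps writing
    the same payload under fresh random names produces exactly this signature.
    The thresholds are assumptions chosen for this example."""
    by_size = defaultdict(list)
    for mtime, size, name in rows:
        by_size[size].append((mtime, name))
    clusters = []
    for size, files in sorted(by_size.items()):
        if len(files) < min_members:
            continue
        times = [t for t, _ in files]
        if (max(times) - min(times)).days > window_days:
            continue
        clusters.append((size, sorted(n for _, n in files)))
    return clusters


if __name__ == '__main__':
    for size, names in size_clusters(parse_dir(SAMPLE_DIR)):
        print(f'{len(names)} files of exactly {size:,} bytes written within days of each other:')
        for n in names:
            print('   ', n)
```

Run as-is, the only cluster reported is the seven 417,792-byte files; Msrdo20.dll and Rdocurs.dll, which are years old and have unique sizes, stay out of the report. On a live machine the same check should be fed the output of `dir C:\WINDOWS\System32 /a`, so that files carrying the hidden and system attributes (as these do in the later L2MFix log) are included.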

#4 Guest_Cretemonster_*

  • Guests

Posted 05 July 2005 - 03:39 AM

Open up the L2MFix and Select Option 5>> This will open a Browser Page and load a site!

Once at the Site, click the link that applies to your Operating System and let the Self Extractor replace the files in the System32 folder that are Damaged!

Once Complete, run Option 1 of the l2mfix again and Post those Results!

#5 Lori
  • Topic Starter
  • Members
  • 16 posts

Posted 06 July 2005 - 10:37 AM

Well, I went to the site and selected the option for XP home, selected run and then unzip but I don't think anything happened. Should I have selected save instead of run? I also have gotten several dialog boxes telling me that the Windows logon process had an error and the computer totally shut down. Is this related to VX2? Or am I really in trouble!

Just in case the extractor worked, here's the L2MFix log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ib50_32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{89A8B5E4-8F88-7878-B78E-FC48D657B83B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{C56C4E21-706D-11d0-AFC5-444553540002}"="My Digital Camera"
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}"="ICCompPropPage"
"{0A082D00-EC93-11D0-B1E6-80580BC10627}"="Corel Media Folder Root Menu Handler"
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"="Folder To Corel Media Folder Menu Handler"
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}"="Corel Media Find Folder"
"{F8152501-455F-11D1-B1E6-444553540000}"="Corel Media Folder Copy Hook Handler"
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}"="IconFactTemp.NSIconHandlerFactory"
"{A2AC368A-F883-11D0-B745-00A0C90646A4}"="NSFiltManDll.FiltManCom"
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}"=""
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{A0761971-B6C8-4477-930F-4FFA8C494684}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{DCA04635-8950-48D5-8404-35A5ADCE3E3B}"="Google Deskbar"
"{C8A67C46-2D21-4193-8582-FBACC6BBC56F}"=""
"{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}\InprocServer32]
@="C:\\Corel\\Graphics8\\programs\\CMFFnd80.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A0761971-B6C8-4477-930F-4FFA8C494684}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0761971-B6C8-4477-930F-4FFA8C494684}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A0761971-B6C8-4477-930F-4FFA8C494684}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}\InprocServer32]
@="C:\\WINDOWS\\system32\\sWfrcdlg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\mlcms.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
s32evnt1.dll Fri May 13 2005 7:50:10p A.... 91,856 89.70 K
wininet.dll Mon May 2 2005 1:52:36p A.... 657,920 642.50 K
mnltus35.dll Sun Jul 3 2005 10:25:28p ..S.R 417,792 408.00 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
browseui.dll Mon May 2 2005 1:52:34p A.... 1,019,904 996.00 K
itircl.dll Thu May 26 2005 7:04:28p A.... 155,136 151.50 K
xpsp3res.dll Mon May 16 2005 5:25:36p ..... 15,360 15.00 K
itss.dll Thu May 26 2005 7:04:28p A.... 137,216 134.00 K
hhsetup.dll Thu May 26 2005 7:04:28p A.... 41,472 40.50 K
urlmon.dll Mon May 2 2005 1:52:36p A.... 607,744 593.50 K
shlwapi.dll Mon May 2 2005 1:52:36p A.... 473,600 462.50 K
shdocvw.dll Mon May 2 2005 1:52:36p A.... 1,483,776 1.41 M
pngfilt.dll Mon May 2 2005 1:52:36p A.... 39,424 38.50 K
msrating.dll Mon May 2 2005 1:52:36p A.... 146,432 143.00 K
mshtmled.dll Mon May 2 2005 1:52:36p A.... 448,512 438.00 K
cdfview.dll Mon May 2 2005 1:52:34p A.... 151,040 147.50 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
mshtml.dll Mon May 2 2005 1:52:36p A.... 3,012,608 2.87 M
iepeers.dll Mon May 2 2005 1:52:34p A.... 250,880 245.00 K
inseng.dll Mon May 2 2005 1:52:34p A.... 96,256 94.00 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
ib50_32.dll Thu Jun 30 2005 9:20:58p ..S.R 417,792 408.00 K
supdate.dll Fri Jul 1 2005 1:46:14a A.... 29,184 28.50 K
enoeryn.dll Fri Jul 1 2005 1:46:16a A.... 27,648 27.00 K
riqru.dll Fri Jul 1 2005 1:46:16a A.... 9,728 9.50 K
phtorec.dll Sat Jul 2 2005 12:39:46a ..S.R 417,792 408.00 K
mdrdim.dll Sat Jul 2 2005 11:38:08a ..S.R 417,792 408.00 K
sfdoclc.dll Sun Jul 3 2005 10:20:58a ..S.R 417,792 408.00 K
ulbui.dll Sun Jul 3 2005 10:34:48p ..S.R 417,792 408.00 K
mqc71u.dll Sun Jul 3 2005 10:00:24p ..S.R 417,792 408.00 K
miftedit.dll Sun Jul 3 2005 10:06:54p ..S.R 417,792 408.00 K
mlcms.dll Sun Jul 3 2005 10:09:52p ..S.R 417,792 408.00 K
mrpmsp.dll Mon Jul 4 2005 10:50:44a ..S.R 417,792 408.00 K
kzdpl.dll Wed Jul 6 2005 8:15:40a ..S.R 417,792 408.00 K
sme.dll Tue Jul 5 2005 10:26:40a ..S.R 417,792 408.00 K
ujrcoina.dll Tue Jul 5 2005 12:58:56p ..S.R 417,792 408.00 K
saell32.dll Tue Jul 5 2005 6:46:42p ..S.R 417,792 408.00 K
brhci.dll Wed Jul 6 2005 8:25:24a ..S.R 417,792 408.00 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
swfrcdlg.dll Fri Jul 1 2005 11:04:00a ..S.R 417,792 408.00 K
fqultrep.dll Tue Jul 5 2005 6:38:04p ..S.R 417,792 408.00 K

47 items found: 47 files (17 H/S), 0 directories.
Total of file sizes: 21,525,872 bytes 20.53 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat Jul 2 2005 12:54:46a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8C33-A118

Directory of C:\WINDOWS\System32

07/06/2005 08:25 AM 417,792 brhci.dll
07/06/2005 08:15 AM 417,792 kzdpl.dll
07/05/2005 06:46 PM 417,792 saell32.dll
07/05/2005 06:38 PM 417,792 fQultrep.dll
07/05/2005 12:58 PM 417,792 ujrcoina.dll
07/05/2005 10:26 AM 417,792 sme.dll
07/04/2005 10:50 AM 417,792 mrpmsp.dll
07/03/2005 10:34 PM 417,792 ulbui.dll
07/03/2005 10:25 PM 417,792 mnltus35.dll
07/03/2005 10:09 PM 417,792 mlcms.dll
07/03/2005 10:06 PM 417,792 miftedit.dll
07/03/2005 10:00 PM 417,792 mqc71u.dll
07/03/2005 10:20 AM 417,792 sfdoclc.dll
07/02/2005 11:38 AM 417,792 mdrdim.dll
07/02/2005 12:54 AM 417,792 guard.tmp
07/02/2005 12:39 AM 417,792 phtorec.dll
07/01/2005 11:04 AM 417,792 sWfrcdlg.dll
06/30/2005 09:20 PM 417,792 ib50_32.dll
09/28/2002 02:50 PM <DIR> Microsoft
02/19/2002 04:38 PM <DIR> dllcache
05/10/2000 11:00 PM 397,312 Msrdo20.dll
03/13/2000 11:00 PM 151,552 Rdocurs.dll
20 File(s) 8,069,120 bytes
2 Dir(s) 54,637,494,272 bytes free


Thanks!
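Two things in the find log above make the case: the Winlogon\Notify package CSCSettings loads C:\WINDOWS\system32\ib50_32.dll by absolute path, where every stock package in the same export uses a bare file name, and the Shell Extensions\Approved entries registered with empty descriptions resolve through HKCR\CLSID to DLLs from the same fresh batch (sWfrcdlg.dll, mlcms.dll), while the one Corel entry with an empty name is harmless. As an added example, not code from the thread or from L2MFix, the Python script below parses .reg-style exports like the one in the log, including the hex(2) REG_EXPAND_SZ values and their backslash line continuations, and applies both checks. The sample input is constructed from excerpts of the log; the set of stock Notify DLLs is an assumption about a default Windows XP SP2 install, not something the thread states.

```python
import re

# Constructed sample: excerpts of the L2MFix find log posted above (Winlogon\Notify export,
# Shell Extensions\Approved list and the HKCR CLSID dump), cut down to a few entries.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"DllName"="C:\\WINDOWS\\system32\\ib50_32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}"=""
"{C8A67C46-2D21-4193-8582-FBACC6BBC56F}"=""
"{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}"=""

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}\InprocServer32]
@="C:\\Corel\\Graphics8\\programs\\CMFFnd80.dll"

[HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}\InprocServer32]
@="C:\\WINDOWS\\system32\\sWfrcdlg.dll"

[HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\mlcms.dll"
'''

NOTIFY_PREFIX = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\'
APPROVED_KEY = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved'
# Assumption: the DLLs behind the stock Windows XP SP2 Notify packages, plus the ATI display
# driver one present in this log. Anything else that winlogon loads deserves a second look.
STOCK_NOTIFY_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'wlnotify.dll',
                     'sclgntfy.dll', 'ati2evxx.dll'}


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_literal}}. hex(...) values
    wrap onto the next line with a trailing backslash; those pieces are joined first."""
    keys, current, pending = {}, None, ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('\\'):
            pending += line[:-1]
            continue
        line, pending = pending + line, ''
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, value = line.partition('=')
            keys[current][name.strip('"')] = value
    return keys


def decode_value(raw):
    """Turn a .reg value literal into str: a quoted REG_SZ, or hex(1|2|7) UTF-16LE data
    (hex(2) is REG_EXPAND_SZ, the form most DllName values take in this log)."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if m and m.group(1) in ('1', '2', '7'):
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    return raw  # dword:... and plain hex: are returned as written


def suspicious_notify(keys):
    """Return (subkey, dll, reasons) for Notify packages whose DLL is not a stock one or is
    given as an absolute path. Stock packages in this log all use a bare file name; the
    Look2Me CSCSettings entry points straight into system32."""
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        raw = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
        if raw is None:
            continue
        dll = decode_value(raw)
        reasons = []
        if dll.rsplit('\\', 1)[-1].lower() not in STOCK_NOTIFY_DLLS:
            reasons.append('not a stock Notify DLL')
        if '\\' in dll:
            reasons.append('absolute path')
        if reasons:
            hits.append((path[len(NOTIFY_PREFIX):], dll, reasons))
    return hits


def unnamed_shell_extensions(keys):
    """Return (clsid, server_dll, in_system32) for Approved shell extensions with an empty
    description, resolved through the CLSID's InprocServer32. An empty name alone is not
    proof (the Corel entry is benign); empty name plus a server DLL in system32 is the
    pattern the find log is built to expose."""
    lower = {k.lower(): v for k, v in keys.items()}
    out = []
    for clsid, desc in lower.get(APPROVED_KEY.lower(), {}).items():
        if decode_value(desc) != '':
            continue
        server_key = 'HKEY_CLASSES_ROOT\\CLSID\\%s\\InprocServer32' % clsid
        server = lower.get(server_key.lower(), {}).get('@')
        dll = decode_value(server) if server else ''
        out.append((clsid, dll, '\\system32\\' in dll.lower()))
    return out


if __name__ == '__main__':
    keys = parse_reg(SAMPLE_REG)
    for subkey, dll, reasons in suspicious_notify(keys):
        print(f'Notify\\{subkey} -> {dll}  ({"; ".join(reasons)})')
    for clsid, dll, bad in unnamed_shell_extensions(keys):
        print(f'{"FLAG" if bad else "info"} {clsid} -> {dll or "(no InprocServer32)"}')
```

The Corel CLSID comes out as info rather than FLAG because its server lives under C:\Corel, which is the distinction the log's own "Files Found are not all bad files" line is warning about. Anything the script flags should still be checked against the file listing before deletion: the registry names the DLL, the listing shows whether it belongs to the 417,792-byte batch.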

#6 Guest_Cretemonster_*

  • Guests

Posted 06 July 2005 - 10:48 AM

Did you get the Error Message that time??

The Replacement files come in a Self Extractor and All you have to do is extract them to the predetermined System32 folder!

Let me know if you still got the error message!

And yes, the Winlogon error is directly related to l2m!

#7 Lori
  • Topic Starter
  • Members
  • 16 posts

Posted 06 July 2005 - 01:42 PM

When I restarted the computer after the blue screen, I did not get the error message. I'm still confused though, should I save the file from the website to the computer, then run it to extract the files? Sorry to be so slow about this!

Thanks!

#8 Guest_Cretemonster_*

  • Guests

Posted 07 July 2005 - 04:28 AM

You are right on track!!

Download it and Double click the file to execute!

It will prompt you to extract the files to a predetermined location C:\Windows\System32

Allow it to do so, then run Options 1 and 2 from the l2m fix and post those results!

#9 Lori
  • Topic Starter
  • Members
  • 16 posts

Posted 07 July 2005 - 11:35 AM

I extracted the files and ran L2MFix options 1, then 2. On the restart, my copy of the logfile was wiped but here is what appeared after the restart:

L2Mfix 1.03

Running From:
C:\DOCUME~1\User\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\User\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\User\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1868 'explorer.exe'
Killing PID 1868 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2160 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\mnltus35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnltus35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ib50_32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ib50_32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\phtorec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\phtorec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdrdim.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdrdim.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sfdoclc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sfdoclc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ulbui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ulbui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqc71u.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqc71u.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\miftedit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\miftedit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mlcms.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mlcms.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrpmsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrpmsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kzdpl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kzdpl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ujrcoina.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ujrcoina.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\saell32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\saell32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gtu32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gtu32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\brhci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\brhci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\stint78.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\stint78.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdaze.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdaze.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwidx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwidx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sWfrcdlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sWfrcdlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fQultrep.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fQultrep.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\mnltus35.dll
Successfully Deleted: C:\WINDOWS\system32\mnltus35.dll
deleting: C:\WINDOWS\system32\mnltus35.dll
Successfully Deleted: C:\WINDOWS\system32\mnltus35.dll
deleting: C:\WINDOWS\system32\ib50_32.dll
Successfully Deleted: C:\WINDOWS\system32\ib50_32.dll
deleting: C:\WINDOWS\system32\ib50_32.dll
Successfully Deleted: C:\WINDOWS\system32\ib50_32.dll
deleting: C:\WINDOWS\system32\phtorec.dll
Successfully Deleted: C:\WINDOWS\system32\phtorec.dll
deleting: C:\WINDOWS\system32\phtorec.dll
Successfully Deleted: C:\WINDOWS\system32\phtorec.dll
deleting: C:\WINDOWS\system32\mdrdim.dll
Successfully Deleted: C:\WINDOWS\system32\mdrdim.dll
deleting: C:\WINDOWS\system32\mdrdim.dll
Successfully Deleted: C:\WINDOWS\system32\mdrdim.dll
deleting: C:\WINDOWS\system32\sfdoclc.dll
Successfully Deleted: C:\WINDOWS\system32\sfdoclc.dll
deleting: C:\WINDOWS\system32\sfdoclc.dll
Successfully Deleted: C:\WINDOWS\system32\sfdoclc.dll
deleting: C:\WINDOWS\system32\ulbui.dll
Successfully Deleted: C:\WINDOWS\system32\ulbui.dll
deleting: C:\WINDOWS\system32\ulbui.dll
Successfully Deleted: C:\WINDOWS\system32\ulbui.dll
deleting: C:\WINDOWS\system32\mqc71u.dll
Successfully Deleted: C:\WINDOWS\system32\mqc71u.dll
deleting: C:\WINDOWS\system32\mqc71u.dll
Successfully Deleted: C:\WINDOWS\system32\mqc71u.dll
deleting: C:\WINDOWS\system32\miftedit.dll
Successfully Deleted: C:\WINDOWS\system32\miftedit.dll
deleting: C:\WINDOWS\system32\miftedit.dll
Successfully Deleted: C:\WINDOWS\system32\miftedit.dll
deleting: C:\WINDOWS\system32\mlcms.dll
Successfully Deleted: C:\WINDOWS\system32\mlcms.dll
deleting: C:\WINDOWS\system32\mlcms.dll
Successfully Deleted: C:\WINDOWS\system32\mlcms.dll
deleting: C:\WINDOWS\system32\mrpmsp.dll
Successfully Deleted: C:\WINDOWS\system32\mrpmsp.dll
deleting: C:\WINDOWS\system32\mrpmsp.dll
Successfully Deleted: C:\WINDOWS\system32\mrpmsp.dll
deleting: C:\WINDOWS\system32\kzdpl.dll
Successfully Deleted: C:\WINDOWS\system32\kzdpl.dll
deleting: C:\WINDOWS\system32\kzdpl.dll
Successfully Deleted: C:\WINDOWS\system32\kzdpl.dll
deleting: C:\WINDOWS\system32\sme.dll
Successfully Deleted: C:\WINDOWS\system32\sme.dll
deleting: C:\WINDOWS\system32\sme.dll
Successfully Deleted: C:\WINDOWS\system32\sme.dll
deleting: C:\WINDOWS\system32\ujrcoina.dll
Successfully Deleted: C:\WINDOWS\system32\ujrcoina.dll
deleting: C:\WINDOWS\system32\ujrcoina.dll
Successfully Deleted: C:\WINDOWS\system32\ujrcoina.dll
deleting: C:\WINDOWS\system32\saell32.dll
Successfully Deleted: C:\WINDOWS\system32\saell32.dll
deleting: C:\WINDOWS\system32\saell32.dll
Successfully Deleted: C:\WINDOWS\system32\saell32.dll
deleting: C:\WINDOWS\system32\gtu32.dll
Successfully Deleted: C:\WINDOWS\system32\gtu32.dll
deleting: C:\WINDOWS\system32\gtu32.dll
Successfully Deleted: C:\WINDOWS\system32\gtu32.dll
deleting: C:\WINDOWS\system32\brhci.dll
Successfully Deleted: C:\WINDOWS\system32\brhci.dll
deleting: C:\WINDOWS\system32\brhci.dll
Successfully Deleted: C:\WINDOWS\system32\brhci.dll
deleting: C:\WINDOWS\system32\stint78.dll
Successfully Deleted: C:\WINDOWS\system32\stint78.dll
deleting: C:\WINDOWS\system32\stint78.dll
Successfully Deleted: C:\WINDOWS\system32\stint78.dll
deleting: C:\WINDOWS\system32\ktdaze.dll
Successfully Deleted: C:\WINDOWS\system32\ktdaze.dll
deleting: C:\WINDOWS\system32\ktdaze.dll
Successfully Deleted: C:\WINDOWS\system32\ktdaze.dll
deleting: C:\WINDOWS\system32\wwidx.dll
Successfully Deleted: C:\WINDOWS\system32\wwidx.dll
deleting: C:\WINDOWS\system32\wwidx.dll
Successfully Deleted: C:\WINDOWS\system32\wwidx.dll
deleting: C:\WINDOWS\system32\sWfrcdlg.dll
Successfully Deleted: C:\WINDOWS\system32\sWfrcdlg.dll
deleting: C:\WINDOWS\system32\sWfrcdlg.dll
Successfully Deleted: C:\WINDOWS\system32\sWfrcdlg.dll
deleting: C:\WINDOWS\system32\fQultrep.dll
Successfully Deleted: C:\WINDOWS\system32\fQultrep.dll
deleting: C:\WINDOWS\system32\fQultrep.dll
Successfully Deleted: C:\WINDOWS\system32\fQultrep.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: mnltus35.dll (deflated 48%)
adding: ib50_32.dll (deflated 48%)
adding: phtorec.dll (deflated 48%)
adding: mdrdim.dll (deflated 48%)
adding: sfdoclc.dll (deflated 48%)
adding: ulbui.dll (deflated 48%)
adding: mqc71u.dll (deflated 48%)
adding: miftedit.dll (deflated 48%)
adding: mlcms.dll (deflated 48%)
adding: mrpmsp.dll (deflated 48%)
adding: kzdpl.dll (deflated 48%)
adding: sme.dll (deflated 48%)
adding: ujrcoina.dll (deflated 48%)
adding: saell32.dll (deflated 48%)
adding: gtu32.dll (deflated 48%)
adding: brhci.dll (deflated 48%)
adding: stint78.dll (deflated 48%)
adding: ktdaze.dll (deflated 48%)
adding: wwidx.dll (deflated 48%)
adding: sWfrcdlg.dll (deflated 48%)
adding: fQultrep.dll (deflated 48%)
adding: guard.tmp (deflated 48%)
adding: echo.reg (deflated 8%)
adding: clear.reg (deflated 52%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 67%)
adding: lo2.txt (deflated 87%)
adding: test2.txt (deflated 34%)
adding: test3.txt (deflated 34%)
adding: test5.txt (deflated 34%)
adding: test.txt (deflated 89%)
adding: xfind.txt (deflated 87%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/B63FCD5A-2396-11D1-B762-00A0C90646A4.reg (deflated 53%)
adding: backregs/A0761971-B6C8-4477-930F-4FFA8C494684.reg (deflated 69%)
adding: backregs/C8A67C46-2D21-4193-8582-FBACC6BBC56F.reg (deflated 70%)
adding: backregs/565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: mnltus35.dll
deleting local copy: mnltus35.dll
deleting local copy: ib50_32.dll
deleting local copy: ib50_32.dll
deleting local copy: phtorec.dll
deleting local copy: phtorec.dll
deleting local copy: mdrdim.dll
deleting local copy: mdrdim.dll
deleting local copy: sfdoclc.dll
deleting local copy: sfdoclc.dll
deleting local copy: ulbui.dll
deleting local copy: ulbui.dll
deleting local copy: mqc71u.dll
deleting local copy: mqc71u.dll
deleting local copy: miftedit.dll
deleting local copy: miftedit.dll
deleting local copy: mlcms.dll
deleting local copy: mlcms.dll
deleting local copy: mrpmsp.dll
deleting local copy: mrpmsp.dll
deleting local copy: kzdpl.dll
deleting local copy: kzdpl.dll
deleting local copy: sme.dll
deleting local copy: sme.dll
deleting local copy: ujrcoina.dll
deleting local copy: ujrcoina.dll
deleting local copy: saell32.dll
deleting local copy: saell32.dll
deleting local copy: gtu32.dll
deleting local copy: gtu32.dll
deleting local copy: brhci.dll
deleting local copy: brhci.dll
deleting local copy: stint78.dll
deleting local copy: stint78.dll
deleting local copy: ktdaze.dll
deleting local copy: ktdaze.dll
deleting local copy: wwidx.dll
deleting local copy: wwidx.dll
deleting local copy: sWfrcdlg.dll
deleting local copy: sWfrcdlg.dll
deleting local copy: fQultrep.dll
deleting local copy: fQultrep.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\mnltus35.dll
C:\WINDOWS\system32\mnltus35.dll
C:\WINDOWS\system32\ib50_32.dll
C:\WINDOWS\system32\ib50_32.dll
C:\WINDOWS\system32\phtorec.dll
C:\WINDOWS\system32\phtorec.dll
C:\WINDOWS\system32\mdrdim.dll
C:\WINDOWS\system32\mdrdim.dll
C:\WINDOWS\system32\sfdoclc.dll
C:\WINDOWS\system32\sfdoclc.dll
C:\WINDOWS\system32\ulbui.dll
C:\WINDOWS\system32\ulbui.dll
C:\WINDOWS\system32\mqc71u.dll
C:\WINDOWS\system32\mqc71u.dll
C:\WINDOWS\system32\miftedit.dll
C:\WINDOWS\system32\miftedit.dll
C:\WINDOWS\system32\mlcms.dll
C:\WINDOWS\system32\mlcms.dll
C:\WINDOWS\system32\mrpmsp.dll
C:\WINDOWS\system32\mrpmsp.dll
C:\WINDOWS\system32\kzdpl.dll
C:\WINDOWS\system32\kzdpl.dll
C:\WINDOWS\system32\sme.dll
C:\WINDOWS\system32\sme.dll
C:\WINDOWS\system32\ujrcoina.dll
C:\WINDOWS\system32\ujrcoina.dll
C:\WINDOWS\system32\saell32.dll
C:\WINDOWS\system32\saell32.dll
C:\WINDOWS\system32\gtu32.dll
C:\WINDOWS\system32\gtu32.dll
C:\WINDOWS\system32\brhci.dll
C:\WINDOWS\system32\brhci.dll
C:\WINDOWS\system32\stint78.dll
C:\WINDOWS\system32\stint78.dll
C:\WINDOWS\system32\ktdaze.dll
C:\WINDOWS\system32\ktdaze.dll
C:\WINDOWS\system32\wwidx.dll
C:\WINDOWS\system32\wwidx.dll
C:\WINDOWS\system32\sWfrcdlg.dll
C:\WINDOWS\system32\sWfrcdlg.dll
C:\WINDOWS\system32\fQultrep.dll
C:\WINDOWS\system32\fQultrep.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}"=-
"{A0761971-B6C8-4477-930F-4FFA8C494684}"=-
"{C8A67C46-2D21-4193-8582-FBACC6BBC56F}"=-
"{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}]
[-HKEY_CLASSES_ROOT\CLSID\{A0761971-B6C8-4477-930F-4FFA8C494684}]
[-HKEY_CLASSES_ROOT\CLSID\{C8A67C46-2D21-4193-8582-FBACC6BBC56F}]
[-HKEY_CLASSES_ROOT\CLSID\{565C4D28-3B4D-418D-A9CC-B5D66F7ECEDC}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


Does it look any better? I'm still getting popups and ggviewer.exe keeps trying to access the internet from my computer. Thank you for your help and patience!

#10 Guest_Cretemonster_*

Posted 07 July 2005 - 01:41 PM

Ahhhh yes.....much progress now!

Try to locate this file

C:\WINDOWS\system32\khnkrl.exe

Upload it here
http://www.bleepingcomputer.com/submit-malware.php

Leave a link to the log and put "New Qoo?" in the message box

I will try to have a look at that ugly rascal later!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Don't use it yet!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Run Cleanup and when Prompted to log off, select No!

Scan with Ewido>> Remember to Save a report when it finishes!

Scan with Ad Aware>> Remove it all and delete the Quarantine files

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Kaspersky

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates

Download the Hoster from here:
http://www.funkytoad.com/download/hoster.zip
Press "Restore Original Hosts" and press "OK"!
Exit Program!


Post back with a fresh HijackThis log and the reports from Ewido and Kaspersky!

Edited by Cretemonster, 07 July 2005 - 01:57 PM.


#11 Lori

Posted 07 July 2005 - 02:45 PM

I've not been able to locate the file you wanted to look at. I've tried the search for files feature using the full name, khnkrl.exe and truncated versions. I've also manually looked in the windows\system 32 file and the other system32 files I found with start-search. Do you have other suggestions for me as to how to find this?

Thanks!

#12 Guest_Cretemonster_*

Posted 07 July 2005 - 03:05 PM

You can post a new HijackThis log and I will look at it, but don't slow down the healing process on that file!

If the file changed names then that would explain it, they are always goobly gobbed names like that file that just don't fit!

#13 Lori

Posted 07 July 2005 - 10:30 PM

Wow, what a job! I was able to do everything but download Cleanup. I clicked on the link but didn't see where the program was. So... I had a copy of CCleaner from an earlier infestation so I used it instead. I may need to do this all again as I realized during the Ewido scan that I think I used the CCleaner on the Administrator stuff when we usually use another logon that has (I think) administrator privileges, so some temp files may not have been deleted. At any rate, I think some of the bad stuff got cleared out! Here are my logs etc.:

Logfile of HijackThis v1.99.1
Scan saved at 8:17:56 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\deskbar-0.5.95.0\ggviewer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.all-city.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.lycos.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\khnkrl.exe reg_run
O4 - HKLM\..\Run: [ppmryo] c:\windows\system32\hpmhez.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: All-City - {C7DE858A-6486-4857-A71D-B068D9C997EF} - www.all-city.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.all-city.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, July 07, 2005 20:12:45
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/07/2005
Kaspersky Anti-Virus database records: 129737
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 100564
Number of viruses found: 19
Number of infected objects: 51
Number of suspicious objects: 0
Duration of the scan process: 2452 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\ozkqcdd.dll Infected: Email-Worm.Win32.Tanatos.b.dam2
C:\WINDOWS\system32\fstqix.dll Infected: Email-Worm.Win32.Tanatos.b.dam2
C:\WINDOWS\system32\fasosoft.exe Infected: Virus.Win32.Porad.a
C:\WINDOWS\system32\flddo20.exe Infected: Virus.Win32.Porad.a
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\qwbqp.dat Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\system32\cdrcbxd.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\system32\RXBarsetupV2.dll Infected: Trojan-Dropper.Win32.Small.mh
C:\Documents and Settings\User\Local Settings\Temp\b.com Infected: Trojan-Dropper.Win32.Agent.pb
C:\Documents and Settings\User\Local Settings\Temp\Temporary Internet Files\Content.IE5\ILY5HAFN\ysb_prompt[1].html Infected: Trojan-Downloader.JS.IstBar.j
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ILK5A5CV\AppWrap[1].exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ILK5A5CV\AppWrap[2].exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ILK5A5CV\AppWrap[5].exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\70D452EC.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\16ED72BC.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\70D77CE8.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5CB550BC.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1C125EC1.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\70DA26E5.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\44700C0E.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\03310C44.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4474360A.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\48FA6A43.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\048D55EB.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\44776006.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4A4255A7.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4A457FA3.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1588590A.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49632867.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4A4829A0.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5B50370A.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5EC83911.exe Infected: Email-Worm.Win32.Tanatos.b
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\64D04C6D Infected: Email-Worm.Win32.Tanatos.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\65984D92 Infected: Email-Worm.Win32.Tanatos.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6A402A72 Infected: Email-Worm.Win32.Tanatos.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6AC663DF Infected: Trojan.Win32.StartPage.y
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6DD54080 Infected: Trojan-Clicker.Win32.Qhost.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6F050132 Infected: Backdoor.Win32.Jeemp.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\712A0ED6 Infected: Trojan-Downloader.Win32.Small.cv
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\715E2E9D Infected: Backdoor.Win32.Jeemp.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\736C165A Infected: Email-Worm.Win32.Tanatos.b
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP40\A0007384.exe Infected: Trojan-Downloader.Win32.Apropo.ae
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007751.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007752.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007753.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007754.dll Infected: Trojan-Downloader.Win32.Qoologic.s
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007755.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007756.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007763.exe Infected: Trojan-Downloader.Win32.Qoologic.u

Scan process completed.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:55:22 PM, 7/7/2005
+ Report-Checksum: C1C750F5

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000} -> Spyware.URLBlaze : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D941BEA3-81E9-4033-8822-A733E2A91698} -> Spyware.GigaSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EADD3112-0CF8-444b-AC0F-EBA38E004554} -> Spyware.Gigasearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF} -> Spyware.eXact : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CurVer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Dvx -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{978C4EC7-60D1-4005-8CE0-D6A7169E36EA} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\Windows ServeAd -> Spyware.BlazeFind : Cleaned with backup
C:\WINDOWS\system32\hpmhez.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\enoeryn.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\WINDOWS\system32\khnkrl.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\riqru.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\WINDOWS\system32\246765-ventura-hot.exe -> Spyware.HotSearchBar.e : Cleaned with backup
C:\WINDOWS\system32\bs51-eginwl51-vb.exe -> Spyware.BookedSpace.e : Cleaned with backup
C:\WINDOWS\ahmffawm.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\grknpb.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\mkyiydpygh.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\drpd.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\Cookies\user@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\HQV\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\NQP\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\GGT\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\PPY\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\IUC\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\VEY\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\C7.tmp\thnall1a.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\EJL\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\DHD\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\170.tmp\thnall1a.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\171.tmp\thnall1ac.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\C4.tmp\thnall1a.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Local Settings\Temp\C5.tmp\thnall1ac.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/mnltus35.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/ib50_32.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/phtorec.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/mdrdim.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/sfdoclc.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/ulbui.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/mqc71u.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/miftedit.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/mlcms.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/mrpmsp.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/kzdpl.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/sme.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/ujrcoina.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/saell32.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/gtu32.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/brhci.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/stint78.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/ktdaze.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/wwidx.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/sWfrcdlg.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/fQultrep.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@counter2.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@mv.valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@counter9.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@valueclick[3].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP39\A0007346.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP39\A0007357.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP39\A0007372.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP40\A0007377.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP40\A0007390.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP40\A0007404.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP40\A0007413.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP41\A0007415.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP41\A0007418.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP41\A0007429.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007441.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007459.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007462.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007471.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007482.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007498.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007509.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007516.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007526.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP42\A0007534.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP43\A0007537.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP43\A0007547.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP43\A0007560.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP43\A0007562.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP43\A0007571.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP44\A0007587.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP44\A0007593.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP44\A0007608.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP44\A0007624.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP44\A0007634.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP44\A0007641.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP44\A0007649.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP44\A0007660.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007664.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007674.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007693.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007708.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007710.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007711.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007712.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007713.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007714.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007715.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007716.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007717.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007718.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007719.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007720.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007721.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007722.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007723.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007724.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007725.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007726.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007727.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007728.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007729.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007740.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

Thank you so much for your patience and help!

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 08 July 2005 - 05:39 AM

OK, we still got some bugs left in there, gonna need to see a couple of different Scans!

First let's do the best we can to get those Temp Files cleaned up!

Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files (Check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup (Make sure that all boxes are checked for cleaning!!)

Download, Install and Run CleanUp! 4.0:
http://cleanup.stevengould.org/

When it prompts you to log off, Click NO!

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Download Pfind:
http://www.bleepingcomputer.com/files/grinler/pfind-new.zip

Right Click the Zip Folder and Select "Extract All"
So make sure all those files remain in the same folder.

Don't use it yet!

I am attaching a Zip folder to this post>> Download and Right Click the Zip folder and Select "Extract All"

Double Click on "Track qoo.vbs"

If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do

Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy&Paste those results in the next post!

Restart in Safe Mode

Once in Safe Mode, Locate and Delete this file

C:\WINDOWS\cfgmgr52.dll<< File Only!


Doubleclick pfind.bat

It will scan for a while, so please be patient.

Wait till the DOS window closes.

Open HijackThis and put a check by these

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun

O4 - HKLM\..\Run: [ppmryo] c:\windows\system32\hpmhez.exe r

O14 - IERESET.INF: START_PAGE_URL=http://www.all-city.com

O15 - Trusted Zone: *.msn.com

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx

Make Sure All Windows and Browsers are Closed and Click "Fix Checked"

Don't Close out HijackThis just yet!

Open the Task Manager and Click on Processes>> See if this Process exists

hpmhez.exe

If you see that in processes, leave the Task Manager Open, if not, Close Out the Task Manager

In HijackThis>> Click Config>> Click Misc Tools>> Click Delete a File On Reboot

When the small Explorer Window Pops up>> Follow this Path and locate this file

C:\WINDOWS\System32\hpmhez.exe<< Double Click on that File!

When the Window Pops Up to Confirm Deletion Click "Yes"

Here is the Trick, if you saw that file in Processes, you need to Right Click the File and Select End Process and Immediately go to the Confirmation Message in HijackThis and Click Yes to Reboot!

It will Restart Windows, Restart in Normal Mode!

Post the Results of C:\pfind.txt>> Log from Track Qoo and a fresh HijackThis log!

If any of these Instructions don't make sense to you, feel free to Private Message Me!

Attached Files
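A small triage script for the scan reports in this thread, added here as an example (it is not a tool from this thread, from the helper, or from BleepingComputer): it parses the Kaspersky and ewido report lines and the HijackThis O2/O4 entries shown above, separates inert copies (Norton quarantine, System Restore points, l2mfix's backup.zip) from files still live on disk, and correlates the BookedSpace BHO CLSID and the hpmhez.exe Run entry with the scanner findings, which is the reasoning behind the "Fix Checked" list above. The sample lines are copied from the logs in this thread, except one benign O4 entry for ccApp.exe that is constructed.

```python
r"""Triage helper for the scan reports posted in this thread (added example).

It understands three line formats that appear in the logs above:
  Kaspersky : <object> Infected: <detection>
  ewido     : <object or registry key> -> <detection> : <status>
  HijackThis: O2 - BHO: <name> - {CLSID} - <dll>   and   O4 - HKLM\..\Run: [name] <command>
Hits inside an AV quarantine, a System Restore point or a fix tool's backup.zip
are inert copies; hits in the Windows, system32 or Temp folders are still live.
"""
import re
from collections import defaultdict

KAV_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")
EWIDO_RE = re.compile(r"^(?P<obj>.+?) -> (?P<name>[^:]+?) : (?P<status>.+)$")
HJT_O2_RE = re.compile(r"^O2 - BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
HJT_O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Location markers (lower-cased) that mean "a stored copy, not a running component".
INERT_MARKERS = ("\\quarantine\\", "\\system volume information\\", "backup.zip/")


def classify_location(obj):
    """Return 'registry' for a registry key, 'inert' for a quarantined/backup copy,
    or 'active' for any other on-disk object."""
    low = obj.lower()
    if low.startswith(("hklm\\", "hkcu\\", "hkey_")):
        return "registry"
    if any(marker in low for marker in INERT_MARKERS):
        return "inert"
    return "active"


def parse_report(lines):
    """Yield (object, detection, status, location) for each recognised report line;
    headers, blank lines and summary lines are skipped."""
    for raw in lines:
        line = raw.strip()
        m = EWIDO_RE.match(line)
        if m:
            yield (m["obj"], m["name"].strip(), m["status"].strip(), classify_location(m["obj"]))
            continue
        m = KAV_RE.match(line)
        if m:
            yield (m["obj"], m["name"], "detected", classify_location(m["obj"]))


def summarize(findings):
    """Count findings per location bucket and list objects the scanner failed to clean."""
    counts = defaultdict(int)
    errors = []
    for obj, _name, status, location in findings:
        counts[location] += 1
        if status.lower().startswith("error"):
            errors.append(obj)
    return dict(counts), errors


def correlate_hijackthis(hjt_lines, findings):
    """Return HijackThis O2/O4 entries that point at something the scanners flagged:
    a BHO whose CLSID was hit in the registry (or whose DLL was hit on disk), and
    Run entries whose command line names a flagged file or a flagged BHO's DLL."""
    seen_paths = {obj.lower() for obj, _, _, loc in findings if loc != "registry"}
    seen_clsids = {c.upper() for obj, _, _, loc in findings if loc == "registry"
                   for c in CLSID_RE.findall(obj)}
    matched = []
    for line in hjt_lines:  # BHOs first, so their DLLs become known-bad paths
        m = HJT_O2_RE.match(line)
        if m and (m["clsid"].upper() in seen_clsids or m["path"].lower() in seen_paths):
            matched.append(line)
            seen_paths.add(m["path"].lower())
    for line in hjt_lines:
        m = HJT_O4_RE.match(line)
        if m and any(path in m["cmd"].lower() for path in seen_paths):
            matched.append(line)
    return matched


# Sample lines copied from the Kaspersky, ewido and HijackThis logs in this thread.
SAMPLE_REPORT = [
    r"C:\WINDOWS\system32\ozkqcdd.dll Infected: Email-Worm.Win32.Tanatos.b.dam2",
    r"C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b",
    r"C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\70D452EC.exe Infected: Email-Worm.Win32.Tanatos.b",
    r"C:\System Volume Information\_restore{C1010EF8-2E36-44BA-92DF-86CF74FDF9CB}\RP45\A0007755.exe Infected: Trojan-Downloader.Win32.Qoologic.u",
    "Scan process completed.",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup",
    r"C:\WINDOWS\system32\hpmhez.exe -> Adware.BetterInternet : Cleaned with backup",
    r"C:\Documents and Settings\User\Desktop\l2mfix\backup.zip/mnltus35.dll -> Spyware.Look2Me : Error during cleaning",
]
HJT_SAMPLE = [
    r"O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll",
    r"O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun",
    r"O4 - HKLM\..\Run: [ppmryo] c:\windows\system32\hpmhez.exe r",
    # Constructed benign entry (Symantec's tray app) to show non-flagged lines are left alone.
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
]

if __name__ == "__main__":
    found = list(parse_report(SAMPLE_REPORT))
    counts, errors = summarize(found)
    print("findings per location:", counts)  # {'active': 3, 'inert': 3, 'registry': 1}
    print("not cleaned:", errors)
    for entry in correlate_hijackthis(HJT_SAMPLE, found):
        print("fix in HijackThis:", entry)
```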



#15 Lori

Lori
  • Topic Starter

  • Members
  • 16 posts

Posted 08 July 2005 - 08:30 PM

I followed your instructions with no problem (I think!) with these exceptions: the hpmhez.exe process was not running when I looked for it, and I did not find it in the windows\system32 folder to delete on reboot. Here are the various logs:

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder

C:\Program Files\HijackThis.exe: UPX!
C:\Program Files\GoogleToolbarInstaller.exe: PEC2
C:\Program Files\GoogleToolbarInstaller.exe: PECompact2


Checking the C:\WINDOWS folder

C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\amhaj.dll: excl_urls=
blocs.com,adsvr.adknowledge.com,adsv2.delfinproject.com,adserver.sharewareonline.com,adserv1.gruvmedia.com,adserv.internetfuel.com,adserv.680130.net,ads345.com,ads234.com,ads2.revenue.net,ads1.revenue.net,ads.zone-media.com,ads.us.e-planning.net,ads.surfsidekick.com,ads.shizmoo.com,ads.revsci.net,ads.pointroll.com,ads.mydailyhoroscope.net,ads.inet1.com,ads.flashtrack.net,ads.exitexchange.com,ads.delfinproject.com,ads.clickagents.com,ads.centralmedia.ws,ads.bidclix.com,ads.addynamix.com,adopt.specificclick.net,adopt.hbmediapro.com,adlog2.lzio.com,adfarm.mediaplex.com,adacuity.com,ad.yieldmanager.com,ad.trafficmp.com,ad.reunion.com,ad.linksynergy.com,ad.firstadsolution.com,ad.doubleclick.net,ad.admarketplace.net,ad.adlegend.com,ad-w-a-r-e.com,actualdeals.com,aaabesthomepage.com,a425.v8384d.c8384.g.vm.akamais,a420.v8383d.c8383.g.vm.akamais,a248.e.akamai.net,a1.yimg.com,a1.interclick.com,a.xanga.com,a.websponsors.com,a.tribalfusion.com,a.as-us.falkag.net,99search.com,680130.net,404.grandstreetinteractive.com,3.adbrite.com,103092804.com,0dp.com,www2.click2begin.com,www2.paypopup.com,www2.popupsearches.com,www3.bigtrafficnetwork.com,www3.click2begin.com,www3.paypopup.com,www3.popupsearches.com,www4.bigtrafficnetwork.com,www4.click2begin.com,www4.paypopup.com,www4.yesadvertising.com,www5.bigtrafficnetwork.com,www5.click2begin.com,www5.paypopup.com,www6.bigtrafficnetwork.com,www6.click2begin.com,www6.paypopup.com,www7.bigtrafficnetwork.com,www7.click2begin.com,www7.paypopup.com,www8.bigtrafficnetwork.com,www8.click2begin.com,www8.paypopup.com,www9.bigtrafficnetwork.com,www9.click2begin.com,www9.paypopup.com,xadso.offeroptimizer.com,xadsq.offeroptimizer.com,xanga.com,xbloom.com,xlime.offeroptimizer.com,yahoo.com,yazifind.com,yimg.com,yourfreedvds.com,z1.adserver.com,zone.msn.com,qwickclick.com,qwickable.com,www4.popupsearches.com,www5.popupsearches.com,www6.popupsearches.com,www7.popupsearches.com,www8.popupsearches.com,www9.popupsearches.com,www10.popupsearches.com,www11.po
pupsearches.com,www12.popupsearches.com,xads.offeroptimizer.com,xadsj.offeroptimizer.com,offeroptimizer.com,adshttp.com,dnaads.com,httpwwwads.com,ads.com,www.ads.com,inqwire.com,defb.mspaceads.com,content.yieldmanager.com,yieldmanager.com,newsh.com,69.28.210.251,bigtrafficnetswork.com,www1.bigtrafficnetswork.com,www2.bigtrafficnetswork.com,www3.bigtrafficnetswork.com,www4.bigtrafficnetswork.com,www5.bigtrafficnetswork.com,www6.bigtrafficnetswork.com,www7.bigtrafficnetswork.com,www8.bigtrafficnetswork.com,www9.bigtrafficnetswork.com,www10.bigtrafficnetswork.com,l00000.myspace.com,cgi.ebay.com,shopathomeselect.com,budsinc.com,ads.trekdata.com,img.mediaplex.com,screensavers.com,pbid.pro-market.net,pro-market.net,clicknchoose.com,code.inqwire.com,ww.smableeps.com,wwW.smableeps.com,smableeps.com,venus123.com,editprofile.myspace.com,comments.myspace.com,profile.myspace.com,cb1.msn.com,go.sidebysidesearch.com,sidebysidesearch.com,ehg-communityconnect.hitbox.co,ami.pointroll.com,install.spywarelabs.com,crtv.mate1.com,consumeralertsystem.com,m.2mdn.net,mynetprotector.com,espn.go.com,art.ath.belnk.com,login.passport.com,smableepsusa.com,results.cafefind.net,ehg-shopathome.hitbox.com,linkpositions.com,oascentral.artistdirect.com,oascentral.videodome.com,buycheapadvertising.com,hotdeals.intelenetwireless.com,wildwabbit.com,psc.disney.go.com,ads.realcastmedia.com,launch.adserver.yahoo.com,premiumnetworkrocks.valuead.co,boomspeed.com,pacimedia.com,apsc.disney.go.com,adserver.yahoo.com,pics.ebaystatic.com,thefacebook.com,cdn-startpage.aol.com,partypoker.touchclarity.com,pop.modserv.net,c.qckjmp.com,lovehappens.com,adoutput.com,users.perfhost.com,cnn.dyn.cnn.com,dealsonrealty.com,redir.windowsmedia.com,ww.smableeps.com,music.myspace.com,ads.web.aol.com,runonce.msn.com,log.go.com,newoffer.myfreegiftcards.net,lcplaylist.launch.yahoo.com,beefycomputer.com,mailcenter.comcast.net,ads.realtechnetwork.net,avbj.info,video.rednova.com,certified-safe-downloads.com,as.starware.com,web.checkm8
.com,gdx.mlb.com,partypoker.touchclarity.com,xquizit.xangans.com,trackhits.cc,benews.net,server1.103092804.com,server2.103092804.com,server3.103092804.com,server4.103092804.com,server5.103092804.com,server6.103092804.com,server7.103092804.com,server8.103092804.com,server9.103092804.com,server10.103092804.com,tooltips.hotbar.com,ak.imgfarm.com,sidefind.com,srs.targetpoint.com,upload.myspace.com,us.update2.toolbar.yahoo.com,fad-1108.nyc1.targetnet.com,pbid.zenotecnico.com,lc2.bay0.hotmail.passport.com,speed.pointroll.com,64.62.232.32,fad-1107.nyc1.targetnet.com,popunder.paypopup.com,ads.web.aol.com,security-updater.com,cdn.gms1.net,webcrawl.net,fad-1109.nyc1.targetnet.com
C:\WINDOWS\mynewimurl.exe: UPX!
C:\WINDOWS\abiuninst.htm: <!-- saved from url=(0041)http://www.abetterinternet.com/solsssidpeer/ -->
C:\WINDOWS\abiuninst.htm: <td valign=bottom><a href="http://www.abetterinternet.com" class="noa"><span class="abi">ABI Network</span></a></td>
C:\WINDOWS\abiuninst.htm: <a href="http://www.abetterinternet.com/policies.htm" target=_blank>EULA</a>


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\70tovmto.ini: [SAHAgent]
C:\WINDOWS\SYSTEM32\70tovmto.ini: SAHAgent=ap9h4qmo.exe
C:\WINDOWS\SYSTEM32\qwbqp.dat: .aspack
C:\WINDOWS\SYSTEM32\cdrcbxd.exe: .aspack
C:\WINDOWS\SYSTEM32\RXBarsetupV2.dll: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: FSG!u1
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\User\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\User\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Fri Jul 8 2005 5:48:10p A.S.. 2,048 2.00 K

C:\WINDOWS\INF\
oem18.inf Sun Jun 26 2005 9:55:40a ...H. 0 0.00 K

C:\WINDOWS\TASKS\
sa.dat Fri Jul 8 2005 5:47:26p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
system.log Fri Jul 8 2005 5:47:34p A..H. 1,130,496 1.08 M
software.log Fri Jul 8 2005 5:47:34p A..H. 98,304 96.00 K
default.log Fri Jul 8 2005 5:47:34p A..H. 8,192 8.00 K
sam.log Fri Jul 8 2005 5:48:54p A..H. 1,024 1.00 K
security.log Fri Jul 8 2005 5:48:12p A..H. 16,384 16.00 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Fri Jun 17 2005 11:04:08p A..H. 1,024 1.00 K

C:\WINDOWS\SYSTEM32\CATROOT\{F750E~1\
kb896428.cat Tue May 10 2005 7:52:26p ..S.. 10,786 10.53 K
kb893066.cat Wed May 25 2005 2:39:08p ..S.. 10,786 10.53 K
kb890046.cat Tue May 17 2005 11:23:22a ..S.. 11,845 11.57 K
kb896358.cat Thu May 26 2005 7:22:40p ..S.. 15,022 14.67 K
kb896422.cat Tue May 10 2005 10:34:26a ..S.. 10,786 10.53 K
oem18.cat Thu May 26 2005 4:27:36a ..S.. 13,511 13.19 K
kb898461.cat Tue May 17 2005 12:16:24p ..S.. 9,735 9.50 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
prefer~1 Fri Jun 24 2005 1:53:48a A.SH. 24 0.02 K
c3638f~1 Fri Jun 24 2005 1:53:48a A.SH. 388 0.38 K

18 items found: 18 files, 0 directories.
Total of file sizes: 1,340,361 bytes 1.28 M
_________________________________________________

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"HP Lamp"="C:\\SCANJET\\PrecisionScanPro\\HPLamp.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"kmw_run.exe"="kmw_run.exe"
"MSWheel"=""
"mmtask"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"cfgmgr52"="RunDLL32.EXE C:\\WINDOWS\\cfgmgr52.dll,DllRun"
"KavSvc"="C:\\WINDOWS\\system32\\khnkrl.exe reg_run"
"ppmryo"="c:\\windows\\system32\\hpmhez.exe r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll

Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- gmtgfsmk
{3ebcda29-c887-48e6-b1fd-08063e388e3c}
C:\WINDOWS\system32\riqru.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
Adobe Gamma Loader.exe.lnk
Corel MEDIA FOLDERS INDEXER 8.LNK
Adobe Gamma Loader.lnk
Microsoft Office.lnk
Acrobat Assistant.lnk
==============================
C:\Documents and Settings\User\Start Menu\Programs\Startup

desktop.ini
Adobe Gamma Loader.exe.lnk
Corel MEDIA FOLDERS INDEXER 8.LNK
Adobe Gamma Loader.lnk
Microsoft Office.lnk
Acrobat Assistant.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


QuickTime.cpl Apple Computer, Inc.
appwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
access.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
camcpl.cpl FotoNation inc.
wscui.cpl Microsoft Corporation
scmgrcpl.cpl Caere Corporation
firewall.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
QTW32.CPL Apple Computer, Inc.
__________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 6:20:11 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\deskbar-0.5.95.0\ggviewer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.lycos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.all-city.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.lycos.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\khnkrl.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: All-City - {C7DE858A-6486-4857-A71D-B068D9C997EF} - www.all-city.com (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here's hoping for some improvements!



