
Please review my log file


  • This topic is locked
26 replies to this topic

#1 zonker20122

zonker20122

  • Members
  • 15 posts
  • Local time:08:13 PM

Posted 27 September 2005 - 06:30 PM

Hi,

I run Spybot and Ad-Aware SE once per week. I can barely get this message typed without getting hijacked!! Please help!! Thanks!!!!!

Computer: Dell Dimension 4550
Operating System: Windows XP
Browser: Firefox 1.0.7.
Firewall: ZoneAlarm version:6.0.667.000
Virus Protect: Norton
Anti-Spyware: Microsoft Anti Spyware/Spybot Search & Destroy/Ad-Aware SE


Logfile of HijackThis v1.99.1
Scan saved at 6:34:29 PM, on 9/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\SCOTTR~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Scott Rahn"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {95AAC5DC-AF1F-418B-BA0D-ED523E6B69D3} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {96721B58-8AFE-469D-AF67-6DB7C40666E6} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {C48AB761-5F59-4B0C-8355-61F0DA3913AE} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...?rand=200341122
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.39.14.242/activex/AxisCamControl.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\f40oled31h0.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:13 PM

Posted 30 September 2005 - 02:49 PM

Hello zonker20122 and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Important
Your copy of HijackThis needs to be in a folder of its own. If it is run from Temporary folders the backups and HijackThis itself could be accidentally deleted if the Temporary folders are cleaned. If it is run from the desktop then the backup files and folders can clutter up the desktop and be accidentally deleted. If it is run from inside a compressed file then the backups are not created at all.
  • Please open My Computer
  • Double-click on Local Disk (C:)
  • Click on the File menu, point to New and then click on Folder. Name the folder 'HijackThis' or 'HJT'.
  • Unzip to or copy and paste HijackThis.exe to the new folder (do not run HijackThis directly out of the sfx or compressed file).
Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\f40oled31h0.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\Program Files\rdso\ <--folder
C:\WINDOWS\system32\f40oled31h0.dll

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
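The selection OldTimer made above (the about:blank search settings, the O20 Winlogon Notify DLL with a random-looking name, the O9 button with no backing file) can be reproduced with a small parser, which also makes it easy to diff the O20 entries of two logs and spot a DLL that comes back under a new name. The following is an added example written for this thread, not HijackThis code and not the forum's own tooling: the heuristics, the `looks_random`, `triage` and `compare_notify` helpers and their thresholds are the editor's assumptions, and the sample lines are copied from the two logs posted in this topic.

```python
"""Triage helpers for HijackThis v1.99 log lines (added example, not HijackThis code).

The heuristics are the editor's own, modelled on the entries OldTimer picked
out above; sample lines are copied from the two logs posted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample excerpt of the first log posted above (27 September 2005).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\f40oled31h0.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# Sample excerpt of the second log posted above (5 October 2005, after the fix).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\fp6o03j3e.dll
"""


@dataclass
class Entry:
    section: str   # "R1", "O4", "O20", ...
    body: str      # everything after "O4 - "
    path: str = "" # first Windows path named on the line, if any

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def stem(self) -> str:
        return self.filename.rsplit(".", 1)[0]


LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Drive letter, then the shortest run up to a known extension (quotes excluded).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|cab|inf))', re.IGNORECASE)


def parse(log: str) -> list[Entry]:
    """Turn the R/F/O lines of a HijackThis log into Entry records."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header, process list and blank lines are skipped
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append(Entry(section, body, pm.group(1) if pm else ""))
    return entries


def looks_random(stem: str, min_switches: int = 3) -> bool:
    """Editor's heuristic: a stem that flips between letters and digits often,
    e.g. 'f40oled31h0' (5 switches), but not 'hphmon05' (1 switch)."""
    kinds = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    switches = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return switches >= min_switches


def triage(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Return (reason, entry) pairs for the lines worth a closer look."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1") and e.body.rstrip().endswith("about:blank"):
            findings.append(("search/start settings reset to about:blank", e))
        elif e.section == "O20" and "Winlogon Notify" in e.body:
            reason = ("Winlogon Notify DLL with random-looking name" if looks_random(e.stem)
                      else "Winlogon Notify package (verify the DLL)")
            findings.append((reason, e))
        elif e.section == "O9" and "(no file)" in e.body:
            findings.append(("IE toolbar button with no backing file", e))
        elif e.section in ("O4", "O23") and looks_random(e.stem):
            findings.append(("autostart with random-looking file name", e))
    return findings


def compare_notify(before: str, after: str) -> dict[str, list[str]]:
    """Diff the O20 Winlogon Notify DLLs of two logs. A DLL that was fixed but
    returns under a new random name is the sign of a self-reinstalling infection,
    which is what the second log in this thread shows."""
    def notify_dlls(log: str) -> set[str]:
        return {e.filename for e in parse(log)
                if e.section == "O20" and "Winlogon Notify" in e.body}
    b, a = notify_dlls(before), notify_dlls(after)
    return {"removed": sorted(b - a), "new": sorted(a - b), "unchanged": sorted(a & b)}


if __name__ == "__main__":
    for reason, e in triage(parse(LOG_BEFORE)):
        print(f"[{e.section}] {reason}: {e.body}")
    print(compare_notify(LOG_BEFORE, LOG_AFTER))
```

Running the script against the full logs instead of the excerpts gives the same O20 result: `f40oled31h0.dll` disappears and `fp6o03j3e.dll` takes its place, which is the detail that tells a reviewer the fix was undone by a component that was still running. The letter/digit heuristic is deliberately loose; it is a prompt to look at a file, not a verdict, and a reviewer would still check the O4 entry from the `rdso` folder by hand since its short names pass the heuristic.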


#3 zonker20122

zonker20122
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:13 PM

Posted 02 October 2005 - 05:29 PM

Thanks Oldtimer!! I'll get right on it.

Z

#4 zonker20122

zonker20122
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:13 PM

Posted 05 October 2005 - 06:37 PM

Okay Oldtimer, I followed your instructions and here is the new log file. I just completed the task and this is the first time I have accessed the internet...so far in the 5 minutes I have been on line, no hijacking has occurred.....knock on wood.

Please let me know if I need to do anything else. Thank you very, very much for your help.


Logfile of HijackThis v1.99.1
Scan saved at 7:29:18 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Scott Rahn"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {95AAC5DC-AF1F-418B-BA0D-ED523E6B69D3} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {96721B58-8AFE-469D-AF67-6DB7C40666E6} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {C48AB761-5F59-4B0C-8355-61F0DA3913AE} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...?rand=200341122
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.39.14.242/activex/AxisCamControl.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\fp6o03j3e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:13 PM

Posted 06 October 2005 - 06:23 AM

Hi zonker20122. It appears that the infection is still present. Let's try a different scanner and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#6 zonker20122

zonker20122
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:13 PM

Posted 06 October 2005 - 05:58 PM

Thanks OT.....here are the new logs.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 10/4/2005 12:08:30 PM 24816 C:\WINDOWS\icont.exe
qoologic 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
urllogic 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
abetterinternet.com 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
PECompact2 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
qoologic 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
SAHAgent 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
qoologic 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
SAHAgent 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 5/11/2005 10:33:30 PM 35 C:\WINDOWS\SYSTEM32\26hs39r8.ini
SAHAgent 6/24/2005 10:18:16 PM 35 C:\WINDOWS\SYSTEM32\7r3h3adg.ini
WinShutDown 9/20/2005 8:03:54 PM R S 234793 C:\WINDOWS\SYSTEM32\ALHPRXY.DLL
ad-w-a-r-e.com 9/20/2005 8:03:54 PM R S 234793 C:\WINDOWS\SYSTEM32\ALHPRXY.DLL
WinShutDown 7/21/2005 6:11:58 PM R S 234272 C:\WINDOWS\SYSTEM32\aza6li1s18.dll
ad-w-a-r-e.com 7/21/2005 6:11:58 PM R S 234272 C:\WINDOWS\SYSTEM32\aza6li1s18.dll
WinShutDown 7/21/2005 7:14:22 PM R S 233248 C:\WINDOWS\SYSTEM32\ckbcatq.dll
ad-w-a-r-e.com 7/21/2005 7:14:22 PM R S 233248 C:\WINDOWS\SYSTEM32\ckbcatq.dll
WinShutDown 8/1/2005 5:39:24 PM R S 233248 C:\WINDOWS\SYSTEM32\CNL3D32.DLL
ad-w-a-r-e.com 8/1/2005 5:39:24 PM R S 233248 C:\WINDOWS\SYSTEM32\CNL3D32.DLL
WinShutDown 8/17/2005 5:45:58 PM R S 233305 C:\WINDOWS\SYSTEM32\cycdll.dll
ad-w-a-r-e.com 8/17/2005 5:45:58 PM R S 233305 C:\WINDOWS\SYSTEM32\cycdll.dll
WinShutDown 7/17/2005 9:58:24 AM R S 236025 C:\WINDOWS\SYSTEM32\dCtaclen.dll
ad-w-a-r-e.com 7/17/2005 9:58:24 AM R S 236025 C:\WINDOWS\SYSTEM32\dCtaclen.dll
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
WinShutDown 9/18/2005 9:06:24 PM R S 234793 C:\WINDOWS\SYSTEM32\dnn8015ue.dll
ad-w-a-r-e.com 9/18/2005 9:06:24 PM R S 234793 C:\WINDOWS\SYSTEM32\dnn8015ue.dll
WinShutDown 8/28/2005 3:54:48 PM R S 233305 C:\WINDOWS\SYSTEM32\dpvmgr.dll
ad-w-a-r-e.com 8/28/2005 3:54:48 PM R S 233305 C:\WINDOWS\SYSTEM32\dpvmgr.dll
WinShutDown 7/23/2005 9:45:32 AM R S 234272 C:\WINDOWS\SYSTEM32\ejs.dll
ad-w-a-r-e.com 7/23/2005 9:45:32 AM R S 234272 C:\WINDOWS\SYSTEM32\ejs.dll
WinShutDown 8/5/2005 7:52:14 PM R S 233305 C:\WINDOWS\SYSTEM32\fpno0353e.dll
ad-w-a-r-e.com 8/5/2005 7:52:14 PM R S 233305 C:\WINDOWS\SYSTEM32\fpno0353e.dll
WinShutDown 9/17/2005 10:49:12 PM R S 234793 C:\WINDOWS\SYSTEM32\g8040idqe80e0.dll
ad-w-a-r-e.com 9/17/2005 10:49:12 PM R S 234793 C:\WINDOWS\SYSTEM32\g8040idqe80e0.dll
WinShutDown 8/13/2005 8:46:02 AM R S 233377 C:\WINDOWS\SYSTEM32\gei32.dll
ad-w-a-r-e.com 8/13/2005 8:46:02 AM R S 233377 C:\WINDOWS\SYSTEM32\gei32.dll
SAHAgent 6/1/2005 5:32:28 PM 3468 C:\WINDOWS\SYSTEM32\ghck3gel.ini
WinShutDown 8/29/2005 6:07:44 PM R S 233305 C:\WINDOWS\SYSTEM32\gpj0l31m1.dll
ad-w-a-r-e.com 8/29/2005 6:07:44 PM R S 233305 C:\WINDOWS\SYSTEM32\gpj0l31m1.dll
SAHAgent 5/11/2005 10:33:30 PM 35 C:\WINDOWS\SYSTEM32\h0bk8ji3.ini
WinShutDown 8/4/2005 11:31:24 AM R S 233305 C:\WINDOWS\SYSTEM32\hjzcoi09(4).dll
ad-w-a-r-e.com 8/4/2005 11:31:24 AM R S 233305 C:\WINDOWS\SYSTEM32\hjzcoi09(4).dll
WinShutDown 9/16/2005 10:47:56 AM R S 234793 C:\WINDOWS\SYSTEM32\hrl0053me.dll
ad-w-a-r-e.com 9/16/2005 10:47:56 AM R S 234793 C:\WINDOWS\SYSTEM32\hrl0053me.dll
WinShutDown 7/22/2005 11:14:22 PM R S 233248 C:\WINDOWS\SYSTEM32\i4jq0e15eh.dll
ad-w-a-r-e.com 7/22/2005 11:14:22 PM R S 233248 C:\WINDOWS\SYSTEM32\i4jq0e15eh.dll
WinShutDown 7/21/2005 8:18:52 PM R S 233248 C:\WINDOWS\SYSTEM32\IEXRIP.DLL
ad-w-a-r-e.com 7/21/2005 8:18:52 PM R S 233248 C:\WINDOWS\SYSTEM32\IEXRIP.DLL
WinShutDown 8/26/2005 10:46:10 PM R S 233305 C:\WINDOWS\SYSTEM32\IFSHLPR.DLL
ad-w-a-r-e.com 8/26/2005 10:46:10 PM R S 233305 C:\WINDOWS\SYSTEM32\IFSHLPR.DLL
WinShutDown 8/29/2005 8:39:34 AM R S 233305 C:\WINDOWS\SYSTEM32\imnathlp.dll
ad-w-a-r-e.com 8/29/2005 8:39:34 AM R S 233305 C:\WINDOWS\SYSTEM32\imnathlp.dll
WinShutDown 8/5/2005 5:55:56 PM R S 233305 C:\WINDOWS\SYSTEM32\JLSD400.DLL
ad-w-a-r-e.com 8/5/2005 5:55:56 PM R S 233305 C:\WINDOWS\SYSTEM32\JLSD400.DLL
WinShutDown 8/18/2005 11:35:00 PM R S 233305 C:\WINDOWS\SYSTEM32\k080lalm1dqa.dll
ad-w-a-r-e.com 8/18/2005 11:35:00 PM R S 233305 C:\WINDOWS\SYSTEM32\k080lalm1dqa.dll
WinShutDown 9/19/2005 9:35:48 PM R S 234793 C:\WINDOWS\SYSTEM32\k4pmle711h.dll
ad-w-a-r-e.com 9/19/2005 9:35:48 PM R S 234793 C:\WINDOWS\SYSTEM32\k4pmle711h.dll
WinShutDown 8/17/2005 5:45:58 PM R S 234571 C:\WINDOWS\SYSTEM32\k662lgjo16oc.dll
ad-w-a-r-e.com 8/17/2005 5:45:58 PM R S 234571 C:\WINDOWS\SYSTEM32\k662lgjo16oc.dll
SAHAgent 6/24/2005 10:18:16 PM 35 C:\WINDOWS\SYSTEM32\krf4240k.ini
WinShutDown 3/14/2005 3:05:38 PM R S 234482 C:\WINDOWS\SYSTEM32\l08m0al1edq.dll
ad-w-a-r-e.com 3/14/2005 3:05:38 PM R S 234482 C:\WINDOWS\SYSTEM32\l08m0al1edq.dll
WinShutDown 7/22/2005 6:06:20 PM R S 233248 C:\WINDOWS\SYSTEM32\labmp12n.dll
ad-w-a-r-e.com 7/22/2005 6:06:20 PM R S 233248 C:\WINDOWS\SYSTEM32\labmp12n.dll
WinShutDown 9/13/2005 5:23:44 PM R S 234793 C:\WINDOWS\SYSTEM32\lP8m0al1edq.dll
ad-w-a-r-e.com 9/13/2005 5:23:44 PM R S 234793 C:\WINDOWS\SYSTEM32\lP8m0al1edq.dll
WinShutDown 8/24/2005 9:17:40 AM R S 234219 C:\WINDOWS\SYSTEM32\lv2u09f9e.dll
ad-w-a-r-e.com 8/24/2005 9:17:40 AM R S 234219 C:\WINDOWS\SYSTEM32\lv2u09f9e.dll
WinShutDown 8/3/2005 5:28:54 PM R S 233305 C:\WINDOWS\SYSTEM32\Lxvec12n.dll
ad-w-a-r-e.com 8/3/2005 5:28:54 PM R S 233305 C:\WINDOWS\SYSTEM32\Lxvec12n.dll
WinShutDown 8/11/2005 7:51:44 AM R S 233377 C:\WINDOWS\SYSTEM32\MAD32.DLL
ad-w-a-r-e.com 8/11/2005 7:51:44 AM R S 233377 C:\WINDOWS\SYSTEM32\MAD32.DLL
WinShutDown 8/13/2005 2:50:44 PM R S 233305 C:\WINDOWS\SYSTEM32\mdtext35.dll
ad-w-a-r-e.com 8/13/2005 2:50:44 PM R S 233305 C:\WINDOWS\SYSTEM32\mdtext35.dll
WinShutDown 8/28/2005 7:29:06 AM R S 233305 C:\WINDOWS\SYSTEM32\MKXML4a.dll
ad-w-a-r-e.com 8/28/2005 7:29:06 AM R S 233305 C:\WINDOWS\SYSTEM32\MKXML4a.dll
WinShutDown 9/12/2005 5:39:58 PM R S 234793 C:\WINDOWS\SYSTEM32\MLD32.DLL
ad-w-a-r-e.com 9/12/2005 5:39:58 PM R S 234793 C:\WINDOWS\SYSTEM32\MLD32.DLL
WinShutDown 9/3/2005 8:01:56 AM R S 234793 C:\WINDOWS\SYSTEM32\mnnsspc.dll
ad-w-a-r-e.com 9/3/2005 8:01:56 AM R S 234793 C:\WINDOWS\SYSTEM32\mnnsspc.dll
WinShutDown 9/18/2005 1:58:22 PM R S 234793 C:\WINDOWS\SYSTEM32\mqvidctl.dll
ad-w-a-r-e.com 9/18/2005 1:58:22 PM R S 234793 C:\WINDOWS\SYSTEM32\mqvidctl.dll
PECompact2 9/8/2005 11:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 11:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
WinShutDown 7/23/2005 11:22:24 AM R S 233248 C:\WINDOWS\SYSTEM32\MTWMDMSP.DLL
ad-w-a-r-e.com 7/23/2005 11:22:24 AM R S 233248 C:\WINDOWS\SYSTEM32\MTWMDMSP.DLL
WinShutDown 8/31/2005 7:56:36 AM R S 233305 C:\WINDOWS\SYSTEM32\MUNDEX.DLL
ad-w-a-r-e.com 8/31/2005 7:56:36 AM R S 233305 C:\WINDOWS\SYSTEM32\MUNDEX.DLL
WinShutDown 10/4/2005 4:16:28 PM R S 234272 C:\WINDOWS\SYSTEM32\mv62l9jo1.dll
ad-w-a-r-e.com 10/4/2005 4:16:28 PM R S 234272 C:\WINDOWS\SYSTEM32\mv62l9jo1.dll
WinShutDown 9/14/2005 11:15:52 AM R S 234793 C:\WINDOWS\SYSTEM32\mv8ml9l11.dll
ad-w-a-r-e.com 9/14/2005 11:15:52 AM R S 234793 C:\WINDOWS\SYSTEM32\mv8ml9l11.dll
WinShutDown 7/21/2005 5:34:12 PM R S 236025 C:\WINDOWS\SYSTEM32\mv8ul9l91.dll
ad-w-a-r-e.com 7/21/2005 5:34:12 PM R S 236025 C:\WINDOWS\SYSTEM32\mv8ul9l91.dll
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
WinShutDown 3/15/2005 8:24:08 PM R S 234482 C:\WINDOWS\SYSTEM32\p44u0eh9eh4.dll
ad-w-a-r-e.com 3/15/2005 8:24:08 PM R S 234482 C:\WINDOWS\SYSTEM32\p44u0eh9eh4.dll
WinShutDown 9/4/2005 8:28:22 AM R S 233305 C:\WINDOWS\SYSTEM32\p6n8lg5u16.dll
ad-w-a-r-e.com 9/4/2005 8:28:22 AM R S 233305 C:\WINDOWS\SYSTEM32\p6n8lg5u16.dll
WinShutDown 10/3/2005 8:52:28 PM R S 235950 C:\WINDOWS\SYSTEM32\p8p6li7s18.dll
ad-w-a-r-e.com 10/3/2005 8:52:28 PM R S 235950 C:\WINDOWS\SYSTEM32\p8p6li7s18.dll
WinShutDown 9/7/2005 7:16:40 PM R S 234793 C:\WINDOWS\SYSTEM32\pFutoenr.dll
ad-w-a-r-e.com 9/7/2005 7:16:40 PM R S 234793 C:\WINDOWS\SYSTEM32\pFutoenr.dll
SAHAgent 7/24/2005 8:08:52 AM 3523 C:\WINDOWS\SYSTEM32\q5uo8k9d.ini
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
WinShutDown 8/5/2005 7:18:14 PM R S 233305 C:\WINDOWS\SYSTEM32\RKSMXS.DLL
ad-w-a-r-e.com 8/5/2005 7:18:14 PM R S 233305 C:\WINDOWS\SYSTEM32\RKSMXS.DLL
WinShutDown 10/6/2005 5:52:32 PM R S 234850 C:\WINDOWS\SYSTEM32\rQsauto.dll
ad-w-a-r-e.com 10/6/2005 5:52:32 PM R S 234850 C:\WINDOWS\SYSTEM32\rQsauto.dll
WinShutDown 7/19/2005 6:02:02 PM R S 234272 C:\WINDOWS\SYSTEM32\s088lalu1dq8.dll
ad-w-a-r-e.com 7/19/2005 6:02:02 PM R S 234272 C:\WINDOWS\SYSTEM32\s088lalu1dq8.dll
WinShutDown 8/21/2005 11:34:38 AM R S 234219 C:\WINDOWS\SYSTEM32\SSFTPUB.DLL
ad-w-a-r-e.com 8/21/2005 11:34:38 AM R S 234219 C:\WINDOWS\SYSTEM32\SSFTPUB.DLL
WinShutDown 8/1/2005 5:49:24 PM R S 233248 C:\WINDOWS\SYSTEM32\t6r80g9ue6.dll
ad-w-a-r-e.com 8/1/2005 5:49:24 PM R S 233248 C:\WINDOWS\SYSTEM32\t6r80g9ue6.dll
WinShutDown 9/17/2005 5:50:12 PM R S 234793 C:\WINDOWS\SYSTEM32\TOD32.DLL
ad-w-a-r-e.com 9/17/2005 5:50:12 PM R S 234793 C:\WINDOWS\SYSTEM32\TOD32.DLL
WinShutDown 10/2/2005 3:56:18 PM R S 234272 C:\WINDOWS\SYSTEM32\ttrmsrv.dll
ad-w-a-r-e.com 10/2/2005 3:56:18 PM R S 234272 C:\WINDOWS\SYSTEM32\ttrmsrv.dll
WinShutDown 9/11/2005 9:34:56 AM R S 234793 C:\WINDOWS\SYSTEM32\UCILDLL.DLL
ad-w-a-r-e.com 9/11/2005 9:34:56 AM R S 234793 C:\WINDOWS\SYSTEM32\UCILDLL.DLL
WinShutDown 7/24/2005 7:45:40 AM R S 233248 C:\WINDOWS\SYSTEM32\UWRVOICA.DLL
ad-w-a-r-e.com 7/24/2005 7:45:40 AM R S 233248 C:\WINDOWS\SYSTEM32\UWRVOICA.DLL
WinShutDown 9/6/2005 5:33:50 PM R S 234793 C:\WINDOWS\SYSTEM32\vqregexp.dll
ad-w-a-r-e.com 9/6/2005 5:33:50 PM R S 234793 C:\WINDOWS\SYSTEM32\vqregexp.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
WinShutDown 10/3/2005 5:18:44 PM R S 234850 C:\WINDOWS\SYSTEM32\wC2time.dll
ad-w-a-r-e.com 10/3/2005 5:18:44 PM R S 234850 C:\WINDOWS\SYSTEM32\wC2time.dll
WinShutDown 3/16/2005 6:30:04 PM R S 234482 C:\WINDOWS\SYSTEM32\wnaservc.dll
ad-w-a-r-e.com 3/16/2005 6:30:04 PM R S 234482 C:\WINDOWS\SYSTEM32\wnaservc.dll
WinShutDown 7/23/2005 9:51:44 AM R S 233248 C:\WINDOWS\SYSTEM32\wsdsp.dll
ad-w-a-r-e.com 7/23/2005 9:51:44 AM R S 233248 C:\WINDOWS\SYSTEM32\wsdsp.dll
WinShutDown 7/21/2005 7:13:38 PM R S 233248 C:\WINDOWS\SYSTEM32\wssapi32.dll
ad-w-a-r-e.com 7/21/2005 7:13:38 PM R S 233248 C:\WINDOWS\SYSTEM32\wssapi32.dll
WinShutDown 7/23/2005 9:52:00 AM R S 233248 C:\WINDOWS\SYSTEM32\zpcomm.dll
ad-w-a-r-e.com 7/23/2005 9:52:00 AM R S 233248 C:\WINDOWS\SYSTEM32\zpcomm.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/6/2005 6:21:24 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
8/10/2005 3:21:30 PM H 0 C:\WINDOWS\INF\oem27.inf
8/11/2005 7:58:28 AM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\eb1df4d032779105d7cd961f50d8bf5a\BITD8.tmp
9/20/2005 8:03:54 PM R S 234793 C:\WINDOWS\SYSTEM32\ALHPRXY.DLL
8/17/2005 5:45:58 PM R S 233305 C:\WINDOWS\SYSTEM32\cycdll.dll
9/18/2005 9:06:24 PM R S 234793 C:\WINDOWS\SYSTEM32\dnn8015ue.dll
8/28/2005 3:54:48 PM R S 233305 C:\WINDOWS\SYSTEM32\dpvmgr.dll
9/17/2005 10:49:12 PM R S 234793 C:\WINDOWS\SYSTEM32\g8040idqe80e0.dll
8/13/2005 8:46:02 AM R S 233377 C:\WINDOWS\SYSTEM32\gei32.dll
8/29/2005 6:07:44 PM R S 233305 C:\WINDOWS\SYSTEM32\gpj0l31m1.dll
9/16/2005 10:47:56 AM R S 234793 C:\WINDOWS\SYSTEM32\hrl0053me.dll
8/26/2005 10:46:10 PM R S 233305 C:\WINDOWS\SYSTEM32\IFSHLPR.DLL
8/29/2005 8:39:34 AM R S 233305 C:\WINDOWS\SYSTEM32\imnathlp.dll
8/18/2005 11:35:00 PM R S 233305 C:\WINDOWS\SYSTEM32\k080lalm1dqa.dll
9/19/2005 9:35:48 PM R S 234793 C:\WINDOWS\SYSTEM32\k4pmle711h.dll
8/17/2005 5:45:58 PM R S 234571 C:\WINDOWS\SYSTEM32\k662lgjo16oc.dll
9/13/2005 5:23:44 PM R S 234793 C:\WINDOWS\SYSTEM32\lP8m0al1edq.dll
8/24/2005 9:17:40 AM R S 234219 C:\WINDOWS\SYSTEM32\lv2u09f9e.dll
8/11/2005 7:51:44 AM R S 233377 C:\WINDOWS\SYSTEM32\MAD32.DLL
8/13/2005 2:50:44 PM R S 233305 C:\WINDOWS\SYSTEM32\mdtext35.dll
8/28/2005 7:29:06 AM R S 233305 C:\WINDOWS\SYSTEM32\MKXML4a.dll
9/12/2005 5:39:58 PM R S 234793 C:\WINDOWS\SYSTEM32\MLD32.DLL
9/3/2005 8:01:56 AM R S 234793 C:\WINDOWS\SYSTEM32\mnnsspc.dll
9/18/2005 1:58:22 PM R S 234793 C:\WINDOWS\SYSTEM32\mqvidctl.dll
8/31/2005 7:56:36 AM R S 233305 C:\WINDOWS\SYSTEM32\MUNDEX.DLL
10/4/2005 4:16:28 PM R S 234272 C:\WINDOWS\SYSTEM32\mv62l9jo1.dll
9/14/2005 11:15:52 AM R S 234793 C:\WINDOWS\SYSTEM32\mv8ml9l11.dll
10/6/2005 6:19:34 PM R S 234850 C:\WINDOWS\SYSTEM32\o6lu0g39e6.dll
9/4/2005 8:28:22 AM R S 233305 C:\WINDOWS\SYSTEM32\p6n8lg5u16.dll
10/3/2005 8:52:28 PM R S 235950 C:\WINDOWS\SYSTEM32\p8p6li7s18.dll
9/7/2005 7:16:40 PM R S 234793 C:\WINDOWS\SYSTEM32\pFutoenr.dll
10/6/2005 6:21:50 PM R S 234850 C:\WINDOWS\SYSTEM32\pTpsvc.dll
10/5/2005 9:01:54 PM R S 234850 C:\WINDOWS\SYSTEM32\q4680ejueho80.dll
10/6/2005 5:52:32 PM R S 234850 C:\WINDOWS\SYSTEM32\rQsauto.dll
8/21/2005 11:34:38 AM R S 234219 C:\WINDOWS\SYSTEM32\SSFTPUB.DLL
9/17/2005 5:50:12 PM R S 234793 C:\WINDOWS\SYSTEM32\TOD32.DLL
10/2/2005 3:56:18 PM R S 234272 C:\WINDOWS\SYSTEM32\ttrmsrv.dll
9/11/2005 9:34:56 AM R S 234793 C:\WINDOWS\SYSTEM32\UCILDLL.DLL
9/6/2005 5:33:50 PM R S 234793 C:\WINDOWS\SYSTEM32\vqregexp.dll
10/6/2005 5:53:16 PM H 31884 C:\WINDOWS\SYSTEM32\vsconfig.xml
10/3/2005 5:18:44 PM R S 234850 C:\WINDOWS\SYSTEM32\wC2time.dll
9/16/2005 9:18:02 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
10/6/2005 6:21:52 PM H 24576 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
10/6/2005 6:21:48 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
10/6/2005 6:21:26 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
10/6/2005 6:22:26 PM H 192512 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
10/6/2005 6:21:38 PM H 1142784 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
9/14/2005 11:18:30 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
10/6/2005 6:04:36 PM S 6803 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
8/17/2005 3:24:46 PM S 408 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
9/9/2005 10:28:18 PM S 7652 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
10/6/2005 6:04:36 PM S 120 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
8/17/2005 3:24:46 PM S 124 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
9/9/2005 10:28:18 PM S 134 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
8/31/2005 5:49:04 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\9718f4ec-e36c-4da3-a3c4-e8ca8e52787e
8/31/2005 5:49:04 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
10/6/2005 6:20:16 PM H 6 C:\WINDOWS\Tasks\SA.DAT
10/5/2005 7:27:54 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
10/5/2005 7:27:54 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
5/24/2002 1:45:48 PM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 9/15/2003 2:56:02 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel Corporation 8/16/2002 5:52:12 PM 774144 C:\WINDOWS\SYSTEM32\PROSetp.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\DLLCACHE\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 11:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
11/22/2002 12:38:22 PM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
9/9/2002 6:39:20 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 10:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
9/27/2004 11:33:10 AM 4081 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 11:00:00 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 10:50:46 AM HS 62 C:\Documents and Settings\Administrator\Application Data\DESKTOP.INI

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{9A71D0A6-E671-4971-8BB6-4EC0C010C658} = C:\WINDOWS\system32\rjboex32.dll
{2A136FF2-A6CD-485F-8D23-CA08D49490F8} = C:\WINDOWS\system32\guard.tmp
{45CB2006-BBC6-4985-A736-9FBFA011B486} = C:\WINDOWS\system32\guard.tmp
{F248AA4B-335A-44B5-9BB8-3629AD34C959} = C:\WINDOWS\system32\uvicows.dll
{B2AD3D80-7685-4891-83DC-D91D29B9F4B2} = C:\WINDOWS\system32\uuimdmat.dll
{4A8E91CF-B0B4-4C8D-A2E5-A06F7A07AE14} = C:\WINDOWS\system32\KFDCZ1.DLL
{276DA8CE-88D5-40D0-BEA4-C4A18460B11B} = C:\WINDOWS\system32\guard.tmp
{2EDDA643-B0C9-4FED-90F2-C81ECA8E916A} = C:\WINDOWS\system32\locap12n.dll
{C9097ACD-9E5D-4C13-9A7B-D5B893CF922D} = C:\WINDOWS\system32\guard.tmp
{AFA02467-330A-4763-A5F3-DB88B86F40A5} = C:\WINDOWS\system32\guard.tmp
{3BB3B36A-1D2B-4C3B-AC7E-FD683C0211C9} = C:\WINDOWS\system32\rQsauto.dll
{EB9A8245-3FD6-416C-B0FC-1964E2370ADA} = C:\WINDOWS\system32\pTpsvc.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqtfg
{0cce165b-46c6-4429-8257-aca91700ebfc} = C:\WINDOWS\system32\cqpocg.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqtfgsm
{90795a4a-957c-4898-815b-773fc64f7d79} = C:\WINDOWS\system32\auapa.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPHUPD05 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPHmon05 C:\WINDOWS\system32\hphmon05.exe
HPDJ Taskbar Utility C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
BearShare "C:\Program Files\BearShare\BearShare.exe" /pause
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Cookie Washer\washidx.exe "Scott Rahn"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad
= C:\WINDOWS\system32\q4680ejueho80.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/6/2005 6:32:05 PM

_____________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 6:51:01 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Scott Rahn"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {95AAC5DC-AF1F-418B-BA0D-ED523E6B69D3} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {96721B58-8AFE-469D-AF67-6DB7C40666E6} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {C48AB761-5F59-4B0C-8355-61F0DA3913AE} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...?rand=200341122
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.39.14.242/activex/AxisCamControl.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\o6lu0g39e6.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
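As an added example that is not part of this thread or of any tool named in it, the following Python script encodes what a log reviewer looks for in the WinPFind and HijackThis logs above: a cluster of random-named read-only+system DLLs of near-identical size dropped straight into System32, and a Winlogon Notify (O20) handler pointing at one of them. The sample log lines are a constructed excerpt of the posted logs, and the set of stock XP SP2 Winlogon Notify subkeys is an assumption.

```python
"""Log triage heuristic for the WinPFind / HijackThis logs posted above.
Added example, not a tool from the thread: flags the Look2Me-style pattern
of many random-named read-only+system (R S) DLLs of near-identical size in
System32, one of them registered as a Winlogon\\Notify handler (O20)."""
import re
from datetime import datetime

# WinPFind file line: <date> <time> [R|H|S tokens] <size> <path>
WINPFIND_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)"
    r"(?P<attrs>(?: [RHSA]+)*) (?P<size>\d+) (?P<path>[A-Za-z]:\\.+)$")
# HijackThis O20 line: "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Assumption: stock Winlogon\Notify subkeys of a clean XP SP2 install. Vendor
# software may legitimately add more, so a miss means "verify", not "malware".
STOCK_XP_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_winpfind(lines):
    """One dict per parsable file entry; section headers are skipped."""
    entries = []
    for line in lines:
        m = WINPFIND_RE.match(line.strip())
        if m:
            entries.append({
                "when": datetime.strptime(f"{m['date']} {m['time']}",
                                          "%m/%d/%Y %I:%M:%S %p"),
                "attrs": set(m["attrs"].replace(" ", "")),
                "size": int(m["size"]),
                "path": m["path"]})
    return entries


def suspicious_dll_cluster(entries, tolerance=4096, min_members=5):
    """Largest group of R+S DLLs directly under System32 whose sizes lie
    within `tolerance` bytes of each other (the droppings in the posted log
    are all 233248..236025 bytes). Returns [] if the group is too small."""
    cands = sorted(
        (e for e in entries
         if e["path"].lower().endswith(".dll")
         and e["path"].lower().rsplit("\\", 1)[0].endswith("\\system32")
         and {"R", "S"} <= e["attrs"]),
        key=lambda e: e["size"])
    best, start = [], 0
    for end in range(len(cands)):  # sliding window over sorted sizes
        while cands[end]["size"] - cands[start]["size"] > tolerance:
            start += 1
        if end - start + 1 > len(best):
            best = cands[start:end + 1]
    return best if len(best) >= min_members else []


def suspicious_winlogon_notify(hjt_lines, cluster):
    """(subkey, dll, reasons) for each O20 entry that is not a stock handler
    or whose DLL is one of the clustered files."""
    cluster_paths = {e["path"].lower() for e in cluster}
    hits = []
    for line in hjt_lines:
        m = O20_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["name"].lower() not in STOCK_XP_NOTIFY:
            reasons.append("subkey name not in stock XP SP2 baseline")
        if m["path"].lower() in cluster_paths:
            reasons.append("DLL belongs to the suspicious size cluster")
        if reasons:
            hits.append((m["name"], m["path"], reasons))
    return hits


def triage(winpfind_lines, hjt_lines):
    cluster = suspicious_dll_cluster(parse_winpfind(winpfind_lines))
    return {"cluster": cluster,
            "notify_hits": suspicious_winlogon_notify(hjt_lines, cluster)}


# Constructed excerpt of the WinPFind log above (header shows it is skipped).
WINPFIND_SAMPLE = r"""
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/6/2005 6:21:24 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
9/20/2005 8:03:54 PM R S 234793 C:\WINDOWS\SYSTEM32\ALHPRXY.DLL
8/17/2005 5:45:58 PM R S 233305 C:\WINDOWS\SYSTEM32\cycdll.dll
9/18/2005 9:06:24 PM R S 234793 C:\WINDOWS\SYSTEM32\dnn8015ue.dll
10/4/2005 4:16:28 PM R S 234272 C:\WINDOWS\SYSTEM32\mv62l9jo1.dll
10/6/2005 6:19:34 PM R S 234850 C:\WINDOWS\SYSTEM32\o6lu0g39e6.dll
10/3/2005 8:52:28 PM R S 235950 C:\WINDOWS\SYSTEM32\p8p6li7s18.dll
10/6/2005 5:53:16 PM H 31884 C:\WINDOWS\SYSTEM32\vsconfig.xml
"""
# The crypt32chain line is a constructed benign control; the other two are
# taken from the HijackThis log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\o6lu0g39e6.dll
"""
```

Calling `triage(WINPFIND_SAMPLE.splitlines(), HJT_SAMPLE.splitlines())` returns the six clustered DLLs and flags the `Uninstall` handler on both counts, which is the same conclusion the expert draws from the full logs.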

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:13 PM

Posted 10 October 2005 - 06:28 AM

Hi zonker20122. It looks like we have a couple of pretty good infections here. Let's get rid of the worst one first.

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Post that log along with any additional information as directed below.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the new L2m logs back here along with a new HijackThis log and a new WinPFind log and I will review the information when it comes in.

OT

Edited by OldTimer, 10 October 2005 - 06:29 AM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#8 zonker20122

zonker20122
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:13 PM

Posted 17 October 2005 - 02:18 PM

OT, sorry for the delay. After I extract l2mfix I do not find l2mfix.bat in the folder. I opened a DOS app and ran Run Fix and rebooted. After reboot I expected my icons to appear, disappear, then reappear. This did not happen. I got a pop-up that my antivirus was turned off. What have I done wrong?

Thanks!
Z

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:13 PM

Posted 18 October 2005 - 08:38 AM

Hi zonker20122. I must be missing something here. If the l2mfix.bat file was missing what was it that was run? The Run Fix command is only available from the l2mfix.bat file.

Let me know.

OT

#10 zonker20122

zonker20122
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:13 PM

Posted 18 October 2005 - 08:58 PM

Sorry, but I don't see l2mfix.bat in the file. Does bat mean batch file? Is it a DOS app? It looks like DOS to me. Forgive me, but I am not computer savvy.

I did the Run Fix by typing 2 and then enter. I was prompted to hit any key and my system rebooted but no log opened after reboot.

Should I have run this in safe mode?

Thanks
Z

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:13 PM

Posted 19 October 2005 - 08:41 AM

Hi zonker20122. If you are seeing the menu then you are running the correct file. You probably are not seeing the extension because the computer is set to not show extensions for known file types.

Do this instead. Go to the l2mfix folder and run the second.bat (will probably show as "second" to you) file. This should produce the log. Post that back here along with a new HijackThis log and a new WinPFind log.

Cheers.

OT

Edited by OldTimer, 19 October 2005 - 08:41 AM.


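The log that second.bat produces includes a regedit export of the Winlogon\Notify key, the key Winlogon consults to load notification DLLs at logon, so a subkey pointing at an oddly named DLL in system32 is the persistence point this fix targets. The following Python script is an added example, not L2Mfix code or anything posted by the participants: it parses such an export (including the hex(2) DllName values), and flags subkeys whose DLL is not a stock notification package. The allowlist, the random-name heuristic and the sample export (a constructed subset of the export posted further down the thread) are assumptions of the example.

```python
"""Triage a regedit export of HKLM\\...\\Winlogon\\Notify for rogue notification
packages (added example for this thread, not L2Mfix code)."""
import re
from typing import Dict, List, Optional, Tuple

# Stock Windows XP notification DLLs, taken from the clean subkeys in the
# thread's export: a constructed allowlist, extend it for other Windows versions.
KNOWN_GOOD_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                   "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}
NOTIFY_PREFIX = "\\winlogon\\notify\\"
# Heuristic for machine-generated names such as o4ns0e57eh.dll: letters and
# digits mixed, stem of 8+ characters (crypt32.dll, stem of 7, does not match).
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}\.dll$", re.I)


def decode_hex2(payload: str) -> str:
    """Decode a hex(2) (REG_EXPAND_SZ) value: comma-separated UTF-16LE bytes."""
    raw = bytes(int(b, 16) for b in payload.replace("\\", "").split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each Notify\\<subkey> in a regedit 5.00 export to its values."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    pending: Optional[Tuple[str, str]] = None  # (value name, hex bytes so far)
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:  # continuation line of a hex(2) value
            pending = (pending[0], pending[1] + line)
            if not line.endswith("\\"):
                current[pending[0]] = decode_hex2(pending[1])
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            idx = line.lower().rfind(NOTIFY_PREFIX)  # -1 for the Notify key itself
            subkey = line[idx + len(NOTIFY_PREFIX):-1]
            current = None if idx == -1 else entries.setdefault(subkey, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith("hex(2):"):  # REG_EXPAND_SZ, continued on '\'-terminated lines
            pending = (name, value[len("hex(2):"):])
            if not value.endswith("\\"):
                current[name], pending = decode_hex2(pending[1]), None
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            current[name] = value[1:-1].replace("\\\\", "\\")  # unescape REG_SZ
        else:
            current[name] = value  # dword:... and friends, kept as text
    return entries


def triage(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (subkey, DllName, reasons) for every subkey that looks rogue."""
    findings = []
    for subkey, values in entries.items():
        # Exports spell the value both "DllName" and "DLLName"; match case-insensitively.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if not dll:
            reasons.append("no DllName value")
        elif base not in KNOWN_GOOD_DLLS:
            reasons.append(f"{base} is not a stock notification DLL")
        if "\\" in dll:
            reasons.append("absolute path (stock entries use a bare file name)")
        if RANDOM_NAME.match(base):
            reasons.append("pseudo-random file name")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


# Constructed input: a subset of the export posted further down this thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"DllName"="C:\\WINDOWS\\system32\\o4ns0e57eh.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"DllName"="C:\\WINDOWS\\system32\\mv84l9lq1.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"""

if __name__ == "__main__":
    for subkey, dll, reasons in triage(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll} -> {'; '.join(reasons)}")
```

Run against a full export, the stock subkeys (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon, wzcnotif) come back clean and only the subkeys loading an unknown DLL are reported.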
#12 zonker20122
  • Topic Starter

  • Members
  • 15 posts

Posted 19 October 2005 - 07:16 PM

Got it! Here are the new logs:

L2Mfix 1.04a

Running From:
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 500 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2408 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ALHPRXY.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aza6li1s18.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ckbcatq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CNL3D32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cycdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dCtaclen.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnn8015ue.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dpvmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ejs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpno0353e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g8040idqe80e0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gei32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpj0l31m1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hjzcoi09(4).dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrl0053me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i4jq0e15eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IEXRIP.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IFSHLPR.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\imnathlp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\JLSD400.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k080lalm1dqa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k4pmle711h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k662lgjo16oc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KHDIT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l08m0al1edq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\labmp12n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lP8m0al1edq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv2u09f9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Lxvec12n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MAD32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdtext35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MKXML4a.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MLD32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnnsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqvidctl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MTWMDMSP.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MUNDEX.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv62l9jo1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv8ml9l11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv8ul9l91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p44u0eh9eh4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p6n8lg5u16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p8p6li7s18.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pFutoenr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pTpsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q886lils18q6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RKSMXS.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s088lalu1dq8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SSFTPUB.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t6r80g9ue6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\TOD32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ttrmsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\UCILDLL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\UWRVOICA.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vqregexp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wC2time.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wnaservc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wsdsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wssapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\zpcomm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\ALHPRXY.DLL
Successfully Deleted: C:\WINDOWS\system32\ALHPRXY.DLL
deleting: C:\WINDOWS\system32\aza6li1s18.dll
Successfully Deleted: C:\WINDOWS\system32\aza6li1s18.dll
deleting: C:\WINDOWS\system32\ckbcatq.dll
Successfully Deleted: C:\WINDOWS\system32\ckbcatq.dll
deleting: C:\WINDOWS\system32\CNL3D32.DLL
Successfully Deleted: C:\WINDOWS\system32\CNL3D32.DLL
deleting: C:\WINDOWS\system32\cycdll.dll
Successfully Deleted: C:\WINDOWS\system32\cycdll.dll
deleting: C:\WINDOWS\system32\dCtaclen.dll
Successfully Deleted: C:\WINDOWS\system32\dCtaclen.dll
deleting: C:\WINDOWS\system32\dnn8015ue.dll
Successfully Deleted: C:\WINDOWS\system32\dnn8015ue.dll
deleting: C:\WINDOWS\system32\dpvmgr.dll
Successfully Deleted: C:\WINDOWS\system32\dpvmgr.dll
deleting: C:\WINDOWS\system32\ejs.dll
Successfully Deleted: C:\WINDOWS\system32\ejs.dll
deleting: C:\WINDOWS\system32\fpno0353e.dll
Successfully Deleted: C:\WINDOWS\system32\fpno0353e.dll
deleting: C:\WINDOWS\system32\g8040idqe80e0.dll
Successfully Deleted: C:\WINDOWS\system32\g8040idqe80e0.dll
deleting: C:\WINDOWS\system32\gei32.dll
Successfully Deleted: C:\WINDOWS\system32\gei32.dll
deleting: C:\WINDOWS\system32\gpj0l31m1.dll
Successfully Deleted: C:\WINDOWS\system32\gpj0l31m1.dll
deleting: C:\WINDOWS\system32\hjzcoi09(4).dll
Successfully Deleted: C:\WINDOWS\system32\hjzcoi09(4).dll
deleting: C:\WINDOWS\system32\hrl0053me.dll
Successfully Deleted: C:\WINDOWS\system32\hrl0053me.dll
deleting: C:\WINDOWS\system32\i4jq0e15eh.dll
Successfully Deleted: C:\WINDOWS\system32\i4jq0e15eh.dll
deleting: C:\WINDOWS\system32\IEXRIP.DLL
Successfully Deleted: C:\WINDOWS\system32\IEXRIP.DLL
deleting: C:\WINDOWS\system32\IFSHLPR.DLL
Successfully Deleted: C:\WINDOWS\system32\IFSHLPR.DLL
deleting: C:\WINDOWS\system32\imnathlp.dll
Successfully Deleted: C:\WINDOWS\system32\imnathlp.dll
deleting: C:\WINDOWS\system32\JLSD400.DLL
Successfully Deleted: C:\WINDOWS\system32\JLSD400.DLL
deleting: C:\WINDOWS\system32\k080lalm1dqa.dll
Successfully Deleted: C:\WINDOWS\system32\k080lalm1dqa.dll
deleting: C:\WINDOWS\system32\k4pmle711h.dll
Successfully Deleted: C:\WINDOWS\system32\k4pmle711h.dll
deleting: C:\WINDOWS\system32\k662lgjo16oc.dll
Successfully Deleted: C:\WINDOWS\system32\k662lgjo16oc.dll
deleting: C:\WINDOWS\system32\KHDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\KHDIT.DLL
deleting: C:\WINDOWS\system32\l08m0al1edq.dll
Successfully Deleted: C:\WINDOWS\system32\l08m0al1edq.dll
deleting: C:\WINDOWS\system32\labmp12n.dll
Successfully Deleted: C:\WINDOWS\system32\labmp12n.dll
deleting: C:\WINDOWS\system32\lP8m0al1edq.dll
Successfully Deleted: C:\WINDOWS\system32\lP8m0al1edq.dll
deleting: C:\WINDOWS\system32\lv2u09f9e.dll
Successfully Deleted: C:\WINDOWS\system32\lv2u09f9e.dll
deleting: C:\WINDOWS\system32\Lxvec12n.dll
Successfully Deleted: C:\WINDOWS\system32\Lxvec12n.dll
deleting: C:\WINDOWS\system32\MAD32.DLL
Successfully Deleted: C:\WINDOWS\system32\MAD32.DLL
deleting: C:\WINDOWS\system32\mdtext35.dll
Successfully Deleted: C:\WINDOWS\system32\mdtext35.dll
deleting: C:\WINDOWS\system32\MKXML4a.dll
Successfully Deleted: C:\WINDOWS\system32\MKXML4a.dll
deleting: C:\WINDOWS\system32\MLD32.DLL
Successfully Deleted: C:\WINDOWS\system32\MLD32.DLL
deleting: C:\WINDOWS\system32\mnnsspc.dll
Successfully Deleted: C:\WINDOWS\system32\mnnsspc.dll
deleting: C:\WINDOWS\system32\mqvidctl.dll
Successfully Deleted: C:\WINDOWS\system32\mqvidctl.dll
deleting: C:\WINDOWS\system32\MTWMDMSP.DLL
Successfully Deleted: C:\WINDOWS\system32\MTWMDMSP.DLL
deleting: C:\WINDOWS\system32\MUNDEX.DLL
Successfully Deleted: C:\WINDOWS\system32\MUNDEX.DLL
deleting: C:\WINDOWS\system32\mv62l9jo1.dll
Successfully Deleted: C:\WINDOWS\system32\mv62l9jo1.dll
deleting: C:\WINDOWS\system32\mv8ml9l11.dll
Successfully Deleted: C:\WINDOWS\system32\mv8ml9l11.dll
deleting: C:\WINDOWS\system32\mv8ul9l91.dll
Successfully Deleted: C:\WINDOWS\system32\mv8ul9l91.dll
deleting: C:\WINDOWS\system32\p44u0eh9eh4.dll
Successfully Deleted: C:\WINDOWS\system32\p44u0eh9eh4.dll
deleting: C:\WINDOWS\system32\p6n8lg5u16.dll
Successfully Deleted: C:\WINDOWS\system32\p6n8lg5u16.dll
deleting: C:\WINDOWS\system32\p8p6li7s18.dll
Successfully Deleted: C:\WINDOWS\system32\p8p6li7s18.dll
deleting: C:\WINDOWS\system32\pFutoenr.dll
Successfully Deleted: C:\WINDOWS\system32\pFutoenr.dll
deleting: C:\WINDOWS\system32\pTpsvc.dll
Successfully Deleted: C:\WINDOWS\system32\pTpsvc.dll
deleting: C:\WINDOWS\system32\q886lils18q6.dll
Successfully Deleted: C:\WINDOWS\system32\q886lils18q6.dll
deleting: C:\WINDOWS\system32\RKSMXS.DLL
Successfully Deleted: C:\WINDOWS\system32\RKSMXS.DLL
deleting: C:\WINDOWS\system32\s088lalu1dq8.dll
Successfully Deleted: C:\WINDOWS\system32\s088lalu1dq8.dll
deleting: C:\WINDOWS\system32\SSFTPUB.DLL
Successfully Deleted: C:\WINDOWS\system32\SSFTPUB.DLL
deleting: C:\WINDOWS\system32\t6r80g9ue6.dll
Successfully Deleted: C:\WINDOWS\system32\t6r80g9ue6.dll
deleting: C:\WINDOWS\system32\TOD32.DLL
Successfully Deleted: C:\WINDOWS\system32\TOD32.DLL
deleting: C:\WINDOWS\system32\ttrmsrv.dll
Successfully Deleted: C:\WINDOWS\system32\ttrmsrv.dll
deleting: C:\WINDOWS\system32\UCILDLL.DLL
Successfully Deleted: C:\WINDOWS\system32\UCILDLL.DLL
deleting: C:\WINDOWS\system32\UWRVOICA.DLL
Successfully Deleted: C:\WINDOWS\system32\UWRVOICA.DLL
deleting: C:\WINDOWS\system32\vqregexp.dll
Successfully Deleted: C:\WINDOWS\system32\vqregexp.dll
deleting: C:\WINDOWS\system32\wC2time.dll
Successfully Deleted: C:\WINDOWS\system32\wC2time.dll
deleting: C:\WINDOWS\system32\wnaservc.dll
Successfully Deleted: C:\WINDOWS\system32\wnaservc.dll
deleting: C:\WINDOWS\system32\wsdsp.dll
Successfully Deleted: C:\WINDOWS\system32\wsdsp.dll
deleting: C:\WINDOWS\system32\wssapi32.dll
Successfully Deleted: C:\WINDOWS\system32\wssapi32.dll
deleting: C:\WINDOWS\system32\zpcomm.dll
Successfully Deleted: C:\WINDOWS\system32\zpcomm.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: ALHPRXY.DLL (164 bytes security) (deflated 5%)
adding: aza6li1s18.dll (164 bytes security) (deflated 4%)
adding: ckbcatq.dll (164 bytes security) (deflated 4%)
adding: CNL3D32.DLL (164 bytes security) (deflated 4%)
adding: cycdll.dll (164 bytes security) (deflated 4%)
adding: dCtaclen.dll (164 bytes security) (deflated 5%)
adding: dnn8015ue.dll (164 bytes security) (deflated 5%)
adding: dpvmgr.dll (164 bytes security) (deflated 4%)
adding: ejs.dll (164 bytes security) (deflated 4%)
adding: fpno0353e.dll (164 bytes security) (deflated 4%)
adding: g8040idqe80e0.dll (164 bytes security) (deflated 5%)
adding: gei32.dll (164 bytes security) (deflated 4%)
adding: gpj0l31m1.dll (164 bytes security) (deflated 4%)
adding: hjzcoi09(4).dll (164 bytes security) (deflated 4%)
adding: hrl0053me.dll (164 bytes security) (deflated 5%)
adding: i4jq0e15eh.dll (164 bytes security) (deflated 4%)
adding: IEXRIP.DLL (164 bytes security) (deflated 4%)
adding: IFSHLPR.DLL (164 bytes security) (deflated 4%)
adding: imnathlp.dll (164 bytes security) (deflated 4%)
adding: JLSD400.DLL (164 bytes security) (deflated 4%)
adding: k080lalm1dqa.dll (164 bytes security) (deflated 4%)
adding: k4pmle711h.dll (164 bytes security) (deflated 5%)
adding: k662lgjo16oc.dll (164 bytes security) (deflated 5%)
adding: KHDIT.DLL (164 bytes security) (deflated 5%)
adding: l08m0al1edq.dll (164 bytes security) (deflated 5%)
adding: labmp12n.dll (164 bytes security) (deflated 4%)
adding: lP8m0al1edq.dll (164 bytes security) (deflated 5%)
adding: lv2u09f9e.dll (164 bytes security) (deflated 5%)
adding: Lxvec12n.dll (164 bytes security) (deflated 4%)
adding: MAD32.DLL (164 bytes security) (deflated 4%)
adding: mdtext35.dll (164 bytes security) (deflated 4%)
adding: MKXML4a.dll (164 bytes security) (deflated 4%)
adding: MLD32.DLL (164 bytes security) (deflated 5%)
adding: mnnsspc.dll (164 bytes security) (deflated 5%)
adding: mqvidctl.dll (164 bytes security) (deflated 5%)
adding: MTWMDMSP.DLL (164 bytes security) (deflated 4%)
adding: MUNDEX.DLL (164 bytes security) (deflated 4%)
adding: mv62l9jo1.dll (164 bytes security) (deflated 4%)
adding: mv8ml9l11.dll (164 bytes security) (deflated 5%)
adding: mv8ul9l91.dll (164 bytes security) (deflated 5%)
adding: p44u0eh9eh4.dll (164 bytes security) (deflated 5%)
adding: p6n8lg5u16.dll (164 bytes security) (deflated 4%)
adding: p8p6li7s18.dll (164 bytes security) (deflated 5%)
adding: pFutoenr.dll (164 bytes security) (deflated 5%)
adding: pTpsvc.dll (164 bytes security) (deflated 5%)
adding: q886lils18q6.dll (164 bytes security) (deflated 5%)
adding: RKSMXS.DLL (164 bytes security) (deflated 4%)
adding: s088lalu1dq8.dll (164 bytes security) (deflated 4%)
adding: SSFTPUB.DLL (164 bytes security) (deflated 5%)
adding: t6r80g9ue6.dll (164 bytes security) (deflated 4%)
adding: TOD32.DLL (164 bytes security) (deflated 5%)
adding: ttrmsrv.dll (164 bytes security) (deflated 4%)
adding: UCILDLL.DLL (164 bytes security) (deflated 5%)
adding: UWRVOICA.DLL (164 bytes security) (deflated 4%)
adding: vqregexp.dll (164 bytes security) (deflated 5%)
adding: wC2time.dll (164 bytes security) (deflated 5%)
adding: wnaservc.dll (164 bytes security) (deflated 5%)
adding: wsdsp.dll (164 bytes security) (deflated 4%)
adding: wssapi32.dll (164 bytes security) (deflated 4%)
adding: zpcomm.dll (164 bytes security) (deflated 4%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 66%)
adding: echo.reg (164 bytes security) (deflated 15%)
adding: 12mfix instructions.txt (164 bytes security) (deflated 50%)
adding: direct.txt (164 bytes security) (deflated 7%)
adding: lo2.txt (164 bytes security) (deflated 87%)
adding: readme.txt (164 bytes security) (deflated 52%)
adding: test.txt (164 bytes security) (deflated 82%)
adding: test2.txt (164 bytes security) (deflated 46%)
adding: test3.txt (164 bytes security) (deflated 46%)
adding: test5.txt (164 bytes security) (deflated 46%)
adding: xfind.txt (164 bytes security) (deflated 76%)
adding: backregs/276DA8CE-88D5-40D0-BEA4-C4A18460B11B.reg (164 bytes security) (deflated 70%)
adding: backregs/2A136FF2-A6CD-485F-8D23-CA08D49490F8.reg (164 bytes security) (deflated 70%)
adding: backregs/2EDDA643-B0C9-4FED-90F2-C81ECA8E916A.reg (164 bytes security) (deflated 70%)
adding: backregs/3BB3B36A-1D2B-4C3B-AC7E-FD683C0211C9.reg (164 bytes security) (deflated 70%)
adding: backregs/45CB2006-BBC6-4985-A736-9FBFA011B486.reg (164 bytes security) (deflated 70%)
adding: backregs/4A8E91CF-B0B4-4C8D-A2E5-A06F7A07AE14.reg (164 bytes security) (deflated 70%)
adding: backregs/9A71D0A6-E671-4971-8BB6-4EC0C010C658.reg (164 bytes security) (deflated 70%)
adding: backregs/AFA02467-330A-4763-A5F3-DB88B86F40A5.reg (164 bytes security) (deflated 70%)
adding: backregs/B2AD3D80-7685-4891-83DC-D91D29B9F4B2.reg (164 bytes security) (deflated 70%)
adding: backregs/C9097ACD-9E5D-4C13-9A7B-D5B893CF922D.reg (164 bytes security) (deflated 70%)
adding: backregs/EB9A8245-3FD6-416C-B0FC-1964E2370ADA.reg (164 bytes security) (deflated 70%)
adding: backregs/F248AA4B-335A-44B5-9BB8-3629AD34C959.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: ALHPRXY.DLL
deleting local copy: aza6li1s18.dll
deleting local copy: ckbcatq.dll
deleting local copy: CNL3D32.DLL
deleting local copy: cycdll.dll
deleting local copy: dCtaclen.dll
deleting local copy: dnn8015ue.dll
deleting local copy: dpvmgr.dll
deleting local copy: ejs.dll
deleting local copy: fpno0353e.dll
deleting local copy: g8040idqe80e0.dll
deleting local copy: gei32.dll
deleting local copy: gpj0l31m1.dll
deleting local copy: hjzcoi09(4).dll
deleting local copy: hrl0053me.dll
deleting local copy: i4jq0e15eh.dll
deleting local copy: IEXRIP.DLL
deleting local copy: IFSHLPR.DLL
deleting local copy: imnathlp.dll
deleting local copy: JLSD400.DLL
deleting local copy: k080lalm1dqa.dll
deleting local copy: k4pmle711h.dll
deleting local copy: k662lgjo16oc.dll
deleting local copy: KHDIT.DLL
deleting local copy: l08m0al1edq.dll
deleting local copy: labmp12n.dll
deleting local copy: lP8m0al1edq.dll
deleting local copy: lv2u09f9e.dll
deleting local copy: Lxvec12n.dll
deleting local copy: MAD32.DLL
deleting local copy: mdtext35.dll
deleting local copy: MKXML4a.dll
deleting local copy: MLD32.DLL
deleting local copy: mnnsspc.dll
deleting local copy: mqvidctl.dll
deleting local copy: MTWMDMSP.DLL
deleting local copy: MUNDEX.DLL
deleting local copy: mv62l9jo1.dll
deleting local copy: mv8ml9l11.dll
deleting local copy: mv8ul9l91.dll
deleting local copy: p44u0eh9eh4.dll
deleting local copy: p6n8lg5u16.dll
deleting local copy: p8p6li7s18.dll
deleting local copy: pFutoenr.dll
deleting local copy: pTpsvc.dll
deleting local copy: q886lils18q6.dll
deleting local copy: RKSMXS.DLL
deleting local copy: s088lalu1dq8.dll
deleting local copy: SSFTPUB.DLL
deleting local copy: t6r80g9ue6.dll
deleting local copy: TOD32.DLL
deleting local copy: ttrmsrv.dll
deleting local copy: UCILDLL.DLL
deleting local copy: UWRVOICA.DLL
deleting local copy: vqregexp.dll
deleting local copy: wC2time.dll
deleting local copy: wnaservc.dll
deleting local copy: wsdsp.dll
deleting local copy: wssapi32.dll
deleting local copy: zpcomm.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o4ns0e57eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv84l9lq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ALHPRXY.DLL
C:\WINDOWS\system32\aza6li1s18.dll
C:\WINDOWS\system32\ckbcatq.dll
C:\WINDOWS\system32\CNL3D32.DLL
C:\WINDOWS\system32\cycdll.dll
C:\WINDOWS\system32\dCtaclen.dll
C:\WINDOWS\system32\dnn8015ue.dll
C:\WINDOWS\system32\dpvmgr.dll
C:\WINDOWS\system32\ejs.dll
C:\WINDOWS\system32\fpno0353e.dll
C:\WINDOWS\system32\g8040idqe80e0.dll
C:\WINDOWS\system32\gei32.dll
C:\WINDOWS\system32\gpj0l31m1.dll
C:\WINDOWS\system32\hjzcoi09(4).dll
C:\WINDOWS\system32\hrl0053me.dll
C:\WINDOWS\system32\i4jq0e15eh.dll
C:\WINDOWS\system32\IEXRIP.DLL
C:\WINDOWS\system32\IFSHLPR.DLL
C:\WINDOWS\system32\imnathlp.dll
C:\WINDOWS\system32\JLSD400.DLL
C:\WINDOWS\system32\k080lalm1dqa.dll
C:\WINDOWS\system32\k4pmle711h.dll
C:\WINDOWS\system32\k662lgjo16oc.dll
C:\WINDOWS\system32\KHDIT.DLL
C:\WINDOWS\system32\l08m0al1edq.dll
C:\WINDOWS\system32\labmp12n.dll
C:\WINDOWS\system32\lP8m0al1edq.dll
C:\WINDOWS\system32\lv2u09f9e.dll
C:\WINDOWS\system32\Lxvec12n.dll
C:\WINDOWS\system32\MAD32.DLL
C:\WINDOWS\system32\mdtext35.dll
C:\WINDOWS\system32\MKXML4a.dll
C:\WINDOWS\system32\MLD32.DLL
C:\WINDOWS\system32\mnnsspc.dll
C:\WINDOWS\system32\mqvidctl.dll
C:\WINDOWS\system32\MTWMDMSP.DLL
C:\WINDOWS\system32\MUNDEX.DLL
C:\WINDOWS\system32\mv62l9jo1.dll
C:\WINDOWS\system32\mv8ml9l11.dll
C:\WINDOWS\system32\mv8ul9l91.dll
C:\WINDOWS\system32\p44u0eh9eh4.dll
C:\WINDOWS\system32\p6n8lg5u16.dll
C:\WINDOWS\system32\p8p6li7s18.dll
C:\WINDOWS\system32\pFutoenr.dll
C:\WINDOWS\system32\pTpsvc.dll
C:\WINDOWS\system32\q886lils18q6.dll
C:\WINDOWS\system32\RKSMXS.DLL
C:\WINDOWS\system32\s088lalu1dq8.dll
C:\WINDOWS\system32\SSFTPUB.DLL
C:\WINDOWS\system32\t6r80g9ue6.dll
C:\WINDOWS\system32\TOD32.DLL
C:\WINDOWS\system32\ttrmsrv.dll
C:\WINDOWS\system32\UCILDLL.DLL
C:\WINDOWS\system32\UWRVOICA.DLL
C:\WINDOWS\system32\vqregexp.dll
C:\WINDOWS\system32\wC2time.dll
C:\WINDOWS\system32\wnaservc.dll
C:\WINDOWS\system32\wsdsp.dll
C:\WINDOWS\system32\wssapi32.dll
C:\WINDOWS\system32\zpcomm.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9A71D0A6-E671-4971-8BB6-4EC0C010C658}"=-
"{2A136FF2-A6CD-485F-8D23-CA08D49490F8}"=-
"{45CB2006-BBC6-4985-A736-9FBFA011B486}"=-
"{F248AA4B-335A-44B5-9BB8-3629AD34C959}"=-
"{B2AD3D80-7685-4891-83DC-D91D29B9F4B2}"=-
"{4A8E91CF-B0B4-4C8D-A2E5-A06F7A07AE14}"=-
"{276DA8CE-88D5-40D0-BEA4-C4A18460B11B}"=-
"{2EDDA643-B0C9-4FED-90F2-C81ECA8E916A}"=-
"{C9097ACD-9E5D-4C13-9A7B-D5B893CF922D}"=-
"{AFA02467-330A-4763-A5F3-DB88B86F40A5}"=-
"{3BB3B36A-1D2B-4C3B-AC7E-FD683C0211C9}"=-
"{EB9A8245-3FD6-416C-B0FC-1964E2370ADA}"=-
[-HKEY_CLASSES_ROOT\CLSID\{9A71D0A6-E671-4971-8BB6-4EC0C010C658}]
[-HKEY_CLASSES_ROOT\CLSID\{2A136FF2-A6CD-485F-8D23-CA08D49490F8}]
[-HKEY_CLASSES_ROOT\CLSID\{45CB2006-BBC6-4985-A736-9FBFA011B486}]
[-HKEY_CLASSES_ROOT\CLSID\{F248AA4B-335A-44B5-9BB8-3629AD34C959}]
[-HKEY_CLASSES_ROOT\CLSID\{B2AD3D80-7685-4891-83DC-D91D29B9F4B2}]
[-HKEY_CLASSES_ROOT\CLSID\{4A8E91CF-B0B4-4C8D-A2E5-A06F7A07AE14}]
[-HKEY_CLASSES_ROOT\CLSID\{276DA8CE-88D5-40D0-BEA4-C4A18460B11B}]
[-HKEY_CLASSES_ROOT\CLSID\{2EDDA643-B0C9-4FED-90F2-C81ECA8E916A}]
[-HKEY_CLASSES_ROOT\CLSID\{C9097ACD-9E5D-4C13-9A7B-D5B893CF922D}]
[-HKEY_CLASSES_ROOT\CLSID\{AFA02467-330A-4763-A5F3-DB88B86F40A5}]
[-HKEY_CLASSES_ROOT\CLSID\{3BB3B36A-1D2B-4C3B-AC7E-FD683C0211C9}]
[-HKEY_CLASSES_ROOT\CLSID\{EB9A8245-3FD6-416C-B0FC-1964E2370ADA}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 10/4/2005 12:08:30 PM 24816 C:\WINDOWS\icont.exe
qoologic 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
urllogic 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
abetterinternet.com 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
PECompact2 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
qoologic 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
SAHAgent 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
qoologic 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
SAHAgent 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 5/11/2005 10:33:30 PM 35 C:\WINDOWS\SYSTEM32\26hs39r8.ini
SAHAgent 6/24/2005 10:18:16 PM 35 C:\WINDOWS\SYSTEM32\7r3h3adg.ini
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
SAHAgent 6/1/2005 5:32:28 PM 3468 C:\WINDOWS\SYSTEM32\ghck3gel.ini
SAHAgent 5/11/2005 10:33:30 PM 35 C:\WINDOWS\SYSTEM32\h0bk8ji3.ini
SAHAgent 6/24/2005 10:18:16 PM 35 C:\WINDOWS\SYSTEM32\krf4240k.ini
PECompact2 10/4/2005 10:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/4/2005 10:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
SAHAgent 7/24/2005 8:08:52 AM 3523 C:\WINDOWS\SYSTEM32\q5uo8k9d.ini
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/19/2005 7:29:16 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
10/18/2005 8:42:32 PM R S 235261 C:\WINDOWS\SYSTEM32\mv84l9lq1.dll
10/18/2005 9:50:04 PM R S 235261 C:\WINDOWS\SYSTEM32\p24ulch91f4.dll
10/19/2005 7:30:12 PM H 31884 C:\WINDOWS\SYSTEM32\vsconfig.xml
9/16/2005 9:18:02 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
10/4/2005 6:17:42 PM S 21737 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
8/29/2005 9:25:44 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
8/22/2005 2:48:28 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905414.cat
8/22/2005 9:03:36 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905749.cat
10/19/2005 7:30:54 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
10/19/2005 7:29:24 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
10/19/2005 7:48:42 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
10/19/2005 7:58:22 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
10/19/2005 7:51:02 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
10/13/2005 9:09:16 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
10/6/2005 6:04:36 PM S 6803 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
9/9/2005 10:28:18 PM S 7652 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
10/6/2005 6:04:36 PM S 120 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
9/9/2005 10:28:18 PM S 134 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
8/31/2005 5:49:04 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\9718f4ec-e36c-4da3-a3c4-e8ca8e52787e
8/31/2005 5:49:04 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
10/19/2005 7:29:20 PM H 6 C:\WINDOWS\Tasks\SA.DAT
10/11/2005 5:44:44 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
10/11/2005 5:44:44 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
5/24/2002 1:45:48 PM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 9/15/2003 2:56:02 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel Corporation 8/16/2002 5:52:12 PM 774144 C:\WINDOWS\SYSTEM32\PROSetp.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\DLLCACHE\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 11:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
11/22/2002 12:38:22 PM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
9/9/2002 6:39:20 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 10:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
9/27/2004 11:33:10 AM 4081 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 11:00:00 AM HS 84 C:\Documents and Settings\Scott Rahn\Start Menu\Programs\Startup\DESKTOP.INI
8/6/2005 4:37:14 PM 925 C:\Documents and Settings\Scott Rahn\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 10:50:46 AM HS 62 C:\Documents and Settings\Scott Rahn\Application Data\DESKTOP.INI
8/6/2005 4:37:14 PM 83 C:\Documents and Settings\Scott Rahn\Application Data\sversion.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqtfg
{0cce165b-46c6-4429-8257-aca91700ebfc} = C:\WINDOWS\system32\cqpocg.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqtfgsm
{90795a4a-957c-4898-815b-773fc64f7d79} = C:\WINDOWS\system32\auapa.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{014DA6C9-189F-421A-88CD-07CFE51CFF10} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPHUPD05 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPHmon05 C:\WINDOWS\system32\hphmon05.exe
HPDJ Taskbar Utility C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
BearShare "C:\Program Files\BearShare\BearShare.exe" /pause
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Cookie Washer\washidx.exe "Scott Rahn"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Weather C:\Program Files\AWS\WeatherBug\Weather.exe 1
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
ccWasher C:\Program Files\Cookie Washer\aolwasher.exe /0
Aida C:\Program Files\rdso\eetu.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\
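
The WinPFind listing above shows two context-menu handlers with random names (fxqtfg and fxqtfgsm) backed by random-named DLLs in system32, and the L2Mfix log later in this thread exports the Winlogon\Notify key, where the same family registers a DLL (Notify\RunOnce pointing at C:\WINDOWS\system32\jt2607fse.dll) so that winlogon.exe loads it at logon, logoff and shutdown. The following Python script is an added example and is not part of this thread, of WinPFind or of L2Mfix: it parses a Winlogon\Notify .reg export, including the hex(2) REG_EXPAND_SZ form with backslash-continued lines that regedit writes for entries such as crypt32chain, and flags every notification package whose DllName is an absolute path or whose basename is not in an allowlist of stock Windows XP SP2 packages. The allowlist, the function names and the sample export are constructed for the example; the sample's RunOnce entry reproduces the one found on this machine.

```python
import re
from typing import Dict, List, Tuple

# Notification packages that ship with Windows XP SP2, matched against the
# basename of each DllName. Allowlist constructed for this example; vendor
# packages (Symantec, HP, ...) present on a given machine would be added here.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
_HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def _logical_lines(text: str) -> List[str]:
    """Join the backslash-continued lines regedit emits for long hex values."""
    out, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        out.append(buf)
        buf = ""
    return out + ([buf] if buf else [])


def decode_reg_data(data: str):
    """Decode one value: quoted string, dword, or hex(type) byte list."""
    data = data.strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])   # "\\" -> "\", "\"" -> '"'
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = _HEX_RE.match(data)
    if not m:
        return data
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
    if m.group("type") in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: decoded data}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        km = _KEY_RE.match(line)
        if km:  # "[-key]" is a deletion, so its body is skipped
            name = km.group("key")
            current = None if name.startswith("-") else keys.setdefault(name, {})
            continue
        vm = _VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group("name")] = decode_reg_data(vm.group("data"))
    return keys


def suspicious_notify_entries(keys, known=KNOWN_NOTIFY_DLLS) -> List[Tuple[str, str, List[str]]]:
    """Return (subkey, dll, reasons) for Notify packages that are not stock.

    Stock packages are registered by bare file name and resolved from System32;
    an absolute path, or a basename outside the allowlist, is how a Look2Me-style
    DLL gets winlogon.exe to load it."""
    findings = []
    for key, values in keys.items():
        if "\\winlogon\\notify\\" not in key.lower():
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str) or not dll:
            continue
        reasons = []
        if re.match(r"^[A-Za-z]:\\", dll) or dll.startswith("\\\\"):
            reasons.append("absolute path")
        if dll.rsplit("\\", 1)[-1].lower() not in known:
            reasons.append("not a stock notification DLL")
        if reasons:
            findings.append((key.rsplit("\\", 1)[-1], dll, reasons))
    return findings


# Sample export constructed for this example in the layout regedit produces.
# The RunOnce entry reproduces the one the L2Mfix log on this page exports.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"DllName"="C:\\WINDOWS\\system32\\jt2607fse.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

if __name__ == "__main__":
    for subkey, dll, reasons in suspicious_notify_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"Notify\\{subkey}: {dll} ({', '.join(reasons)})")
```

Run it against the output of `regedit /e notify.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"` before and after a cleanup; on the sample it reports only the RunOnce entry. Note that the L2Mfix log further down in this thread does not simply delete the entry: it first denies Administrators the create-subkey right on the Notify key (the `(CI) DENY --C-------` line), kills explorer.exe and rundll32.exe, removes the DLLs, and only then restores the ACL, so a re-run of this check afterwards is the confirmation that nothing re-registered.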

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:13 PM

Posted 20 October 2005 - 06:49 AM

Hi zonker20122. The WinPFind log was cut off. Can you rerun that and post it back here?

Thanks.
OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#14 zonker20122

zonker20122
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:13 PM

Posted 20 October 2005 - 09:26 AM

Okay, will do. Should I be doing these scans in safe mode?

Thanks!
Z

#15 zonker20122

zonker20122
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:13 PM

Posted 20 October 2005 - 08:48 PM

Hi OT,

In safe mode I ran L2Mfix, WinPFind, Ad-Aware SE (removed what it found). Then I rebooted and ran HijackThis. Here are the new logs:

L2Mfix 1.04a

Running From:
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry permissions set to:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 784 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 656 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\hkzcoi09.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iosetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RPPCFGEX.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\hkzcoi09.dll
Successfully Deleted: C:\WINDOWS\system32\hkzcoi09.dll
deleting: C:\WINDOWS\system32\iosetup.dll
Successfully Deleted: C:\WINDOWS\system32\iosetup.dll
deleting: C:\WINDOWS\system32\RPPCFGEX.DLL
Successfully Deleted: C:\WINDOWS\system32\RPPCFGEX.DLL
deleting: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: hkzcoi09.dll (164 bytes security) (deflated 5%)
adding: iosetup.dll (164 bytes security) (deflated 5%)
adding: RPPCFGEX.DLL (164 bytes security) (deflated 5%)
updating: guard.tmp (164 bytes security) (deflated 5%)
updating: clear.reg (164 bytes security) (deflated 36%)
updating: echo.reg (164 bytes security) (deflated 15%)
updating: 12mfix instructions.txt (164 bytes security) (deflated 50%)
updating: direct.txt (164 bytes security) (deflated 7%)
updating: lo2.txt (164 bytes security) (deflated 75%)
updating: readme.txt (164 bytes security) (deflated 52%)
updating: test.txt (164 bytes security) (deflated 53%)
updating: test2.txt (164 bytes security) (deflated 16%)
updating: test3.txt (164 bytes security) (deflated 16%)
updating: test5.txt (164 bytes security) (deflated 16%)
updating: xfind.txt (164 bytes security) (deflated 46%)
adding: log 10-19-05.txt (164 bytes security) (deflated 85%)
adding: log.txt (164 bytes security) (deflated 85%)
updating: backregs/276DA8CE-88D5-40D0-BEA4-C4A18460B11B.reg (164 bytes security) (deflated 70%)
updating: backregs/2A136FF2-A6CD-485F-8D23-CA08D49490F8.reg (164 bytes security) (deflated 70%)
updating: backregs/2EDDA643-B0C9-4FED-90F2-C81ECA8E916A.reg (164 bytes security) (deflated 70%)
updating: backregs/3BB3B36A-1D2B-4C3B-AC7E-FD683C0211C9.reg (164 bytes security) (deflated 70%)
updating: backregs/45CB2006-BBC6-4985-A736-9FBFA011B486.reg (164 bytes security) (deflated 70%)
updating: backregs/4A8E91CF-B0B4-4C8D-A2E5-A06F7A07AE14.reg (164 bytes security) (deflated 70%)
updating: backregs/9A71D0A6-E671-4971-8BB6-4EC0C010C658.reg (164 bytes security) (deflated 70%)
updating: backregs/AFA02467-330A-4763-A5F3-DB88B86F40A5.reg (164 bytes security) (deflated 70%)
updating: backregs/B2AD3D80-7685-4891-83DC-D91D29B9F4B2.reg (164 bytes security) (deflated 70%)
updating: backregs/C9097ACD-9E5D-4C13-9A7B-D5B893CF922D.reg (164 bytes security) (deflated 70%)
updating: backregs/EB9A8245-3FD6-416C-B0FC-1964E2370ADA.reg (164 bytes security) (deflated 70%)
updating: backregs/F248AA4B-335A-44B5-9BB8-3629AD34C959.reg (164 bytes security) (deflated 70%)
updating: backregs/notibac.reg (164 bytes security) (deflated 88%)
updating: backregs/shell.reg (164 bytes security) (deflated 73%)
adding: backregs/3A1BFC16-02CE-4B3D-84BF-88EE4D708522.reg (164 bytes security) (deflated 70%)
adding: backregs/DD0C4759-94F7-463B-8375-2BC51971BF8C.reg (164 bytes security) (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


Registry permissions set to:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: hkzcoi09.dll
deleting local copy: iosetup.dll
deleting local copy: RPPCFGEX.DLL
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt2607fse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\hkzcoi09.dll
C:\WINDOWS\system32\iosetup.dll
C:\WINDOWS\system32\RPPCFGEX.DLL
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DD0C4759-94F7-463B-8375-2BC51971BF8C}"=-
"{3A1BFC16-02CE-4B3D-84BF-88EE4D708522}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DD0C4759-94F7-463B-8375-2BC51971BF8C}]
[-HKEY_CLASSES_ROOT\CLSID\{3A1BFC16-02CE-4B3D-84BF-88EE4D708522}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 10/4/2005 12:08:30 PM 24816 C:\WINDOWS\icont.exe
qoologic 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
urllogic 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
abetterinternet.com 5/15/2005 5:12:32 PM 4173 C:\WINDOWS\jzkhj.dll
PECompact2 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
qoologic 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
SAHAgent 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\lpt$vpn.871
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
qoologic 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
SAHAgent 10/3/2005 1:13:18 PM 15999039 C:\WINDOWS\VPTNFILE.871
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 5/11/2005 10:33:30 PM 35 C:\WINDOWS\SYSTEM32\26hs39r8.ini
SAHAgent 6/24/2005 10:18:16 PM 35 C:\WINDOWS\SYSTEM32\7r3h3adg.ini
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
SAHAgent 6/1/2005 5:32:28 PM 3468 C:\WINDOWS\SYSTEM32\ghck3gel.ini
WinShutDown 10/20/2005 8:48:46 PM 235261 C:\WINDOWS\SYSTEM32\guard.tmp
ad-w-a-r-e.com 10/20/2005 8:48:46 PM 235261 C:\WINDOWS\SYSTEM32\guard.tmp
SAHAgent 5/11/2005 10:33:30 PM 35 C:\WINDOWS\SYSTEM32\h0bk8ji3.ini
SAHAgent 6/24/2005 10:18:16 PM 35 C:\WINDOWS\SYSTEM32\krf4240k.ini
PECompact2 10/4/2005 10:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/4/2005 10:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
SAHAgent 7/24/2005 8:08:52 AM 3523 C:\WINDOWS\SYSTEM32\q5uo8k9d.ini
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/20/2005 8:47:26 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
10/20/2005 8:47:46 PM R S 236734 C:\WINDOWS\SYSTEM32\gpp4l37q1.dll
10/20/2005 8:41:38 PM R S 235261 C:\WINDOWS\SYSTEM32\jt2607fse.dll
10/20/2005 5:34:50 PM H 31884 C:\WINDOWS\SYSTEM32\vsconfig.xml
9/16/2005 9:18:02 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
10/4/2005 6:17:42 PM S 21737 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
8/29/2005 9:25:44 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
8/22/2005 2:48:28 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905414.cat
8/22/2005 9:03:36 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905749.cat
10/20/2005 8:47:48 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
10/20/2005 8:47:44 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
10/20/2005 8:51:44 PM H 20480 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
10/20/2005 8:51:46 PM H 544768 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
10/20/2005 8:53:18 PM H 1032192 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
10/13/2005 9:09:16 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
10/6/2005 6:04:36 PM S 6803 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
9/9/2005 10:28:18 PM S 7652 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
10/6/2005 6:04:36 PM S 120 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
9/9/2005 10:28:18 PM S 134 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
8/31/2005 5:49:04 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\9718f4ec-e36c-4da3-a3c4-e8ca8e52787e
8/31/2005 5:49:04 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
10/20/2005 8:42:36 PM H 6 C:\WINDOWS\Tasks\SA.DAT
10/11/2005 5:44:44 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
10/11/2005 5:44:44 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
5/24/2002 1:45:48 PM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 9/15/2003 2:56:02 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel Corporation 8/16/2002 5:52:12 PM 774144 C:\WINDOWS\SYSTEM32\PROSetp.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\DLLCACHE\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 11:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
11/22/2002 12:38:22 PM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
9/9/2002 6:39:20 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 10:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
9/27/2004 11:33:10 AM 4081 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 11:00:00 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 10:50:46 AM HS 62 C:\Documents and Settings\Administrator\Application Data\DESKTOP.INI

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{C806E23E-1331-402D-A060-67CEB856A9C3} = C:\WINDOWS\system32\guard.tmp

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqtfg
{0cce165b-46c6-4429-8257-aca91700ebfc} = C:\WINDOWS\system32\cqpocg.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqtfgsm
{90795a4a-957c-4898-815b-773fc64f7d79} = C:\WINDOWS\system32\auapa.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPHUPD05 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPHmon05 C:\WINDOWS\system32\hphmon05.exe
HPDJ Taskbar Utility C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
BearShare "C:\Program Files\BearShare\BearShare.exe" /pause
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Cookie Washer\washidx.exe "Scott Rahn"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce
= C:\WINDOWS\system32\jt2607fse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/20/2005 9:06:36 PM


Logfile of HijackThis v1.99.1
Scan saved at 9:44:18 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Scott Rahn\My Documents\DL Programs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Scott Rahn"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {95AAC5DC-AF1F-418B-BA0D-ED523E6B69D3} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {96721B58-8AFE-469D-AF67-6DB7C40666E6} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {C48AB761-5F59-4B0C-8355-61F0DA3913AE} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...?rand=200341122
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.39.14.242/activex/AxisCamControl.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\gpp4l37q1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
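The entries a responder would check first in the log above are the Winlogon\Notify subkeys in the WinPFind section and the matching O20 line in the HijackThis log: a Notify subkey names a DLL that winlogon.exe loads at logon, so a subkey called RunOnce or MCD that points at a randomly named DLL in system32 is not a stock Windows XP component. The script below is an added example, not part of the original post or of either tool; it parses both log layouts and flags every Notify entry that departs from a baseline of the stock XP SP2 subkeys. The baseline is an assumption drawn from the unflagged entries in this log, and the sample input is constructed from lines quoted on this page.

```python
import re

# Stock Windows XP SP2 Winlogon\Notify subkeys and the DLL each one loads.
# Assumption: this baseline is taken from the unremarkable entries in the log above.
XP_NOTIFY_BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

# WinPFind prints the subkey on one line and "= <dll>" on the next.
WINPFIND_KEY = re.compile(r"Winlogon\\Notify\\([^\s\\]+)\s*$")
WINPFIND_VAL = re.compile(r"^\s*=\s*(.+?)\s*$")
# HijackThis prints one line: O20 - Winlogon Notify: <subkey> - <dll path>
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)\s*$")


def is_suspicious(name, dll):
    """True if the subkey is not a stock XP name, or a stock name has been
    repointed at a DLL other than the one it normally loads."""
    expected = XP_NOTIFY_BASELINE.get(name.lower())
    return expected is None or dll.lower().rsplit("\\", 1)[-1] != expected


def find_suspicious_notify(log_text):
    """Return [(subkey, dll)] for Winlogon Notify entries that deviate from the
    baseline, reading both the WinPFind and the HijackThis layouts."""
    hits = []
    pending = None  # subkey seen on the previous WinPFind line, awaiting its "= dll"
    for line in log_text.splitlines():
        m = HJT_O20.match(line.strip())
        if m:
            if is_suspicious(m.group(1), m.group(2)):
                hits.append((m.group(1), m.group(2)))
            continue
        m = WINPFIND_KEY.search(line)
        if m:
            pending = m.group(1)
            continue
        m = WINPFIND_VAL.match(line)
        if m and pending:
            if is_suspicious(pending, m.group(1)):
                hits.append((pending, m.group(1)))
            pending = None
    return hits


# Constructed sample: a few lines copied from the WinPFind and HijackThis logs above.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce
= C:\WINDOWS\system32\jt2607fse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\gpp4l37q1.dll
"""

if __name__ == "__main__":
    for subkey, dll in find_suspicious_notify(SAMPLE_LOG):
        print(f"suspicious Winlogon Notify entry: {subkey} -> {dll}")
```

Run against the full pasted log it reports exactly the two entries that a helper on this thread would want removed (RunOnce -> jt2607fse.dll and MCD -> gpp4l37q1.dll), while leaving the ten stock subkeys alone. Because winlogon.exe keeps these DLLs loaded for the whole session, deleting the files from a normal desktop usually fails; the check is useful for deciding what needs to be handled from Safe Mode or with a tool that removes the registry value first.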
