
Spysherriff, Cws, About:blank


13 replies to this topic

#1 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 17 December 2005 - 12:04 AM

This Dell laptop was at college for a semester, unprotected (don't ask!). I removed SpySherriff, CWS, and much else as best as I can by using AVG A/V, Ewido, SpySweeper, online scanners, CWShredder. I have followed the instructions in the pinned Preparation Guide to this forum.

I now have control over my wallpaper, the popups have stopped, and I can set my home page now. All good.

I get one error at startup: Windows can't find the file "soproc.exe".

Here is my HJT log. Thanks so much!
~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:46:37 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R3 - Default URLSearchHook is missing
O1 - Hosts: ww.CLKPrecision.com
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en4ql1h51.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!
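The HijackThis log above carries the indicators this thread turns on: an O20 Winlogon Notify handler pointing at a random-named DLL that is reported as missing, an O4 Run entry that launches soproc.exe through rundll32's ShellExec_RunDLL, a Hosts-file override (O1) and a removed default URLSearchHook (R3). The script below is an added example for this thread, not part of HijackThis, l2mfix or any BleepingComputer tool: it reads HJT log lines and flags those four patterns. The allowlist of Winlogon Notify DLLs is an assumption built from this one log (Windows XP defaults plus ATI and Webroot), not a complete list, and the sample input is a constructed excerpt of the log posted above.

```python
"""Triage of HijackThis (HJT) log lines.

Added example for this thread; it is not part of HijackThis, l2mfix or any
BleepingComputer tool. The rules encode the indicators visible in the log
above: an O20 Winlogon Notify entry whose DLL is missing or unrecognised,
an O4 Run entry launched via rundll32 ShellExec_RunDLL, an O1 Hosts-file
override, and a missing default URLSearchHook (R3). The allowlist of
Notify DLLs is an assumption built from this one log, not a complete list.
"""
import re
from dataclasses import dataclass
from typing import List

# Winlogon Notify handlers that ship with Windows XP or belong to software
# seen in this log (ATI, Webroot). Anything else deserves a second look.
KNOWN_NOTIFY_DLLS = {
    "ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wrlogonntf.dll",
}

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per HJT line that matches a rule, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            # "Winlogon Notify: <name> - <path>[ (file missing)]"
            path = body.split(" - ", 1)[1]
            missing = path.endswith("(file missing)")
            dll = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1].lower()
            if missing:
                findings.append(Finding(sec, "Winlogon Notify DLL missing on disk: " + dll, line))
            elif dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(sec, "unrecognised Winlogon Notify DLL: " + dll, line))
        elif sec == "O4" and "shellexec_rundll" in body.lower():
            findings.append(Finding(sec, "Run entry launched through rundll32 ShellExec_RunDLL", line))
        elif sec == "O1":
            findings.append(Finding(sec, "Hosts-file entry overrides DNS for a name", line))
        elif sec == "R3" and "missing" in body.lower():
            findings.append(Finding(sec, "default URLSearchHook has been removed", line))
    return findings


# Sample input: constructed excerpt of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R3 - Default URLSearchHook is missing
O1 - Hosts: ww.CLKPrecision.com
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en4ql1h51.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against the sample it reports four findings (R3, O1, the soproc.exe O4 entry and the StillImage O20 entry) and stays quiet on the AIM Run entry, the Webroot Notify handler and the O23 service. The "(file missing)" case is kept separate from the unrecognised-name case on purpose: a Notify entry whose DLL is gone still breaks logon if left behind, which is the reason helpers ask for the fix log before removing it.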



#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 18 December 2005 - 07:46 PM

Hi Albert Frankenstein and Welcome to the Bleeping Computer!

Please Download the l2mfix from
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


If you receive any errors while attempting to run Option 1 of the l2mfix similar to these:


C:\windows\system32\cmd.exe or C:\windows\system32\autoexec.nt

"The system file is not suitable for running ms-dos and microsoft windows applications"

Choose "Close to terminate the application"

Then please use option 5 of the l2mfix or the web page link in the l2mfix folder to solve this error condition.

DO NOT run the fix portion without repairing this first.

#3 Albert Frankenstein

Albert Frankenstein
  • Topic Starter
  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 19 December 2005 - 08:17 AM

Thank you for taking my case! Here are the results as requested:
~~~~~

L2MFIX find log 121605
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4ql1h51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A2E9E6BA-FEAF-F7C9-D5D7-3A8B5256DFB2}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="6 Months of AOL Included"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{AE8440E9-AEFA-48C4-86B1-39612180495A}"=""
"{30090644-287B-447B-A4E6-01E2C63EAAD2}"=""
"{D0D29441-BB9F-495F-B49D-256A3BBAAE7E}"=""
"{4614244D-AA38-4825-8E56-36D58C7B58F7}"=""
"{A733E020-4C2D-40D9-B922-B385C2075CF2}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AE8440E9-AEFA-48C4-86B1-39612180495A}]

[HKEY_CLASSES_ROOT\CLSID\{AE8440E9-AEFA-48C4-86B1-39612180495A}\InprocServer32]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}\InprocServer32]
@="C:\\WINDOWS\\system32\\0Ymcdqrw.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
08mcdqrw.dll Fri Dec 16 2005 5:15:58p A.... 41,472 40.50 K
bddtn.dll Fri Dec 16 2005 8:35:24p A.... 0 0.00 K
browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
cdfview.dll Thu Oct 20 2005 10:39:26p A.... 151,040 147.50 K
danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M
dkpxo.dll Fri Dec 16 2005 8:54:00p A.... 0 0.00 K
dxtrans.dll Thu Oct 20 2005 10:39:28p A.... 205,312 200.50 K
esent.dll Thu Oct 20 2005 5:20:04p A.... 1,082,368 1.03 M
extmgr.dll Thu Oct 20 2005 10:39:28p A.... 55,808 54.50 K
fiqxs.dll Fri Dec 16 2005 7:38:14p A.... 0 0.00 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
hkvkl.dll Fri Dec 16 2005 7:41:50p A.... 0 0.00 K
iepeers.dll Thu Oct 20 2005 10:39:28p A.... 251,392 245.50 K
inseng.dll Thu Oct 20 2005 10:39:28p A.... 96,256 94.00 K
ipti.dll Sat Dec 10 2005 3:46:50a A.... 0 0.00 K
ipxgy.dll Fri Dec 16 2005 7:27:04p A.... 0 0.00 K
isjqm.dll Fri Dec 16 2005 7:42:14p A.... 0 0.00 K
kubnj.dll Fri Dec 16 2005 8:31:20p A.... 0 0.00 K
llzzy.dll Fri Dec 16 2005 8:27:14p A.... 0 0.00 K
lqwpk.dll Fri Dec 16 2005 8:12:04p A.... 0 0.00 K
mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M
mshtmled.dll Thu Oct 20 2005 10:39:30p A.... 448,512 438.00 K
msrating.dll Thu Oct 20 2005 10:39:30p A.... 146,432 143.00 K
mstime.dll Thu Oct 20 2005 10:39:30p A.... 530,944 518.50 K
nhzih.dll Fri Dec 16 2005 7:58:56p A.... 0 0.00 K
nsoue.dll Fri Dec 16 2005 8:26:56p A.... 0 0.00 K
pngfilt.dll Thu Oct 20 2005 10:39:30p A.... 39,424 38.50 K
puchd.dll Fri Dec 16 2005 7:32:12p A.... 0 0.00 K
rpifx.dll Fri Dec 16 2005 7:54:20p A.... 0 0.00 K
rsmpl.dll Fri Dec 16 2005 7:13:10p A.... 0 0.00 K
shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Thu Oct 20 2005 10:39:30p A.... 473,600 462.50 K
spmsg.dll Wed Oct 12 2005 6:12:26p ..... 14,048 13.72 K
sporder.dll Wed Nov 30 2005 10:55:22p A.... 8,464 8.27 K
suijg.dll Fri Dec 16 2005 7:58:28p A.... 0 0.00 K
tgypl.dll Fri Dec 16 2005 8:19:02p A.... 0 0.00 K
urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K
w95inf16.dll Sat Nov 12 2005 6:53:14p A.... 2,272 2.22 K
w95inf32.dll Sat Nov 12 2005 6:53:14p A.... 4,608 4.50 K
wininet.dll Thu Oct 20 2005 10:39:30p A.... 658,432 643.00 K
wrlogo~1.dll Wed Dec 14 2005 7:17:20p A.... 492,544 481.00 K
wrlzma.dll Wed Dec 14 2005 7:17:16p A.... 17,920 17.50 K
yiulm.dll Fri Dec 16 2005 8:39:28p A.... 0 0.00 K

44 items found: 44 files, 0 directories.
Total of file sizes: 20,645,584 bytes 19.69 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is BCA0-DA0E

Directory of C:\WINDOWS\System32

12/16/2005 11:01 PM <DIR> dllcache
09/25/2005 10:02 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 22,946,017,280 bytes free
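The l2mfix find log above shows two things a helper reads off it: a run of zero-byte DLLs with short random names written to system32 within about two hours on 16 December, and shell extensions in the Approved key registered with an empty description, one of which ({30090644-...}) resolves through its CLSID InprocServer32 to another random-named DLL in system32. The script below is an added example for this thread, not part of l2mfix, HijackThis or any BleepingComputer tool: it parses both parts of a find log and surfaces exactly those two patterns. The "four to six lowercase letters" name heuristic, the burst threshold and the sample log are my own constructions from this thread's data.

```python
"""Triage helpers for an l2mfix 'Run Find Log' (option 1) output.

Added example for this thread, not part of l2mfix or any BleepingComputer
tool. It reads the system32 file listing (zero-byte DLLs with short random
names written in a burst) and the registry export (shell extensions approved
under an empty description, resolved via the CLSID export to the DLL they
load). The name heuristic and burst threshold are assumptions from this log.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple


class FileEntry(NamedTuple):
    name: str
    mtime: datetime
    size: int


# e.g. "bddtn.dll Fri Dec 16 2005 8:35:24p A.... 0 0.00 K"
FILE_LINE = re.compile(
    r"^(?P<name>\S+\.dll)\s+\w{3} (?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<year>\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2})(?P<ampm>[ap])\s+[A-Z.]{5}\s+(?P<size>[\d,]+)\s",
    re.IGNORECASE,
)
RANDOM_DLL = re.compile(r"^[a-z]{4,6}\.dll$")  # short all-letter names, as in this log
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<val>.*)$')
APPROVED = r"hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved"


def parse_file_listing(text: str) -> List[FileEntry]:
    """Parse the 'Files Found' block into (name, modification time, size) records."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            stamp = "%s %s %s %s%sM" % (m["mon"], m["day"], m["year"], m["time"], m["ampm"].upper())
            mtime = datetime.strptime(stamp, "%b %d %Y %I:%M:%S%p")
            entries.append(FileEntry(m["name"], mtime, int(m["size"].replace(",", ""))))
    return entries


def zero_byte_random_dlls(entries: List[FileEntry]) -> List[FileEntry]:
    """Zero-byte DLLs with short random names: the decoy files this find log shows."""
    return [e for e in entries if e.size == 0 and RANDOM_DLL.match(e.name.lower())]


def drop_bursts(entries: List[FileEntry], min_count: int = 3) -> List[Tuple[str, int]]:
    """Dates on which at least min_count flagged DLLs were written (one dropper run)."""
    days = Counter(e.mtime.strftime("%Y-%m-%d") for e in zero_byte_random_dlls(entries))
    return sorted((d, n) for d, n in days.items() if n >= min_count)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg reader: lower-cased key path -> {value name -> data}.
    Quoted strings are unescaped; dword/hex(2) data is kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            current = keys.setdefault(km["key"].lower(), {})
            continue
        vm = REG_VALUE.match(line)
        if vm and current is not None:
            val = vm["val"]
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            current[vm["name"].strip('"')] = val
    return keys


def unnamed_shell_extensions(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Approved shell extensions with an empty description, paired with the DLL their
    CLSID's InprocServer32 loads (None when the CLSID export carries no path)."""
    out = []
    for clsid, desc in reg.get(APPROVED, {}).items():
        if desc == "" and clsid.startswith("{"):
            inproc = reg.get(r"hkey_classes_root\clsid\%s\inprocserver32" % clsid.lower(), {})
            out.append((clsid, inproc.get("@") or None))
    return out


# Constructed sample: lines excerpted from the find log posted above.
SAMPLE_FIND_LOG = r"""
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{AE8440E9-AEFA-48C4-86B1-39612180495A}"=""
"{30090644-287B-447B-A4E6-01E2C63EAAD2}"=""

[HKEY_CLASSES_ROOT\CLSID\{AE8440E9-AEFA-48C4-86B1-39612180495A}\InprocServer32]

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}\InprocServer32]
@="C:\\WINDOWS\\system32\\0Ymcdqrw.dll"
"ThreadingModel"="Apartment"

Files Found are not all bad files:
bddtn.dll Fri Dec 16 2005 8:35:24p A.... 0 0.00 K
danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M
dkpxo.dll Fri Dec 16 2005 8:54:00p A.... 0 0.00 K
ipti.dll Sat Dec 10 2005 3:46:50a A.... 0 0.00 K
fiqxs.dll Fri Dec 16 2005 7:38:14p A.... 0 0.00 K
spmsg.dll Wed Oct 12 2005 6:12:26p ..... 14,048 13.72 K
"""
```

On the sample this flags bddtn, dkpxo, ipti and fiqxs as zero-byte decoys, reports 2005-12-16 as a burst of three, and lists the two unnamed Approved entries: {AE8440E9-...} with no InprocServer32 path in the export and {30090644-...} loading C:\WINDOWS\system32\0Ymcdqrw.dll. Legitimate short names such as danim.dll are left alone because the size check is applied before the name check; the name heuristic alone would be far too noisy on a real system32.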


#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 19 December 2005 - 07:48 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will then ask for a password: enter bye (lowercase), then hit enter.

Your desktop and icons will disappear (this is normal).

L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.

Press any key to reboot.

After the reboot notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If, after the reboot, the log does not open, double click on it in the l2mfix folder.

#5 Albert Frankenstein

Albert Frankenstein
  • Topic Starter
  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 20 December 2005 - 08:04 AM

Thank you.

BTW, I did not have to enter a password, the program entered it automatically. Here is the L2MFix Log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

L2mfix Beta 121605
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 760 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 864 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1964 'explorer.exe'
Killing PID 1964 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to Administratörer ... failed (GetAccountSid(Administratörer)=1332
Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4ql1h51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AE8440E9-AEFA-48C4-86B1-39612180495A}]

[HKEY_CLASSES_ROOT\CLSID\{AE8440E9-AEFA-48C4-86B1-39612180495A}\InprocServer32]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}\InprocServer32]
@="C:\\WINDOWS\\system32\\0Ymcdqrw.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AE8440E9-AEFA-48C4-86B1-39612180495A}"=-
"{30090644-287B-447B-A4E6-01E2C63EAAD2}"=-
"{D0D29441-BB9F-495F-B49D-256A3BBAAE7E}"=-
"{4614244D-AA38-4825-8E56-36D58C7B58F7}"=-
"{A733E020-4C2D-40D9-B922-B385C2075CF2}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AE8440E9-AEFA-48C4-86B1-39612180495A}]
[-HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}]
[-HKEY_CLASSES_ROOT\CLSID\{D0D29441-BB9F-495F-B49D-256A3BBAAE7E}]
[-HKEY_CLASSES_ROOT\CLSID\{4614244D-AA38-4825-8E56-36D58C7B58F7}]
[-HKEY_CLASSES_ROOT\CLSID\{A733E020-4C2D-40D9-B922-B385C2075CF2}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/30090644-287B-447B-A4E6-01E2C63EAAD2.reg (212 bytes security) (deflated 70%)
adding: backregs/AE8440E9-AEFA-48C4-86B1-39612180495A.reg (212 bytes security) (deflated 55%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)


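Added example (not from any poster above, and not part of L2MFix, HijackThis or any other tool in this thread): a small Python script that reads a regedit export like the Winlogon Notify dump in the L2MFix log, decodes the hex(2) DllName values, and points at the entries a helper would look at first. The two rules it applies are this example's own assumptions, not a documented Windows rule: the built-in notification packages register a bare DLL file name that winlogon loads from System32, so a full path such as the StillImage entry stands out, and a file stem that keeps switching between letters and digits (en4ql1h51) looks generated rather than named. It also maps each CLSID\InprocServer32 key in the export to the DLL it loads, which is how the deleted shell-extension CLSIDs in the same log lead to 0Ymcdqrw.dll. The sample input is a shortened, constructed copy of the export posted above.

```python
# Added example for this thread (not part of L2MFix, HijackThis or any other
# tool named in it): triage a regedit export (.reg) of the Winlogon\Notify key
# and of CLSID registrations, the two places the L2MFix log shows Look2Me entries.
import re

# Constructed sample: a shortened copy of the export posted above, with the
# two-space indent regedit puts on hex continuation lines restored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"DllName"="C:\\WINDOWS\\system32\\en4ql1h51.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"DllName"="WRLogonNTF.dll"

[HKEY_CLASSES_ROOT\CLSID\{30090644-287B-447B-A4E6-01E2C63EAAD2}\InprocServer32]
@="C:\\WINDOWS\\system32\\0Ymcdqrw.dll"
"ThreadingModel"="Apartment"
"""

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"[^"]+"|@)=')
INPROC_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.I)


def decode_value(data):
    """Decode a .reg value body: "quoted" REG_SZ, or hex(1)/hex(2) UTF-16LE
    bytes (REG_SZ/REG_EXPAND_SZ); other types (dword:, hex:) are returned raw."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\((?P<t>[0-9a-f]+)\):(?P<b>.*)$", data, re.I)
    if m and m.group("t") in ("1", "2"):
        raw = bytes(int(x, 16) for x in m.group("b").split(",") if x.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: decoded_value}}, joining the
    backslash-terminated continuation lines regedit emits for long hex data."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                  # inside a continued hex value
            pending += line.rstrip("\\")
            if line.endswith("\\"):
                continue
            line, pending = pending, None
        elif not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        elif KEY_RE.match(line):
            current = KEY_RE.match(line).group("path")
            keys[current] = {}
            continue
        elif current is None or not VALUE_RE.match(line):
            continue
        elif line.endswith("\\"):
            pending = line.rstrip("\\")
            continue
        name, data = line.split("=", 1)
        keys[current][name.strip('"')] = decode_value(data)
    return keys


def alternation_score(stem):
    """Letter<->digit switches in a file stem: 'crypt32' -> 1, 'Ati2evxx' -> 2,
    'en4ql1h51' -> 5.  A heuristic of this example, not a documented rule."""
    kinds = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    return sum(a != b for a, b in zip(kinds, kinds[1:]))


def triage_notify(reg_text, threshold=3):
    """Return (subkey, dll, reasons) for Winlogon Notify packages worth a look.
    Assumption: Windows' own packages register a bare file name loaded from
    System32, so an absolute path or a generated-looking name stands out."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        if not path.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue
        # The value name's case varies in the export (DllName / DLLName).
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        reasons = []
        if ":\\" in dll or dll.startswith("\\"):
            reasons.append("absolute path")
        score = alternation_score(dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0])
        if score >= threshold:
            reasons.append(f"random-looking name (score {score})")
        if reasons:
            findings.append((path.rsplit("\\", 1)[-1], dll, reasons))
    return findings


def inproc_servers(reg_text):
    """Map each CLSID in the export to the DLL its InprocServer32 default loads."""
    return {INPROC_RE.match(p).group("clsid"): v["@"] for p, v in parse_reg(reg_text).items()
            if INPROC_RE.match(p) and "@" in v}


if __name__ == "__main__":
    print(triage_notify(SAMPLE_REG), inproc_servers(SAMPLE_REG))
```

To use it on a live machine, export the key first (regedit /e notify.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify") and feed that file to triage_notify instead of the sample. Treat a hit as something to check rather than proof: a legitimate package can register a full path, so confirm the file's publisher and compare with the O20 lines HijackThis reports, which here flag the same StillImage entry with its DLL already missing.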
#6 Albert Frankenstein (Topic Starter)

Posted 20 December 2005 - 08:06 AM

New HJT log:
~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:05:16 AM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R3 - Default URLSearchHook is missing
O1 - Hosts: ww.CLKPrecision.com
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en4ql1h51.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#7 Guest_Cretemonster_*

Posted 20 December 2005 - 06:05 PM

Please Update Ewido with the latest definitions.

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Once in Safe Mode and with All other Windows and Browsers Closed,please Scan the entire PC with Ewido-> Clean all it Finds and please be sure to click the tab to Save a Report.


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply->Close->Follow the Prompts to Restart

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from Ewido-> WinPFind and Panda

#8 Albert Frankenstein (Topic Starter)

Posted 21 December 2005 - 10:39 AM

Ok, cretemonster, here goes:

EWIDO

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:59:43 AM, 12/21/2005
+ Report-Checksum: F6D91B32

+ Scan result:

C:\WINDOWS\eReg.dat:gxzmkh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB873333.log:xwtywl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB886185.log:dehphz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB893066.log:vamgvr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB905915.log:dvsefj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\08mcdqrw.dll -> Adware.Sud : Cleaned with backup
C:\WINDOWS\_default.pif:gxzmk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vqxogp -> TrojanDownloader.Agent.bc : Cleaned with backup


::Report End
~~~~~~~~~~~~~~~~~~~~~~~~~~~


WinPFind


WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 12/16/2005 7:05:28 PM 12285001 C:\AVG7QT.DAT
urllogic 12/16/2005 7:05:28 PM 12285001 C:\AVG7QT.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 12/8/2005 3:31:36 PM 16736805 C:\WINDOWS\lpt$vpn.993
qoologic 12/8/2005 3:31:36 PM 16736805 C:\WINDOWS\lpt$vpn.993
SAHAgent 12/8/2005 3:31:36 PM 16736805 C:\WINDOWS\lpt$vpn.993
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 11/25/2005 10:59:08 PM 16736805 C:\WINDOWS\VPTNFILE.993
qoologic 11/25/2005 10:59:08 PM 16736805 C:\WINDOWS\VPTNFILE.993
SAHAgent 11/25/2005 10:59:08 PM 16736805 C:\WINDOWS\VPTNFILE.993
UPX! 11/9/2005 8:04:40 PM 1077328 C:\WINDOWS\vsapi32.dll
aspack 11/9/2005 8:04:40 PM 1077328 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/4/2004 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 12/8/2005 7:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/8/2005 7:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 7:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 7:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 12/16/2005 7:02:48 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 12/16/2005 7:02:48 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 12/16/2005 7:02:48 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 12/16/2005 7:02:48 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.urllogic.com
127.0.0.1 www.qoologic.com

qoologic 12/16/2005 8:52:46 PM 856 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak
urllogic 12/16/2005 8:52:46 PM 856 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/21/2005 7:57:58 AM S 2048 C:\WINDOWS\bootstat.dat
11/30/2005 11:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
12/21/2005 7:58:08 AM H 12288 C:\WINDOWS\system32\config\default.LOG
12/21/2005 7:58:20 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/21/2005 7:58:00 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
12/21/2005 9:05:22 AM H 155648 C:\WINDOWS\system32\config\software.LOG
12/21/2005 8:10:22 AM H 880640 C:\WINDOWS\system32\config\system.LOG
12/16/2005 11:00:30 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
12/8/2005 9:09:42 AM S 5826 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
12/8/2005 8:38:36 AM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
12/8/2005 9:09:40 AM S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
12/8/2005 8:38:40 AM S 22423 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
12/8/2005 9:09:42 AM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
12/8/2005 8:38:36 AM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
12/8/2005 9:09:40 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
12/8/2005 8:38:40 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
12/21/2005 7:57:04 AM H 6 C:\WINDOWS\Tasks\SA.DAT
12/8/2005 9:02:18 AM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
12/11/2005 1:26:10 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
12/15/2005 6:19:06 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\050JFDQE\desktop.ini
12/12/2005 4:04:52 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C5QZ012B\desktop.ini
12/14/2005 6:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\FX0C1FZ5\desktop.ini
12/12/2005 4:04:52 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GB2ZCZCB\desktop.ini
12/11/2005 1:26:10 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\HRSTCV5O\desktop.ini
12/11/2005 1:26:10 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IA2CV56P\desktop.ini
12/14/2005 6:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\JHJKDZNG\desktop.ini
12/15/2005 6:19:06 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K9CGE2OL\desktop.ini
12/11/2005 1:26:10 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\O7Z91TU4\desktop.ini
12/15/2005 6:19:06 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OGS54F65\desktop.ini
12/12/2005 4:04:52 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OPQJOL6V\desktop.ini
12/12/2005 4:04:52 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\W1QBC9IJ\desktop.ini
12/14/2005 6:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XXRNMS6T\desktop.ini
12/15/2005 6:19:06 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y4D7JYIT\desktop.ini
12/11/2005 1:26:10 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YH91BCVE\desktop.ini
12/14/2005 6:29:00 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YSPVFQPF\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Dell Computer Corporation 2/20/2004 3:14:02 PM 958464 C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL
Microsoft Corporation 8/4/2004 7:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 7/13/2005 5:51:48 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 9:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 7/20/2004 9:14:06 AM 102481 C:\WINDOWS\SYSTEM32\stac97.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/5/2005 11:50:00 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/5/2005 2:58:32 PM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
12/9/2005 10:00:52 PM 1646 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
10/1/2005 9:48:12 AM 1816 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
7/6/2005 8:15:14 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/6/2005 10:07:16 AM 848 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/5/2005 3:33:24 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
7/6/2005 8:15:14 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
7/5/2005 3:33:24 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
UserFaultCheck %systemroot%\system32\dumprep 0 -u
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_Run C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage
= C:\WINDOWS\system32\en4ql1h51.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/21/2005 9:13:02 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PANDA



Incident Status Location

Adware:adware/exact.searchbar Not disinfected C:\Documents and Settings\New User\Local Settings\Temp\blank.gif
Adware:adware/antivirus-gold Not disinfected C:\WINDOWS\desktop.html
Adware:adware/popupsandbanners Not disinfected C:\WINDOWS\teller2.chk
Adware:adware/searchresults Not disinfected C:\PROGRAM FILES\QL
Adware:adware/gator Not disinfected Windows Registry
Dialer:Dialer.DNA Not disinfected C:\Documents and Settings\New User\Local Settings\Temp\5.tmp
Virus:Trj/Qhost.gen Not disinfected D:\Anti Malware\Individual Removers\Individual Information (From NOD 32)\Win32 Mytob.BV.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NEW HJT LOG


Logfile of HijackThis v1.99.1
Scan saved at 10:29:58 AM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R3 - Default URLSearchHook is missing
O1 - Hosts: ww.CLKPrecision.com
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en4ql1h51.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#9 Guest_Cretemonster_*

  • Guests
Posted 21 December 2005 - 08:40 PM

Download The Hoster from here, but don't run it just yet.
http://www.funkytoad.com/download/hoster.zip

Right Click the Zip Folder and Select "Extract All"


Download CleanUp
Install the program, but don't run it yet; we will later.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak
    C:\Documents and Settings\New User\Local Settings\Temp\blank.gif
    C:\WINDOWS\desktop.html
    C:\WINDOWS\teller2.chk
    C:\Documents and Settings\New User\Local Settings\Temp\5.tmp


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot into SAFE MODE (tap F8 when restarting)


Once in Safe Mode, be sure Windows is Showing Hidden Files and Folders
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

Locate and Delete these 2 folders

C:\PROGRAM FILES\QL

C:\Program Files\SoftwareOnline


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj

O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en4ql1h51.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Now, Run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional; if you leave the box checked it will remove all of your cookies. At this point, removing cookies is a good idea.
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Open The Hoster and Make sure that the "Make Hosts Writable?" button in the upper right corner is Enabled

Click "Back up Host files"

Press "Restore Original Hosts" and press "OK"

Exit the Program.


Restart normally and please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log.
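The post above picks out four HijackThis entries to fix and restores the hosts file; the same judgement can be written down as triage rules so that a fresh log can be checked before it is posted. The following is an added example written for this thread; it is not part of the thread, of HijackThis, or of any tool named here. The rules encode exactly the indicators quoted above (a Default_Page_URL of about:blank, a missing default URLSearchHook, an O1 hosts entry, an O4 Run entry launched through rundll32 shell32.dll,ShellExec_RunDLL, and an O20 Winlogon Notify package whose DLL is missing); the sample log lines are constructed to mirror the entries quoted in the thread, and the `Finding` fields and function names are the example's own.

```python
"""Rule-based triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample mirroring entries quoted in the thread's HJT logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: ww.CLKPrecision.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en4ql1h51.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# "<code> - <body>" is the common shape of every HJT entry line.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 registry Run entries: HKxx\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O20 Winlogon Notify entries, with HJT's optional "(file missing)" suffix.
NOTIFY_RE = re.compile(
    r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O4"
    name: str    # value name, hostname or package name the rule fired on
    reason: str  # why a helper would want this entry fixed
    line: str    # the original log line


def parse_entry(line):
    """Split one HJT line into (code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("code"), m.group("body")


def check_entry(line) -> Optional[Finding]:
    """Apply the thread's triage rules to a single line."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    code, body = parsed
    if code in ("R0", "R1") and body.endswith("Default_Page_URL = about:blank"):
        return Finding(code, "Default_Page_URL",
                       "IE default page set to about:blank (the hijack marker in this thread)", line)
    if code == "R3" and "URLSearchHook is missing" in body:
        return Finding(code, "URLSearchHook", "default URL search hook has been removed", line)
    if code == "O1" and body.startswith("Hosts:"):
        return Finding(code, body[len("Hosts:"):].strip(),
                       "hosts-file entry overrides name resolution", line)
    if code == "O4":
        m = RUN_RE.match(body)
        if m and "ShellExec_RunDLL" in m.group("cmd"):
            return Finding(code, m.group("name"),
                           "Run entry launches its payload indirectly via rundll32 shell32.dll,ShellExec_RunDLL", line)
        return None
    if code == "O20":
        m = NOTIFY_RE.match(body)
        if m and m.group("missing"):
            return Finding(code, m.group("name"),
                           "Winlogon Notify package points at a DLL that no longer exists", line)
    return None


def triage(log_text):
    """Return the findings for every line of a pasted HJT log, in log order."""
    return [f for f in (check_entry(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.name:<40} {f.reason}")
```

Running the block on the constructed sample flags five entries and leaves the legitimate AVG Run entry and the Spy Sweeper Notify package alone; the rules are deliberately narrow (they match the specific patterns quoted in the thread), so an entry that is not flagged still needs a human look.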


#10 Albert Frankenstein
  • Topic Starter

  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 22 December 2005 - 12:43 PM

Thanks again, Cretemonster, for all of your help!

I have completed the requested tasks and below please find my log from Kaspersky and a new HJT log.

BTW, with Killbox I was unable to check "Unregister .dll before Deleting" as this choice was greyed out.
~~~~~~~~~~~~~~~~~~~~

KASPERSKY LOG

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 22, 2005 12:22:26
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 22/12/2005
Kaspersky Anti-Virus database records: 168508
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 46479
Number of viruses found: 26
Number of infected objects: 188
Number of suspicious objects: 0
Duration of the scan process: 3603 sec

Infected Object Name - Virus Name
C:\!KillBox\5.tmp Infected: Trojan.Win32.Small.ga
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP113\A0006151.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch.ae
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP114\A0006166.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch.ae
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP117\A0006242.dll Infected: not-a-virus:AdWare.Win32.Sud.a
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP117\A0006243.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006284.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006287.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006289.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006290.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.z
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006291.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006292.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006293.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006294.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006295.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006296.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.v
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006297.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006298.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006299.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006300.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006301.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006302.DLL Infected: not-a-virus:AdWare.Win32.IWon.a
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006303.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006304.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006305.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006307.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006308.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006309.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006310.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006324.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006351.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.p
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006352.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006353.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006366.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006368.exe Infected: not-a-virus:AdWare.Win32.SaveNow.br
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006370.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bt
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006371.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006419.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006423.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006436.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP120\A0006451.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0006452.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0006460.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0007433.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0007445.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0007455.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0007456.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0007471.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0007472.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0007485.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP121\A0007496.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP123\A0007506.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP123\A0007517.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP123\A0007521.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP123\A0007542.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007544.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007545.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007568.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007569.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007581.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007582.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007594.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007605.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007641.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007642.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007653.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007654.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007655.prx:ismkok:$DATA/data0001.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007655.prx:ismkok:$DATA/data0002.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007655.prx:ismkok:$DATA/data0003.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007655.prx:ismkok:$DATA/data0004.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007655.prx:ismkok:$DATA/data0005.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007655.prx:ismkok:$DATA Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007657.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007658.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007666.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007678.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007679.prx:ismkok:$DATA/data0001.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007679.prx:ismkok:$DATA/data0002.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007679.prx:ismkok:$DATA/data0003.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007679.prx:ismkok:$DATA/data0004.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007679.prx:ismkok:$DATA/data0005.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007679.prx:ismkok:$DATA Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007681.dll Infected: not-a-virus:AdWare.Win32.Sud.a
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007693.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007694.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007696.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007709.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007710.prx:ismkok:$DATA/data0001.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007710.prx:ismkok:$DATA/data0002.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007710.prx:ismkok:$DATA/data0003.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007710.prx:ismkok:$DATA/data0004.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007710.prx:ismkok:$DATA/data0005.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007710.prx:ismkok:$DATA Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007711.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007712.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007719.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007729.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007734.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007744.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007749.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007753.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007753.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007763.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007773.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007773.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007775.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007776.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007777.prx:ismkok:$DATA/data0001.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007777.prx:ismkok:$DATA/data0002.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007777.prx:ismkok:$DATA/data0003.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007777.prx:ismkok:$DATA/data0004.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007777.prx:ismkok:$DATA/data0005.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007777.prx:ismkok:$DATA Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007778.EXE Infected: not-a-virus:AdWare.Win32.HelpExpress.b
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007780.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007786.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007791.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007802.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007802.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007803.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007806.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007817.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007817.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007821.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007824.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007825.prx:ismkok:$DATA/data0001.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007825.prx:ismkok:$DATA/data0002.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007825.prx:ismkok:$DATA/data0003.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007825.prx:ismkok:$DATA/data0004.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007825.prx:ismkok:$DATA/data0005.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007825.prx:ismkok:$DATA Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007856.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007863.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007863.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007868.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007919.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007927.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007927.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007931.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007932.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007942.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007942.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007945.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008025.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008025.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008027.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008037.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008037.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008039.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008040.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008048.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008048.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008051.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008053.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008066.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008076.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008076.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008078.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008079.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008094.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008104.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008153.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008174.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008177.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008178.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008179.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008180.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008181.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008182.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008183.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008184.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008185.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008186.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008187.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008188.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008203.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008223.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008224.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008227.dll Infected: not-a-virus:AdWare.Win32.Sud.a
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008229.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008230.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008233.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008246.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch.ae
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP126\A0008250.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.p
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP128\A0010493.dll Infected: not-a-virus:AdWare.Win32.Sud.a
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP128\A0010494.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP128\A0010494.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP87\A0005372.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e

Scan process completed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:26:01 PM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!
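Almost every hit in the Kaspersky log above sits inside a System Restore point (RP87, RP124 to RP126 and RP128 in the visible portion), and a large share of them are NTFS alternate data streams rather than ordinary files (the `:contbs:$DATA` and `:gxzmk:$DATA` suffixes; a `/data0001.html` tail means an archive member inside such a stream). That is what makes a log this long manageable: files under System Volume Information are gone once System Restore is flushed, so the triage question is what, if anything, is live outside it. The Python script below is an added example and not part of the original post or of any tool named in the thread. It parses lines in the posted log format and summarizes the restore points involved, the detections that are alternate data streams, the malware/adware split, and any hits outside a restore point. The sample is a few lines copied from the posted log plus one constructed line for a hypothetical live file.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied verbatim from the Kaspersky log in the thread,
# plus one hypothetical live-file hit (the last detection line) to exercise the
# "outside a restore point" check.  The trailing "Scan process completed." is ignored.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007678.ini:contbs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007679.prx:ismkok:$DATA/data0001.html Infected: not-a-virus:AdWare.Win32.SearchPage
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007693.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007753.pif:gxzmk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP124\A0007753.pif:vqxogp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP125\A0008027.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{05549932-7335-4134-AD7A-3A3F6FEB175F}\RP87\A0005372.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e
C:\WINDOWS\system32\hypothetical.dll Infected: Trojan-Downloader.Win32.Agent.td

Scan process completed.
"""

# "<path> Infected: <detection name>"; the path may contain spaces, so match lazily.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+)\s*$")
# NTFS alternate data stream suffix, e.g. "file.pif:gxzmk:$DATA" (an archive member
# inside the stream shows up as "...:$DATA/data0001.html").
ADS_RE = re.compile(r":(?P<stream>[^\\/:]+):\$DATA")
# Restore-point directory inside System Volume Information.
RP_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\")


def parse_line(line):
    """Return a dict describing one detection line, or None for non-detection lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, threat = m.group("path"), m.group("threat")
    ads = ADS_RE.search(path)
    rp = RP_RE.search(path)
    return {
        "path": path,
        "threat": threat,
        # Kaspersky prefixes adware/riskware with "not-a-virus:"; the rest is malware.
        "adware": threat.startswith("not-a-virus:"),
        "stream": ads.group("stream") if ads else None,
        "restore_point": rp.group("rp") if rp else None,
    }


def triage(log_text):
    """Summarize a scan log: what was hit, where, and how much of it hides in ADS."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    restore_points = {e["restore_point"] for e in entries if e["restore_point"]}
    return {
        "total": len(entries),
        "malware": sum(1 for e in entries if not e["adware"]),
        "adware": sum(1 for e in entries if e["adware"]),
        "by_threat": Counter(e["threat"] for e in entries),
        # Sort RP87 before RP124 numerically, not lexically.
        "restore_points": sorted(restore_points, key=lambda rp: int(rp[2:])),
        "ads_streams": Counter(e["stream"] for e in entries if e["stream"]),
        # Hits outside System Volume Information are still live on disk and need real
        # cleanup; hits inside it disappear when System Restore is flushed.
        "live_files": [e["path"] for e in entries if e["restore_point"] is None],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} detections: {summary['malware']} malware, {summary['adware']} adware")
    print("restore points affected:", ", ".join(summary["restore_points"]))
    print("alternate data streams:", dict(summary["ads_streams"]))
    print("live files to clean:", summary["live_files"] or "none")
```

Run it against a full saved scan report to get the same summary for the whole log; any path in `live_files` is the one that still needs attention after System Restore has been flushed.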


#11 Guest_Cretemonster_*

Posted 22 December 2005 - 08:24 PM

And how is the PC acting today?

#12 Albert Frankenstein
  • Topic Starter

Posted 24 December 2005 - 11:10 AM

:thumbsup: Everything seems to be ok! :flowers:

Thanks so very much! Happy Holidays to you!


#13 Guest_Cretemonster_*

Posted 28 December 2005 - 10:28 AM

Sorry for the delays, been a bit under the weather.

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and reconfigure Msconfig the way you like the PC to start up.

Go ahead and remove any of the tools downloaded that are of no use anymore

Delete the !killbox folder as well.


Restart and re-enable System Restore, then restart once more; this will clear out all the old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again, you know how to find us! :thumbsup:
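The WinHelp2002 (MVPS) hosts file recommended in the checklist above works by mapping known ad and spyware hosts to 0.0.0.0, so the browser never reaches them. The same file is also a favourite target of browser hijackers, which point sites you trust at their own servers or sink antivirus update hosts so the machine can no longer update. The Python script below is an added example and not part of the post or of the MVPS project: it parses a hosts file, counts ordinary block entries, and flags the two hijack patterns (a hostname mapped to a non-local address, and a protected hostname sunk to a local one). The sample hosts content and the PROTECTED_DOMAINS watch list are constructed for the example; a real watch list would come from your own policy.

```python
import ipaddress

# Constructed sample in hosts-file syntax.  The MVPS list sinks ad/tracker hosts to
# 0.0.0.0; a browser hijacker does the reverse and points sites you trust elsewhere.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS list
127.0.0.1       localhost
0.0.0.0         ad.example.net          # MVPS-style block entry
0.0.0.0         tracker.example.org
192.0.2.10      www.microsoft.com       # suspicious: trusted site redirected
127.0.0.1       update.example-av.invalid  # suspicious: security vendor sunk to loopback
0.0.0.0         www.microsoft.com www.windowsupdate.com  # suspicious: several names on one line
"""

# Addresses a blocklist legitimately uses as a sink.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Hypothetical watch list: domains that should never be sunk or redirected on a clean
# machine (OS update and security-vendor sites are the classic hijack targets).
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "example-av.invalid")


def parse_hosts(text):
    """Yield (line number, address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # first token is not an IP address, so not a mapping line
        for name in names:
            yield lineno, addr, name.lower()


def is_protected(name):
    """True if name is one of the protected domains or a host under one of them."""
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Count legitimate block entries and flag mappings that look like a hijack."""
    block_entries = 0
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if addr not in SINK_ADDRESSES:
            findings.append((lineno, name, addr, "redirected to a non-local address"))
        elif is_protected(name):
            findings.append((lineno, name, addr, "protected host sunk (possible hijack)"))
        else:
            block_entries += 1
    return {"block_entries": block_entries, "findings": findings}


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{result['block_entries']} block entries look legitimate")
    for lineno, name, addr, why in result["findings"]:
        print(f"line {lineno}: {name} -> {addr}: {why}")
```

To audit a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts` instead of the sample; on a freshly installed MVPS file the only findings should be none, and a large block count is expected.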

#14 Albert Frankenstein
  • Topic Starter

Posted 28 December 2005 - 04:51 PM

Thanks again! I appreciate it!

I put a little stocking stuffer in your PayPal account today! :thumbsup: