Hijacked IE Browser... Ieh.jackov.zestyfind?


7 replies to this topic

#1 Riskykungfu


Posted 31 December 2005 - 01:25 AM

Please help, my PC was hit with a bunch of hijackers and other PITA stuff.

It started with the whole screen turning blue with the "Your computer is infected..." wallpaper that did not allow me to change it in properties.

A look in the start up showed "Zeno" was in the start up file. I uninstalled and deleted it from the Windows System 32 file, ran Adaware, Spybot and Norton in safe mode. However, it seems even in safe mode the jacker will randomly launch IE windows with locations usually ending with ".yyy65.html". Sites it goes to are:

www.amaena.com
www212paypopup.com
uniqueoffers.com/yyy65.html
etc....

Each time I run Spybot it seems "Windows.Activedesktop" is found, and after Spybot removes it, it will come back.

I have tried to follow the guide here; however, each time I run the House Call, it seems to just stop after the analysis.

Panda AntiVirus does not seem to activate.

I have tried CWshredder with nothing found.

When I ran Adaware in the preparation guide it found 2 things, "MUR List" and "IEH.Jackov.zestyfind".

When I ran Spybot it found "windows.activedesktop".


Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:14:17 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerVCRII\Agent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Messenger\msmsgs.exe
D:\Downloads\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1119039575829
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\lv6q09j5e.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Any help is greatly appreciated.

Edited by Riskykungfu, 31 December 2005 - 01:32 AM.




#2 Riskykungfu


Posted 31 December 2005 - 02:01 AM

I just tried the Symantec instructions for Zestyfind: http://securityresponse.symantec.com/avcen....zestyfind.html

The file to be renamed was not found at the command prompt, and none of the registry entries to be deleted were found when I looked in "regedit".

Edited by Riskykungfu, 31 December 2005 - 02:01 AM.


#3 Riskykungfu


Posted 31 December 2005 - 02:43 AM

McAfee Stinger found nothing.

I looked for the Look2me registry entries, nothing....

Something sure is popping up IE windows of various sizes..GRRRRR!

#4 Riskykungfu


Posted 31 December 2005 - 09:11 AM

Here is the latest log this morning:

Logfile of HijackThis v1.99.1
Scan saved at 8:11:13 AM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerVCRII\Agent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Downloads\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1119039575829
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\gprsl3971.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 Riskykungfu


Posted 31 December 2005 - 07:17 PM

This is what Spybot keeps turning up; even though it is deleted each time, it keeps reappearing. No doubt it's what is bringing up the pop-ups.

Windows.ActiveDesktop: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-725345543-1532298954-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1


I installed Pop-up washer trial version from the web, it blocked 1 popup, but then that's it, they are back even with this program running, good thing I didn't spend $36 bucks on it at Future Shop when I saw it there today.


Looking at the HijackThis log, I don't seem to see anything suspicious....?

Edited by Riskykungfu, 31 December 2005 - 07:18 PM.
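
Added example (not part of the original posts): a short Python script that parses two HijackThis logs and diffs them, which makes the O20 Winlogon Notify entry stand out because both its key name and its DLL changed between the 30 and 31 December scans above. The sample input is a subset of lines copied from the two logs in this thread; the function names are illustrative.

```python
import re

# Constructed sample input: a subset of lines copied from the two HijackThis
# logs posted in this thread (scans of 12/30/2005 and 12/31/2005).
SCAN_DEC30 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:14:17 PM, on 12/30/2005
Running processes:
C:\WINDOWS\system32\rundll32.exe
D:\Downloads\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\lv6q09j5e.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

SCAN_DEC31 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:11:13 AM, on 12/31/2005
Running processes:
C:\WINDOWS\system32\rundll32.exe
D:\Downloads\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\gprsl3971.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Body of an O20 Winlogon Notify entry: "<key name> - <dll path>[ (file missing)]".
NOTIFY_RE = re.compile(r"^Winlogon Notify: (.+?) - (.+?)( \(file missing\))?$")


def parse_entries(log_text):
    """Return [(code, body), ...] for every entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_scans(old_text, new_text):
    """Return (added, removed) entries, comparing case-insensitively as Windows paths do."""
    old = {(c, b.lower()): (c, b) for c, b in parse_entries(old_text)}
    new = {(c, b.lower()): (c, b) for c, b in parse_entries(new_text)}
    added = [new[k] for k in new if k not in old]
    removed = [old[k] for k in old if k not in new]
    return added, removed


def notify_packages(log_text):
    """Return [(key_name, dll_path), ...] for the O20 Winlogon Notify entries."""
    found = []
    for code, body in parse_entries(log_text):
        m = NOTIFY_RE.match(body) if code == "O20" else None
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def notify_churn(old_text, new_text):
    """Return (gone, appeared): Notify packages that vanished or showed up between scans.

    When both lists are non-empty, the Notify DLL was swapped for another one
    between the scans, which ordinary installed software has no reason to do.
    """
    old, new = notify_packages(old_text), notify_packages(new_text)
    old_keys = {(n.lower(), d.lower()) for n, d in old}
    new_keys = {(n.lower(), d.lower()) for n, d in new}
    gone = [p for p in old if (p[0].lower(), p[1].lower()) not in new_keys]
    appeared = [p for p in new if (p[0].lower(), p[1].lower()) not in old_keys]
    return gone, appeared


if __name__ == "__main__":
    added, removed = diff_scans(SCAN_DEC30, SCAN_DEC31)
    for code, body in removed:
        print(f"- {code} - {body}")
    for code, body in added:
        print(f"+ {code} - {body}")
    gone, appeared = notify_churn(SCAN_DEC30, SCAN_DEC31)
    if gone and appeared:
        print("Winlogon Notify DLL replaced between scans:", gone, "->", appeared)
```
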


#6 Riskykungfu


Posted 01 January 2006 - 01:45 PM

I think I have banished the pop-up and hijacking :thumbsup: :huh:


I have pretty much tried everything, but the one that killed it was in a post I read by another poster, MFDnSC.

I downloaded http://www.atribune.org/downloads/l2mfix.exe
and executed the file, running option 1 first then option 2 second. It asked me to fix O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\q2ps0c77ef.dll (file missing) in the HijackThis log.


I then downloaded http://www.ewido.net/en/download/, ran the updates and then rebooted in safe mode. I then scanned the system and it found 62 errors.

When done, I rebooted and the system looked clean with Windows Security Alert coming on in my System tray. I never thought I would be so glad to see that alert as it indicated to me whatever had a grip on my machine has finally let it go.

The PC has been running for ~4 hours now with nary a pop-up or problem. Scans with Spybot, Adaware and Norton show the system to be clean. :huh:


Thanks so much MFDnSC! :flowers: Your post helping another user is greatly appreciated.


For interest's sake, these were the logs generated by L2mfix and Ewido:

L2mfix Report:

L2MFIX find log 122705
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q2ps0c77ef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4A40AC53-C17C-E853-3FF5-A4425BF063F2}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{FCF608CF-5716-47C3-A1A8-991D873AF72B}"="Delphi Context Menu Shell Extension Example"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
@=""
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}"="PhotoToys"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{69D2565F-8EF5-49F7-A904-FA898EB7539B}"=""
"{25384BE5-C07A-4805-91A9-E751121FD98C}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}\InprocServer32]
@="C:\\WINDOWS\\system32\\shcfiles.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}\InprocServer32]
@="C:\\WINDOWS\\system32\\wxvdmod.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aeycfilt.dll Sat Dec 31 2005 6:45:16p ..S.R 236,262 230.72 K
avisynth.dll Fri Oct 7 2005 11:14:52a A.... 308,224 301.00 K
c600lg~1.dll Fri Dec 30 2005 6:26:28p ..... 236,134 230.60 K
divx.dll Wed Dec 7 2005 11:05:52a A.... 573,952 560.50 K
divx_x~1.dll Wed Dec 7 2005 11:05:50a A.... 679,936 664.00 K
divx_x~2.dll Wed Dec 7 2005 11:05:50a A.... 679,936 664.00 K
divx_x~3.dll Wed Dec 7 2005 11:05:50a A.... 663,552 648.00 K
djtmsft.dll Fri Dec 30 2005 3:40:06p ..S.R 234,622 229.12 K
dpl100.dll Thu Oct 27 2005 1:37:46p A.... 86,016 84.00 K
dpu10.dll Thu Oct 27 2005 1:37:44p A.... 294,912 288.00 K
dpu11.dll Thu Oct 27 2005 1:37:44p A.... 294,912 288.00 K
dpugui10.dll Thu Oct 27 2005 1:37:48p A.... 53,248 52.00 K
dpugui11.dll Thu Oct 27 2005 1:37:46p A.... 593,920 580.00 K
dpus11.dll Thu Oct 27 2005 1:37:44p A.... 339,968 332.00 K
dpv11.dll Thu Oct 27 2005 1:37:44p A.... 57,344 56.00 K
dtu100.dll Thu Oct 27 2005 1:37:44p A.... 200,704 196.00 K
fpnq03~1.dll Sat Dec 31 2005 12:53:46a ..S.R 237,256 231.70 K
hr6q05~1.dll Sat Dec 31 2005 7:51:10p ..S.R 235,430 229.91 K
ij32_32.dll Fri Dec 30 2005 10:22:30p ..S.R 237,010 231.45 K
lhnkinfo.dll Fri Dec 30 2005 5:01:56p ..S.R 235,775 230.25 K
ngcog.dll Fri Dec 30 2005 5:23:20p ..S.R 234,169 228.68 K
q2ps0c~1.dll Sat Dec 31 2005 7:32:32p ..S.R 234,865 229.36 K
r2p80c~1.dll Fri Dec 30 2005 5:45:44p ..S.R 236,000 230.47 K
s32evnt1.dll Thu Dec 1 2005 12:14:20p A.... 86,091 84.07 K
shcfiles.dll Sat Dec 31 2005 7:51:10p ..S.R 234,865 229.36 K
wpnstrm.dll Sat Dec 31 2005 12:53:46a ..S.R 236,703 231.15 K
wxvdmod.dll Fri Dec 30 2005 5:45:44p ..S.R 235,128 229.62 K

27 items found: 27 files (12 H/S), 0 directories.
Total of file sizes: 7,976,934 bytes 7.61 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Windows XP
Volume Serial Number is A45B-688A

Directory of C:\WINDOWS\System32

12/31/2005 07:51 PM <DIR> dllcache
12/31/2005 07:51 PM 234,865 shcfiles.dll
12/31/2005 07:51 PM 235,430 hr6q05j5e.dll
12/31/2005 07:32 PM 234,865 q2ps0c77ef.dll
12/31/2005 06:45 PM 236,262 aeycfilt.dll
12/31/2005 12:53 AM 236,703 wpnstrm.dll
12/31/2005 12:53 AM 237,256 fpnq0355e.dll
12/30/2005 10:22 PM 237,010 Ij32_32.dll
12/30/2005 05:45 PM 235,128 wxvdmod.dll
12/30/2005 05:45 PM 236,000 r2p80c7uef.dll
12/30/2005 05:23 PM 234,169 NGCOG.DLL
12/30/2005 05:01 PM 235,775 lhnkinfo.dll
12/30/2005 03:40 PM 234,622 djtmsft.dll
07/03/2005 08:46 AM 32 {1ADAA26F-ACC2-4F0E-AD17-BA3D85D273C9}.dat
06/17/2005 01:45 PM <DIR> Microsoft
13 File(s) 2,828,117 bytes
2 Dir(s) 11,570,016,256 bytes free


--------------------------------------------------------------------------------------------------------------

L2mfix Log

L2mfix Beta 122705
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 564 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 672 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 504 'explorer.exe'
Killing PID 504 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1328 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
moving: C:\WINDOWS\system32\aeycfilt.dll
Successfully Moved: C:\WINDOWS\system32\aeycfilt.dll
moving: C:\WINDOWS\system32\c600lgdm160a.dll
Successfully Moved: C:\WINDOWS\system32\c600lgdm160a.dll
moving: C:\WINDOWS\system32\djtmsft.dll
Successfully Moved: C:\WINDOWS\system32\djtmsft.dll
moving: C:\WINDOWS\system32\fpnq0355e.dll
Successfully Moved: C:\WINDOWS\system32\fpnq0355e.dll
moving: C:\WINDOWS\system32\hr6q05j5e.dll
Successfully Moved: C:\WINDOWS\system32\hr6q05j5e.dll
moving: C:\WINDOWS\system32\Ij32_32.dll
Successfully Moved: C:\WINDOWS\system32\Ij32_32.dll
moving: C:\WINDOWS\system32\lhnkinfo.dll
Successfully Moved: C:\WINDOWS\system32\lhnkinfo.dll
moving: C:\WINDOWS\system32\NGCOG.DLL
Successfully Moved: C:\WINDOWS\system32\NGCOG.DLL
moving: C:\WINDOWS\system32\q2ps0c77ef.dll
Successfully Moved: C:\WINDOWS\system32\q2ps0c77ef.dll
moving: C:\WINDOWS\system32\r2p80c7uef.dll
Successfully Moved: C:\WINDOWS\system32\r2p80c7uef.dll
moving: C:\WINDOWS\system32\shcfiles.dll
Successfully Moved: C:\WINDOWS\system32\shcfiles.dll
moving: C:\WINDOWS\system32\wpnstrm.dll
Successfully Moved: C:\WINDOWS\system32\wpnstrm.dll
moving: C:\WINDOWS\system32\wxvdmod.dll
Successfully Moved: C:\WINDOWS\system32\wxvdmod.dll




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q2ps0c77ef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aeycfilt.dll
C:\WINDOWS\system32\c600lgdm160a.dll
C:\WINDOWS\system32\djtmsft.dll
C:\WINDOWS\system32\fpnq0355e.dll
C:\WINDOWS\system32\hr6q05j5e.dll
C:\WINDOWS\system32\Ij32_32.dll
C:\WINDOWS\system32\lhnkinfo.dll
C:\WINDOWS\system32\NGCOG.DLL
C:\WINDOWS\system32\q2ps0c77ef.dll
C:\WINDOWS\system32\r2p80c7uef.dll
C:\WINDOWS\system32\shcfiles.dll
C:\WINDOWS\system32\wpnstrm.dll
C:\WINDOWS\system32\wxvdmod.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}\InprocServer32]
@="C:\\WINDOWS\\system32\\shcfiles.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}\InprocServer32]
@="C:\\WINDOWS\\system32\\wxvdmod.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{69D2565F-8EF5-49F7-A904-FA898EB7539B}"=-
"{25384BE5-C07A-4805-91A9-E751121FD98C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{69D2565F-8EF5-49F7-A904-FA898EB7539B}]
[-HKEY_CLASSES_ROOT\CLSID\{25384BE5-C07A-4805-91A9-E751121FD98C}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/aeycfilt.dll (148 bytes security) (deflated 5%)
adding: dlls/c600lgdm160a.dll (148 bytes security) (deflated 5%)
adding: dlls/djtmsft.dll (148 bytes security) (deflated 4%)
adding: dlls/fpnq0355e.dll (148 bytes security) (deflated 6%)
adding: dlls/hr6q05j5e.dll (148 bytes security) (deflated 5%)
adding: dlls/Ij32_32.dll (148 bytes security) (deflated 5%)
adding: dlls/lhnkinfo.dll (148 bytes security) (deflated 5%)
adding: dlls/NGCOG.DLL (148 bytes security) (deflated 4%)
adding: dlls/q2ps0c77ef.dll (148 bytes security) (deflated 5%)
adding: dlls/r2p80c7uef.dll (148 bytes security) (deflated 5%)
adding: dlls/shcfiles.dll (148 bytes security) (deflated 5%)
adding: dlls/wpnstrm.dll (148 bytes security) (deflated 5%)
adding: dlls/wxvdmod.dll (148 bytes security) (deflated 5%)
adding: backregs/25384BE5-C07A-4805-91A9-E751121FD98C.reg (212 bytes security) (deflated 70%)
adding: backregs/69D2565F-8EF5-49F7-A904-FA898EB7539B.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 63%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

-------------------------------------------------------------------------------------------------

Ewido Report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:29:14 AM, 1/1/2006
+ Report-Checksum: 4A8EECFF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
C:\Documents and Settings\Bing\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-4fbc14ee-54f2230a.class -> Trojan.ClassLoader.c : Cleaned with backup
C:\Documents and Settings\Bing\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-393d648-77449da2.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\Bing\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-488fe19e-3bb376fb.class -> Trojan.Byteverify : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/aeycfilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/c600lgdm160a.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/djtmsft.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/fpnq0355e.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/hr6q05j5e.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/Ij32_32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/lhnkinfo.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/NGCOG.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/q2ps0c77ef.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/r2p80c7uef.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/shcfiles.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/wpnstrm.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\backup.zip/dlls/wxvdmod.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\aeycfilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\c600lgdm160a.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\djtmsft.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\fpnq0355e.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\hr6q05j5e.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\Ij32_32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\lhnkinfo.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\NGCOG.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\q2ps0c77ef.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\r2p80c7uef.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\shcfiles.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\wpnstrm.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Desktop\l2mfix\dlls\wxvdmod.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Bing\Local Settings\Temp\Cookies\bing@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Bing\Local Settings\Temp\Cookies\bing@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Bing\Local Settings\Temp\Cookies\bing@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Bing\Local Settings\Temp\Cookies\bing@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Bing\Local Settings\Temp\Cookies\bing@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Bing\Local Settings\Temp\Temporary Internet Files\Content.IE5\IMV379J8\ysb_prompt[1].htm -> Downloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Bing\Local Settings\Temp\Temporary Internet Files\Content.IE5\YH9SBUVN\free[1].anr -> Downloader.Ani.c : Cleaned with backup
C:\Documents and Settings\Bing\Local Settings\Temporary Internet Files\Content.IE5\6DB01HF7\AppWrap[1].exe -> Spyware.Zestyfind : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@e-2dj6wjk4wmajoao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@marthastewart.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christine\Cookies\christine@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Common Files\VCClient\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1532298954-682003330-1003\Dc5.exe -> Spyware.Zestyfind : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1532298954-682003330-1003\Dc6.com -> Spyware.Zestyfind : Cleaned with backup
C:\WINDOWS\Temp\Cookies\bing@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\bing@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\bing@casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\WINDOWS\Temp\Cookies\bing@partygaming.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\bing@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\bing@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IXOD8TKF\WinAntiVirusPro2006ScannerInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup
D:\Backed up\Backed up April 5 05\Katherine\Cookies\katherine@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
D:\Backed up\Backup Sept 7 2004\Documents and Settings\Katherine\Cookies\katherine@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Backed up\Backup Sept 7 2004\Documents and Settings\Katherine\Cookies\katherine@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
D:\Backed up\Backup Sept 7 2004\Documents and Settings\Katherine\Cookies\katherine@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\Backed up\Backup Sept 7 2004\Documents and Settings\Katherine\Cookies\katherine@ehg-hitent.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\Backed up\Backup Sept 7 2004\Documents and Settings\Katherine\Cookies\katherine@msn-cnet.com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
D:\Backed up\Backup Sept 7 2004\Documents and Settings\Katherine\Cookies\katherine@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
H:\RECYCLER\S-1-5-21-1454471165-1004336348-725345543-1003\Dh3\Cookies\christine@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
H:\RECYCLER\S-1-5-21-1454471165-1004336348-725345543-1003\Dh3\Cookies\christine@ads18.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
H:\RECYCLER\S-1-5-21-1454471165-1004336348-725345543-1003\Dh3\Cookies\christine@ehg-brooksbrothers.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
H:\RECYCLER\S-1-5-21-1454471165-1004336348-725345543-1003\Dh4\Cookies\katherine@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
::Report End


:huh: Thanks Again for being a resource for removal of the spyware!

Edited by Riskykungfu, 01 January 2006 - 01:54 PM.


#7 MFDnSC


Posted 01 January 2006 - 02:18 PM

Download EasyCleaner http://www.majorgeeks.com/download414.html

Use the clear files and Unnecessary files buttons – I do not recommend using the Duplicates files button, as many dupes are there on purpose.

Not all files will delete – that is normal.

In the unnecessary button I check the top 4 entries
========
Empty the recycle bin
========
Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
=========
Get all of these and/or verify you have the current versions

SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS AntiSpy - http://www.microsoft.com/downloads/details...&displaylang=en (XP and W2K only)

Download them (they are free), install them, check each for their definition updates, and then run AdAware, MS AntiSpy (W2k/XP) and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#8 Riskykungfu


Posted 01 January 2006 - 02:54 PM

Thanks for the additional tips!

RKF



