
Look2me And Popups Taking Over...please Help


This topic is locked
15 replies to this topic

#1 Abobo

Posted 25 March 2006 - 12:54 PM

Hello. I am new here. I have read through the guides and also many old posts. I am hoping someone can come to my rescue. It seems it all started with surfsidekick and now I just cannot get rid of whatever is taking over my PC. If there is an internet connection, I get popups constantly. I have run Ad-Aware, Spybot, AVG, and stinger. Ad-Aware finds critical Look2Me objects but cannot remove a .dll file. Every time I reboot, Ad-Aware finds a new .dll file it cannot remove and I still get popups. I removed any suspicious programs using add/remove and have used AVG in safe mode to delete some viruses but still the problem persists. I have posted my HijackThis log below in hopes that someone can save me. Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 12:46:11 PM, on 3/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\WlanCU.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [keyboard] C:\\keyboard2.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad2.exe
O4 - HKLM\..\Run: [newname] C:\\newname2.exe
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Wireless Configuration Utility HW.31.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\lv4m09h1e.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fglorun.exe (file missing)

#2 Rawe

Posted 25 March 2006 - 01:29 PM

Hello and welcome to the site. :thumbsup: Let's get started. You have a couple of infections there.

==

Download and unzip BFUzip from HERE.

Run the program and click the Web button as shown here:

Posted Image

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Check the following boxes:
  • Use settings specified in script for above options.
  • Show log after script ends.
Execute the script by clicking the Execute button.

When it finishes running, click the Save button for a copy of the log. Post the log created by the script when you have completed the fix.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

Hi there, stranger!

#3 Abobo

Posted 25 March 2006 - 01:54 PM

Thanks so much for working with me! Here's that log:


BFU v1.00.9
Windows XP SP1 (WinNT 5.01.2600 SP1)
Script started at 1:51:14 PM, on 3/25/2006

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable Command Service (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FolderDelete C:\DOCUME~1\Evans\LOCALS~1\Temp\Temporary Directory 1 for bfu.zip (operation failed)
Failed: FileDelete C:\DOCUME~1\Evans\LOCALS~1\Temp\~DF2E1B.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

#4 Rawe

Posted 25 March 2006 - 02:05 PM

Hmm.. Please post a fresh HijackThis log. :thumbsup:

The fix might have failed, but then again, we can simply go after the other infection first, then fix the other one.

Hi there, stranger!

#5 Abobo

Posted 25 March 2006 - 02:06 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:05:53 PM, on 3/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\WlanCU.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Wireless Configuration Utility HW.31.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q0nu0a59ed.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fglorun.exe (file missing)
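The two HijackThis logs posted so far show the pattern Abobo describes: the O20 Winlogon Notify slot survives each reboot while the DLL behind it comes back under a new random name (lv4m09h1e.dll in the first log, q0nu0a59ed.dll in the second). The script below is an added triage example, not part of this thread or of HijackThis; it parses the O20 and O23 lines from two constructed log excerpts modelled on those posts and flags the re-registration and the orphaned service entry.

```python
"""Triage two consecutive HijackThis 1.99.1 logs for a re-registering Winlogon Notify DLL.

Added example (not from the thread). The sample logs below are constructed excerpts
modelled on the two logs posted above; only the O20/O23 lines matter to this script.
"""
import re

# Constructed excerpt of the first log (post #1): Notify DLL lv4m09h1e.dll.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\lv4m09h1e.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fglorun.exe (file missing)
"""

# Constructed excerpt of the second log (post #5): same slot, new subkey name and DLL.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q0nu0a59ed.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fglorun.exe (file missing)
"""

# Notify DLLs that ship with Windows XP (the legitimate subkeys seen in an L2MFix dump).
KNOWN_GOOD_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
MISSING = "(file missing)"


def winlogon_notify_entries(log: str) -> dict:
    """Map Winlogon Notify subkey name -> DLL path for every O20 line in the log."""
    entries = {}
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries[m["name"]] = m["path"]
    return entries


def missing_file_services(log: str) -> list:
    """Return (service name, binary path) for O23 services whose binary no longer exists."""
    found = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m and m["path"].endswith(MISSING):
            found.append((m["name"], m["path"][: -len(MISSING)].strip()))
    return found


def alternation_count(stem: str) -> int:
    """Count letter<->digit switches; generated names like lv4m09h1e switch far more than real ones."""
    return sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())


def looks_random(path: str) -> bool:
    """Heuristic: not a known Notify DLL and the file stem alternates letters/digits 3+ times."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in KNOWN_GOOD_NOTIFY_DLLS:
        return False
    stem = name.rsplit(".", 1)[0]
    return alternation_count(stem) >= 3


def triage(before: str, after: str) -> list:
    """Compare two consecutive logs and list the signs of a re-registering Notify DLL."""
    old, new = winlogon_notify_entries(before), winlogon_notify_entries(after)
    findings = []
    for name, path in new.items():
        if looks_random(path):
            findings.append(f"O20 '{name}' loads a random-looking DLL: {path}")
        if name in old and old[name] != path:
            findings.append(f"O20 '{name}' changed DLL since last scan: {old[name]} -> {path}")
        elif name not in old:
            findings.append(f"O20 '{name}' is new since last scan: {path}")
    for name, path in old.items():
        if name not in new:
            findings.append(f"O20 '{name}' ({path}) is gone; Look2Me drops the old name when it re-registers")
    for name, path in missing_file_services(after):
        findings.append(f"O23 service '{name}' points at a missing binary: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(LOG_BEFORE, LOG_AFTER):
        print(finding)
```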

#6 Rawe

Posted 25 March 2006 - 02:16 PM

Next:

Please download the L2MFix by Shadowwar:
  • Save it to your desktop.
  • Double-click l2mfix.exe
  • Click the Install button to extract the files.
  • Follow the prompts, then please open the newly added l2mfix folder on your desktop.
  • Double-click the l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
Copy the contents of that log and paste it into your next reply. :thumbsup:

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to!

Note: if you receive any error messages for CMD or Autoexec.bat, select option 5 from the l2mfix menu and, once at the site, click on the link that applies to your operating system.

Double-click the file it downloads and extract the files to its predetermined System32 folder.

Hi there, stranger!

#7 Abobo

Posted 25 March 2006 - 02:21 PM

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q0nu0a59ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1BB4FE2-3F13-B90F-45F3-EF81266B25B6}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{85657032-CEF7-424B-8735-97548F6C1AC5}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}"=""
"{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}"=""
"{4FBFC114-4B19-4FE5-8D81-861A88CDC189}"=""
"{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}"=""
"{7861223A-6E66-40BD-8377-504D7216205E}"=""
"{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}\InprocServer32]
@="C:\\WINDOWS\\system32\\hK23msp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}\InprocServer32]
@="C:\\WINDOWS\\system32\\tvkwks.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}\InprocServer32]
@="C:\\WINDOWS\\system32\\mkmtapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dqskadp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}\InprocServer32]
@="C:\\WINDOWS\\system32\\mqswch.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ctgbkend.dll Wed Mar 22 2006 7:18:54p ..S.R 233,550 228.07 K
ddime.dll Thu Mar 23 2006 5:20:38p ..S.R 234,891 229.38 K
dtloader.dll Fri Mar 24 2006 8:04:36p ..S.R 234,132 228.64 K
en48l1~1.dll Wed Mar 22 2006 7:12:16p ..S.R 235,391 229.87 K
en82l1~1.dll Thu Mar 16 2006 6:49:14p ..S.R 236,903 231.35 K
enrsl1~1.dll Sat Mar 25 2006 11:08:42a ..S.R 235,509 229.99 K
gdi32.dll Mon Jan 2 2006 5:38:04p A.... 260,608 254.50 K
hvd.dll Sat Mar 25 2006 1:46:34p ..S.R 236,459 230.91 K
ikspolcy.dll Sat Mar 18 2006 10:34:38a ..S.R 235,718 230.19 K
inuv_32.dll Sun Mar 19 2006 5:03:18p ..S.R 236,693 231.14 K
iyspolcy.dll Thu Mar 23 2006 6:19:36p ..S.R 234,733 229.23 K
k0260a~1.dll Sat Mar 25 2006 1:48:32p ..S.R 237,079 231.52 K
kmdgkl.dll Thu Mar 16 2006 8:58:32p ..S.R 235,718 230.19 K
kndhe220.dll Mon Mar 20 2006 7:50:58p ..S.R 236,693 231.14 K
kvdsw.dll Thu Mar 16 2006 6:22:32p ..S.R 235,718 230.19 K
kvdusr.dll Thu Mar 23 2006 6:14:38p ..S.R 233,843 228.36 K
kydycl.dll Thu Mar 23 2006 6:08:54p ..S.R 236,370 230.83 K
lv4209~1.dll Thu Mar 23 2006 6:06:26p ..S.R 236,619 231.07 K
mqswch.dll Sat Mar 25 2006 1:48:32p ..... 236,459 230.91 K
msvcp71.dll Sun Mar 19 2006 1:18:58p A.... 499,712 488.00 K
msvcr71.dll Sun Mar 19 2006 1:18:58p A.... 348,160 340.00 K
oge2disp.dll Fri Mar 24 2006 8:13:16p ..S.R 236,077 230.54 K
oiecli32.dll Fri Mar 24 2006 8:07:28p ..S.R 235,898 230.37 K
q0nu0a~1.dll Sat Mar 25 2006 11:05:40a ..S.R 236,459 230.91 K
qadwipes.dll Wed Mar 22 2006 5:11:00p ..S.R 236,693 231.14 K
sadll.dll Fri Mar 17 2006 6:16:50p ..S.R 235,718 230.19 K
sporder.dll Wed Mar 15 2006 9:12:04p A.... 8,464 8.27 K
szxcoins.dll Wed Mar 22 2006 5:51:30p ..S.R 235,718 230.19 K
uvnp.dll Thu Mar 23 2006 6:40:22p ..S.R 237,019 231.46 K
uximdmat.dll Fri Mar 24 2006 9:35:26p ..S.R 236,469 230.93 K
vfs_ps.dll Wed Mar 22 2006 5:57:44p ..S.R 236,693 231.14 K
wdavusd.dll Wed Mar 22 2006 7:23:56p ..S.R 234,891 229.38 K
wdhcon.dll Wed Mar 22 2006 6:15:18p ..S.R 237,187 231.63 K
webclnt.dll Tue Jan 3 2006 10:37:34p A.... 64,000 62.50 K
widmps.dll Wed Mar 22 2006 7:12:16p ..S.R 233,550 228.07 K
wjnsock.dll Thu Mar 23 2006 6:29:12p ..S.R 236,640 231.09 K
wlcltui.dll Thu Mar 23 2006 6:06:26p ..S.R 236,370 230.83 K
wnn32spl.dll Thu Mar 16 2006 6:31:14p ..S.R 236,903 231.35 K
wznstrm.dll Mon Mar 20 2006 6:40:16p ..S.R 235,718 230.19 K

39 items found: 39 files (33 H/S), 0 directories.
Total of file sizes: 9,201,425 bytes 8.77 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat Mar 25 2006 1:49:32p ..S.R 236,459 230.91 K
setupe~1.tmp Wed Mar 15 2006 9:10:18p A.... 32,768 32.00 K

2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 269,227 bytes 262.91 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 4052-FC14

Directory of C:\WINDOWS\System32

03/25/2006 01:49 PM 236,459 guard.tmp
03/25/2006 01:48 PM 237,079 k0260afsed260.dll
03/25/2006 01:46 PM 236,459 hvd.dll
03/25/2006 11:08 AM 235,509 enrsl1971.dll
03/25/2006 11:05 AM 236,459 q0nu0a59ed.dll
03/24/2006 09:35 PM 236,469 uximdmat.dll
03/24/2006 08:15 PM <DIR> dllcache
03/24/2006 08:13 PM 236,077 oge2disp.dll
03/24/2006 08:07 PM 235,898 oiecli32.dll
03/24/2006 08:04 PM 234,132 dtloader.dll
03/23/2006 06:40 PM 237,019 uvnp.dll
03/23/2006 06:29 PM 236,640 wjnsock.dll
03/23/2006 06:19 PM 234,733 iYspolcy.dll
03/23/2006 06:14 PM 233,843 kvdusr.dll
03/23/2006 06:08 PM 236,370 kydycl.dll
03/23/2006 06:06 PM 236,370 wlcltui.dll
03/23/2006 06:06 PM 236,619 lv4209hoe.dll
03/23/2006 05:20 PM 234,891 ddime.dll
03/22/2006 07:23 PM 234,891 wdavusd.dll
03/22/2006 07:18 PM 233,550 ctgbkend.dll
03/22/2006 07:12 PM 233,550 WIDMPS.dll
03/22/2006 07:12 PM 235,391 en48l1hu1.dll
03/22/2006 06:15 PM 237,187 wdhcon.dll
03/22/2006 05:57 PM 236,693 vfs_ps.dll
03/22/2006 05:51 PM 235,718 szxcoins.dll
03/22/2006 05:10 PM 236,693 qadwipes.dll
03/20/2006 07:50 PM 236,693 kndhe220.dll
03/20/2006 06:40 PM 235,718 wznstrm.dll
03/19/2006 05:03 PM 236,693 inuv_32.dll
03/18/2006 10:34 AM 235,718 iKspolcy.dll
03/17/2006 06:16 PM 235,718 sadll.dll
03/16/2006 08:58 PM 235,718 kmdgkl.dll
03/16/2006 06:49 PM 236,903 en82l1lo1.dll
03/16/2006 06:31 PM 236,903 wnn32spl.dll
03/16/2006 06:22 PM 235,718 kvdsw.dll
01/16/2006 07:19 PM <DIR> Microsoft
34 File(s) 8,020,481 bytes
2 Dir(s) 12,895,076,352 bytes free

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:35 PM

Posted 25 March 2006 - 02:23 PM

Before fixing there is something you must do:
  • Print this, or save as text into a convenient location.
  • Click Start -> Run and type in: services.msc
  • Check that the following services are running and that their startup is set to automatic:
  • Seclogon, or Secondary logon service
  • Next your machine needs to be offline, manually disconnect the network cable if necessary.
  • Your antivirus, and every other security software MUST be disabled.
==

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Reconnect back to the Internet. Copy the contents of that log and paste it back into this thread, along with a fresh HijackThis log, and we'll clean up what's left. :thumbsup:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
Hi there, stranger!

#9 Abobo

Abobo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:35 PM

Posted 25 March 2006 - 02:36 PM

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 484 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 564 'winlogon.exe'
Killing PID 564 'winlogon.exe'
Killing PID 564 'winlogon.exe'
Killing PID 564 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1500 'explorer.exe'
Killing PID 1500 'explorer.exe'
Killing PID 1500 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 128 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\ctgbkend.dll
Successfully Deleted: C:\WINDOWS\system32\ctgbkend.dll
Deleting: C:\WINDOWS\system32\ddime.dll
Successfully Deleted: C:\WINDOWS\system32\ddime.dll
Deleting: C:\WINDOWS\system32\dtloader.dll
Successfully Deleted: C:\WINDOWS\system32\dtloader.dll
Deleting: C:\WINDOWS\system32\en48l1hu1.dll
Successfully Deleted: C:\WINDOWS\system32\en48l1hu1.dll
Deleting: C:\WINDOWS\system32\en82l1lo1.dll
Successfully Deleted: C:\WINDOWS\system32\en82l1lo1.dll
Deleting: C:\WINDOWS\system32\enrsl1971.dll
Successfully Deleted: C:\WINDOWS\system32\enrsl1971.dll
Deleting: C:\WINDOWS\system32\hvd.dll
Successfully Deleted: C:\WINDOWS\system32\hvd.dll
Deleting: C:\WINDOWS\system32\iKspolcy.dll
Successfully Deleted: C:\WINDOWS\system32\iKspolcy.dll
Deleting: C:\WINDOWS\system32\inuv_32.dll
Successfully Deleted: C:\WINDOWS\system32\inuv_32.dll
Deleting: C:\WINDOWS\system32\iYspolcy.dll
Successfully Deleted: C:\WINDOWS\system32\iYspolcy.dll
Deleting: C:\WINDOWS\system32\k0260afsed260.dll
Successfully Deleted: C:\WINDOWS\system32\k0260afsed260.dll
Deleting: C:\WINDOWS\system32\kmdgkl.dll
Successfully Deleted: C:\WINDOWS\system32\kmdgkl.dll
Deleting: C:\WINDOWS\system32\kndhe220.dll
Successfully Deleted: C:\WINDOWS\system32\kndhe220.dll
Deleting: C:\WINDOWS\system32\kvdsw.dll
Successfully Deleted: C:\WINDOWS\system32\kvdsw.dll
Deleting: C:\WINDOWS\system32\kvdusr.dll
Successfully Deleted: C:\WINDOWS\system32\kvdusr.dll
Deleting: C:\WINDOWS\system32\kydycl.dll
Successfully Deleted: C:\WINDOWS\system32\kydycl.dll
Deleting: C:\WINDOWS\system32\lv4209hoe.dll
Successfully Deleted: C:\WINDOWS\system32\lv4209hoe.dll
Deleting: C:\WINDOWS\system32\mqswch.dll
Successfully Deleted: C:\WINDOWS\system32\mqswch.dll
Deleting: C:\WINDOWS\system32\oge2disp.dll
Successfully Deleted: C:\WINDOWS\system32\oge2disp.dll
Deleting: C:\WINDOWS\system32\oiecli32.dll
Successfully Deleted: C:\WINDOWS\system32\oiecli32.dll
Deleting: C:\WINDOWS\system32\q0nu0a59ed.dll
Successfully Deleted: C:\WINDOWS\system32\q0nu0a59ed.dll
Deleting: C:\WINDOWS\system32\qadwipes.dll
Successfully Deleted: C:\WINDOWS\system32\qadwipes.dll
Deleting: C:\WINDOWS\system32\sadll.dll
Successfully Deleted: C:\WINDOWS\system32\sadll.dll
Deleting: C:\WINDOWS\system32\szxcoins.dll
Successfully Deleted: C:\WINDOWS\system32\szxcoins.dll
Deleting: C:\WINDOWS\system32\uvnp.dll
Successfully Deleted: C:\WINDOWS\system32\uvnp.dll
Deleting: C:\WINDOWS\system32\uximdmat.dll
Successfully Deleted: C:\WINDOWS\system32\uximdmat.dll
Deleting: C:\WINDOWS\system32\vfs_ps.dll
Successfully Deleted: C:\WINDOWS\system32\vfs_ps.dll
Deleting: C:\WINDOWS\system32\wdavusd.dll
Successfully Deleted: C:\WINDOWS\system32\wdavusd.dll
Deleting: C:\WINDOWS\system32\wdhcon.dll
Successfully Deleted: C:\WINDOWS\system32\wdhcon.dll
Deleting: C:\WINDOWS\system32\WIDMPS.dll
Successfully Deleted: C:\WINDOWS\system32\WIDMPS.dll
Deleting: C:\WINDOWS\system32\wjnsock.dll
Successfully Deleted: C:\WINDOWS\system32\wjnsock.dll
Deleting: C:\WINDOWS\system32\wlcltui.dll
Successfully Deleted: C:\WINDOWS\system32\wlcltui.dll
Deleting: C:\WINDOWS\system32\wnn32spl.dll
Successfully Deleted: C:\WINDOWS\system32\wnn32spl.dll
Deleting: C:\WINDOWS\system32\wznstrm.dll
Successfully Deleted: C:\WINDOWS\system32\wznstrm.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q0nu0a59ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ctgbkend.dll
C:\WINDOWS\system32\ddime.dll
C:\WINDOWS\system32\dtloader.dll
C:\WINDOWS\system32\en48l1hu1.dll
C:\WINDOWS\system32\en82l1lo1.dll
C:\WINDOWS\system32\enrsl1971.dll
C:\WINDOWS\system32\hvd.dll
C:\WINDOWS\system32\iKspolcy.dll
C:\WINDOWS\system32\inuv_32.dll
C:\WINDOWS\system32\iYspolcy.dll
C:\WINDOWS\system32\k0260afsed260.dll
C:\WINDOWS\system32\kmdgkl.dll
C:\WINDOWS\system32\kndhe220.dll
C:\WINDOWS\system32\kvdsw.dll
C:\WINDOWS\system32\kvdusr.dll
C:\WINDOWS\system32\kydycl.dll
C:\WINDOWS\system32\lv4209hoe.dll
C:\WINDOWS\system32\mqswch.dll
C:\WINDOWS\system32\oge2disp.dll
C:\WINDOWS\system32\oiecli32.dll
C:\WINDOWS\system32\q0nu0a59ed.dll
C:\WINDOWS\system32\qadwipes.dll
C:\WINDOWS\system32\sadll.dll
C:\WINDOWS\system32\szxcoins.dll
C:\WINDOWS\system32\uvnp.dll
C:\WINDOWS\system32\uximdmat.dll
C:\WINDOWS\system32\vfs_ps.dll
C:\WINDOWS\system32\wdavusd.dll
C:\WINDOWS\system32\wdhcon.dll
C:\WINDOWS\system32\WIDMPS.dll
C:\WINDOWS\system32\wjnsock.dll
C:\WINDOWS\system32\wlcltui.dll
C:\WINDOWS\system32\wnn32spl.dll
C:\WINDOWS\system32\wznstrm.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}\InprocServer32]
@="C:\\WINDOWS\\system32\\hK23msp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}\InprocServer32]
@="C:\\WINDOWS\\system32\\tvkwks.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}\InprocServer32]
@="C:\\WINDOWS\\system32\\mkmtapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dqskadp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}\InprocServer32]
@="C:\\WINDOWS\\system32\\mqswch.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{85657032-CEF7-424B-8735-97548F6C1AC5}"=-
"{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}"=-
"{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}"=-
"{4FBFC114-4B19-4FE5-8D81-861A88CDC189}"=-
"{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}"=-
"{7861223A-6E66-40BD-8377-504D7216205E}"=-
"{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}"=-
[-HKEY_CLASSES_ROOT\CLSID\{85657032-CEF7-424B-8735-97548F6C1AC5}]
[-HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}]
[-HKEY_CLASSES_ROOT\CLSID\{09052F20-C7F9-4E1B-A8B1-FB41BBE72C76}]
[-HKEY_CLASSES_ROOT\CLSID\{4FBFC114-4B19-4FE5-8D81-861A88CDC189}]
[-HKEY_CLASSES_ROOT\CLSID\{F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77}]
[-HKEY_CLASSES_ROOT\CLSID\{7861223A-6E66-40BD-8377-504D7216205E}]
[-HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/ctgbkend.dll (164 bytes security) (deflated 4%)
adding: dlls/ddime.dll (164 bytes security) (deflated 5%)
adding: dlls/dtloader.dll (164 bytes security) (deflated 5%)
adding: dlls/en48l1hu1.dll (164 bytes security) (deflated 5%)
adding: dlls/en82l1lo1.dll (164 bytes security) (deflated 5%)
adding: dlls/enrsl1971.dll (164 bytes security) (deflated 5%)
adding: dlls/guard.tmp (164 bytes security) (deflated 5%)
adding: dlls/hvd.dll (164 bytes security) (deflated 5%)
adding: dlls/iKspolcy.dll (164 bytes security) (deflated 5%)
adding: dlls/inuv_32.dll (164 bytes security) (deflated 5%)
adding: dlls/iYspolcy.dll (164 bytes security) (deflated 5%)
adding: dlls/k0260afsed260.dll (164 bytes security) (deflated 6%)
adding: dlls/kmdgkl.dll (164 bytes security) (deflated 5%)
adding: dlls/kndhe220.dll (164 bytes security) (deflated 5%)
adding: dlls/kvdsw.dll (164 bytes security) (deflated 5%)
adding: dlls/kvdusr.dll (164 bytes security) (deflated 4%)
adding: dlls/kydycl.dll (164 bytes security) (deflated 5%)
adding: dlls/lv4209hoe.dll (164 bytes security) (deflated 6%)
adding: dlls/mqswch.dll (164 bytes security) (deflated 5%)
adding: dlls/oge2disp.dll (164 bytes security) (deflated 5%)
adding: dlls/oiecli32.dll (164 bytes security) (deflated 5%)
adding: dlls/q0nu0a59ed.dll (164 bytes security) (deflated 5%)
adding: dlls/qadwipes.dll (164 bytes security) (deflated 5%)
adding: dlls/sadll.dll (164 bytes security) (deflated 5%)
adding: dlls/szxcoins.dll (164 bytes security) (deflated 5%)
adding: dlls/uvnp.dll (164 bytes security) (deflated 6%)
adding: dlls/uximdmat.dll (164 bytes security) (deflated 5%)
adding: dlls/vfs_ps.dll (164 bytes security) (deflated 5%)
adding: dlls/wdavusd.dll (164 bytes security) (deflated 5%)
adding: dlls/wdhcon.dll (164 bytes security) (deflated 5%)
adding: dlls/WIDMPS.dll (164 bytes security) (deflated 4%)
adding: dlls/wjnsock.dll (164 bytes security) (deflated 6%)
adding: dlls/wlcltui.dll (164 bytes security) (deflated 5%)
adding: dlls/wnn32spl.dll (164 bytes security) (deflated 5%)
adding: dlls/wznstrm.dll (164 bytes security) (deflated 5%)
adding: backregs/09052F20-C7F9-4E1B-A8B1-FB41BBE72C76.reg (188 bytes security) (deflated 70%)
adding: backregs/1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7.reg (188 bytes security) (deflated 70%)
adding: backregs/4FBFC114-4B19-4FE5-8D81-861A88CDC189.reg (188 bytes security) (deflated 70%)
adding: backregs/7861223A-6E66-40BD-8377-504D7216205E.reg (188 bytes security) (deflated 70%)
adding: backregs/85657032-CEF7-424B-8735-97548F6C1AC5.reg (188 bytes security) (deflated 70%)
adding: backregs/C939B3EC-3B81-401F-BA8E-ADFB8F338CCF.reg (188 bytes security) (deflated 70%)
adding: backregs/F0AACB2A-9A49-4C3A-A2C7-F417BB43AA77.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

and hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:00 PM, on 3/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\WlanCU.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Wireless Configuration Utility HW.31.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q0nu0a59ed.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fglorun.exe (file missing)

thanks so much again for helping me out.
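The two registry dumps in this thread (the HKEY ROOT CLASSIDS and Shell Extensions\Approved export from the option 1 scan, and the Winlogon Notify export in the option 2 log above) show the Look2Me pattern that l2mfix keys on: COM classes whose InprocServer32 is a random DLL (or a .tmp file) in system32, approved as shell extensions with an empty description, plus a Winlogon Notify package registered by full path where the stock packages use bare module names. The script below is an added example, not code from the thread or from l2mfix, that parses a .reg export of that shape and flags those patterns; the sample export is constructed from values shown in the thread plus one made-up benign Approved entry, and the heuristics are the editor's, not l2mfix's own logic.

```python
"""Triage a Windows .reg export for Look2Me-style persistence (added example)."""
import re

# Constructed sample: values taken from the thread's exports plus one made-up benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}"=""
"{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}"=""
"{00000000-0000-0000-0000-000000000001}"="Constructed benign shell extension"

[HKEY_CLASSES_ROOT\CLSID\{C939B3EC-3B81-401F-BA8E-ADFB8F338CCF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1F5FD55B-5482-4AAF-8C38-8A5B6AAD8CC7}\InprocServer32]
@="C:\\WINDOWS\\system32\\mqswch.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q0nu0a59ed.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
'''


def _decode(raw):
    """Decode one .reg value: quoted string, dword, REG_EXPAND_SZ hex(2), or '-' deletion marker."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")   # UTF-16LE, NUL-terminated
    return None if raw == "-" else raw


def parse_reg(text):
    """Return {key_path: {value_name_lowercased: value}}; '@' is the key's default value."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        while line.endswith("\\") and i < len(lines):   # hex values continue on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, raw = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"').lower()   # value names are case-insensitive
        keys[current][name] = _decode(raw)
    return keys


SYSTEM32 = "c:\\windows\\system32\\"
CLSID_SERVER = re.compile(r"^hkey_classes_root\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$")


def triage(keys):
    """Return [(name, target, reason)] for entries matching the Look2Me patterns (editor's heuristics)."""
    approved = {}
    for path, values in keys.items():
        if path.lower().endswith("\\shell extensions\\approved"):
            approved.update(values)
    findings = []
    for path, values in keys.items():
        low = path.lower()
        m = CLSID_SERVER.match(low)
        if m:
            clsid, server = m.group(1), values.get("@", "")
            reasons = []
            if server.lower().endswith(".tmp"):
                reasons.append("InprocServer32 is a .tmp file")
            if server.lower().startswith(SYSTEM32) and approved.get(clsid) == "":
                reasons.append("approved shell extension with empty description, server in system32")
            if reasons:
                findings.append((clsid, server, "; ".join(reasons)))
        elif "\\winlogon\\notify\\" in low:
            dll = values.get("dllname", "")
            if "\\" in dll:   # stock packages register bare module names such as wlnotify.dll
                findings.append((path.rsplit("\\", 1)[1], dll, "Winlogon Notify package registered by full path"))
    return findings


def run_sample():
    return triage(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    for name, target, reason in run_sample():
        print(f"{name}: {target}  [{reason}]")
```

On the constructed export this reports the guard.tmp and mqswch.dll classes and the App Management notify package, and passes crypt32chain, whose DllName is stored as REG_EXPAND_SZ hex and decodes to the bare name crypt32.dll. Against a live export (`reg export HKCR\CLSID` and the Winlogon\Notify key) the same parser applies unchanged; the heuristics are deliberately narrow so that legitimate shell extensions with a description are never flagged.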

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:35 PM

Posted 25 March 2006 - 02:59 PM

Nice job! :thumbsup:

==

Please run a scan with HijackThis and check the following objects for removal:

R3 - Default URLSearchHook is missing
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q0nu0a59ed.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fglorun.exe (file missing)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED.

==

Next, click Start -> Run and type in: sc delete Windows Overlay Components

Hit ok and reboot.

==

Post back with a fresh log and let me know how's the system running now. :flowers:
Hi there, stranger!
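The three lines Rawe picks out above are each an orphaned or missing hook: a default URLSearchHook that is gone, a Winlogon Notify package whose DLL no longer exists, and a service with no publisher whose binary no longer exists. The script below is an added example, not from the thread or from HijackThis, that applies exactly those three criteria to HijackThis log lines and builds the `sc delete` command for the service; the sample lines are constructed from the log posted above. Note that a service name containing spaces has to be quoted when passed to `sc`.

```python
"""Select HijackThis lines matching the helper's three removal criteria (added example)."""
import re

# Constructed sample: lines taken from the HijackThis log in the thread.
SAMPLE_HJT = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: App Management - C:\\WINDOWS\\system32\\q0nu0a59ed.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\\WINDOWS\\fglorun.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<tag>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Yield (tag, body) for each HijackThis result line; header lines do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("tag"), m.group("body")


def should_fix(tag, body):
    """Return the reason a line meets one of the three criteria, or None."""
    if tag == "R3" and body == "Default URLSearchHook is missing":
        return "default URLSearchHook missing; fixing restores the stock entry"
    if tag == "O20" and body.endswith("(file missing)"):
        return "Winlogon Notify package whose DLL no longer exists"
    if tag == "O23" and "Unknown owner" in body and body.endswith("(file missing)"):
        return "service with no publisher whose binary no longer exists"
    return None


def triage(text):
    """Return [(tag, body, reason)] for the lines that should be checked for FIX CHECKED."""
    return [(tag, body, reason) for tag, body in parse_hjt(text)
            if (reason := should_fix(tag, body))]


def service_name(o23_body):
    """Service name from an O23 body ('Service: NAME - owner - path')."""
    return o23_body.split(" - ")[0].removeprefix("Service: ").strip()


def sc_delete_command(o23_body):
    """Command that removes the orphaned service registration; quotes are needed for names with spaces."""
    return f'sc delete "{service_name(o23_body)}"'


if __name__ == "__main__":
    for tag, body, reason in triage(SAMPLE_HJT):
        print(f"{tag}: {body}\n    -> {reason}")
        if tag == "O23":
            print("    ->", sc_delete_command(body))
```

The AVG service line is left alone because it has a publisher and an existing binary; only the "Unknown owner ... (file missing)" combination is selected. HijackThis removes the O23 registry entry when fixed, but the service definition itself is what `sc delete` clears, which is why Rawe follows the fix with that command.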

#11 Abobo

Abobo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:35 PM

Posted 25 March 2006 - 03:09 PM

I can't thank you enough. I haven't had a popup ad since I ran option 2 of l2mfix.bat! It feels good. Let me know if there's anything else I can do and again, THANK YOU!


Logfile of HijackThis v1.99.1
Scan saved at 3:06:23 PM, on 3/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\WlanCU.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Wireless Configuration Utility HW.31.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Pen Size Wireless USB 2.0 Adapter HW.31 V.1.00\WlanCU.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:35 PM

Posted 25 March 2006 - 03:38 PM

There's something I want to check.. If that is fine, then we can go on to preventive maintenance and tips :thumbsup:

Download and save Blacklight to your desktop:
  • Double-click blbeta.exe.
  • Accept the agreement.
  • Click Scan.
  • Click Next.
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there.

#13 Abobo

Abobo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 25 March 2006 - 04:10 PM

03/25/06 16:07:34 [Info]: BlackLight Engine 1.0.33 initialized
03/25/06 16:07:34 [Info]: OS: 5.1 build 2600 (Service Pack 1)
03/25/06 16:07:35 [Note]: 7019 4
03/25/06 16:07:35 [Note]: 7005 0
03/25/06 16:07:50 [Note]: 7006 0
03/25/06 16:07:50 [Note]: 7011 1388
03/25/06 16:07:50 [Note]: FSRAW library version 1.7.1015

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:35 PM

Posted 25 March 2006 - 04:12 PM

Just as I thought.. It's all fine. :thumbsup:

Glad I was able to help.

==


First priority: Install Service Pack 2 by visiting WindowsUpdates. After you have installed it, reboot, download & install ALL the available critical updates. Then some more preventive maintenance:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)
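The HOSTS-file tip above works by mapping each ad host to 127.0.0.1, so the browser connects to the local machine instead of the ad server. The script below is an added example (not part of this thread, and not the MVPS file itself) that parses a HOSTS file the way the Windows resolver reads it and reports which names are sunk. The sample file and its hostnames are constructed for the example; it also shows the one limitation worth knowing: a HOSTS file has no wildcards, so a blocked domain does not cover its subdomains.

```python
"""
Added example: how a HOSTS-file blocklist (MVPS-style) blocks ad hosts.
Each line maps a hostname to 127.0.0.1 (loopback) or 0.0.0.0, so lookups
for that name never reach the real server.  The sample below is
constructed for this example; the hostnames are placeholders.
"""
import ipaddress

# Constructed sample in HOSTS-file syntax: '#' comments, blank lines,
# tabs or spaces, and several hostnames on one line are all valid.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not the real MVPS file)
127.0.0.1       localhost
127.0.0.1  ads.example.invalid  # example ad server
127.0.0.1\tpopups.example.invalid tracker.example.invalid
0.0.0.0   beacon.example.invalid
192.0.2.10  intranet.example.invalid   # a genuine mapping, not a block
"""

SINK_ADDRESSES = {ipaddress.ip_address("127.0.0.1"),
                  ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text):
    """Return {hostname: ip} for every mapping in a HOSTS file.

    Comments (from '#' to end of line) and blank lines are skipped.
    Hostnames are case-insensitive, so they are lower-cased.  The
    resolver uses the first matching line, so the first mapping seen
    for a name is kept and later duplicates are ignored.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver skips it as well
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def _is_sunk(name, ip):
    # 'localhost' legitimately maps to loopback and is not a block entry.
    return ip in SINK_ADDRESSES and name != "localhost"


def blocked_hosts(mapping):
    """Sorted list of hostnames the file sinks to loopback or 0.0.0.0."""
    return sorted(h for h, ip in mapping.items() if _is_sunk(h, ip))


def is_blocked(hostname, mapping):
    """True if the HOSTS file keeps the browser from reaching hostname.

    There is no wildcard matching: blocking 'ads.example.invalid' says
    nothing about 'cdn.ads.example.invalid', which is why such lists are
    long and need regular updates.
    """
    name = hostname.lower()
    ip = mapping.get(name)
    return ip is not None and _is_sunk(name, ip)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_hosts(hosts))
    for name in ("ADS.example.invalid", "cdn.ads.example.invalid",
                 "intranet.example.invalid"):
        state = "blocked" if is_blocked(name, hosts) else "reachable"
        print(f"{name}: {state}")
```

On a real machine the file lives at C:\WINDOWS\system32\drivers\etc\hosts; reading it with the same parser and comparing against a known-good copy is a quick way to spot entries a hijacker added (for instance a mapping that sends an antivirus update host somewhere other than loopback).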

#15 Abobo

Abobo
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 25 March 2006 - 04:19 PM

Thanks so much. I am eternally grateful. Enjoy your Saturday night!



