Please Help Me, Thankyou :)


  • This topic is locked
16 replies to this topic

#1 bob1010

Posted 20 July 2006 - 09:15 PM

This is his HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:16 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jamie Tucker.JAMIE\Local Settings\Temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qyyll.exe
F2 - REG:system.ini: UserInit=userinit.exe,cugovyy.exe
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [defender] C:\\dfndrdd_6.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrddd_6.exe
O4 - HKLM\..\Run: [ms03592591942] C:\WINDOWS\ms03592591942.exe
O4 - HKLM\..\Run: [oqicfa97] RUNDLL32.EXE w00dc9f7.dll,n 001cfa960000000300dc9f7
O4 - HKLM\..\Run: [w00e2c2c.dll] RUNDLL32.EXE w00e2c2c.dll,I2 001cfa96000e2c2c
O4 - HKLM\..\Run: [newname] C:\\nwnmdd_6.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [wikr] c:\stub_113_4_0_4_0newer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144890534217
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144890011983
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\q6ps0g77e6.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Network Station Task Manager (TSKIB) - Unknown owner - C:\WINDOWS\taskib.exe

#2 pomp

Posted 20 July 2006 - 09:33 PM

Hello.

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
  • Unzip all files to a convenient location such as C:\Qoofix.
  • Go to the folder where you unzipped the files and run Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If an infection has been found, select yes to restart your computer.
Then:

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe, C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..", then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


Please post the contents of the qoofix logfile and the l2mfix logfile




#3 bob1010

Posted 21 July 2006 - 01:26 PM

Thanks so much for the fast reply pomp. :thumbsup:

Here are his results:

Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [7/21/2006] at [2:05:45 PM]
-------------------------------------------------------------
Terminated module: hwhhcck.dll found in Qoofix.exe (988)
Terminated module: hwhhcck.dll found in rundll32.exe (488)
Terminated module: hwhhcck.dll found in bpihlt.exe (572)
Terminated module: hwhhcck.dll found in explorer.exe (580)
Terminated module: hwhhcck.dll found in qyyll.exe (588)
Terminated module: hwhhcck.dll found in qyyll.exe (612)
Terminated module: hwhhcck.dll found in qyyll.exe (620)
Terminated module: hwhhcck.dll found in iexplore.exe (792)
-------------------------------------------------------------
C:\WINDOWS\system32\bpihlt.exe will be deleted on reboot!
C:\WINDOWS\system32\cugovyy.exe will be deleted on reboot!
C:\WINDOWS\system32\gnwkw.dat will be deleted on reboot!
C:\WINDOWS\system32\hwhhcck.dll will be deleted on reboot!
C:\WINDOWS\system32\qyyll.exe will be deleted on reboot!
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\swtir.exe will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [7/21/2006] at [2:08:26 PM]

Note: Some registry keys may have been removed.




L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en62l1jo1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CBDFD7F-99EE-93B9-CEBD-4908317B0D13}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{BA0F41FF-1AB6-4E23-BB65-44A1B35C86AE}"=""
"{8EDB5C7E-77B1-4BA2-8645-D23B26885F6B}"=""
"{0F7ED6BF-2051-4641-A79A-8CA6635AF504}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{DBA3EDB9-E85C-4AD6-B1A2-09D9A29DE895}"=""
"{B60D1703-8331-497F-A56B-E44E90F7D8D9}"=""
"{5D1A942A-83F3-495E-9D8A-35507B96D7C0}"=""
"{A8BB82B6-DB90-49E9-9442-63CE943B52FF}"=""
"{353E74E8-2EDA-4094-8C35-CFA57FF668B6}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BA0F41FF-1AB6-4E23-BB65-44A1B35C86AE}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{BA0F41FF-1AB6-4E23-BB65-44A1B35C86AE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA0F41FF-1AB6-4E23-BB65-44A1B35C86AE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA0F41FF-1AB6-4E23-BB65-44A1B35C86AE}\InprocServer32]
@="C:\\WINDOWS\\system32\\mhvidc32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8EDB5C7E-77B1-4BA2-8645-D23B26885F6B}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{8EDB5C7E-77B1-4BA2-8645-D23B26885F6B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8EDB5C7E-77B1-4BA2-8645-D23B26885F6B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8EDB5C7E-77B1-4BA2-8645-D23B26885F6B}\InprocServer32]
@="C:\\WINDOWS\\system32\\wbpencen.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0F7ED6BF-2051-4641-A79A-8CA6635AF504}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{0F7ED6BF-2051-4641-A79A-8CA6635AF504}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0F7ED6BF-2051-4641-A79A-8CA6635AF504}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0F7ED6BF-2051-4641-A79A-8CA6635AF504}\InprocServer32]
@="C:\\WINDOWS\\system32\\xfob2res.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DBA3EDB9-E85C-4AD6-B1A2-09D9A29DE895}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DBA3EDB9-E85C-4AD6-B1A2-09D9A29DE895}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DBA3EDB9-E85C-4AD6-B1A2-09D9A29DE895}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DBA3EDB9-E85C-4AD6-B1A2-09D9A29DE895}\InprocServer32]
"ThreadingModel"="Apartment"
@="C:\\WINDOWS\\system32\\qhdwipes.dll"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B60D1703-8331-497F-A56B-E44E90F7D8D9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B60D1703-8331-497F-A56B-E44E90F7D8D9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B60D1703-8331-497F-A56B-E44E90F7D8D9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B60D1703-8331-497F-A56B-E44E90F7D8D9}\InprocServer32]
"ThreadingModel"="Apartment"
@="C:\\WINDOWS\\system32\\fpamebuf.dll"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5D1A942A-83F3-495E-9D8A-35507B96D7C0}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{5D1A942A-83F3-495E-9D8A-35507B96D7C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5D1A942A-83F3-495E-9D8A-35507B96D7C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5D1A942A-83F3-495E-9D8A-35507B96D7C0}\InprocServer32]
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A8BB82B6-DB90-49E9-9442-63CE943B52FF}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{A8BB82B6-DB90-49E9-9442-63CE943B52FF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A8BB82B6-DB90-49E9-9442-63CE943B52FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A8BB82B6-DB90-49E9-9442-63CE943B52FF}\InprocServer32]
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{353E74E8-2EDA-4094-8C35-CFA57FF668B6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{353E74E8-2EDA-4094-8C35-CFA57FF668B6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{353E74E8-2EDA-4094-8C35-CFA57FF668B6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{353E74E8-2EDA-4094-8C35-CFA57FF668B6}\InprocServer32]
@="C:\\WINDOWS\\system32\\smsinv.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aza4la~1.dll Thu Jul 20 2006 9:27:08p ..S.R 235,784 230.26 K
battyrun.dll Thu Jun 29 2006 10:07:36a A.... 61,440 60.00 K
browseui.dll Wed May 10 2006 1:23:00a A.... 1,022,976 999.00 K
cdfview.dll Wed May 10 2006 1:23:00a A.... 151,040 147.50 K
danim.dll Wed May 10 2006 1:23:00a A.... 1,054,208 1.00 M
dbdramp.dll Thu Jul 20 2006 9:05:22p ..S.R 236,945 231.39 K
dhcpcsvc.dll Fri May 19 2006 8:59:42a A.... 111,616 109.00 K
dnsapi.dll Fri May 19 2006 8:59:42a A.... 148,480 145.00 K
donbjnli.dll Wed Jul 19 2006 8:31:22p A.... 69,632 68.00 K
dxtmsft.dll Wed May 10 2006 1:23:00a A.... 357,888 349.50 K
dxtrans.dll Wed May 10 2006 1:23:00a A.... 205,312 200.50 K
en62l1~1.dll Fri Jul 21 2006 2:00:56p ..S.R 237,141 231.58 K
extmgr.dll Wed May 10 2006 1:23:00a ..... 55,808 54.50 K
f4l02e~1.dll Wed Jul 19 2006 8:57:10p ..S.R 236,306 230.77 K
fp2003~1.dll Thu Jul 20 2006 6:19:28p ..S.R 236,968 231.41 K
fp6203~1.dll Thu Jul 20 2006 9:15:32p ..S.R 234,251 228.76 K
fpamebuf.dll Fri Jul 21 2006 2:09:40p ..S.R 237,141 231.58 K
g6400g~1.dll Wed Jul 19 2006 10:50:50p ..S.R 236,839 231.29 K
g640lg~1.dll Fri Jul 21 2006 7:34:06a ..S.R 236,926 231.37 K
gp4ol3~1.dll Wed Jul 19 2006 8:58:54p ..S.R 235,615 230.09 K
gplsl3~1.dll Thu Jul 20 2006 10:53:36p ..S.R 234,114 228.63 K
hr2005~1.dll Fri Jul 21 2006 2:09:40p ..S.R 237,166 231.61 K
i0lo0a~1.dll Wed Jul 19 2006 10:19:02p ..S.R 235,948 230.42 K
ibfgnt5.dll Thu Jul 20 2006 9:19:14p A.... 234,272 228.78 K
iepeers.dll Wed May 10 2006 1:23:00a A.... 251,392 245.50 K
ijpeers.dll Thu Jul 20 2006 9:19:22p A.... 234,272 228.78 K
inseng.dll Wed May 10 2006 1:23:00a A.... 96,256 94.00 K
iphlpapi.dll Fri May 19 2006 8:59:42a A.... 94,720 92.50 K
irn8l5~1.dll Thu Jul 20 2006 6:08:12p ..S.R 234,175 228.68 K
ixsrad.dll Wed Jul 19 2006 10:23:16p ..S.R 235,618 230.09 K
jgdw400.dll Thu Jun 1 2006 2:47:08p A.... 163,840 160.00 K
jgpl400.dll Thu Jun 1 2006 2:47:08p A.... 27,648 27.00 K
jpmneekf.dll Wed Jul 19 2006 8:31:56p A.... 69,632 68.00 K
jscript.dll Thu May 18 2006 1:24:26a A.... 450,560 440.00 K
jsproxy.dll Wed May 10 2006 1:23:00a A.... 16,384 16.00 K
jtsh400.dll Thu Jul 20 2006 9:32:32p ..S.R 233,988 228.50 K
kqdda.dll Thu Jul 20 2006 6:19:28p ..S.R 236,945 231.39 K
l4n40e~1.dll Wed Jul 19 2006 8:58:52p ..S.R 234,726 229.22 K
legitc~1.dll Mon Jun 19 2006 4:19:42p A.... 571,184 557.80 K
mcgina.dll Thu Jul 20 2006 9:27:08p ..S.R 233,988 228.50 K
mjwmdm.dll Thu Jul 20 2006 6:08:12p ..S.R 236,945 231.39 K
mshtml.dll Fri May 19 2006 11:08:32a A.... 3,052,544 2.91 M
mshtmled.dll Wed May 10 2006 1:23:02a A.... 448,512 438.00 K
msrating.dll Wed May 10 2006 1:23:02a A.... 146,432 143.00 K
mstime.dll Wed May 10 2006 1:23:02a A.... 532,480 520.00 K
mvjul9~1.dll Thu Jul 20 2006 10:20:26p ..S.R 234,207 228.71 K
ndprovau.dll Wed Jul 19 2006 10:50:50p ..S.R 236,793 231.24 K
nodeip~1.dll Tue Jun 20 2006 8:55:26p A.... 389,120 380.00 K
o284lc~1.dll Thu Jul 20 2006 10:37:40p ..S.R 233,989 228.50 K
oqicfa97.dll Wed Jul 19 2006 8:28:06p A.... 61,440 60.00 K
pep.dll Fri Jul 21 2006 7:34:06a ..S.R 235,880 230.35 K
pngfilt.dll Wed May 10 2006 1:23:02a A.... 39,424 38.50 K
qhdwipes.dll Thu Jul 20 2006 9:15:32p ..S.R 233,988 228.50 K
r0p8la~1.dll Thu Jul 20 2006 9:05:22p ..S.R 234,183 228.69 K
rasmans.dll Sun May 14 2006 4:44:08a A.... 181,248 177.00 K
rmsser.dll Thu Jul 20 2006 10:53:36p ..S.R 235,880 230.35 K
s8880i~1.dll Thu Jul 20 2006 10:09:32p ..S.R 236,768 231.22 K
shdocvw.dll Mon May 29 2006 11:30:34a A.... 1,494,016 1.42 M
shlwapi.dll Wed May 10 2006 1:23:02a A.... 474,112 463.00 K
smsinv.dll Thu Jul 20 2006 10:14:00p ..S.R 235,880 230.35 K
sporder.dll Wed Jul 19 2006 8:39:56p A.... 8,464 8.27 K
urlmon.dll Wed May 10 2006 1:23:02a A.... 613,888 599.50 K
uutfs.dll Fri Jul 21 2006 2:00:56p ..S.R 235,880 230.35 K
vbsapi.dll Thu Jul 20 2006 9:55:10p ..S.R 234,279 228.79 K
w00dc9f7.dll Wed Jul 19 2006 8:27:56p A.... 29,696 29.00 K
w00e2c2c.dll Wed Jul 19 2006 8:28:28p A.... 51,712 50.50 K
w011313e.dll Wed Jul 19 2006 8:31:38p A.... 51,712 50.50 K
wgalogon.dll Mon Jun 19 2006 4:20:42p A.... 702,768 686.30 K
wininet.dll Wed May 10 2006 1:23:04a A.... 658,432 643.00 K
wmp.dll Sat Apr 29 2006 6:07:48a A.... 5,533,696 5.28 M
wovdmoe.dll Thu Jul 20 2006 9:17:12p A.... 234,272 228.78 K
xpsp3res.dll Thu May 11 2006 4:23:24a A.... 24,576 24.00 K

72 items found: 72 files (31 H/S), 0 directories.
Total of file sizes: 27,482,360 bytes 26.21 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 382E-D24F

Directory of C:\WINDOWS\System32

07/21/2006 02:09 PM 237,141 fpamebuf.dll
07/21/2006 02:09 PM 237,166 hr2005fme.dll
07/21/2006 02:00 PM 235,880 uutfs.dll
07/21/2006 02:00 PM 237,141 en62l1jo1.dll
07/21/2006 07:34 AM 235,880 pEp.dll
07/21/2006 07:34 AM 236,926 g640lghm164a.dll
07/20/2006 10:53 PM 235,880 rMsser.dll
07/20/2006 10:53 PM 234,114 gplsl3371.dll
07/20/2006 10:42 PM <DIR> DLLCACHE
07/20/2006 10:37 PM 233,989 o284lclq1fqe.dll
07/20/2006 10:20 PM 234,207 mvjul9191.dll
07/20/2006 10:13 PM 235,880 smsinv.dll
07/20/2006 10:09 PM 236,768 s8880ilue8q80.dll
07/20/2006 09:55 PM 234,279 vbsapi.dll
07/20/2006 09:32 PM 233,988 jtsh400.dll
07/20/2006 09:27 PM 233,988 mcgina.dll
07/20/2006 09:27 PM 235,784 aza4lalq1dqe.dll
07/20/2006 09:15 PM 233,988 qhdwipes.dll
07/20/2006 09:15 PM 234,251 fp6203joe.dll
07/20/2006 09:05 PM 236,945 dBdramp.dll
07/20/2006 09:05 PM 234,183 r0p8la7u1d.dll
07/20/2006 06:19 PM 236,945 kqdda.dll
07/20/2006 06:19 PM 236,968 fp2003fme.dll
07/20/2006 06:08 PM 236,945 MJWMDM.dll
07/20/2006 06:08 PM 234,175 irn8l55u1.dll
07/19/2006 10:50 PM 236,793 ndprovau.dll
07/19/2006 10:50 PM 236,839 g6400ghme64a0.dll
07/19/2006 10:23 PM 235,618 iXsrad.dll
07/19/2006 10:19 PM 235,948 i0lo0a33ed.dll
07/19/2006 08:58 PM 235,615 gp4ol3h31.dll
07/19/2006 08:58 PM 234,726 l4n40e5qeh.dll
07/19/2006 08:57 PM 236,306 f4l02e3mgh.dll
06/18/2002 04:18 AM <DIR> Microsoft
31 File(s) 7,305,256 bytes
2 Dir(s) 18,170,642,432 bytes free

Edited by bob1010, 21 July 2006 - 02:48 PM.


#4 pomp

Posted 21 July 2006 - 05:52 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If, after the reboot, the log does not open, double-click on it in the l2mfix folder.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#5 bob1010

Posted 21 July 2006 - 06:37 PM

Thank you. This time I tried option 2. The log didn't pop up, so I went into the l2mfix folder and copy/pasted the file called "report." I hope this wasn't the same thing I posted before. :thumbsup:


Edited by bob1010, 21 July 2006 - 06:40 PM.


#6 pomp

Posted 21 July 2006 - 06:55 PM

That was the same log as before. Look in the l2mfix folder and see if you see another log file in there. If so, post it; if not, don't worry about it.

Also, please scan with HijackThis and post a new log.




#7 bob1010

Posted 21 July 2006 - 07:50 PM

His computer only functions now in safe mode so maybe that's why I can't access the second l2mfix log. Hopefully they both worked.

Here's the new HijackThis log. Thank you for the continued assistance.

Logfile of HijackThis v1.99.1
Scan saved at 8:44:26 PM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jamie Tucker.JAMIE\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qyyll.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,cugovyy.exe
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [defender] C:\\dfndrdd_6.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrddd_6.exe
O4 - HKLM\..\Run: [ms03592591942] C:\WINDOWS\ms03592591942.exe
O4 - HKLM\..\Run: [oqicfa97] RUNDLL32.EXE w00dc9f7.dll,n 001cfa960000000300dc9f7
O4 - HKLM\..\Run: [w00e2c2c.dll] RUNDLL32.EXE w00e2c2c.dll,I2 001cfa96000e2c2c
O4 - HKLM\..\Run: [newname] C:\\nwnmdd_6.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ahmxkr] C:\WINDOWS\system32\bpihlt.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [wikr] c:\stub_113_4_0_4_0newer.exe
O4 - HKCU\..\Run: [wetam] C:\WINDOWS\system32\bpihlt.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144890534217
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144890011983
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\gp22l3fo1.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Network Station Task Manager (TSKIB) - Unknown owner - C:\WINDOWS\taskib.exe

#8 pomp

    Malware Fighter

  • Members
  • 362 posts
  • Gender:Male
  • Location:Jersey Shore

Posted 21 July 2006 - 10:36 PM

What can't you do in normal mode? Try to boot the computer in normal mode... Do the following:

1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


3. Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows...

then...

1. Download this file - combofix
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


Please post the combofix log and the uninstall list.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#9 bob1010

Posted 21 July 2006 - 11:21 PM

I've been using all of these programs on my brother's computer in safe mode, loading them onto the computer with a USB flash drive from my working computer. Since the virus, normal mode on his computer displays no icons and is useless. Yesterday this wasn't the case, and Internet Explorer was working, albeit with millions of popups. Now only safe mode works.

#10 pomp

Posted 21 July 2006 - 11:25 PM

Boot into normal mode, then put your USB drive in with the programs I have you install and run on it... A window should pop up showing how to open the files on the drive and then you can see what's on it. Please try that and see.




#11 bob1010

Posted 21 July 2006 - 11:26 PM

Will do. Thanks. I'll get back to you in a few hours. :thumbsup:

#12 pomp

Posted 22 July 2006 - 08:10 PM

Please put combofix.exe on your USB drive.
Boot into normal mode.

The icons may not be visible but command prompt should work. Press ctrl+alt+del to bring up task manager & from File> Run - type cmd to bring up a dos box.

Assuming that drive e: is the USB stick, type the following:

e: <Press Enter>
combofix.exe <Press Enter>

Then the log should come up. Save it to your USB drive and post the log in a reply!




#13 bob1010

Posted 22 July 2006 - 09:50 PM

:thumbsup:
Sorry I wasn't able to get back to you earlier, pomp. It took me literally all day to try to perform these tasks in normal mode. It's been going excruciatingly slowly.

Brute Force wouldn't open in safe mode and so I tried it in normal mode and I believe it worked. At first I got an error that said "System Error &H800706BA (-21470231174). The RPC server is unavailable."

Combofix was working in normal mode and then would stop at the step saying something like processing supplementary files. First it said "cannot find the path specified." I believe it found 2 bad files - Look2It and Qoologic.

Here is the HijackThis uninstall list:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Deskbar
AOL Instant Messenger
AOL Uninstaller
AOL You've Got Pictures Screensaver
ArcSoft PhotoStudio 5
Command
DiMAGE Viewer
HijackThis 1.99.1
hp deskjet 940c series (Remove only)
Icons
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 4
KONICA_MINOLTA DiMAGE remote camera driver
LimeWire 4.12.3
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office Basic Edition 2003
Mozilla Firefox (1.0.4)
MSN Music Assistant
Network Monitor
Norton AntiVirus Corporate Edition
Picasa 2
Pure Networks Port Magic
Quicklinks
QuickTime
RealPlayer
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Spybot - Search & Destroy 1.3
Update for Windows XP (KB900485)
Update for Windows XP (KB916595)
Viewpoint Media Player
Windows Defender
Windows Defender Signatures
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Service Pack 2

:flowers:

Thank you for your continued help and support. I really, really appreciate it, pomp.

Edited by bob1010, 22 July 2006 - 10:06 PM.


#14 pomp

Posted 23 July 2006 - 02:30 AM

Open up Add/Remove Programs and please remove the following:

Command
Network Monitor
Quicklinks


Restart your computer.

Are you still having a problem in normal mode where you don't see icons or a taskbar? Do you see the wallpaper? Please explain exactly what the problem is in normal mode.




#15 bob1010

Posted 23 July 2006 - 09:05 AM

I'm not sure if I can uninstall the programs because I don't think I can access the control panel. In normal mode I only see my background. I don't see any icons or the taskbar. I have to press Ctrl+Alt+Delete to get to task manager.

I will try to post a combofix log and uninstall those programs though.

Thanks again pomp!

edit: My brother says he thinks he got the virus from AIM. Someone sent him an IM saying "can you click this link for me." A message popped up saying it was a Backdoor.DSNX. The person didn't really send it. That person got it from someone else, and it got sent to everyone on that person's buddy list.

Also, when this first happened my brother downloaded Webroot SpySweeper and I think he deleted a lot of adware and spyware, but maybe he got rid of some good files. Could that be why normal mode is so messed up right now?

There are 3 combofix.exe logs, but when I open them all they show are the start times, and nothing else. Is there any way to remove those programs in task manager, or in safe mode?

Edited by bob1010, 23 July 2006 - 11:43 AM.




