Tagasaurus [RESOLVED]


  • This topic is locked

#1
twism7

  • Member
  • 18 posts
Hello,
I recently ran an .exe that I shouldn't have. There is now a file on my desktop named "Tagasaurus." A bunch of windows popped open with various sites including poker, video games, etc. A warning came up that said my computer had been infected with "blackworm." My homepage has changed, new toolbars have been added, etc. I have ad-aware, so I ran it. I "fixed" everything that was listed. Nothing seemed to be fixed. I ran across this forum and d/l HJT. I restarted my computer and ran it. My IE will not come up as of now. When I double-click on the icon, Limewire opens up. It says a firewall is blocking it and that's all. Below is my log. Any help would be greatly appreciated. Thanks for your time.
-John

Logfile of HijackThis v1.99.1
Scan saved at 2:50:24 AM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Sm9obiBMaXRzY2hlcg\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\eqwjifi.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\system32\csrrs.exe
C:\windows\mousepad10.exe
C:\WINDOWS\eqwjifiA.exe
C:\WINDOWS\SYSC00.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\sys027558953010.exe
C:\WINDOWS\system32\owinqrag.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\ikof\ikofm.exe
C:\WINDOWS\system32\CURITY~1\wuaclt.exe
C:\WINDOWS\SYSTEM32\??pPatch\w?nspool.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\PROGRA~1\COMMON~1\ikof\ikofa.exe
c:\windows\system32\qpdsregk.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\JOHNLI~1\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\ikof\ikofl.exe
C:\Program Files\limewire\limewire.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yclvi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jxsasip.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname10.exe
O4 - HKLM\..\Run: [eqwjifiA] C:\WINDOWS\eqwjifiA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys027558953010] C:\WINDOWS\sys027558953010.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [{C3-31-19-9A-ZN}] c:\windows\system32\qpdsregk.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinqrag.exe CORN001
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O4 - HKCU\..\Run: [ikof] C:\PROGRA~1\COMMON~1\ikof\ikofm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\system32\CURITY~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Gnnpqrr] C:\WINDOWS\SYSTEM32\??pPatch\w?nspool.exe
O4 - Startup: PowerChute.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\PowerChute.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinqrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...n/bin/imvid.cab
O20 - AppInit_DLLs: repairs303169572.dll
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\wuvdmod.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obiBMaXRzY2hlcg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eqwjifi.exe

#2
RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
I apologize for the delay in getting to your log; the helpers here have been very busy lately. I am currently analyzing your log and will post a fix for you shortly.

#3
RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, twism7.

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

In your next reply please include the following:
  • A new HijackThis log.
  • The uninstall_list.txt.


#4
twism7

  • Topic Starter
  • Member
  • 18 posts
Hello RiP ChAiN,

Thank you for your quick response and help. Attached is my new HjT log and my uninstall_list.txt. Thanks for your time.

-John

HjT log
Logfile of HijackThis v1.99.1
Scan saved at 9:42:20 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Sm9obiBMaXRzY2hlcg\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\eqwjifi.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\windows\mousepad10.exe
C:\WINDOWS\eqwjifiA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys027558953010.exe
C:\WINDOWS\system32\csrrs.exe
C:\windows\system32\qpdsregk.exe
C:\WINDOWS\system32\owinqrag.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\ikof\ikofm.exe
C:\WINDOWS\system32\CURITY~1\wuaclt.exe
C:\WINDOWS\SYSTEM32\??pPatch\w?nspool.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\PROGRA~1\COMMON~1\ikof\ikofa.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\ikof\ikofl.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\limewire\limewire.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yclvi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jxsasip.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname10.exe
O4 - HKLM\..\Run: [eqwjifiA] C:\WINDOWS\eqwjifiA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys027558953010] C:\WINDOWS\sys027558953010.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [{C3-31-19-9A-ZN}] C:\windows\system32\qpdsregk.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinqrag.exe CORN001
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O4 - HKCU\..\Run: [ikof] C:\PROGRA~1\COMMON~1\ikof\ikofm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\system32\CURITY~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Gnnpqrr] C:\WINDOWS\SYSTEM32\??pPatch\w?nspool.exe
O4 - Startup: PowerChute.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\PowerChute.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinqrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...n/bin/imvid.cab
O20 - AppInit_DLLs: repairs303169572.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dnn6015se.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obiBMaXRzY2hlcg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eqwjifi.exe

uninstall_list.txt
Ad-aware 6 Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
AOL Instant Messenger
APC PowerChute Personal Edition
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AviSynth 2.5
BCM V.92 56K Modem
Canon Camera Window for ZoomBrowser EX
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Citrix ICA Web Client
Classic PhoneTools
Command
DAO
Dell | Support
Dell Modem-On-Hold
Dell Solution Center
DellTouch
Digital Line Detect
Divace eLite
DVD Decrypter (Remove Only)
Easy CD Creator 5 Basic
Enhanced Ads by Zeno removal
Google Earth
Hijackthis 1.99.1
HijackThis 1.99.1
Intel® PRO Network Adapters and Drivers
Intel® PROSet II
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.10.5
LiveReg (Symantec Corporation)
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Interactive Training
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Modem Helper
Network Monitor
Norton AntiVirus 2002
PowerDVD
PSP Video 9 1.74
QuickTime
Remove DivX Codec
Santa Cruz
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Shockwave
Sony PSP Media Manager 1.0a
Surf SideKick
Toolbar888
TSA
UltimateBet
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Web Nexus Network
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPcap 3.0
WinRAR archiver
XoftSpy
Yazzle Sudoku by OIN
Zeno Search Assistant removal

Edited by twism7, 13 April 2006 - 08:26 PM.


#5
RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, twism7.

You have quite a few infections on your computer so this will be a few step process. If at any time you encounter a problem, please continue on with the instructions and tell me about the problem(s) in your next reply.

----------------------------------------------- Part 1

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of webhdll.dll.
  • Select every instance of webhdll.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
----------------------------------------------- Part 2

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please download the Killbox by Option^Explicit. ( Save it to your desktop. )

Note: In the event you already have Killbox, this is a new version that I need you to download.

1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

----------------------------------------------- Part 3

Using Add Or Remove Programs remove the following entries (if present): (To get into Add Or Remove Programs press the START button > Control Panel > Add Or Remove Programs.)

If any of these uninstallers take you to a website to continue the uninstall process, get rid of the site and continue on to the next program. If any of these programs ask you to reboot at the end of the uninstall select No.

Command
Enhanced Ads by Zeno removal
Network Monitor
Surf SideKick
Toolbar888
TSA
UltimateBet
Viewpoint Media Player
Web Nexus Network
Windows Overlay Components
Yazzle Sudoku by OIN
Zeno Search Assistant removal


Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

rem Service names that contain spaces must be quoted so sc reads them as one argument
sc stop "Network Monitor"
sc delete "Network Monitor"
sc stop cmdService
sc delete cmdService
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"
exit


Double click FixServices.bat. A window will open and close. This is normal.

----------------------------------------------- Part 4

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yclvi.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jxsasip.exe
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname10.exe
O4 - HKLM\..\Run: [eqwjifiA] C:\WINDOWS\eqwjifiA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys027558953010] C:\WINDOWS\sys027558953010.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [{C3-31-19-9A-ZN}] C:\windows\system32\qpdsregk.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinqrag.exe CORN001
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O4 - HKCU\..\Run: [ikof] C:\PROGRA~1\COMMON~1\ikof\ikofm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\system32\CURITY~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Gnnpqrr] C:\WINDOWS\SYSTEM32\??pPatch\w?nspool.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinqrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: svchost.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O20 - AppInit_DLLs: repairs303169572.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dnn6015se.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obiBMaXRzY2hlcg\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eqwjifi.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

----------------------------------------------- Part 5

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Run ATF Cleaner:
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
----------------------------------------------- Part 6

Using Windows Explorer delete the following folders (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\WINDOWS\Sm9obiBMaXRzY2hlcg
C:\Program Files\Network Monitor
C:\WINDOWS\system32\CURITY~1
C:\WINDOWS\SYSTEM32\??pPatch ( Before deleting that folder, please make sure the file w?nspool.exe is inside. )
C:\PROGRA~1\COMMON~1\ikof
C:\Program Files\Toolbar888
C:\Program Files\SurfSideKick 3
C:\Program Files\webHancer
C:\Program Files\NewDotNet
C:\Program Files\EmpirePoker
C:\Program Files\UltimateBet
C:\Program Files\PartyPoker
C:\Program Files\Bodog Poker

----------------------------------------------- Part 7

Run Killbox:
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\eqwjifi.exe
    C:\windows\mousepad10.exe
    C:\WINDOWS\eqwjifiA.exe
    C:\WINDOWS\SYSC00.exe
    C:\WINDOWS\sys027558953010.exe
    C:\WINDOWS\system32\csrrs.exe
    C:\windows\system32\qpdsregk.exe
    C:\WINDOWS\system32\owinqrag.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    C:\Program Files\Common Files\Windows\services32.exe
    C:\WINDOWS\system32\yclvi.exe
    C:\WINDOWS\system32\jxsasip.exe
    C:\windows\keyboard10.exe
    C:\windows\newname10.exe
    C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
    C:\WINDOWS\SYSTEM32\dwdsregt.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\repairs303169572.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!)
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Reboot into Normal Mode.

----------------------------------------------- Part 8

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.downloads....org/l2mfix.exe
http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe, C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

In your next post please include the following:
  • A new HijackThis log.
  • The l2mfix log.


#6
twism7

    Member

  • Topic Starter
  • 18 posts
Hello RiP ChAiN,

Thank you again for your quick response. Attached are the problems that occurred during the last step, as well as my new HjT log and my l2mfix log. Thanks for your time.

-John

during Part 3
While trying to remove Command, I received the following message from Norton Antivirus:
Object: windows script host shell object
activity run
file C:\windows\Sm9obiBMaXRzY2hlcg\mA6Cv2lgurlWSZl5w0.vbs (some of the ls may be 1s)
action stop this script (recommended) (which I did).

While trying to remove Surf Sidekick, I had to enter the security code:
5FFD84.

While opening FixServices.bat, a window opened that said:
another program is currently using this file.

during Part 4
while fixing some of the poker extra button & tools in HjT, several error messages opened.

during part 5
When I rebooted in safe mode, there were 2 options to sign in. There was administration and my usual sign in (which I signed in as).

during part 6
I only found and deleted ikof, Toolbar888, webHancer, & NewDotNet.
I found the folder C:\WINDOWS\SYSTEM32\AppPatch, but there was no w?nspool.exe. I did not delete the folder.

during part 7
I did not receive any PendingFileRenameOperations prompts.

during part 8
When I rebooted in normal mode, a rundll error window opened that said:
error loading
C:\progra~1\NewDot~1\newdot~2.dll.


Logfile of HijackThis v1.99.1
Scan saved at 9:13:19 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerChute.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\PowerChute.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...n/bin/imvid.cab
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\i8nmli5118.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i8nmli5118.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B3693BCC-086E-EFB5-666A-5EC13A0B11F2}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{DC71471D-8881-44CE-B688-4F1F3D7B5D55}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}\InprocServer32]
@="C:\\WINDOWS\\system32\\tPembed.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ahledit.dll Thu Apr 13 2006 9:37:58p ..S.R 236,426 230.88 K
atmtd.dll Tue Apr 11 2006 2:08:04a A.... 687,592 671.48 K
i8nmli~1.dll Fri Apr 14 2006 2:28:00p ..S.R 233,941 228.46 K
l04qla~1.dll Sun Apr 16 2006 9:09:10p ..S.R 235,481 229.96 K
m2polc~1.dll Tue Apr 11 2006 4:26:24a ..S.R 235,550 230.03 K
nadll.dll Fri Apr 14 2006 2:05:00p ..S.R 233,941 228.46 K
niobjapi.dll Sun Apr 16 2006 8:53:38p ..S.R 234,166 228.68 K
qwgr.dll Tue Apr 11 2006 2:48:50a ..S.R 234,272 228.78 K
snfrdm.dll Thu Apr 13 2006 9:29:14p ..S.R 235,775 230.25 K
tpembed.dll Sun Apr 16 2006 9:09:12p ..S.R 233,941 228.46 K
wchrm.dll Tue Apr 11 2006 4:21:24a ..S.R 235,550 230.03 K

11 items found: 11 files (10 H/S), 0 directories.
Total of file sizes: 3,036,635 bytes 2.89 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
old4.tmp Tue Apr 11 2006 2:06:24a A.... 36,864 36.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 36,864 bytes 36.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 401C-319A

Directory of C:\WINDOWS\System32

04/16/2006 09:09 PM 233,941 tPembed.dll
04/16/2006 09:09 PM 235,481 l04qlah51d4.dll
04/16/2006 08:53 PM 234,166 niobjapi.dll
04/14/2006 02:27 PM 233,941 i8nmli5118.dll
04/14/2006 02:04 PM 233,941 nadll.dll
04/13/2006 09:37 PM 236,426 AHLEDIT.DLL
04/13/2006 09:29 PM 235,775 sNfrdm.dll
04/11/2006 04:26 AM 235,550 m2polc731f.dll
04/11/2006 04:21 AM 235,550 wchrm.dll
04/11/2006 02:48 AM 234,272 qwgr.dll
04/11/2006 02:06 AM <DIR> DLLCACHE
09/30/2002 04:50 PM <DIR> Microsoft
10 File(s) 2,349,043 bytes
2 Dir(s) 40,468,488,192 bytes free
  • 0
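
An added illustration (not part of either poster's message, and not code from L2mfix): a short Python script that cross-references the autoload entries in a find log like the one above (Winlogon\Notify DllName values and CLSID InprocServer32 paths) against the System32 directory listing. The sample text is an excerpt of the logs on this page, and the function names are made up for this example.

```python
import re
from collections import defaultdict

# Excerpt of the L2MFIX logs posted in this thread, trimmed to the parts used here.
# The crypt32chain key comes from the later fix log and exercises hex(2) values.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i8nmli5118.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}\InprocServer32]
@="C:\\WINDOWS\\system32\\tPembed.dll"
"ThreadingModel"="Apartment"

Directory of C:\WINDOWS\System32

04/16/2006 09:09 PM 233,941 tPembed.dll
04/16/2006 09:09 PM 235,481 l04qlah51d4.dll
04/14/2006 02:27 PM 233,941 i8nmli5118.dll
04/14/2006 02:04 PM 233,941 nadll.dll
04/11/2006 04:26 AM 235,550 m2polc731f.dll
04/11/2006 04:21 AM 235,550 wchrm.dll
04/11/2006 02:06 AM <DIR> DLLCACHE
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
STR_RE = re.compile(r'^(@|"[^"]*")="(.*)"$')
HEX_RE = re.compile(r'^(@|"[^"]*")=hex\(2\):([0-9a-fA-F,]*)$')
DIR_RE = re.compile(r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S.*)$')


def parse_reg(text):
    """Parse .reg-style text into {key: {lowercase value name: string}}."""
    # .reg exports wrap long hex values with a trailing ",\" continuation.
    text = re.sub(r',\\\n\s*', ',', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        if not line:
            current = None          # a blank line closes the key block
        if current is None:
            continue
        s, h = STR_RE.match(line), HEX_RE.match(line)
        if s:                       # REG_SZ: undo the doubled backslashes
            current[s.group(1).strip('"').lower()] = s.group(2).replace('\\\\', '\\')
        elif h:                     # REG_EXPAND_SZ: UTF-16LE bytes, NUL-terminated
            raw = bytes(int(b, 16) for b in h.group(2).split(',') if b)
            current[h.group(1).strip('"').lower()] = raw.decode('utf-16-le').rstrip('\x00')
    return keys


def autoload_dlls(keys):
    """Map lowercase DLL file name -> registry key that loads it."""
    loads = {}
    for key, values in keys.items():
        k = key.lower()
        if '\\winlogon\\notify\\' in k:
            path = values.get('dllname')
        elif k.endswith('\\inprocserver32'):
            path = values.get('@')
        else:
            path = None
        if path:
            loads[path.rsplit('\\', 1)[-1].lower()] = key
    return loads


def parse_dir_listing(text):
    """Map lowercase file name -> size in bytes from `dir`-style lines."""
    files = {}
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:                       # <DIR> rows have no numeric size and are skipped
            files[m.group(2).lower()] = int(m.group(1).replace(',', ''))
    return files


def triage(text):
    """For each listed file: which key loads it, and which files share its size."""
    loads = autoload_dlls(parse_reg(text))
    files = parse_dir_listing(text)
    by_size = defaultdict(list)
    for name, size in files.items():
        by_size[size].append(name)
    return [{'file': name, 'size': size, 'loaded_by': loads.get(name),
             'same_size_as': sorted(n for n in by_size[size] if n != name)}
            for name, size in files.items()]


if __name__ == '__main__':
    for row in triage(SAMPLE_LOG):
        print(row)
```

On the excerpt, tpembed.dll and i8nmli5118.dll come back with a registry loader, and nadll.dll shares their byte size without one. As the log itself says, not every listed file is bad, so this is a triage aid rather than a verdict.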

#7
RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, twism7.

Before we begin I must say that I'm very impressed by your amazing attention to detail and that it makes my job a lot easier as well.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

------------------------------------------ Part 1

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Download and Save Blacklight to your desktop

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open double click on it in the l2mfix folder.

------------------------------------------ Part 2

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\i8nmli5118.dll


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

------------------------------------------ Part 3

Open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Reboot into Normal Mode.

------------------------------------------ Part 4

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

In your next reply please include the following:
  • A new HijackThis log.
  • The WinPFind.txt log.
  • The Blacklight log.


#8
twism7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hello RiP ChAiN,

Thank you again for your quick response. Below are my l2mfix log, my HjT log, my WinPFind log, & my Blacklight log. Thanks for your time.

-John


L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 588 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 688 'winlogon.exe'
Killing PID 688 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1712 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1276 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
0 file(s) copied.
Deleting: C:\WINDOWS\system32\AHLEDIT.DLL
Successfully Deleted: C:\WINDOWS\system32\AHLEDIT.DLL
Deleting: C:\WINDOWS\system32\k8noli5318.dll
Successfully Deleted: C:\WINDOWS\system32\k8noli5318.dll
Deleting: C:\WINDOWS\system32\l04qlah51d4.dll
Successfully Deleted: C:\WINDOWS\system32\l04qlah51d4.dll
Deleting: C:\WINDOWS\system32\m2polc731f.dll
Successfully Deleted: C:\WINDOWS\system32\m2polc731f.dll
Deleting: C:\WINDOWS\system32\nadll.dll
Successfully Deleted: C:\WINDOWS\system32\nadll.dll
Deleting: C:\WINDOWS\system32\niobjapi.dll
Successfully Deleted: C:\WINDOWS\system32\niobjapi.dll
Deleting: C:\WINDOWS\system32\qwgr.dll
Successfully Deleted: C:\WINDOWS\system32\qwgr.dll
Deleting: C:\WINDOWS\system32\SBNIKE.DLL
Successfully Deleted: C:\WINDOWS\system32\SBNIKE.DLL
Deleting: C:\WINDOWS\system32\sNfrdm.dll
Successfully Deleted: C:\WINDOWS\system32\sNfrdm.dll
Deleting: C:\WINDOWS\system32\tPembed.dll
Successfully Deleted: C:\WINDOWS\system32\tPembed.dll
Deleting: C:\WINDOWS\system32\wchrm.dll
Successfully Deleted: C:\WINDOWS\system32\wchrm.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ProgramChecksum]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l04qlah51d4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\AHLEDIT.DLL
C:\WINDOWS\system32\k8noli5318.dll
C:\WINDOWS\system32\l04qlah51d4.dll
C:\WINDOWS\system32\m2polc731f.dll
C:\WINDOWS\system32\nadll.dll
C:\WINDOWS\system32\niobjapi.dll
C:\WINDOWS\system32\qwgr.dll
C:\WINDOWS\system32\SBNIKE.DLL
C:\WINDOWS\system32\sNfrdm.dll
C:\WINDOWS\system32\tPembed.dll
C:\WINDOWS\system32\wchrm.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}\InprocServer32]
@="C:\\WINDOWS\\system32\\SBNIKE.DLL"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DC71471D-8881-44CE-B688-4F1F3D7B5D55}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DC71471D-8881-44CE-B688-4F1F3D7B5D55}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/DC71471D-8881-44CE-B688-4F1F3D7B5D55.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (140 bytes security) (deflated 72%)


Logfile of HijackThis v1.99.1
Scan saved at 2:49:06 AM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerChute.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\PowerChute.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...n/bin/imvid.cab
O20 - Winlogon Notify: ProgramChecksum - C:\WINDOWS\system32\l04qlah51d4.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 4/11/2006 2:07:58 AM 467968 C:\visfx500.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 9/1/2004 10:49:56 AM 284672 C:\WINDOWS\SYSTEM32\avisynth.dll
PEC2 8/18/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
FSG! 12/10/2003 4:36:10 PM 236544 C:\WINDOWS\SYSTEM32\divxdec.ax
Umonitor 7/7/1998 1:01:02 AM 324096 C:\WINDOWS\SYSTEM32\ipebase11.dll
PTech 7/12/2005 7:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/17/2006 2:34:52 AM S 2048 C:\WINDOWS\BOOTSTAT.DAT
4/11/2006 2:08:36 AM S 50688 C:\WINDOWS\NDNuninstall6_38.exe
4/11/2006 2:11:44 AM S 183296 C:\WINDOWS\NDNuninstall7_22.exe
4/9/2006 1:09:10 PM H 54156 C:\WINDOWS\QTFont.qfn
4/17/2006 2:34:40 AM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
4/17/2006 2:35:08 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
4/17/2006 2:34:54 AM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
4/17/2006 2:35:26 AM H 81920 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
4/17/2006 2:35:00 AM H 1179648 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
3/19/2006 4:18:02 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
4/17/2006 2:34:00 AM H 6 C:\WINDOWS\Tasks\SA.DAT
4/16/2006 9:09:12 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
4/16/2006 9:09:12 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
5/24/2002 12:45:48 PM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 4:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel Corporation 4/9/2002 1:05:28 PM 774144 C:\WINDOWS\SYSTEM32\PROSetp.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Voyetra Turtle Beach, Inc. 4/3/2002 4:47:48 PM 155648 C:\WINDOWS\SYSTEM32\tbccpnl.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/31/2001 11:50:56 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/31/2001 11:40:22 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
2/3/2006 7:31:08 PM 219 C:\Documents and Settings\All Users\Application Data\G-Force Prefs (iTunes).txt
7/17/2004 6:22:16 PM 221 C:\Documents and Settings\All Users\Application Data\G-Force Prefs (Winamp).txt
4/5/2006 1:08:16 AM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
8/31/2001 11:50:56 AM HS 84 C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup\DESKTOP.INI
1/26/2004 2:56:06 AM 807 C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup\PowerChute.lnk

Checking files in %USERPROFILE%\Application Data folder...
8/31/2001 11:40:22 AM HS 62 C:\Documents and Settings\John Litscher\Application Data\DESKTOP.INI
3/23/2006 10:58:12 PM 76680 C:\Documents and Settings\John Litscher\Application Data\GDIPFONTCACHEV1.DAT
4/11/2006 2:52:46 AM 30 C:\Documents and Settings\John Litscher\Application Data\Sskcwrd.dll
4/11/2006 2:52:38 AM 101 C:\Documents and Settings\John Litscher\Application Data\Sskdmns.dll
4/11/2006 2:10:32 AM 515778 C:\Documents and Settings\John Litscher\Application Data\Sskknwrd.dll
4/11/2006 2:52:46 AM 39 C:\Documents and Settings\John Litscher\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINDOWS\system32\dmonwv.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
Shell Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = C:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe
DellTouch C:\WINDOWS\MMKeybd.exe
Dell|Alert C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^John Litscher^Start Menu^Programs^Startup^PowerReg Scheduler.exe
path C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
location Startup
command C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup\PowerReg Scheduler.exe
item PowerReg Scheduler
path C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
location Startup
command C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup\PowerReg Scheduler.exe
item PowerReg Scheduler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^John Litscher^Start Menu^Programs^Startup^Webshots.lnk
path C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup\Webshots.lnk
backup C:\WINDOWS\pss\Webshots.lnkStartup
location Startup
command C:\PROGRA~1\Webshots\WEBSHO~1.EXE
item Webshots
path C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup\Webshots.lnk
backup C:\WINDOWS\pss\Webshots.lnkStartup
location Startup
command C:\PROGRA~1\Webshots\WEBSHO~1.EXE
item Webshots

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKCU
command
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM95\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM95\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATI DeviceDetect
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ATIDtct
hkey HKCU
command C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ATIDtct
hkey HKCU
command C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATI Launchpad
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LaunchPd
hkey HKCU
command "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LaunchPd
hkey HKCU
command "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATI Remote Control
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ATIRW
hkey HKCU
command C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ATIRW
hkey HKCU
command C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATICCC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cli
hkey HKLM
command "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cli
hkey HKLM
command "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BCMSMMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BCMSMMSG
hkey HKLM
command BCMSMMSG.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BCMSMMSG
hkey HKLM
command BCMSMMSG.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DeadAIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DeadAIM
hkey HKLM
command rundll32.exe "C:\Program Files\AIM95\DeadAIM.ocm",ExportedCheckODLs
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DeadAIM
hkey HKLM
command rundll32.exe "C:\Program Files\AIM95\DeadAIM.ocm",ExportedCheckODLs
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DIGStream
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item digstream
hkey HKLM
command C:\Program Files\DIGStream\digstream.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item digstream
hkey HKLM
command C:\Program Files\DIGStream\digstream.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoneyStartUp10.0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Activation
hkey HKLM
command "C:\Program Files\Microsoft Money\System\Activation.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Activation
hkey HKLM
command "C:\Program Files\Microsoft Money\System\Activation.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKCU
command C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKCU
command C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TraySantaCruz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tbctray
hkey HKLM
command C:\WINDOWS\SYSTEM32\tbctray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tbctray
hkey HKLM
command C:\WINDOWS\SYSTEM32\tbctray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ypager
hkey HKCU
command C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ypager
hkey HKCU
command C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ProgramChecksum
= C:\WINDOWS\system32\l04qlah51d4.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/17/2006 2:44:26 AM


04/17/06 02:46:36 [Info]: BlackLight Engine 1.0.35 initialized
04/17/06 02:46:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/17/06 02:46:36 [Note]: 7019 4
04/17/06 02:46:36 [Note]: 7005 0
04/17/06 02:47:02 [Note]: 7006 0
04/17/06 02:47:02 [Note]: 7011 1732
04/17/06 02:47:02 [Note]: 7026 0
04/17/06 02:47:03 [Note]: 7026 0
04/17/06 02:47:03 [Note]: FSRAW library version 1.7.1015
04/17/06 02:48:01 [Note]: 7007 0

#9
RiP

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, twism7.

------------------------------------------------ Part 1

Please download MWav to your desktop.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please download the Killbox by Option^Explicit. ( Save it to your desktop. )

Note: In the event you already have Killbox, this is a new version that I need you to download.

------------------------------------------------ Part 2

Open notepad and copy (Ctrl C) and paste (Ctrl V) the following text in the quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ProgramChecksum]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt]

Save it to your desktop as fixstuff.reg and as Type "All files"

Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------ Part 3

Run Killbox:
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\NDNuninstall6_38.exe
    C:\WINDOWS\NDNuninstall7_22.exe
    C:\WINDOWS\system32\l04qlah51d4.dll
    C:\WINDOWS\SYSTEM32\cpl_moh.cpl
    C:\Documents and Settings\John Litscher\Application Data\GDIPFONTCACHEV1.DAT
    C:\Documents and Settings\John Litscher\Application Data\Sskcwrd.dll
    C:\Documents and Settings\John Litscher\Application Data\Sskdmns.dll
    C:\Documents and Settings\John Litscher\Application Data\Sskknwrd.dll
    C:\Documents and Settings\John Litscher\Application Data\Sskuknwrd.dll
    C:\WINDOWS\system32\dmonwv.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Reboot into Normal Mode.

------------------------------------------------ Part 4

Double click on fixstuff.reg and allow when prompted to let it merge with the registry.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

NOTE: Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

In your next reply please include the following:
  • A new HijackThis log.
  • The MWav infected items list.
  • An update on how your computer is running.

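The registry fix in Part 2 deletes Winlogon\Notify\ProgramChecksum, and the Killbox list in Part 3 removes the DLL that key points to. The following is an added example, not part of the original posts or of any tool named in the thread, showing how that entry stands out when the Winlogon\Notify section of the WinPFind log is compared with a baseline. The baseline table (built from the Windows-supplied entries in this same log) and the function names are assumptions.

```python
import ntpath
import re

# Excerpt of the WinPFind "Winlogon\Notify" section posted earlier in the thread.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ProgramChecksum
= C:\WINDOWS\system32\l04qlah51d4.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
"""

# Assumed baseline: subkey name -> expected DLL, taken from the
# Windows-supplied entries visible in this log. Extend it per OS build.
BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


def parse_notify(log_text):
    """Return {subkey name: DLL value or None} from WinPFind-style text."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = KEY_RE.match(line)
        if match:
            current = match.group("name")
            entries[current] = None          # key seen, value not read yet
        elif line.startswith("=") and current:
            entries[current] = line[1:].strip()
            current = None
        elif line:
            current = None                   # unrelated line ends the entry
    return entries


def triage(entries, baseline=BASELINE):
    """Return [(name, dll, [reasons])] for entries that differ from baseline."""
    findings = []
    for name, dll in entries.items():
        reasons = []
        expected = baseline.get(name.lower())
        if expected is None:
            reasons.append("subkey not in baseline")
        if not dll:
            reasons.append("no DLL value recorded")
        else:
            base = ntpath.basename(dll).lower()
            if expected is not None and base != expected:
                reasons.append(f"baseline expects {expected}, log shows {base}")
            if base != dll.lower():
                # Heuristic only: baseline entries use bare DLL names.
                reasons.append("DLL given by full path")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, dll, reasons in triage(parse_notify(SAMPLE_LOG)):
        print(f"{name}: {dll} ({'; '.join(reasons)})")
```

A flagged entry is a lead for manual review, not a verdict: third-party drivers also register notification packages, so the baseline should be extended with entries known to be legitimate on the machine being checked.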

#10
twism7

twism7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hello RiP ChAiN,

Thank you again for your quick response. Below is what occurred during the last step, as well as my mwav list and my new HjT log. Thanks for your time.

-John

during part 3
I did not receive any PendingFileRenameOperations prompts.

during part 4
I did not have a check next to registry.
When mwav found the first infected file this window opened:
MicroWorld Anti & Spyware Toolkit Utility
Virus!!! You Will need to buy Escan...

An update on how your computer is running.
When starting the last step, Windows found 6 updates. I did not install them. Should I before the next step?
The original Tagasaurus is still on my desktop, as well as a link to Titan Poker. When I put the mouse over the icon, it displays:
http://www.clicklinkc.net/icon.php?...
There are some strange things in my C: such as NNSCAA638.
My computer seems to be running as before, but I have not used it for anything other than to fix this problem.

mwav list
File C:\Documents and Settings\John Litscher\Desktop\Fastloader V0.7\ISO\Hot.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
Object "dyfuca Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "minibug Adware" found in File System! Action Taken: No Action Taken.
Object "cws.loadadv.400 Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "surfsidekick Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "adware.softomate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "kapabout Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "surfsidekick Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "downloadware Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "surfsidekick Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "webhancer Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud variant Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "downloadware Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\b.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_50.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\offun.exe infected by "Trojan-Downloader.Win32.VB.nw" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\pf78.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\pf79.exe infected by "Trojan-Downloader.Win32.Dyfuca.ei" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SS1001.exe infected by "Trojan-Dropper.Win32.Small.qn" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\unin101.exe infected by "Trojan.Win32.VB.tg" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\uni_eh.exe infected by "Trojan.Win32.VB.tg" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\dr.exe infected by "Trojan-Downloader.Win32.Adload.aj" Virus! Action Taken: No Action Taken.
File C:\!KillBox\csrrs.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\!KillBox\NDNuninstall6_38.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
File C:\!KillBox\NDNuninstall7_22.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet.e". Action Taken: No Action Taken.
File C:\bintheredunthat\sk02.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\John Litscher\Desktop\Fastloader V0.7\ISO\Hot.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\NNSCAA638.EXE tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
File C:\Program Files\Hijackthis\backups\backup-20060414-142534-418-svchost.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Abbyy Finereader 8.0 Professional Edition.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Absolute Uninstaller 1.52.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\All in one Game Tools.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Ashampoo Movie Shrink And Burn v2.11.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\AutoCAD 2007 beta.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\AutoCAD 2007.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Battle for Middle-earth II.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Battlefield 2 Euro Force.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Call of Duty 2.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\East-tec Eraser 2006 V.7.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Elrise Disk Cleaner v2.3.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\ErrorKiller v2.6.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Fable The Lost Chapters.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Finding Nemo.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Flash Saver Gold v5.7.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\FontLab Studio 5.0.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Forgotten Realms Demon Stone [RUS & ENG].exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\iRadio v1.5.0.516.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Iss Blackice Pc Protection V3.6 Cpd.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Manga Studio Debut.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\MDK 2.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\MetaProducts Web Studio v4.4.271.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Microsoft Office Pro Enterprise Edition 2007 Beta1.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Microsoft Windows 2000 Pro Sp4 Oem.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Napoleon Dynamite DVDrip XviD.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Nascar racing 4.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\NCH Swift WavePad Master Edition v3.02.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Nvidia Gelato V2.0 R1.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Offline Explorer Enterprise V4.1.2348 Sr1.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Password Depot Build 2.6..exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\PowerCHM v5.5.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Prince of Persia Warior Within CZ.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Privacy Eraser Pro V5.60.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Quadro Uneraser v2.5.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Racing Stripes (2005).exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Radio2MP3 v1.0.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Rarlab WinRAR v3.60 Beta 1.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Recover My Photos v 3.61.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Red Ace Squadron Full.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\SadMan HTML Image Browser v2.3.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Stardock SkinStudio Professional v4.6.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Stylus Studio 2006 XML Enterprise Edition v7.1.501.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\SwiftDog PCHeal v 1.4.3.2006.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\The Butterfly Effect.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Toon Car.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\Weather Watcher 5.6.7.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\LimeWire\Shared\_\xzxzxzxzxzxz.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\Program Files\XoftSpy\uninstall.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067352.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067353.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067355.exe infected by "Trojan-Downloader.Win32.Qoologic.at" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067356.dll tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067357.dll tagged as "not-a-virus:AdWare.Win32.WebHancer.381". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067358.exe tagged as "not-a-virus:AdWare.Win32.WebHancer.351". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067359.dll tagged as "not-a-virus:AdWare.Win32.WebHancer.381". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067366.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067374.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067379.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067380.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067386.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067391.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067394.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067398.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067405.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1155\A0067408.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067411.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067417.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067418.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067425.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067430.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067432.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067443.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067448.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067450.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067462.exe infected by "Trojan-Downloader.Win32.TSUpdate.p" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067463.exe infected by "Trojan-Downloader.Win32.TSUpdate.f" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067509.exe infected by "Trojan-Clicker.Win32.VB.ij" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067510.exe infected by "Trojan-Clicker.Win32.VB.ij" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067511.dll tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067513.exe infected by "Trojan-Downloader.Win32.PurityScan.w" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067514.exe infected by "Trojan-Dropper.Win32.VB.kk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067521.exe infected by "Trojan-Dropper.Win32.VB.lu" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067524.exe infected by "Trojan-Downloader.Win32.TSUpdate.n" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067525.exe infected by "Trojan-Downloader.Win32.TSUpdate.l" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067529.dll infected by "Trojan-Downloader.Win32.Agent.agw" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067530.exe infected by "Trojan-Downloader.Win32.Qoologic.bj" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067531.exe infected by "Trojan-Downloader.Win32.Qoologic.bj" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067532.exe infected by "Trojan-Downloader.Win32.Qoologic.bj" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067533.dll infected by "Trojan-Downloader.Win32.Qoologic.bj" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067535.exe infected by "Trojan-Downloader.Win32.Qoologic.bj" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067537.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067541.exe infected by "Trojan-Downloader.NSIS.Agent.p" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067542.exe tagged as "not-a-virus:AdWare.Win32.Maxifiles.h". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067543.exe infected by "Trojan-Dropper.Win32.Agent.aac" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067544.dll infected by "Trojan-Clicker.Win32.Small.jf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067545.exe infected by "Trojan.Win32.VB.tg" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067546.exe infected by "Trojan-Downloader.Win32.Adload.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067547.exe infected by "Trojan-Downloader.Win32.Adload.am" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067548.exe infected by "Trojan-Clicker.Win32.VB.ly" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067550.exe infected by "Trojan-Downloader.Win32.Adload.al" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067551.exe infected by "Trojan-Downloader.Win32.Adload.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067552.exe infected by "Trojan-Downloader.Win32.Small.buy" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067553.exe infected by "Trojan-Downloader.Win32.TSUpdate.o" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067554.exe infected by "Trojan-Dropper.Win32.VB.kk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067555.exe tagged as "not-a-virus:AdWare.Win32.WebHancer.351". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067556.exe tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067557.exe tagged as "not-a-virus:AdWare.Win32.ZenoSearch.m". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067558.exe tagged as "not-a-virus:AdWare.Win32.ZenoSearch.m". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067559.exe tagged as "not-a-virus:AdWare.Win32.ZenoSearch.n". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067560.exe tagged as "not-a-virus:AdWare.Win32.ZenoSearch.m". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067561.exe tagged as "not-a-virus:AdWare.Win32.Softomate.j". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067562.exe infected by "Trojan-Dropper.Win32.Agent.aac" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067563.exe tagged as not-a-virus:Monitor.Win32.NetMon.a. No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067569.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067570.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067578.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067586.DLL tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067587.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067588.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067589.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067590.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067591.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067592.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067593.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067594.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067802.dll tagged as "not-a-virus:AdWare.Win32.NewDotNet.i". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067803.dll tagged as "not-a-virus:AdWare.Win32.Softomate.j". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067805.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1156\A0067806.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet.e". Action Taken: No Action Taken.
File C:\visfx500.exe infected by "Trojan-Dropper.Win32.Agent.aie" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\b.exe infected by "Backdoor.Win32.EggDrop.v" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_50.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\offun.exe infected by "Trojan-Downloader.Win32.VB.nw" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\pf78.exe infected by "Trojan-Downloader.Win32.VB.tw" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\pf79.exe infected by "Trojan-Downloader.Win32.Dyfuca.ei" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Sm9obiBMaXRzY2hlcg\asappsrv.dll tagged as "not-a-virus:AdWare.Win32.CommAd.a". Action Taken: No Action Taken.
File C:\WINDOWS\Sm9obiBMaXRzY2hlcg\command.exe tagged as "not-a-virus:AdWare.Win32.CommAd.a". Action Taken: No Action Taken.
File C:\WINDOWS\SS1001.exe infected by "Trojan-Dropper.Win32.Small.qn" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\dr.exe infected by "Trojan-Downloader.Win32.Adload.aj" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\unin101.exe infected by "Trojan.Win32.VB.tg" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\uni_eh.exe infected by "Trojan.Win32.VB.tg" Virus! Action Taken: No Action Taken.

Logfile of HijackThis v1.99.1
Scan saved at 9:41:39 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE

Edited by twism7, 17 April 2006 - 11:50 PM.

#11
twism7

continued

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerChute.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\PowerChute.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...n/bin/imvid.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#12
RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, twism7.

Please read this post completely. It may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please delete the following folders:

C:\Program Files\LimeWire\Shared
C:\WINDOWS\Sm9obiBMaXRzY2hlcg
C:\bintheredunthat

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\unin101.exe
    C:\WINDOWS\uni_eh.exe
    C:\Documents and Settings\John Litscher\Desktop\Fastloader V0.7\ISO\Hot.exe
    C:\NNSCAA638.EXE
    C:\WINDOWS\b.exe
    C:\WINDOWS\NDNuninstall4_50.exe
    C:\WINDOWS\offun.exe
    C:\WINDOWS\pf78.exe
    C:\WINDOWS\pf79.exe
    C:\WINDOWS\SS1001.exe
    C:\WINDOWS\SYSTEM32\dr.exe
    C:\WINDOWS\unin101.exe
    C:\WINDOWS\uni_eh.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please let me know if you have any remaining problems and we'll go onto final cleanup.
  • 0

#13
twism7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hello RiP ChAiN,

Thank you again for your quick response. Below is my new HjT log. Thanks for your time.

-John


An update on how your computer is running.
The original Tagasaurus is still on my desktop, as well as a link to Titan Poker. When I put the mouse over the icon, it displays:
http://www.clicklinkc.net/icon.php?...
There are some strange things in my C: such as visfx500 as well as some *.$$$ files.
The occasional ad will still pop up.
My computer seems to be running as before, but I have not used it for much besides to fix this problem.

Logfile of HijackThis v1.99.1
Scan saved at 2:24:52 PM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerChute.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\PowerChute.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.log...n/bin/imvid.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#14
RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, twism7.

Please read this post completely. It may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • Please download StartupList to your desktop.
  • Double click the startuplist.zip to extract the files inside.
  • When the new window opens, please double click on StartupList.exe
  • A window will open that will begin listing all of the startups with icons and text. In the lower left hand corner, it will show the status. When it says "ready" in the bottom left corner, it has finished running.
  • At the top of the window, click File>Save As and save startuplist.txt to your desktop.
  • Close startuplist.exe window
  • Post a copy of startuplist.txt in your next reply
Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Reboot into Normal Mode.

In your next reply please include the following:
  • The SilentRunners log.
  • The Startuplist log.
  • The WinPFind.txt log.

  • 0

#15
twism7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hello RiP ChAiN,

Thank you again for your quick response. Below is my SilentRunners log, my Startuplist log, and my new WinPFind.txt log. Thanks for your time.

-John


SilentRunners
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"DellTouch" = "C:\WINDOWS\MMKeybd.exe" ["Netropa Corp."]
"Dell|Alert" = "C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [empty string]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\John Litscher\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssflwbox.scr" [MS]


Startup items in "John Litscher" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\John Litscher\Start Menu\Programs\Startup
"PowerChute" -> shortcut to: "C:\Program Files\APC\APC PowerChute Personal Edition\PowerChute.exe" ["American Power Conversion Corporation"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MoneySide"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRA~1\AIM95\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

APC UPS Service, APC UPS Service, "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" ["American Power Conversion Corporation"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 39 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 13 seconds.
---------- (total run time: 130 seconds)


Startuplist
StartupList report, 4/28/2006, 1:24:41 PM
StartupList version 2.01.0
Started from: C:\Documents and Settings\John Litscher\Desktop\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Logged on as 'John Litscher' to 'D5W33Y11'
* Using default options (see end of log for possible options)
==================================================

Running processes (23):

[C:\Documents and Settings\John Litscher\Desktop\StartupList.exe (43)]

[C:\PROGRA~1\AIM95\aim.exe (153)]

[C:\PROGRA~1\NORTON~1\navapw32.exe (73)]

[C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (31)]

[C:\Program Files\Dell\Support\Alert\bin\DAMon.exe (59)]

[c:\program files\internet explorer\iexplore.exe (115)]
C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll
C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll
C:\Program Files\Microsoft Office\Office10\msohev.dll
C:\WINDOWS\System32\actxprxy.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\appHelp.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\system32\browselc.dll
C:\WINDOWS\system32\BROWSEUI.dll
C:\WINDOWS\System32\CFGMGR32.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\comdlg32.dll
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\cryptnet.dll
C:\WINDOWS\system32\CRYPTUI.dll
C:\WINDOWS\System32\davclnt.dll
C:\WINDOWS\System32\DCIMAN32.dll
C:\WINDOWS\System32\DDRAW.dll
C:\WINDOWS\System32\ddrawex.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\drprov.dll
C:\WINDOWS\system32\dssenh.dll
C:\WINDOWS\System32\dxtmsft.dll
C:\WINDOWS\System32\dxtrans.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\ImgUtil.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\iphlpapi.dll
c:\windows\system32\jscript.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LINKINFO.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
C:\WINDOWS\system32\MFC42.DLL
C:\WINDOWS\system32\midimap.dll
C:\WINDOWS\system32\mlang.dll
C:\WINDOWS\system32\MPR.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\msacm32.drv
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\System32\MSCTF.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\MSGINA.dll
C:\WINDOWS\System32\mshtml.dll
C:\WINDOWS\System32\mshtmled.dll
C:\WINDOWS\system32\msi.dll
C:\WINDOWS\System32\msimtf.dll
C:\WINDOWS\System32\msls31.dll
C:\WINDOWS\system32\msratelc.dll
C:\WINDOWS\system32\MSRATING.dll
C:\WINDOWS\system32\msv1_0.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\msxml3.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\System32\NETRAP.dll
C:\WINDOWS\System32\NETUI0.dll
C:\WINDOWS\System32\NETUI1.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\System32\ntlanman.dll
C:\WINDOWS\system32\ntshrui.dll
C:\WINDOWS\system32\ODBC32.dll
C:\WINDOWS\system32\odbcint.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\pngfilt.dll
C:\WINDOWS\System32\PSAPI.DLL
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\RASAPI32.DLL
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\System32\SAMLIB.dll
C:\WINDOWS\system32\schannel.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\serwvdrv.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\sfc_os.dll
C:\WINDOWS\system32\shdoclc.dll
C:\WINDOWS\system32\SHDOCVW.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\System32\sti.dll
C:\WINDOWS\system32\SXS.DLL
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\umdmxfrm.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\uxtheme.dll
c:\windows\system32\vbscript.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\wdmaud.drv
C:\WINDOWS\system32\WINHTTP.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\wuapi.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\system32\xpsp3res.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[C:\Program Files\iPod\bin\iPodService.exe (31)]
C:\Program Files\iPod\bin\iPodService.Resources\en.lproj\iPodServiceLocalized.DLL
C:\Program Files\iPod\bin\iPodService.Resources\iPodService.DLL
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\CFGMGR32.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\msi.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\setupapi.dll
C:\WINDOWS\system32\SXS.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\uxtheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\system32\Wtsapi32.dll
C:\WINDOWS\system32\xpsp2res.dll

[C:\Program Files\Netropa\OSD.exe (24)]
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\midimap.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\msacm32.drv
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\serwvdrv.dll
C:\WINDOWS\system32\umdmxfrm.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\uxtheme.dll
C:\WINDOWS\system32\wdmaud.drv
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WINTRUST.dll

[C:\Program Files\Netropa\Traymon.exe (19)]
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\system32\comdlg32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\msiosd32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\uxtheme.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[C:\Program Files\Norton AntiVirus\navapsvc.exe (20)]
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\msi.dll
C:\WINDOWS\system32\MSVCP60.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\SXS.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\uxtheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\xpsp2res.dll

[C:\WINDOWS\Explorer.EXE (93)]
C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\System32\actxprxy.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\appHelp.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\BatMeter.dll
C:\WINDOWS\system32\browselc.dll
C:\WINDOWS\system32\BROWSEUI.dll
C:\WINDOWS\System32\CFGMGR32.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\comdlg32.dll
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\credui.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\CRYPTUI.dll
C:\WINDOWS\System32\CSCDLL.dll
C:\WINDOWS\System32\cscui.dll
C:\WINDOWS\System32\davclnt.dll
C:\WINDOWS\System32\drprov.dll
C:\WINDOWS\system32\DUSER.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\iphlpapi.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\System32\l3codeca.acm
C:\WINDOWS\system32\LINKINFO.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\midimap.dll
C:\WINDOWS\system32\MPR.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\msacm32.drv
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\mscms.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\MSGINA.dll
C:\WINDOWS\system32\msi.dll
C:\WINDOWS\System32\MSIMG32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\System32\NETRAP.dll
C:\WINDOWS\system32\NETSHELL.dll
C:\WINDOWS\System32\NETUI0.dll
C:\WINDOWS\System32\NETUI1.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\System32\ntlanman.dll
C:\WINDOWS\system32\ntshrui.dll
C:\WINDOWS\system32\ODBC32.dll
C:\WINDOWS\system32\odbcint.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\POWRPROF.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\System32\SAMLIB.dll
C:\WINDOWS\System32\scrobj.dll
C:\WINDOWS\System32\Secur32.dll
C:\WINDOWS\system32\serwvdrv.dll
C:\WINDOWS\System32\SETUPAPI.dll
C:\WINDOWS\system32\shdoclc.dll
C:\WINDOWS\system32\SHDOCVW.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\System32\sti.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\system32\SXS.DLL
C:\WINDOWS\System32\themeui.dll
C:\WINDOWS\system32\umdmxfrm.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\wdmaud.drv
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WINSPOOL.DRV
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\WSOCK32.dll
C:\WINDOWS\System32\WTSAPI32.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll

[C:\WINDOWS\MMKeybd.exe (41)]
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\system32\comdlg32.dll
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\hid.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\midimap.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\msacm32.drv
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\msiosd32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\serwvdrv.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\umdmxfrm.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\uxtheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\wdmaud.drv
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[C:\WINDOWS\system32\Ati2evxx.exe (16)]
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\Ati2edxx.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\uxtheme.dll

[C:\WINDOWS\system32\lsass.exe (61)]
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\AUTHZ.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\dssenh.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\iphlpapi.dll
C:\WINDOWS\system32\ipsecsvc.dll
C:\WINDOWS\system32\kerberos.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\LSASRV.dll
C:\WINDOWS\system32\MPR.dll
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\msprivs.dll
C:\WINDOWS\system32\msv1_0.dll
C:\WINDOWS\system32\MSVCP60.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\system32\netlogon.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\NTDSAPI.dll
C:\WINDOWS\system32\oakley.DLL
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\psbase.dll
C:\WINDOWS\system32\pstorsvc.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\SAMLIB.dll
C:\WINDOWS\system32\SAMSRV.dll
C:\WINDOWS\system32\scecli.dll
C:\WINDOWS\system32\schannel.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\serwvdrv.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\umdmxfrm.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\w32time.dll
C:\WINDOWS\system32\wdigest.dll
C:\WINDOWS\system32\WINIPSEC.DLL
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[C:\WINDOWS\system32\services.exe (39)]
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\AUTHZ.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\eventlog.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\MSVCP60.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\NCObjAPI.DLL
C:\WINDOWS\system32\NETAPI32.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\SCESRV.dll
C:\WINDOWS\system32\secur32.dll
C:\WINDOWS\system32\serwvdrv.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\umdmxfrm.dll
C:\WINDOWS\system32\umpnpmgr.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WINSTA.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\wtsapi32.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[C:\WINDOWS\System32\smss.exe (1)]
C:\WINDOWS\system32\ntdll.dll

[C:\WINDOWS\system32\spoolsv.exe (53)]
C:\WINDOWS\AppPatch\AcGenral.DLL
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\cnbjmon.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\inetpp.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\localspl.dll
C:\WINDOWS\system32\LPK.DLL
C:\WINDOWS\system32\MSACM32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\NETRAP.dll
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\NTDSAPI.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\pjlmon.dll
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\serwvdrv.dll
C:\WINDOWS\system32\sfc_os.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\SPOOLSS.DLL
C:\WINDOWS\system32\tcpmon.dll
C:\WINDOWS\system32\umdmxfrm.dll
C:\WINDOWS\system32\usbmon.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\system32\USP10.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\system32\win32spl.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\winspool.drv
C:\WINDOWS\system32\WINTRUST.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

[C:\WINDOWS\System32\svchost.exe (160)]
C:\WINDOWS\AppPatch\AcGenral.DLL
c:\windows\pchealth\helpctr\binaries\pchsvc.dll
C:\WINDOWS\System32\ACTIVEDS.dll
C:\WINDOWS\System32\adsldpc.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\System32\ADVPACK.dll
C:\WINDOWS\system32\Apphelp.dll
c:\windows\system32\ATL.DLL
c:\windows\system32\audiosrv.dll
c:\windows\system32\AUTHZ.dll
c:\windows\system32\browser.dll
C:\WINDOWS\System32\Cabinet.dll
C:\WINDOWS\System32\catsrv.dll
C:\WINDOWS\System32\catsrvut.dll
c:\windows\system32\certcli.dll
C:\WINDOWS\System32\CLBCATQ.DLL
C:\WINDOWS\System32\CLUSAPI.DLL
C:\WINDOWS\system32\colbact.DLL
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\System32\COMRes.dll
C:\WINDOWS\system32\comsvcs.dll
c:\windows\system32\credui.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\System32\cryptdll.dll
c:\windows\system32\cryptsvc.dll
C:\WINDOWS\system32\CRYPTUI.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\DNSAPI.dll
C:\WINDOWS\System32\dssenh.dll
c:\windows\system32\ersvc.dll
c:\windows\system32\es.dll
c:\windows\system32\ESENT.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\System32\h323.tsp
C:\WINDOWS\System32\HID.DLL
C:\WINDOWS\System32\hidphone.tsp
C:\WINDOWS\System32\hnetcfg.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\System32\ipconf.tsp
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ipnathlp.dll
C:\WINDOWS\system32\kerberos.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\System32\kmddsp.tsp
C:\WINDOWS\System32\LPK.DLL
C:\WINDOWS\System32\MfcSubs.dll
C:\WINDOWS\System32\mlang.dll
C:\WINDOWS\system32\modemui.dll
C:\WINDOWS\system32\MPR.dll
C:\WINDOWS\System32\MPRAPI.dll
C:\WINDOWS\System32\MSACM32.dll
C:\WINDOWS\system32\MSASN1.dll
c:\windows\system32\msi.dll
C:\WINDOWS\System32\MSIDLE.DLL
C:\WINDOWS\System32\mspatcha.dll
C:\WINDOWS\system32\msv1_0.dll
c:\windows\system32\MSVCP60.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\msxml3.dll
C:\WINDOWS\system32\MTXCLU.DLL
C:\WINDOWS\system32\NCObjAPI.DLL

Edited by twism7, 28 April 2006 - 11:45 AM.
