Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Possible malware/spyware infection

Started by Lilaan , May 06 2006 11:29 PM

  • Please log in to reply

#1
Lilaan
Posted 06 May 2006 - 11:29 PM

Lilaan

    New Member

  • Member
  • Pip
  • 7 posts
Hello :whistling:

This is my first time on this forum. (Yay!)
HijackThis suggested this forum on it's website.

My problem seems to be that iexplore.exe (I use Firefox, so why this is popping up I have no idea) is randomly opening behind the scenes creating popups (which are thankfully being suppressed).

If it helps, I know I had New.Net installed (and removed) and I think webhancer.

I've tried my multi-prong approach to removing spyware using Ad-Aware, Spybot S&D, BHODemon and SpywareBlaster.

I use Alwil software's avast! antivirus for my antivirus.

I'm very meticulous to keep everything updated, and yet somehow about 6 or 7 malware infections were installed without my knowledge.

I removed those which showed up in the add/remove programs box.

I've turned off system restore and used avast's boot-time scan to remove some of the virus/trojans etc.

And then I used my 4 prong malware programs (above) to remove the majority of what was left.

Anything which was not removed by these programs was individually searched out and deleted manually.

Please find attached my HijackThis log.
Suggestions are appreciated^^


Logfile of HijackThis v1.99.1
Scan saved at 1:26:22 AM, on 5/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Blue Security\bluefrog.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MediaMonkey\MediaMonkey.exe
C:\Documents and Settings\marvin74\Desktop\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QCTray] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Blue Frog] C:\Program Files\Blue Security\bluefrog.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O17 - HKLM\Software\..\Telephony: DomainName = csntprod.morrisville.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B73AF86-B81B-4999-89F9-FF924C83E880}: NameServer = 206.72.209.26 206.72.209.56
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\djdmo.dll (file missing)
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe



Thank you very much in advance :blink:
  • 0

Advertisements

#2
williesbest2
Posted 12 May 2006 - 10:54 PM

williesbest2

    Visiting Staff

  • Member
  • PipPipPip
  • 892 posts
Hi Lilaan. Sorry for the delay in getting to your log. If you are still in need of help, please do the following.

1. Look2me
You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.downloads....org/l2mfix.exe
http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe,
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

2. HijackThis uninstall list
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

3. ATF Cleaner
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

4. Panda Activescan
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Please post an updated HijackThis log, along with the uninstall list and the Panda Activescan report
  • 0

#3
Lilaan
Posted 13 May 2006 - 01:51 PM

Lilaan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks for the reply! Here are the requested logs.

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"LoginDomain"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
"DllName"="QConGina.dll"
"Logoff"="QConGinaWLEventLogoff"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\djdmo.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
@=""
"DllName"="tphklock.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,6d,f7,d4,23,a9,4b,47,4f,be,59,8f,39,69,1d,80,c2,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,f8,93,18,a6,e9,0b,ce,e6,\
b9,d3,5b,7c,3e,61,cc,01,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,12,\
a3,b9,54,46,c0,c6,03,e0,72,52,d5,c6,9a,98,9d,20,00,00,00,e1,31,fa,f9,e7,20,\
c9,c9,dd,ae,0c,5a,bb,3b,bd,11,43,a3,68,b3,02,eb,4c,c0,f5,d1,4b,f3,cc,84,82,\
16,14,00,00,00,31,89,a1,df,03,7d,66,9b,95,ba,eb,e7,77,4e,ee,56,38,58,1d,a8

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9BB2828E-C00C-7370-0FBE-53E7E855FC60}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{34F4B935-17DC-4885-8BC9-CCD1ADF42F93}"="Record ISO Image to CD"
"{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bassmod.dll Mon Mar 27 2006 8:24:16p A.... 14,848 14.50 K
browseui.dll Fri Mar 3 2006 11:58:42p A.... 1,022,976 999.00 K
cdfview.dll Fri Mar 3 2006 11:58:42p ..... 151,040 147.50 K
danim.dll Fri Mar 3 2006 11:58:44p ..... 1,054,208 1.00 M
dxtrans.dll Fri Mar 3 2006 11:58:44p A.... 205,312 200.50 K
extmgr.dll Fri Mar 3 2006 11:58:44p ..... 55,808 54.50 K
iepeers.dll Fri Mar 3 2006 11:58:44p A.... 251,904 246.00 K
inetcomm.dll Fri Mar 17 2006 5:07:18a ..... 679,424 663.50 K
inseng.dll Fri Mar 3 2006 11:58:44p ..... 96,256 94.00 K
legitc~1.dll Mon Apr 10 2006 1:00:34p A.... 555,824 542.80 K
lvpq09~1.dll Thu May 4 2006 2:11:40p ..S.R 234,851 229.34 K
mshtml.dll Thu Mar 23 2006 4:31:40p A.... 3,055,616 2.91 M
mshtmled.dll Fri Mar 3 2006 11:58:48p A.... 448,512 438.00 K
msrating.dll Fri Mar 3 2006 11:58:48p ..... 146,432 143.00 K
mstime.dll Fri Mar 3 2006 11:58:48p ..... 532,480 520.00 K
pacifisy.dll Thu May 4 2006 2:10:10p A.... 22 0.02 K
pncrt.dll Thu Mar 9 2006 10:11:18p A.... 278,528 272.00 K
pndx5016.dll Thu Mar 9 2006 10:11:20p A.... 6,656 6.50 K
pndx5032.dll Thu Mar 9 2006 10:11:20p A.... 5,632 5.50 K
pngfilt.dll Fri Mar 3 2006 11:58:48p ..... 39,424 38.50 K
rmoc3260.dll Thu Mar 9 2006 10:11:32p A.... 176,167 172.04 K
shdocvw.dll Thu Mar 30 2006 5:27:02a A.... 1,495,040 1.43 M
shell32.dll Fri Mar 17 2006 12:03:54a A.... 8,452,096 8.06 M
shlwapi.dll Fri Mar 3 2006 11:58:50p A.... 474,112 463.00 K
sporder.dll Thu May 4 2006 2:08:18p A.... 8,464 8.27 K
urlmon.dll Sat Mar 18 2006 7:04:10a A.... 614,400 600.00 K
w028067d.dll Thu May 4 2006 2:08:44p A.... 51,712 50.50 K
wdigest.dll Fri Mar 24 2006 12:37:50a A.... 49,152 48.00 K
wgalogon.dll Mon Apr 10 2006 1:00:30p A.... 144,688 141.30 K
wininet.dll Fri Mar 3 2006 11:58:52p A.... 663,552 648.00 K
wmp.dll Fri Mar 10 2006 6:09:14a ..... 5,533,696 5.28 M
xpsp3res.dll Wed Mar 29 2006 9:31:04p A.... 23,040 22.50 K

32 items found: 32 files (1 H/S), 0 directories.
Total of file sizes: 26,521,872 bytes 25.29 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
set34d.tmp Fri Mar 3 2006 11:58:52p A.... 663,552 648.00 K
set34e.tmp Sat Mar 18 2006 7:04:10a A.... 614,400 600.00 K
set34f.tmp Fri Mar 3 2006 11:58:50p A.... 474,112 463.00 K
set350.tmp Thu Mar 30 2006 5:27:02a A.... 1,495,040 1.43 M
set354.tmp Fri Mar 3 2006 11:58:48p A.... 448,512 438.00 K
set355.tmp Thu Mar 23 2006 4:31:40p A.... 3,055,616 2.91 M
set357.tmp Fri Mar 3 2006 11:58:44p A.... 251,904 246.00 K
set358.tmp Fri Mar 3 2006 11:58:44p A.... 205,312 200.50 K
set35b.tmp Fri Mar 3 2006 11:58:42p A.... 1,022,976 999.00 K
set35d.tmp Wed Mar 29 2006 9:31:04p A.... 23,040 22.50 K
set362.tmp Fri Mar 24 2006 12:37:50a A.... 49,152 48.00 K
set371.tmp Mon Apr 10 2006 1:00:34p ..... 555,824 542.80 K
set37c.tmp Fri Mar 17 2006 12:03:54a A.... 8,452,096 8.06 M

13 items found: 13 files, 0 directories.
Total of file sizes: 17,311,536 bytes 16.51 M
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is DCB5-F9B0

Directory of C:\WINDOWS\System32

05/13/2006 02:12 PM <DIR> ..
05/13/2006 02:12 PM <DIR> .
05/04/2006 04:35 PM <DIR> dllcache
05/04/2006 02:11 PM 234,851 lvpq0975e.dll
06/16/2004 08:51 AM <DIR> Microsoft
1 File(s) 234,851 bytes
4 Dir(s) 10,289,377,280 bytes free
--
Access IBM
Access IBM Message Center
Access IBM Tools
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
Adobe Reader 7.0.7
Adobe Reader Japanese Fonts
Agere Systems AC'97 Modem
Alcohol 120% (Trial Version)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audio Convertor Plus version 2.18
avast! Antivirus
Blue Frog
BrainWave Generator
Cash Register 2.32
Dolphin Dreams Screensaver 5
ewido anti-malware
eyeQ
FINAL FANTASY XI
FINAL FANTASY XI: Chains of Promathia
FINAL FANTASY XI: Rise of the Zilart
FINAL FANTASY XI: Treasures of Aht Urhgan
Google Desktop
Google Earth
Google Pack Screensaver
Google Talk (remove only)
Google Updater
Google Video Player
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB912475)
IBM Access Connections
IBM RecordNow Update Manager
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM TrackPoint Accessibility Features
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
Intel® Sebring API
InterVideo WinDVD
iolo technologies' System Mechanic Professional 6
ISO Recorder
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
LimeWire 4.10.9
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
Macromedia Shockwave Player
Magic ISO Maker v5.1 (build 0185)
Max Media Creator
MaxDrive PS2
MediaMonkey 2.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Data Access Components KB870669
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Tool Web Package:WntIpcfg.exe
MidiNotate
Mozilla Firefox (1.5.0.3)
NCH Tone Generator Uninstall
PhoneTray Dialup
Picasa 2
PlayOnline Viewer and Tetra Master
Pre-Algebra ActivityMaker
QuickTime
RealPlayer
Scroll Lock Indicator Utility
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Shockwave
Skype 2.0
SoundMAX
Spybot - Search & Destroy 1.3
SpywareBlaster v3.5.1
Symantec Ghost Console Client
The Rosetta Stone
ThinkPad FullScreen Magnifier
ThinkPad Power Management Driver
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Vana'Guide Signature
Viewpoint Media Player
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver

--
ATF Cleaner - Done.
--
Avast! reported one of the Panda files as a virus. You might want to let other people know that when they scan using Panda.
--

Incident Status Location

Adware:adware/adlogix Not disinfected c:\windows\system32\pacifisy.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\marvin74\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\newname.dat
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.go.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[server.iad.liveperson.net/hc/82089913]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[server.iad.liveperson.net/hc/82089913]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.peel.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.com.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[server.iad.liveperson.net/hc/80503492]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.hg1.hitbox.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.bfast.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.888.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[sel.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\marvin74\Application Data\Mozilla\Firefox\Profiles\ex2aj7i2.default\cookies.txt[as1.falkag.de/]
  • 0

#4
williesbest2
Posted 13 May 2006 - 02:26 PM

williesbest2

    Visiting Staff

  • Member
  • PipPipPip
  • 892 posts
Hi. Please do the following:

1. Look2me part 2
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open double click on it in the l2mfix folder.

2. Webroot Spy Sweeper
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Please post an updated HijackThis log, along with the Look2me log and the spy sweeper session log
  • 0

#5
Lilaan
Posted 14 May 2006 - 11:21 AM

Lilaan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello :whistling:
Here are the requested log files.
I had a little trouble with the spysweeper, it detected 4 things, 1 of which it was not able to remove, and the computer kept freezing up. I rebooted in safe mode to remove it. Rebooted again, and was presented with about a minute's worth of scrolling MISSING: (file names here) most of which were .gif files and .html files. These were somehow "hidden" to windows according to spysweeper. Hopefully that's OK.

Anyway, on to the log files.

--

Logfile of HijackThis v1.99.1
Scan saved at 12:52:25 PM, on 5/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\Blue Security\bluefrog.exe
C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Documents and Settings\marvin74\Desktop\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QCTray] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Blue Frog] C:\Program Files\Blue Security\bluefrog.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O17 - HKLM\Software\..\Telephony: DomainName = csntprod.morrisville.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\djdmo.dll (file missing)
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--

********
11:00 AM: | Start of Session, Sunday, May 14, 2006 |
11:00 AM: Spy Sweeper started
11:00 AM: Sweep initiated using definitions version 677
11:00 AM: Starting Memory Sweep
11:02 AM: Memory Sweep Complete, Elapsed Time: 00:01:47
11:02 AM: Starting Registry Sweep
11:02 AM: Found Adware: enbrowser
11:02 AM: HKLM\software\system\sysold\ (ID = 926808)
11:02 AM: HKU\S-1-5-21-50867963-548222075-167591100-30592\software\system\sysuid\ (1 subtraces) (ID = 731748)
11:02 AM: Found Adware: zquest
11:02 AM: HKU\S-1-5-21-50867963-548222075-167591100-30592\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
11:02 AM: Registry Sweep Complete, Elapsed Time:00:00:17
11:02 AM: Starting Cookie Sweep
11:02 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:02 AM: Starting File Sweep
11:15 AM: howe.dll (ID = 290652)
11:49 AM: howe (ID = 290921)
11:50 AM: File Sweep Complete, Elapsed Time: 00:47:56
11:50 AM: Full Sweep has completed. Elapsed time 00:50:06
11:50 AM: Traces Found: 6
12:33 PM: Removal process initiated
12:33 PM: Quarantining All Traces: enbrowser
12:33 PM: Quarantining All Traces: zquest
12:33 PM: Removal process completed. Elapsed time 00:00:03
********
7:27 AM: | Start of Session, Sunday, May 14, 2006 |
7:27 AM: Spy Sweeper started
7:27 AM: Sweep initiated using definitions version 677
7:27 AM: Starting Memory Sweep
7:34 AM: Memory Sweep Complete, Elapsed Time: 00:07:03
7:34 AM: Starting Registry Sweep
7:34 AM: Found Adware: enbrowser
7:34 AM: HKLM\software\system\sysold\ (ID = 926808)
7:34 AM: Found Adware: clkoptimizer
7:34 AM: HKCR\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (6 subtraces) (ID = 1212644)
7:34 AM: HKLM\software\classes\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (6 subtraces) (ID = 1212651)
7:34 AM: HKCR\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (1 subtraces) (ID = 1212684)
7:34 AM: HKLM\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (1 subtraces) (ID = 1212686)
7:34 AM: HKLM\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}\ (2 subtraces) (ID = 1212690)
7:34 AM: HKU\S-1-5-21-50867963-548222075-167591100-30592\software\system\sysuid\ (1 subtraces) (ID = 731748)
7:34 AM: Found Adware: zquest
7:34 AM: HKU\S-1-5-21-50867963-548222075-167591100-30592\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
7:34 AM: Registry Sweep Complete, Elapsed Time:00:00:26
7:34 AM: Starting Cookie Sweep
7:34 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:34 AM: Starting File Sweep
7:52 AM: howe.dll (ID = 290652)
8:43 AM: howe (ID = 290921)
8:43 AM: Found System Monitor: potentially rootkit-masked files
8:43 AM: data23 (ID = 0)
8:43 AM: data24 (ID = 0)
8:43 AM: data25 (ID = 0)
8:43 AM: edb.log (ID = 0)
8:43 AM: fntcache.dat (ID = 0)
8:43 AM: pmemnt.sys (ID = 0)
8:43 AM: netlm.pnf (ID = 0)
8:43 AM: netlm56.pnf (ID = 0)
8:43 AM: netlnev2.pnf (ID = 0)
8:43 AM: netloop.pnf (ID = 0)
8:43 AM: netlpd.pnf (ID = 0)
8:43 AM: sam (ID = 0)
8:43 AM: netmadge.pnf (ID = 0)
8:43 AM: system (ID = 0)
8:43 AM: netmhzn5.pnf (ID = 0)
8:43 AM: netmscli.pnf (ID = 0)
8:43 AM: netnb.pnf (ID = 0)
8:43 AM: netnf3.pnf (ID = 0)
8:43 AM: netngr.pnf (ID = 0)
8:43 AM: netnm.pnf (ID = 0)
8:43 AM: netnovel.pnf (ID = 0)
8:43 AM: netnwcli.pnf (ID = 0)
8:43 AM: netnwlnk.pnf (ID = 0)
8:43 AM: netoc.pnf (ID = 0)
8:43 AM: netosi2c.pnf (ID = 0)
8:43 AM: netosi5.pnf (ID = 0)
8:43 AM: data26 (ID = 0)
8:43 AM: netpc100.pnf (ID = 0)
8:43 AM: netpnic.pnf (ID = 0)
8:43 AM: netpsa.pnf (ID = 0)
8:43 AM: data27 (ID = 0)
8:43 AM: data28 (ID = 0)
8:43 AM: data29 (ID = 0)
8:43 AM: netpschd.pnf (ID = 0)
8:43 AM: netpwr2.pnf (ID = 0)
8:43 AM: netrasa.pnf (ID = 0)
8:43 AM: netrass.pnf (ID = 0)
8:43 AM: netrast.pnf (ID = 0)
8:43 AM: netrlw2k.pnf (ID = 0)
8:43 AM: netrsvp.pnf (ID = 0)
8:43 AM: netrtoem.pnf (ID = 0)
8:43 AM: opera6.ini (ID = 0)
8:43 AM: netrtpnt.pnf (ID = 0)
8:43 AM: netrtsnt.pnf (ID = 0)
8:43 AM: data30 (ID = 0)
8:43 AM: data31 (ID = 0)
8:43 AM: data32 (ID = 0)
8:43 AM: data33 (ID = 0)
8:43 AM: data34 (ID = 0)
8:43 AM: data35 (ID = 0)
8:43 AM: data36 (ID = 0)
8:43 AM: data37 (ID = 0)
8:43 AM: data38 (ID = 0)
8:43 AM: data39 (ID = 0)
8:43 AM: data40 (ID = 0)
8:43 AM: data41 (ID = 0)
8:43 AM: data42 (ID = 0)
8:43 AM: data43 (ID = 0)
8:43 AM: data44 (ID = 0)
8:43 AM: data45 (ID = 0)
8:43 AM: data46 (ID = 0)
8:43 AM: netrwan.pnf (ID = 0)
8:43 AM: data47 (ID = 0)
8:43 AM: data48 (ID = 0)
8:43 AM: data49 (ID = 0)
8:43 AM: data50 (ID = 0)
8:43 AM: data51 (ID = 0)
8:43 AM: data52 (ID = 0)
8:43 AM: netsap.pnf (ID = 0)
8:43 AM: netserv.pnf (ID = 0)
8:43 AM: hints.dat (ID = 0)
8:43 AM: system.dat (ID = 0)
8:43 AM: netsis.pnf (ID = 0)
8:43 AM: netsk98.pnf (ID = 0)
8:43 AM: netsk_fp.pnf (ID = 0)
8:43 AM: netsla30.pnf (ID = 0)
8:43 AM: netsmc.pnf (ID = 0)
8:43 AM: netsnip.pnf (ID = 0)
8:43 AM: netsnmp.pnf (ID = 0)
8:43 AM: nettb155.pnf (ID = 0)
8:43 AM: data53 (ID = 0)
8:43 AM: nettcpip.pnf (ID = 0)
8:43 AM: nettdkb.pnf (ID = 0)
8:43 AM: data54 (ID = 0)
8:43 AM: data55 (ID = 0)
8:43 AM: data56 (ID = 0)
8:43 AM: nettiger.pnf (ID = 0)
8:43 AM: nettpro.pnf (ID = 0)
8:43 AM: nettpsmp.pnf (ID = 0)
8:43 AM: data57 (ID = 0)
8:43 AM: nettun.pnf (ID = 0)
8:43 AM: data58 (ID = 0)
8:43 AM: data59 (ID = 0)
8:43 AM: data60 (ID = 0)
8:43 AM: bt0.dat (ID = 0)
8:43 AM: netupnp.pnf (ID = 0)
8:43 AM: netupnph.pnf (ID = 0)
8:43 AM: netvt86.pnf (ID = 0)
8:43 AM: netw840.pnf (ID = 0)
8:43 AM: netw926.pnf (ID = 0)
8:43 AM: netw940.pnf (ID = 0)
8:43 AM: netwlan.pnf (ID = 0)
8:43 AM: netwlan2.pnf (ID = 0)
8:43 AM: netwv48.pnf (ID = 0)
8:43 AM: netwzc.pnf (ID = 0)
8:43 AM: netx500.pnf (ID = 0)
8:43 AM: data6 (ID = 0)
8:43 AM: tocfile (ID = 0)
8:43 AM: hashfile (ID = 0)
8:43 AM: info (ID = 0)
8:43 AM: data0 (ID = 0)
8:43 AM: data1 (ID = 0)
8:43 AM: data2 (ID = 0)
8:43 AM: data3 (ID = 0)
8:43 AM: data4 (ID = 0)
8:43 AM: data5 (ID = 0)
8:43 AM: data7 (ID = 0)
8:43 AM: data8 (ID = 0)
8:43 AM: data9 (ID = 0)
8:43 AM: data10 (ID = 0)
8:43 AM: data11 (ID = 0)
8:43 AM: data12 (ID = 0)
8:43 AM: data13 (ID = 0)
8:43 AM: data14 (ID = 0)
8:43 AM: data15 (ID = 0)
8:43 AM: data16 (ID = 0)
8:43 AM: data17 (ID = 0)
8:43 AM: data18 (ID = 0)
8:43 AM: data19 (ID = 0)
8:43 AM: data20 (ID = 0)
8:43 AM: data21 (ID = 0)
8:43 AM: data22 (ID = 0)
8:43 AM: tvt.txt (ID = 0)
8:43 AM: osfilter.txt (ID = 0)
8:43 AM: biosinfo.inf (ID = 0)
8:43 AM: ntdetect.com (ID = 0)
8:43 AM: setupldr.bin (ID = 0)
8:43 AM: spcmdcon.sys (ID = 0)
8:43 AM: txtsetup.sif (ID = 0)
8:43 AM: 8514fix.fon (ID = 0)
8:43 AM: 8514fixe.fon (ID = 0)
8:43 AM: 8514fixg.fon (ID = 0)
8:43 AM: 8514fixr.fon (ID = 0)
8:43 AM: 8514fixt.fon (ID = 0)
8:43 AM: 8514oem.fon (ID = 0)
8:43 AM: 8514oeme.fon (ID = 0)
8:43 AM: 8514oemg.fon (ID = 0)
8:43 AM: 8514oemr.fon (ID = 0)
8:43 AM: 8514oemt.fon (ID = 0)
8:43 AM: 8514sys.fon (ID = 0)
8:43 AM: 8514syse.fon (ID = 0)
8:43 AM: 8514sysg.fon (ID = 0)
8:43 AM: 8514sysr.fon (ID = 0)
8:43 AM: 8514syst.fon (ID = 0)
8:43 AM: 85855.fon (ID = 0)
8:43 AM: 85f1255.fon (ID = 0)
8:43 AM: 85f1256.fon (ID = 0)
8:43 AM: 85f874.fon (ID = 0)
8:43 AM: 85s1255.fon (ID = 0)
8:43 AM: 85s1256.fon (ID = 0)
8:43 AM: 85s874.fon (ID = 0)
8:43 AM: ahronbd.ttf (ID = 0)
8:43 AM: andlso.ttf (ID = 0)
8:43 AM: angsa.ttf (ID = 0)
8:43 AM: angsab.ttf (ID = 0)
8:43 AM: angsai.ttf (ID = 0)
8:43 AM: angsau.ttf (ID = 0)
8:43 AM: angsaub.ttf (ID = 0)
8:43 AM: angsaui.ttf (ID = 0)
8:43 AM: angsauz.ttf (ID = 0)
8:43 AM: angsaz.ttf (ID = 0)
8:43 AM: app850.fon (ID = 0)
8:43 AM: app852.fon (ID = 0)
8:43 AM: app855.fon (ID = 0)
8:43 AM: app857.fon (ID = 0)
8:43 AM: app866.fon (ID = 0)
8:43 AM: arial.ttf (ID = 0)
8:43 AM: arialbd.ttf (ID = 0)
8:43 AM: arialbi.ttf (ID = 0)
8:43 AM: ariali.ttf (ID = 0)
8:43 AM: ariblk.ttf (ID = 0)
8:43 AM: artrbdo.ttf (ID = 0)
8:43 AM: artro.ttf (ID = 0)
8:43 AM: browa.ttf (ID = 0)
8:43 AM: browab.ttf (ID = 0)
8:43 AM: browai.ttf (ID = 0)
8:43 AM: browau.ttf (ID = 0)
8:43 AM: browaub.ttf (ID = 0)
8:43 AM: browaui.ttf (ID = 0)
8:43 AM: browauz.ttf (ID = 0)
8:43 AM: browaz.ttf (ID = 0)
8:43 AM: cga40737.fon (ID = 0)
8:43 AM: cga40850.fon (ID = 0)
8:43 AM: cga40852.fon (ID = 0)
8:43 AM: cga40857.fon (ID = 0)
8:43 AM: cga40866.fon (ID = 0)
8:43 AM: cga40869.fon (ID = 0)
8:43 AM: cga40woa.fon (ID = 0)
8:43 AM: cga80737.fon (ID = 0)
8:43 AM: cga80850.fon (ID = 0)
8:43 AM: cga80852.fon (ID = 0)
8:43 AM: cga80857.fon (ID = 0)
8:43 AM: cga80866.fon (ID = 0)
8:43 AM: cga80869.fon (ID = 0)
8:43 AM: cga80woa.fon (ID = 0)
8:43 AM: comic.ttf (ID = 0)
8:43 AM: comicbd.ttf (ID = 0)
8:43 AM: cordia.ttf (ID = 0)
8:43 AM: cordiab.ttf (ID = 0)
8:43 AM: cordiai.ttf (ID = 0)
8:43 AM: cordiau.ttf (ID = 0)
8:43 AM: cordiaub.ttf (ID = 0)
8:43 AM: cordiaui.ttf (ID = 0)
8:43 AM: cordiauz.ttf (ID = 0)
8:43 AM: cordiaz.ttf (ID = 0)
8:43 AM: coue1255.fon (ID = 0)
8:43 AM: coue1256.fon (ID = 0)
8:43 AM: couf1255.fon (ID = 0)
8:43 AM: couf1256.fon (ID = 0)
8:43 AM: cour.ttf (ID = 0)
8:43 AM: courbd.ttf (ID = 0)
8:43 AM: courbi.ttf (ID = 0)
8:43 AM: coure.fon (ID = 0)
8:43 AM: couree.fon (ID = 0)
8:43 AM: coureg.fon (ID = 0)
8:43 AM: courer.fon (ID = 0)
8:43 AM: couret.fon (ID = 0)
8:43 AM: courf.fon (ID = 0)
8:43 AM: courfe.fon (ID = 0)
8:43 AM: courfg.fon (ID = 0)
8:43 AM: courfr.fon (ID = 0)
8:43 AM: courft.fon (ID = 0)
8:43 AM: couri.ttf (ID = 0)
8:43 AM: david.ttf (ID = 0)
8:43 AM: davidbd.ttf (ID = 0)
8:43 AM: davidtr.ttf (ID = 0)
8:43 AM: dos737.fon (ID = 0)
8:43 AM: dosapp.fon (ID = 0)
8:43 AM: ega40737.fon (ID = 0)
8:43 AM: ega40850.fon (ID = 0)
8:43 AM: ega40852.fon (ID = 0)
8:43 AM: ega40857.fon (ID = 0)
8:43 AM: ega40866.fon (ID = 0)
8:43 AM: ega40869.fon (ID = 0)
8:43 AM: ega40woa.fon (ID = 0)
8:43 AM: ega80737.fon (ID = 0)
8:43 AM: ega80850.fon (ID = 0)
8:43 AM: ega80852.fon (ID = 0)
8:43 AM: ega80857.fon (ID = 0)
8:43 AM: ega80866.fon (ID = 0)
8:43 AM: ega80869.fon (ID = 0)
8:43 AM: ega80woa.fon (ID = 0)
8:43 AM: estre.ttf (ID = 0)
8:43 AM: framd.ttf (ID = 0)
8:43 AM: framdit.ttf (ID = 0)
8:43 AM: frank.ttf (ID = 0)
8:43 AM: gautami.ttf (ID = 0)
8:43 AM: georgia.ttf (ID = 0)
8:43 AM: georgiab.ttf (ID = 0)
8:43 AM: georgiai.ttf (ID = 0)
8:43 AM: georgiaz.ttf (ID = 0)
8:43 AM: impact.ttf (ID = 0)
8:43 AM: latha.ttf (ID = 0)
8:43 AM: lucon.ttf (ID = 0)
8:43 AM: lvnm.ttf (ID = 0)
8:43 AM: lvnmbd.ttf (ID = 0)
8:43 AM: l_10646.ttf (ID = 0)
8:43 AM: mangal.ttf (ID = 0)
8:43 AM: marlett.ttf (ID = 0)
8:43 AM: micross.ttf (ID = 0)
8:43 AM: modern.fon (ID = 0)
8:43 AM: mriam.ttf (ID = 0)
8:43 AM: mriamc.ttf (ID = 0)
8:43 AM: mriamfx.ttf (ID = 0)
8:43 AM: mriamtr.ttf (ID = 0)
8:43 AM: msdlg874.fon (ID = 0)
8:43 AM: mvboli.ttf (ID = 0)
8:43 AM: nrkis.ttf (ID = 0)
8:43 AM: pala.ttf (ID = 0)
8:43 AM: palab.ttf (ID = 0)
8:43 AM: palabi.ttf (ID = 0)
8:43 AM: palai.ttf (ID = 0)
8:43 AM: raavi.ttf (ID = 0)
8:43 AM: rod.ttf (ID = 0)
8:43 AM: rodtr.ttf (ID = 0)
8:43 AM: roman.fon (ID = 0)
8:43 AM: script.fon (ID = 0)
8:43 AM: sere1255.fon (ID = 0)
8:43 AM: sere1256.fon (ID = 0)
8:43 AM: serf1255.fon (ID = 0)
8:43 AM: serf1256.fon (ID = 0)
8:43 AM: serife.fon (ID = 0)
8:43 AM: serifee.fon (ID = 0)
8:43 AM: serifeg.fon (ID = 0)
8:43 AM: serifer.fon (ID = 0)
8:43 AM: serifet.fon (ID = 0)
8:43 AM: seriff.fon (ID = 0)
8:43 AM: seriffe.fon (ID = 0)
8:43 AM: seriffg.fon (ID = 0)
8:43 AM: seriffr.fon (ID = 0)
8:43 AM: serifft.fon (ID = 0)
8:43 AM: shruti.ttf (ID = 0)
8:43 AM: simpbdo.ttf (ID = 0)
8:43 AM: simpfxo.ttf (ID = 0)
8:43 AM: simpo.ttf (ID = 0)
8:43 AM: smae1255.fon (ID = 0)
8:43 AM: smae1256.fon (ID = 0)
8:43 AM: smaf1255.fon (ID = 0)
8:43 AM: smaf1256.fon (ID = 0)
8:43 AM: smalle.fon (ID = 0)
8:43 AM: smallee.fon (ID = 0)
8:43 AM: smalleg.fon (ID = 0)
8:43 AM: smaller.fon (ID = 0)
8:43 AM: smallet.fon (ID = 0)
8:43 AM: smallf.fon (ID = 0)
8:43 AM: smallfe.fon (ID = 0)
8:43 AM: smallfg.fon (ID = 0)
8:43 AM: smallfr.fon (ID = 0)
8:43 AM: smallft.fon (ID = 0)
8:43 AM: ssee1255.fon (ID = 0)
8:43 AM: ssee1256.fon (ID = 0)
8:43 AM: ssee874.fon (ID = 0)
8:43 AM: ssef1255.fon (ID = 0)
8:43 AM: ssef1256.fon (ID = 0)
8:43 AM: ssef874.fon (ID = 0)
8:43 AM: sserife.fon (ID = 0)
8:43 AM: sserifee.fon (ID = 0)
8:43 AM: sserifeg.fon (ID = 0)
8:43 AM: sserifer.fon (ID = 0)
8:43 AM: sserifet.fon (ID = 0)
8:43 AM: sseriff.fon (ID = 0)
8:43 AM: sseriffe.fon (ID = 0)
8:43 AM: sseriffg.fon (ID = 0)
8:43 AM: sseriffr.fon (ID = 0)
8:43 AM: sserifft.fon (ID = 0)
8:43 AM: sylfaen.ttf (ID = 0)
8:43 AM: symbol.ttf (ID = 0)
8:43 AM: tahoma.ttf (ID = 0)
8:43 AM: tahomabd.ttf (ID = 0)
8:43 AM: times.ttf (ID = 0)
8:43 AM: timesbd.ttf (ID = 0)
8:43 AM: timesbi.ttf (ID = 0)
8:43 AM: timesi.ttf (ID = 0)
8:43 AM: tradbdo.ttf (ID = 0)
8:43 AM: trado.ttf (ID = 0)
8:43 AM: trebuc.ttf (ID = 0)
8:43 AM: trebucbd.ttf (ID = 0)
8:43 AM: trebucbi.ttf (ID = 0)
8:43 AM: trebucit.ttf (ID = 0)
8:43 AM: tunga.ttf (ID = 0)
8:43 AM: upcdb.ttf (ID = 0)
8:43 AM: upcdbi.ttf (ID = 0)
8:43 AM: upcdi.ttf (ID = 0)
8:43 AM: upcdl.ttf (ID = 0)
8:43 AM: upceb.ttf (ID = 0)
8:43 AM: upcebi.ttf (ID = 0)
8:43 AM: upcei.ttf (ID = 0)
8:43 AM: upcel.ttf (ID = 0)
8:43 AM: upcfb.ttf (ID = 0)
8:43 AM: upcfbi.ttf (ID = 0)
8:43 AM: upcfi.ttf (ID = 0)
8:44 AM: upcfl.ttf (ID = 0)
8:44 AM: upcib.ttf (ID = 0)
8:44 AM: upcibi.ttf (ID = 0)
8:44 AM: upcii.ttf (ID = 0)
8:44 AM: upcil.ttf (ID = 0)
8:44 AM: upcjb.ttf (ID = 0)
8:44 AM: upcjbi.ttf (ID = 0)
8:44 AM: upcji.ttf (ID = 0)
8:44 AM: upcjl.ttf (ID = 0)
8:44 AM: upckb.ttf (ID = 0)
8:44 AM: upckbi.ttf (ID = 0)
8:44 AM: upcki.ttf (ID = 0)
8:44 AM: upckl.ttf (ID = 0)
8:44 AM: upclb.ttf (ID = 0)
8:44 AM: upclbi.ttf (ID = 0)
8:44 AM: upcli.ttf (ID = 0)
8:44 AM: upcll.ttf (ID = 0)
8:44 AM: verdana.ttf (ID = 0)
8:44 AM: verdanab.ttf (ID = 0)
8:44 AM: verdanai.ttf (ID = 0)
8:44 AM: verdanaz.ttf (ID = 0)
8:44 AM: vga737.fon (ID = 0)
8:44 AM: vga850.fon (ID = 0)
8:44 AM: vga852.fon (ID = 0)
8:44 AM: vga855.fon (ID = 0)
8:44 AM: vga857.fon (ID = 0)
8:44 AM: vga866.fon (ID = 0)
8:44 AM: vga869.fon (ID = 0)
8:44 AM: vgaf1255.fon (ID = 0)
8:44 AM: vgaf1256.fon (ID = 0)
8:44 AM: vgaf874.fon (ID = 0)
8:44 AM: vgafix.fon (ID = 0)
8:44 AM: vgafixe.fon (ID = 0)
8:44 AM: vgafixg.fon (ID = 0)
8:44 AM: vgafixr.fon (ID = 0)
8:44 AM: vgafixt.fon (ID = 0)
8:44 AM: vgaoem.fon (ID = 0)
8:44 AM: vgas1255.fon (ID = 0)
8:44 AM: vgas1256.fon (ID = 0)
8:44 AM: vgas874.fon (ID = 0)
8:44 AM: vgasys.fon (ID = 0)
8:44 AM: vgasyse.fon (ID = 0)
8:44 AM: vgasysg.fon (ID = 0)
8:44 AM: vgasysr.fon (ID = 0)
8:44 AM: vgasyst.fon (ID = 0)
8:44 AM: webdings.ttf (ID = 0)
8:44 AM: wingding.ttf (ID = 0)
8:44 AM: agt0401.hlp (ID = 0)
8:44 AM: agt0405.hlp (ID = 0)
8:44 AM: agt0406.hlp (ID = 0)
8:44 AM: agt0407.hlp (ID = 0)
8:44 AM: agt0408.hlp (ID = 0)
8:44 AM: agt040b.hlp (ID = 0)
8:44 AM: agt040c.hlp (ID = 0)
8:44 AM: agt040d.hlp (ID = 0)
8:44 AM: agt040e.hlp (ID = 0)
8:44 AM: agt0410.hlp (ID = 0)
8:44 AM: agt0413.hlp (ID = 0)
8:44 AM: agt0414.hlp (ID = 0)
8:44 AM: agt0415.hlp (ID = 0)
8:44 AM: agt0416.hlp (ID = 0)
8:44 AM: agt0419.hlp (ID = 0)
8:44 AM: agt041d.hlp (ID = 0)
8:44 AM: agt041f.hlp (ID = 0)
8:44 AM: agt0816.hlp (ID = 0)
8:44 AM: agt0c0a.hlp (ID = 0)
8:44 AM: b57win32.inf (ID = 0)
8:44 AM: b57xp32.inf (ID = 0)
8:44 AM: bcm4sbxp.inf (ID = 0)
8:44 AM: e1000325.inf (ID = 0)
8:44 AM: e100b325.inf (ID = 0)
8:44 AM: e101d325.inf (ID = 0)
8:44 AM: font.inf (ID = 0)
8:44 AM: intl.inf (ID = 0)
8:44 AM: layout.inf (ID = 0)
8:44 AM: net10.inf (ID = 0)
8:44 AM: net1394.inf (ID = 0)
8:44 AM: net21x4.inf (ID = 0)
8:44 AM: net3c556.inf (ID = 0)
8:44 AM: net3c589.inf (ID = 0)
8:44 AM: net3c985.inf (ID = 0)
8:44 AM: net3sr.inf (ID = 0)
8:44 AM: net5515n.inf (ID = 0)
8:44 AM: net557.inf (ID = 0)
8:44 AM: net559ib.inf (ID = 0)
8:44 AM: net575nt.inf (ID = 0)
8:44 AM: net650d.inf (ID = 0)
8:44 AM: net656c5.inf (ID = 0)
8:44 AM: net656n5.inf (ID = 0)
8:44 AM: net713.inf (ID = 0)
8:44 AM: net83820.inf (ID = 0)
8:44 AM: net8511.inf (ID = 0)
8:44 AM: netac300.inf (ID = 0)
8:44 AM: netali.inf (ID = 0)
8:44 AM: netambi.inf (ID = 0)
8:44 AM: netamd.inf (ID = 0)
8:44 AM: netamd2.inf (ID = 0)
8:44 AM: netamdhl.inf (ID = 0)
8:44 AM: netan983.inf (ID = 0)
8:44 AM: netana.inf (ID = 0)
8:44 AM: netasp2k.inf (ID = 0)
8:44 AM: netauni.inf (ID = 0)
8:44 AM: netb57xp.inf (ID = 0)
8:44 AM: netbcm4e.inf (ID = 0)
8:44 AM: netbcm4p.inf (ID = 0)
8:44 AM: netbcm4u.inf (ID = 0)
8:44 AM: netbeac.inf (ID = 0)
8:44 AM: netbrdgm.inf (ID = 0)
8:44 AM: netbrdgs.inf (ID = 0)
8:44 AM: netbrzw.inf (ID = 0)
8:44 AM: netcb102.inf (ID = 0)
8:44 AM: netcb325.inf (ID = 0)
8:44 AM: netcbe.inf (ID = 0)
8:44 AM: netce2.inf (ID = 0)
8:44 AM: netce3.inf (ID = 0)
8:44 AM: netcem28.inf (ID = 0)
8:44 AM: netcem33.inf (ID = 0)
8:44 AM: netcem56.inf (ID = 0)
8:44 AM: netcicap.inf (ID = 0)
8:44 AM: netcis.inf (ID = 0)
8:44 AM: netclass.inf (ID = 0)
8:44 AM: netcpqc.inf (ID = 0)
8:44 AM: netcpqg.inf (ID = 0)
8:44 AM: netcpqi.inf (ID = 0)
8:44 AM: netcpqmt.inf (ID = 0)
8:44 AM: netctmrk.inf (ID = 0)
8:44 AM: netdav.inf (ID = 0)
8:44 AM: netdefxa.inf (ID = 0)
8:44 AM: netdf650.inf (ID = 0)
8:44 AM: netdgdxb.inf (ID = 0)
8:44 AM: netdlh5x.inf (ID = 0)
8:44 AM: netdm.inf (ID = 0)
8:44 AM: nete1000.inf (ID = 0)
8:44 AM: nete100i.inf (ID = 0)
8:44 AM: netejxmp.inf (ID = 0)
8:44 AM: netel515.inf (ID = 0)
8:44 AM: netel574.inf (ID = 0)
8:44 AM: netel5x9.inf (ID = 0)
8:44 AM: netel90a.inf (ID = 0)
8:44 AM: netel90b.inf (ID = 0)
8:44 AM: netel980.inf (ID = 0)
8:44 AM: netel99x.inf (ID = 0)
8:44 AM: netepicn.inf (ID = 0)
8:44 AM: netepro.inf (ID = 0)
8:44 AM: netepvcm.inf (ID = 0)
8:44 AM: netepvcp.inf (ID = 0)
8:44 AM: netex10.inf (ID = 0)
8:44 AM: netf56n5.inf (ID = 0)
8:44 AM: netfa312.inf (ID = 0)
8:44 AM: netfa410.inf (ID = 0)
8:44 AM: netfjvi.inf (ID = 0)
8:44 AM: netfjvj.inf (ID = 0)
8:44 AM: netfore.inf (ID = 0)
8:44 AM: netforeh.inf (ID = 0)
8:44 AM: netfxocm.inf (ID = 0)
8:44 AM: netgpc.inf (ID = 0)
8:44 AM: netias.inf (ID = 0)
8:44 AM: netibm.inf (ID = 0)
8:44 AM: netibm2.inf (ID = 0)
8:44 AM: netip6.inf (ID = 0)
8:44 AM: netiprip.inf (ID = 0)
8:44 AM: netirda.inf (ID = 0)
8:44 AM: netirsir.inf (ID = 0)
8:44 AM: netklsi.inf (ID = 0)
8:44 AM: netktc.inf (ID = 0)
8:44 AM: netlanem.inf (ID = 0)
8:44 AM: netlanep.inf (ID = 0)
8:44 AM: netlm.inf (ID = 0)
8:44 AM: netlm56.inf (ID = 0)
8:44 AM: netlnev2.inf (ID = 0)
8:44 AM: netloop.inf (ID = 0)
8:44 AM: netlpd.inf (ID = 0)
8:44 AM: netmadge.inf (ID = 0)
8:44 AM: netmhzn5.inf (ID = 0)
8:44 AM: netmscli.inf (ID = 0)
8:44 AM: netnb.inf (ID = 0)
8:44 AM: netnf3.inf (ID = 0)
8:44 AM: netngr.inf (ID = 0)
8:44 AM: netnm.inf (ID = 0)
8:44 AM: netnovel.inf (ID = 0)
8:44 AM: netnwcli.inf (ID = 0)
8:44 AM: netnwlnk.inf (ID = 0)
8:44 AM: netoc.inf (ID = 0)
8:44 AM: netosi2c.inf (ID = 0)
8:44 AM: netosi5.inf (ID = 0)
8:44 AM: netpc100.inf (ID = 0)
8:44 AM: netpnic.inf (ID = 0)
8:44 AM: netpsa.inf (ID = 0)
8:44 AM: netpschd.inf (ID = 0)
8:44 AM: netpwr2.inf (ID = 0)
8:44 AM: netrasa.inf (ID = 0)
8:44 AM: netrass.inf (ID = 0)
8:44 AM: netrast.inf (ID = 0)
8:44 AM: netrlw2k.inf (ID = 0)
8:44 AM: netrsvp.inf (ID = 0)
8:44 AM: netrtoem.inf (ID = 0)
8:44 AM: netrtpnt.inf (ID = 0)
8:44 AM: netrtsnt.inf (ID = 0)
8:44 AM: netrwan.inf (ID = 0)
8:44 AM: netsap.inf (ID = 0)
8:44 AM: netserv.inf (ID = 0)
8:44 AM: netsis.inf (ID = 0)
8:44 AM: netsk98.inf (ID = 0)
8:44 AM: netsk_fp.inf (ID = 0)
8:44 AM: netsla30.inf (ID = 0)
8:44 AM: netsmc.inf (ID = 0)
8:44 AM: netsnip.inf (ID = 0)
8:44 AM: netsnmp.inf (ID = 0)
8:44 AM: nettb155.inf (ID = 0)
8:44 AM: nettcpip.inf (ID = 0)
8:44 AM: nettdkb.inf (ID = 0)
8:44 AM: nettiger.inf (ID = 0)
8:44 AM: nettpro.inf (ID = 0)
8:44 AM: nettpsmp.inf (ID = 0)
8:44 AM: nettun.inf (ID = 0)
8:44 AM: netupnp.inf (ID = 0)
8:44 AM: netupnph.inf (ID = 0)
8:44 AM: netvt86.inf (ID = 0)
8:44 AM: netw840.inf (ID = 0)
8:44 AM: netw926.inf (ID = 0)
8:44 AM: netw940.inf (ID = 0)
8:44 AM: netwlan.inf (ID = 0)
8:44 AM: netwlan2.inf (ID = 0)
8:44 AM: netwv48.inf (ID = 0)
8:44 AM: netwzc.inf (ID = 0)
8:44 AM: netx500.inf (ID = 0)
8:44 AM: netx56n5.inf (ID = 0)
8:44 AM: netxcpq.inf (ID = 0)
8:44 AM: ramdrv.inf (ID = 0)
8:44 AM: agt0401.dll (ID = 0)
8:44 AM: agt0405.dll (ID = 0)
8:44 AM: agt0406.dll (ID = 0)
8:44 AM: agt0407.dll (ID = 0)
8:44 AM: agt0408.dll (ID = 0)
8:44 AM: agt040b.dll (ID = 0)
8:44 AM: agt040c.dll (ID = 0)
8:44 AM: agt040d.dll (ID = 0)
8:44 AM: agt040e.dll (ID = 0)
8:44 AM: agt0410.dll (ID = 0)
8:44 AM: agt0413.dll (ID = 0)
8:44 AM: agt0414.dll (ID = 0)
8:44 AM: agt0415.dll (ID = 0)
8:44 AM: agt0416.dll (ID = 0)
8:44 AM: agt0419.dll (ID = 0)
8:44 AM: agt041d.dll (ID = 0)
8:44 AM: agt041f.dll (ID = 0)
8:44 AM: agt0816.dll (ID = 0)
8:44 AM: agt0c0a.dll (ID = 0)
8:44 AM: aclui.dll (ID = 0)
8:44 AM: activeds.dll (ID = 0)
8:44 AM: adsldpc.dll (ID = 0)
8:44 AM: advapi32.dll (ID = 0)
8:44 AM: alrsvc.dll (ID = 0)
8:44 AM: apphelp.dll (ID = 0)
8:44 AM: atl.dll (ID = 0)
8:44 AM: attrib.exe (ID = 0)
8:44 AM: authz.dll (ID = 0)
8:44 AM: autochk.exe (ID = 0)
8:44 AM: autofmt.exe (ID = 0)
8:44 AM: avmc20.dll (ID = 0)
8:44 AM: avmcapi.dll (ID = 0)
8:44 AM: avmenum.dll (ID = 0)
8:44 AM: basesrv.dll (ID = 0)
8:44 AM: biosinfo.inf (ID = 0)
8:44 AM: bootvid.dll (ID = 0)
8:44 AM: browser.dll (ID = 0)
8:44 AM: browseui.dll (ID = 0)
8:44 AM: c218tnt.cod (ID = 0)
8:44 AM: c320tnt.cod (ID = 0)
8:44 AM: cabinet.dll (ID = 0)
8:44 AM: cacls.exe (ID = 0)
8:44 AM: certcli.dll (ID = 0)
8:44 AM: cfgmgr32.dll (ID = 0)
8:44 AM: chkdsk.exe (ID = 0)
8:44 AM: clb.dll (ID = 0)
8:44 AM: clipsrv.exe (ID = 0)
8:44 AM: clusapi.dll (ID = 0)
8:44 AM: cmd.exe (ID = 0)
8:44 AM: cnbjmon.dll (ID = 0)
8:44 AM: comctl32.dll (ID = 0)
8:44 AM: comdlg32.dll (ID = 0)
8:44 AM: credui.dll (ID = 0)
8:44 AM: crypt32.dll (ID = 0)
8:44 AM: cryptdll.dll (ID = 0)
8:44 AM: cryptnet.dll (ID = 0)
8:44 AM: cryptui.dll (ID = 0)
8:44 AM: cscdll.dll (ID = 0)
8:44 AM: csrsrv.dll (ID = 0)
8:44 AM: csrss.exe (ID = 0)
8:44 AM: ctmasetp.dll (ID = 0)
8:44 AM: ctmrclas.dll (ID = 0)
8:44 AM: ctype.nls (ID = 0)
8:44 AM: c_037.nls (ID = 0)
8:44 AM: c_10000.nls (ID = 0)
8:44 AM: c_10004.nls (ID = 0)
8:44 AM: c_10005.nls (ID = 0)
8:44 AM: c_10006.nls (ID = 0)
8:44 AM: c_10007.nls (ID = 0)
8:44 AM: c_10010.nls (ID = 0)
8:44 AM: c_10017.nls (ID = 0)
8:44 AM: c_10021.nls (ID = 0)
8:44 AM: c_10029.nls (ID = 0)
8:44 AM: c_10079.nls (ID = 0)
8:44 AM: c_10081.nls (ID = 0)
8:44 AM: c_10082.nls (ID = 0)
8:44 AM: c_1026.nls (ID = 0)
8:44 AM: c_1250.nls (ID = 0)
8:44 AM: c_1251.nls (ID = 0)
8:44 AM: c_1252.nls (ID = 0)
8:44 AM: c_1253.nls (ID = 0)
8:44 AM: c_1254.nls (ID = 0)
8:44 AM: c_1255.nls (ID = 0)
8:44 AM: c_1256.nls (ID = 0)
8:44 AM: c_1257.nls (ID = 0)
8:44 AM: c_1258.nls (ID = 0)
8:44 AM: c_20127.nls (ID = 0)
8:44 AM: c_20261.nls (ID = 0)
8:44 AM: c_20866.nls (ID = 0)
8:44 AM: c_20905.nls (ID = 0)
8:44 AM: c_21866.nls (ID = 0)
8:44 AM: c_28592.nls (ID = 0)
8:44 AM: c_28593.nls (ID = 0)
8:44 AM: c_28595.nls (ID = 0)
8:44 AM: c_28596.nls (ID = 0)
8:44 AM: c_28597.nls (ID = 0)
8:44 AM: c_28598.nls (ID = 0)
8:44 AM: c_28599.nls (ID = 0)
8:44 AM: c_28605.nls (ID = 0)
8:44 AM: c_437.nls (ID = 0)
8:44 AM: c_500.nls (ID = 0)
8:44 AM: c_708.nls (ID = 0)
8:44 AM: c_720.nls (ID = 0)
8:44 AM: c_737.nls (ID = 0)
8:44 AM: c_775.nls (ID = 0)
8:44 AM: c_850.nls (ID = 0)
8:44 AM: c_852.nls (ID = 0)
8:44 AM: c_855.nls (ID = 0)
8:44 AM: c_857.nls (ID = 0)
8:44 AM: c_860.nls (ID = 0)
8:44 AM: c_861.nls (ID = 0)
8:44 AM: c_862.nls (ID = 0)
8:44 AM: c_863.nls (ID = 0)
8:44 AM: c_864.nls (ID = 0)
8:44 AM: c_865.nls (ID = 0)
8:44 AM: c_866.nls (ID = 0)
8:44 AM: c_869.nls (ID = 0)
8:44 AM: c_874.nls (ID = 0)
8:44 AM: c_875.nls (ID = 0)
8:44 AM: c_932.nls (ID = 0)
8:44 AM: c_936.nls (ID = 0)
8:44 AM: c_949.nls (ID = 0)
8:44 AM: c_950.nls (ID = 0)
8:44 AM: c_iscii.dll (ID = 0)
8:44 AM: dbgeng.dll (ID = 0)
8:44 AM: dbghelp.dll (ID = 0)
8:44 AM: dciman32.dll (ID = 0)
8:44 AM: ddraw.dll (ID = 0)
8:44 AM: devmgr.dll (ID = 0)
8:44 AM: dgclass.dll (ID = 0)
8:44 AM: dgnet.dll (ID = 0)
8:44 AM: dgrpsetu.dll (ID = 0)
8:44 AM: dhcpcsvc.dll (ID = 0)
8:44 AM: diapi2.dll (ID = 0)
8:44 AM: diapi232.dll (ID = 0)
8:44 AM: diapi2nt.dll (ID = 0)
8:44 AM: diskpart.exe (ID = 0)
8:44 AM: disrvpp.dll (ID = 0)
8:44 AM: disrvsu.dll (ID = 0)
8:44 AM: ditrace.exe (ID = 0)
8:44 AM: divaprop.dll (ID = 0)
8:44 AM: divasu.dll (ID = 0)
8:44 AM: dmadmin.exe (ID = 0)
8:44 AM: dmconfig.dll (ID = 0)
8:44 AM: dmintf.dll (ID = 0)
8:44 AM: dmserver.dll (ID = 0)
8:44 AM: dmutil.dll (ID = 0)
8:44 AM: dnsapi.dll (ID = 0)
8:44 AM: dnsrslvr.dll (ID = 0)
8:44 AM: duser.dll (ID = 0)
8:44 AM: e1000325.din (ID = 0)
8:44 AM: e1000msg.dll (ID = 0)
8:44 AM: e100b325.din (ID = 0)
8:44 AM: e100bmsg.dll (ID = 0)
8:44 AM: eqnclass.dll (ID = 0)
8:44 AM: eqndiag.exe (ID = 0)
8:44 AM: eqnlogr.exe (ID = 0)
8:44 AM: eqnloop.exe (ID = 0)
8:44 AM: esent.dll (ID = 0)
8:44 AM: expand.exe (ID = 0)
8:44 AM: factory.exe (ID = 0)
8:44 AM: format.com (ID = 0)
8:44 AM: fpnpbase.sys (ID = 0)
8:44 AM: fpnpbase.usa (ID = 0)
8:44 AM: framebuf.dll (ID = 0)
8:44 AM: ftlx041e.dll (ID = 0)
8:44 AM: fus2base.sys (ID = 0)
8:44 AM: gdi32.dll (ID = 0)
8:44 AM: gptext.dll (ID = 0)
8:44 AM: hal.dll (ID = 0)
8:44 AM: halaacpi.dll (ID = 0)
8:44 AM: halacpi.dll (ID = 0)
8:44 AM: halapic.dll (ID = 0)
8:44 AM: halmacpi.dll (ID = 0)
8:44 AM: halmps.dll (ID = 0)
8:44 AM: halsp.dll (ID = 0)
8:44 AM: hccoin.dll (ID = 0)
8:44 AM: icmp.dll (ID = 0)
8:44 AM: ifsutil.dll (ID = 0)
8:44 AM: imagehlp.dll (ID = 0)
8:44 AM: imgutil.dll (ID = 0)
8:44 AM: imm32.dll (ID = 0)
8:44 AM: initpki.dll (ID = 0)
8:44 AM: intelnic.dll (ID = 0)
8:44 AM: intl.cpl (ID = 0)
8:44 AM: io8ports.dll (ID = 0)
8:44 AM: iologmsg.dll (ID = 0)
8:44 AM: ipconfig.exe (ID = 0)
8:44 AM: iphlpapi.dll (ID = 0)
8:44 AM: ipsecsnp.dll (ID = 0)
8:44 AM: kbda1.dll (ID = 0)
8:44 AM: kbda2.dll (ID = 0)
8:44 AM: kbda3.dll (ID = 0)
8:44 AM: kbdal.dll (ID = 0)
8:44 AM: kbdarme.dll (ID = 0)
8:44 AM: kbdarmw.dll (ID = 0)
8:44 AM: kbdaze.dll (ID = 0)
8:44 AM: kbdazel.dll (ID = 0)
8:44 AM: kbdbe.dll (ID = 0)
8:44 AM: kbdblr.dll (ID = 0)
8:44 AM: kbdbr.dll (ID = 0)
8:44 AM: kbdbu.dll (ID = 0)
8:44 AM: kbdca.dll (ID = 0)
8:44 AM: kbdcr.dll (ID = 0)
8:44 AM: kbdcz.dll (ID = 0)
8:44 AM: kbdcz1.dll (ID = 0)
8:44 AM: kbdcz2.dll (ID = 0)
8:44 AM: kbdda.dll (ID = 0)
8:44 AM: kbddiv1.dll (ID = 0)
8:44 AM: kbddiv2.dll (ID = 0)
8:44 AM: kbddv.dll (ID = 0)
8:44 AM: kbdes.dll (ID = 0)
8:44 AM: kbdfa.dll (ID = 0)
8:44 AM: kbdfc.dll (ID = 0)
8:44 AM: kbdfi.dll (ID = 0)
8:44 AM: kbdfr.dll (ID = 0)
8:44 AM: kbdgae.dll (ID = 0)
8:44 AM: kbdgeo.dll (ID = 0)
8:44 AM: kbdgkl.dll (ID = 0)
8:44 AM: kbdgr.dll (ID = 0)
8:44 AM: kbdgr1.dll (ID = 0)
8:44 AM: kbdhe.dll (ID = 0)
8:44 AM: kbdhe220.dll (ID = 0)
8:44 AM: kbdhe319.dll (ID = 0)
8:44 AM: kbdheb.dll (ID = 0)
8:44 AM: kbdhela2.dll (ID = 0)
8:44 AM: kbdhela3.dll (ID = 0)
8:44 AM: kbdhept.dll (ID = 0)
8:44 AM: kbdhu.dll (ID = 0)
8:44 AM: kbdhu1.dll (ID = 0)
8:44 AM: kbdic.dll (ID = 0)
8:44 AM: kbdindev.dll (ID = 0)
8:44 AM: kbdinguj.dll (ID = 0)
8:44 AM: kbdinhin.dll (ID = 0)
8:44 AM: kbdinkan.dll (ID = 0)
8:44 AM: kbdinmar.dll (ID = 0)
8:44 AM: kbdinpun.dll (ID = 0)
8:44 AM: kbdintam.dll (ID = 0)
8:44 AM: kbdintel.dll (ID = 0)
8:44 AM: kbdir.dll (ID = 0)
8:44 AM: kbdit.dll (ID = 0)
8:44 AM: kbdit142.dll (ID = 0)
8:44 AM: kbdkaz.dll (ID = 0)
8:44 AM: kbdkyr.dll (ID = 0)
8:44 AM: kbdla.dll (ID = 0)
8:44 AM: kbdmac.dll (ID = 0)
8:44 AM: kbdmon.dll (ID = 0)
8:44 AM: kbdne.dll (ID = 0)
8:44 AM: kbdnec.dll (ID = 0)
8:44 AM: kbdno.dll (ID = 0)
8:44 AM: kbdpl.dll (ID = 0)
8:44 AM: kbdpl1.dll (ID = 0)
8:44 AM: kbdpo.dll (ID = 0)
8:44 AM: kbdro.dll (ID = 0)
8:44 AM: kbdru.dll (ID = 0)
8:44 AM: kbdru1.dll (ID = 0)
8:44 AM: kbdsf.dll (ID = 0)
8:44 AM: kbdsg.dll (ID = 0)
8:44 AM: kbdsl.dll (ID = 0)
8:44 AM: kbdsl1.dll (ID = 0)
8:44 AM: kbdsp.dll (ID = 0)
8:44 AM: kbdsw.dll (ID = 0)
8:44 AM: kbdsyr1.dll (ID = 0)
8:44 AM: kbdsyr2.dll (ID = 0)
8:44 AM: kbdtat.dll (ID = 0)
8:44 AM: kbdth0.dll (ID = 0)
8:44 AM: kbdth1.dll (ID = 0)
8:44 AM: kbdth2.dll (ID = 0)
8:44 AM: kbdth3.dll (ID = 0)
8:44 AM: kbdtuf.dll (ID = 0)
8:44 AM: kbdtuq.dll (ID = 0)
8:44 AM: kbduk.dll (ID = 0)
8:44 AM: kbdur.dll (ID = 0)
8:44 AM: kbdurdu.dll (ID = 0)
8:44 AM: kbdus.dll (ID = 0)
8:44 AM: kbdusa.dll (ID = 0)
8:44 AM: kbdusl.dll (ID = 0)
8:44 AM: kbdusr.dll (ID = 0)
8:44 AM: kbdusx.dll (ID = 0)
8:44 AM: kbduzb.dll (ID = 0)
8:44 AM: kbdvntc.dll (ID = 0)
8:44 AM: kbdycc.dll (ID = 0)
8:44 AM: kbdycl.dll (ID = 0)
8:44 AM: kd1394.dll (ID = 0)
8:44 AM: kdcom.dll (ID = 0)
8:44 AM: kerberos.dll (ID = 0)
8:44 AM: kernel32.dll (ID = 0)
8:44 AM: linkinfo.dll (ID = 0)
8:44 AM: lmhsvc.dll (ID = 0)
8:44 AM: loadperf.dll (ID = 0)
8:44 AM: locale.nls (ID = 0)
8:44 AM: localspl.dll (ID = 0)
8:44 AM: locator.exe (ID = 0)
8:44 AM: lpk.dll (ID = 0)
8:44 AM: lsasrv.dll (ID = 0)
8:44 AM: lsass.exe (ID = 0)
8:44 AM: lz32.dll (ID = 0)
8:44 AM: l_intl.nls (ID = 0)
8:44 AM: mfc42.dll (ID = 0)
8:44 AM: mfc42u.dll (ID = 0)
8:44 AM: mobsync.dll (ID = 0)
8:44 AM: mpr.dll (ID = 0)
8:44 AM: mprapi.dll (ID = 0)
8:44 AM: mprui.dll (ID = 0)
8:44 AM: msafd.dll (ID = 0)
8:44 AM: msasn1.dll (ID = 0)
8:44 AM: mscat32.dll (ID = 0)
8:44 AM: mscms.dll (ID = 0)
8:44 AM: msftedit.dll (ID = 0)
8:44 AM: msgina.dll (ID = 0)
8:44 AM: msgsvc.dll (ID = 0)
8:44 AM: msi.dll (ID = 0)
8:44 AM: msimg32.dll (ID = 0)
8:44 AM: msjet40.dll (ID = 0)
8:44 AM: msls31.dll (ID = 0)
8:44 AM: msports.dll (ID = 0)
8:44 AM: msprivs.dll (ID = 0)
8:44 AM: mssign32.dll (ID = 0)
8:44 AM: mssip32.dll (ID = 0)
8:44 AM: msswch.dll (ID = 0)
8:44 AM: msswchx.exe (ID = 0)
8:44 AM: msv1_0.dll (ID = 0)
8:44 AM: msvcirt.dll (ID = 0)
8:44 AM: msvcp60.dll (ID = 0)
8:44 AM: msvcrt.dll (ID = 0)
8:44 AM: mswsock.dll (ID = 0)
8:44 AM: mswstr10.dll (ID = 0)
8:44 AM: ncobjapi.dll (ID = 0)
8:44 AM: nddeapi.dll (ID = 0)
8:44 AM: net.exe (ID = 0)
8:44 AM: net.hlp (ID = 0)
8:44 AM: net1.exe (ID = 0)
8:44 AM: netapi32.dll (ID = 0)
8:44 AM: netcfg.exe (ID = 0)
8:44 AM: netcfgx.dll (ID = 0)
8:44 AM: netevent.dll (ID = 0)
8:44 AM: netlogon.dll (ID = 0)
8:44 AM: netman.dll (ID = 0)
8:44 AM: netmsg.dll (ID = 0)
8:44 AM: netrap.dll (ID = 0)
8:44 AM: netshell.dll (ID = 0)
8:44 AM: netui0.dll (ID = 0)
8:44 AM: netui1.dll (ID = 0)
8:44 AM: netui2.dll (ID = 0)
8:44 AM: newdev.dll (ID = 0)
8:44 AM: notepad.exe (ID = 0)
8:44 AM: ntdll.dll (ID = 0)
8:44 AM: ntdsapi.dll (ID = 0)
8:44 AM: ntkrnlmp.exe (ID = 0)
8:44 AM: ntlanman.dll (ID = 0)
8:44 AM: ntmarta.dll (ID = 0)
8:44 AM: ntsd.exe (ID = 0)
8:44 AM: nwapi32.dll (ID = 0)
8:44 AM: nwcfg.dll (ID = 0)
8:44 AM: nwevent.dll (ID = 0)
8:44 AM: nwprovau.dll (ID = 0)
8:44 AM: nwwks.dll (ID = 0)
8:44 AM: oakley.dll (ID = 0)
8:44 AM: odbc16gt.dll (ID = 0)
8:44 AM: odbc32.dll (ID = 0)
8:44 AM: odbc32gt.dll (ID = 0)
8:44 AM: odbcad32.exe (ID = 0)
8:44 AM: odbcbcp.dll (ID = 0)
8:44 AM: odbcconf.dll (ID = 0)
8:44 AM: odbcconf.exe (ID = 0)
8:44 AM: odbcconf.rsp (ID = 0)
8:44 AM: odbccp32.cpl (ID = 0)
8:44 AM: odbccp32.dll (ID = 0)
8:44 AM: odbccr32.dll (ID = 0)
8:44 AM: netx56n5.pnf (ID = 0)
8:44 AM: odbccu32.dll (ID = 0)
8:44 AM: odbcint.dll (ID = 0)
8:44 AM: odbcji32.dll (ID = 0)
8:44 AM: odbcjt32.dll (ID = 0)
8:44 AM: netxcpq.pnf (ID = 0)
8:44 AM: odbcp32r.dll (ID = 0)
8:44 AM: odbctrac.dll (ID = 0)
8:44 AM: ramdrv.pnf (ID = 0)
8:44 AM: infcache.1 (ID = 0)
8:44 AM: oemwinpe.exe (ID = 0)
8:44 AM: operadef6.adr (ID = 0)
8:44 AM: ole32.dll (ID = 0)
8:44 AM: oleacc.dll (ID = 0)
8:44 AM: oleaut32.dll (ID = 0)
8:44 AM: olecli32.dll (ID = 0)
8:44 AM: olecnv32.dll (ID = 0)
8:44 AM: oledlg.dll (ID = 0)
8:44 AM: olepro32.dll (ID = 0)
8:44 AM: olesvr.dll (ID = 0)
8:44 AM: olesvr32.dll (ID = 0)
8:44 AM: olethk32.dll (ID = 0)
8:44 AM: osk.exe (ID = 0)
8:44 AM: osuninst.dll (ID = 0)
8:44 AM: peer.exe (ID = 0)
8:44 AM: pentnt.exe (ID = 0)
8:44 AM: perfctrs.dll (ID = 0)
8:44 AM: perfnw.dll (ID = 0)
8:44 AM: ping.exe (ID = 0)
8:44 AM: polstore.dll (ID = 0)
8:44 AM: portmon.exe (ID = 0)
8:44 AM: powrprof.dll (ID = 0)
8:44 AM: profmap.dll (ID = 0)
8:44 AM: prounstl.exe (ID = 0)
8:44 AM: psapi.dll (ID = 0)
8:44 AM: pstorec.dll (ID = 0)
8:44 AM: pstorsvc.dll (ID = 0)
8:44 AM: query.dll (ID = 0)
8:44 AM: rasadhlp.dll (ID = 0)
8:44 AM: rasapi32.dll (ID = 0)
8:44 AM: rasdlg.dll (ID = 0)
8:44 AM: rasman.dll (ID = 0)
8:44 AM: reg.exe (ID = 0)
8:44 AM: regapi.dll (ID = 0)
8:44 AM: regedit.exe (ID = 0)
8:44 AM: regedt32.exe (ID = 0)
8:44 AM: regsvr32.exe (ID = 0)
8:44 AM: riched20.dll (ID = 0)
8:44 AM: rnr20.dll (ID = 0)
8:44 AM: rpcrt4.dll (ID = 0)
8:44 AM: rpcss.dll (ID = 0)
8:44 AM: rsaenh.dll (ID = 0)
8:44 AM: rsvp.exe (ID = 0)
8:44 AM: rsvpmsg.dll (ID = 0)
8:44 AM: rsvpperf.dll (ID = 0)
8:44 AM: rtipxmib.dll (ID = 0)
8:44 AM: rtutils.dll (ID = 0)
8:44 AM: rundll32.exe (ID = 0)
8:44 AM: samlib.dll (ID = 0)
8:44 AM: samsrv.dll (ID = 0)
8:44 AM: scecli.dll (ID = 0)
8:44 AM: scesrv.dll (ID = 0)
8:44 AM: schannel.dll (ID = 0)
8:44 AM: secur32.dll (ID = 0)
8:44 AM: security.dll (ID = 0)
8:44 AM: services.exe (ID = 0)
8:44 AM: setup.exe (ID = 0)
8:44 AM: setupapi.dll (ID = 0)
8:44 AM: setupreg.hiv (ID = 0)
8:44 AM: setupreg.hiv.bak (ID = 0)
8:44 AM: sfc.dll (ID = 0)
8:44 AM: sfcfiles.dll (ID = 0)
8:44 AM: sfc_os.dll (ID = 0)
8:44 AM: shdocvw.dll (ID = 0)
8:44 AM: shell32.dll (ID = 0)
8:44 AM: shlwapi.dll (ID = 0)
8:44 AM: shsvcs.dll (ID = 0)
8:44 AM: smss.exe (ID = 0)
8:44 AM: snmpapi.dll (ID = 0)
8:44 AM: softpub.dll (ID = 0)
8:44 AM: sortkey.nls (ID = 0)
8:44 AM: sorttbls.nls (ID = 0)
8:44 AM: spdports.dll (ID = 0)
8:44 AM: spoolss.dll (ID = 0)
8:44 AM: spoolsv.exe (ID = 0)
8:44 AM: spxcoins.dll (ID = 0)
8:44 AM: spxports.dll (ID = 0)
8:44 AM: stlnprop.dll (ID = 0)
8:44 AM: svchost.exe (ID = 0)
8:44 AM: sxports.dll (ID = 0)
8:44 AM: sxs.dll (ID = 0)
8:44 AM: syssetup.dll (ID = 0)
8:44 AM: tapi32.dll (ID = 0)
8:44 AM: taskmgr.exe (ID = 0)
8:44 AM: thawbrkr.dll (ID = 0)
8:44 AM: ufat.dll (ID = 0)
8:44 AM: ulib.dll (ID = 0)
8:44 AM: umpnpmgr.dll (ID = 0)
8:44 AM: unicode.nls (ID = 0)
8:44 AM: untfs.dll (ID = 0)
8:44 AM: ureg.dll (ID = 0)
8:44 AM: url.dll (ID = 0)
8:44 AM: urlmon.dll (ID = 0)
8:44 AM: user32.dll (ID = 0)
8:44 AM: userenv.dll (ID = 0)
8:44 AM: userinit.exe (ID = 0)
8:44 AM: usp10.dll (ID = 0)
8:44 AM: utildll.dll (ID = 0)
8:44 AM: uxtheme.dll (ID = 0)
8:44 AM: vdmdbg.dll (ID = 0)
8:44 AM: version.dll (ID = 0)
8:44 AM: vga.dll (ID = 0)
8:44 AM: vga256.dll (ID = 0)
8:44 AM: vga64k.dll (ID = 0)
8:44 AM: vga850.fon (ID = 0)
8:44 AM: vga860.fon (ID = 0)
8:44 AM: vga861.fon (ID = 0)
8:44 AM: vga863.fon (ID = 0)
8:44 AM: vga865.fon (ID = 0)
8:44 AM: vgaoem.fon (ID = 0)
8:44 AM: w32time.dll (ID = 0)
8:44 AM: w32topl.dll (ID = 0)
8:44 AM: watchdog.sys (ID = 0)
8:44 AM: wdigest.dll (ID = 0)
8:44 AM: win32k.sys (ID = 0)
8:44 AM: win32spl.dll (ID = 0)
8:44 AM: winhttp.dll (ID = 0)
8:44 AM: wininet.dll (ID = 0)
8:44 AM: winipsec.dll (ID = 0)
8:44 AM: winlogon.exe (ID = 0)
8:44 AM: winmm.dll (ID = 0)
8:44 AM: winpe.bmp (ID = 0)
8:44 AM: winpeoem.sif (ID = 0)
8:44 AM: winpeshl.exe (ID = 0)
8:44 AM: winrnr.dll (ID = 0)
8:44 AM: winscard.dll (ID = 0)
8:44 AM: winspool.drv (ID = 0)
8:44 AM: winsrv.dll (ID = 0)
8:44 AM: winsta.dll (ID = 0)
8:44 AM: wintrust.dll (ID = 0)
8:44 AM: wkssvc.dll (ID = 0)
8:44 AM: wldap32.dll (ID = 0)
8:44 AM: wmi.dll (ID = 0)
8:44 AM: ws2help.dll (ID = 0)
8:44 AM: ws2_32.dll (ID = 0)
8:44 AM: wshisn.dll (ID = 0)
8:44 AM: wshnetbs.dll (ID = 0)
8:44 AM: wshtcpip.dll (ID = 0)
8:44 AM: wsock32.dll (ID = 0)
8:44 AM: wtsapi32.dll (ID = 0)
8:44 AM: wzcsapi.dll (ID = 0)
8:44 AM: wzcsvc.dll (ID = 0)
8:44 AM: xcopy.exe (ID = 0)
8:44 AM: xlog.exe (ID = 0)
8:44 AM: xpsp1res.dll (ID = 0)
8:44 AM: default (ID = 0)
8:44 AM: default.bak (ID = 0)
8:44 AM: software (ID = 0)
8:44 AM: software.bak (ID = 0)
8:44 AM: 1394bus.sys (ID = 0)
8:44 AM: 1394vdbg.sys (ID = 0)
8:44 AM: abp480n5.sys (ID = 0)
8:44 AM: ac300nd5.sys (ID = 0)
8:44 AM: acpi.sys (ID = 0)
8:44 AM: acpiec.sys (ID = 0)
8:44 AM: adm8511.sys (ID = 0)
8:44 AM: adptsf50.sys (ID = 0)
8:44 AM: adpu160m.sys (ID = 0)
8:44 AM: afd.sys (ID = 0)
8:44 AM: aha154x.sys (ID = 0)
8:44 AM: aic78u2.sys (ID = 0)
8:44 AM: aic78xx.sys (ID = 0)
8:44 AM: ali5261.sys (ID = 0)
8:44 AM: aliide.sys (ID = 0)
8:44 AM: amb8002.sys (ID = 0)
8:44 AM: amsint.sys (ID = 0)
8:44 AM: an983.sys (ID = 0)
8:44 AM: arp1394.sys (ID = 0)
8:44 AM: asc.sys (ID = 0)
8:44 AM: asc3350p.sys (ID = 0)
8:44 AM: asc3550.sys (ID = 0)
8:44 AM: aspndis3.sys (ID = 0)
8:44 AM: asyncmac.sys (ID = 0)
8:44 AM: atapi.sys (ID = 0)
8:44 AM: atmarpc.sys (ID = 0)
8:44 AM: atmlane.sys (ID = 0)
8:44 AM: atmuni.sys (ID = 0)
8:44 AM: b1.t4 (ID = 0)
8:44 AM: b1cbase.sys (ID = 0)
8:44 AM: b1tr6.t4 (ID = 0)
8:44 AM: b1usa.t4 (ID = 0)
8:44 AM: b57xp32.sys (ID = 0)
8:44 AM: bcm42u.sys (ID = 0)
8:44 AM: bcm42xx5.sys (ID = 0)
8:44 AM: bcm4e5.sys (ID = 0)
8:44 AM: bcm4sbxp.sys (ID = 0)
8:44 AM: beep.sys (ID = 0)
8:44 AM: bioprime.bin (ID = 0)
8:44 AM: brzwlan.sys (ID = 0)
8:44 AM: c4.bin (ID = 0)
8:44 AM: cb102.sys (ID = 0)
8:44 AM: cb325.sys (ID = 0)
8:44 AM: cben5.sys (ID = 0)
8:44 AM: cbidf2k.sys (ID = 0)
8:44 AM: cd20xrnt.sys (ID = 0)
8:44 AM: cdaudio.sys (ID = 0)
8:44 AM: cdfs.sys (ID = 0)
8:44 AM: cdrom.sys (ID = 0)
8:44 AM: ce2n5.sys (ID = 0)
8:44 AM: ce3n5.sys (ID = 0)
8:44 AM: cem28n5.sys (ID = 0)
8:44 AM: cem33n5.sys (ID = 0)
8:44 AM: cem56n5.sys (ID = 0)
8:44 AM: cinemst2.sys (ID = 0)
8:44 AM: classpnp.sys (ID = 0)
8:44 AM: cmdide.sys (ID = 0)
8:44 AM: cnxt1803.sys (ID = 0)
8:44 AM: cpqarray.sys (ID = 0)
8:44 AM: cpqndis5.sys (ID = 0)
8:44 AM: cpqtrnd5.sys (ID = 0)
8:44 AM: d100ib5.sys (ID = 0)
8:44 AM: dac2w2k.sys (ID = 0)
8:44 AM: dac960nt.sys (ID = 0)
8:44 AM: dc21x4.sys (ID = 0)
8:44 AM: defpa.sys (ID = 0)
8:44 AM: dfe650.sys (ID = 0)
8:44 AM: dfe650d.sys (ID = 0)
8:44 AM: dgapci.sys (ID = 0)
8:44 AM: dgsetup.dll (ID = 0)
8:44 AM: diapi2.sys (ID = 0)
8:44 AM: digirlpt.sys (ID = 0)
8:44 AM: dimaint.sys (ID = 0)
8:44 AM: disk.sys (ID = 0)
8:44 AM: diskdump.sys (ID = 0)
8:44 AM: diwan.sys (ID = 0)
8:44 AM: dlh5xnd5.sys (ID = 0)
8:44 AM: dm9pci5.sys (ID = 0)
8:44 AM: dmboot.sys (ID = 0)
8:44 AM: dmio.sys (ID = 0)
8:44 AM: dmload.sys (ID = 0)
8:44 AM: dp83820.sys (ID = 0)
8:44 AM: dpti2o.sys (ID = 0)
8:44 AM: ds4bri.bit (ID = 0)
8:44 AM: dspcli.bin (ID = 0)
8:44 AM: dspdload.bin (ID = 0)
8:44 AM: dspdqsig.bin (ID = 0)
8:44 AM: dxapi.sys (ID = 0)
8:44 AM: dxg.sys (ID = 0)
8:44 AM: dxgthk.sys (ID = 0)
8:44 AM: e1000325.sys (ID = 0)
8:44 AM: e1000nt5.sys (ID = 0)
8:44 AM: e100b325.sys (ID = 0)
8:44 AM: e100isa4.sys (ID = 0)
8:44 AM: el515.sys (ID = 0)
8:44 AM: el556nd5.sys (ID = 0)
8:44 AM: el574nd4.sys (ID = 0)
8:44 AM: el575nd5.sys (ID = 0)
8:44 AM: el589nd5.sys (ID = 0)
8:44 AM: el656cd5.sys (ID = 0)
8:44 AM: el656ct5.sys (ID = 0)
8:44 AM: el656nd5.sys (ID = 0)
8:44 AM: el656se5.sys (ID = 0)
8:44 AM: el90xbc5.sys (ID = 0)
8:44 AM: el90xnd5.sys (ID = 0)
8:44 AM: el985n51.sys (ID = 0)
8:44 AM: el98xn5.sys (ID = 0)
8:44 AM: el99xn51.sys (ID = 0)
8:44 AM: el99xrun.out (ID = 0)
8:44 AM: em556n4.sys (ID = 0)
8:44 AM: emu10k1m.sys (ID = 0)
8:44 AM: enum1394.sys (ID = 0)
8:44 AM: epro4.sys (ID = 0)
8:44 AM: eqn.sys (ID = 0)
8:44 AM: et4000.sys (ID = 0)
8:44 AM: ex10.sys (ID = 0)
8:44 AM: f3ab18xi.sys (ID = 0)
8:44 AM: f3ab18xj.sys (ID = 0)
8:44 AM: fa312nd5.sys (ID = 0)
8:44 AM: fa410nd5.sys (ID = 0)
8:44 AM: fastfat.sys (ID = 0)
8:44 AM: fdc.sys (ID = 0)
8:44 AM: fem556n5.sys (ID = 0)
8:44 AM: fetnd5.sys (ID = 0)
8:44 AM: flpydisk.sys (ID = 0)
8:44 AM: forehe.sys (ID = 0)
8:44 AM: fpcibase.sys (ID = 0)
8:44 AM: fpcibase.usa (ID = 0)
8:44 AM: fpcmbase.sys (ID = 0)
8:44 AM: fpcmbase.usa (ID = 0)
8:44 AM: fsvga.sys (ID = 0)
8:44 AM: fs_rec.sys (ID = 0)
8:44 AM: ftdisk.sys (ID = 0)
8:44 AM: fusbbase.sys (ID = 0)
8:44 AM: fusbbase.usa (ID = 0)
8:44 AM: fxusbase.sys (ID = 0)
8:44 AM: gm.dls (ID = 0)
8:44 AM: hidclass.sys (ID = 0)
8:44 AM: hidparse.sys (ID = 0)
8:44 AM: hidusb.sys (ID = 0)
8:44 AM: hpn.sys (ID = 0)
8:44 AM: i2omgmt.sys (ID = 0)
8:44 AM: i2omp.sys (ID = 0)
8:44 AM: i8042prt.sys (ID = 0)
8:44 AM: ibmexmp.sys (ID = 0)
8:44 AM: ibmtok.sys (ID = 0)
8:44 AM: ibmtrp.sys (ID = 0)
8:44 AM: ini910u.sys (ID = 0)
8:44 AM: inport.sys (ID = 0)
8:44 AM: intelide.sys (ID = 0)
8:44 AM: io8.sys (ID = 0)
8:44 AM: ip5515.sys (ID = 0)
8:44 AM: ipfltdrv.sys (ID = 0)
8:44 AM: ipinip.sys (ID = 0)
8:44 AM: ipnat.sys (ID = 0)
8:44 AM: ipsec.sys (ID = 0)
8:44 AM: isapnp.sys (ID = 0)
8:44 AM: kbdclass.sys (ID = 0)
8:44 AM: kbdhid.sys (ID = 0)
8:44 AM: ks.sys (ID = 0)
8:44 AM: ksecdd.sys (ID = 0)
8:44 AM: ktc111.sys (ID = 0)
8:44 AM: lanepic5.sys (ID = 0)
8:44 AM: lbrtfdc.sys (ID = 0)
8:44 AM: lmndis3.sys (ID = 0)
8:44 AM: lne100.sys (ID = 0)
8:44 AM: lne100tx.sys (ID = 0)
8:44 AM: loop.sys (ID = 0)
8:44 AM: mcd.sys (ID = 0)
8:44 AM: mdgndis5.sys (ID = 0)
8:44 AM: mf.sys (ID = 0)
8:44 AM: mnmdd.sys (ID = 0)
8:44 AM: modem.sys (ID = 0)
8:44 AM: mouclass.sys (ID = 0)
8:44 AM: mouhid.sys (ID = 0)
8:44 AM: mountmgr.sys (ID = 0)
8:44 AM: mraid35x.sys (ID = 0)
8:44 AM: mrxsmb.sys (ID = 0)
8:44 AM: msfs.sys (ID = 0)
8:44 AM: msgpc.sys (ID = 0)
8:44 AM: mup.sys (ID = 0)
8:44 AM: mxnic.sys (ID = 0)
8:44 AM: n1000nt5.sys (ID = 0)
8:44 AM: n100325.sys (ID = 0)
8:44 AM: ndis.sys (ID = 0)
8:44 AM: ndistapi.sys (ID = 0)
8:44 AM: ndiswan.sys (ID = 0)
8:44 AM: ndproxy.sys (ID = 0)
8:44 AM: ne2000.sys (ID = 0)
8:44 AM: netbios.sys (ID = 0)
8:44 AM: netbt.sys (ID = 0)
8:44 AM: netflx3.sys (ID = 0)
8:44 AM: netwlan5.img (ID = 0)
8:44 AM: netwlan5.sys (ID = 0)
8:44 AM: ngrpci.sys (ID = 0)
8:44 AM: nic1394.sys (ID = 0)
8:44 AM: nmnt.sys (ID = 0)
8:44 AM: npfs.sys (ID = 0)
8:44 AM: ntfs.sys (ID = 0)
8:44 AM: null.sys (ID = 0)
8:44 AM: nwlnkflt.sys (ID = 0)
8:44 AM: nwlnkfwd.sys (ID = 0)
8:44 AM: nwlnkipx.sys (ID = 0)
8:44 AM: nwlnknb.sys (ID = 0)
8:44 AM: nwlnkspx.sys (ID = 0)
8:44 AM: nwrdr.sys (ID = 0)
8:44 AM: ohci1394.sys (ID = 0)
8:44 AM: oprghdlr.sys (ID = 0)
8:44 AM: otc06x5.sys (ID = 0)
8:44 AM: otceth5.sys (ID = 0)
8:44 AM: parport.sys (ID = 0)
8:44 AM: partmgr.sys (ID = 0)
8:44 AM: parvdm.sys (ID = 0)
8:44 AM: pc100nds.sys (ID = 0)
8:44 AM: pca200e.bin (ID = 0)
8:44 AM: pca200e.sys (ID = 0)
8:44 AM: pci.sys (ID = 0)
8:44 AM: pcibios.bin (ID = 0)
8:44 AM: pcifep.bin (ID = 0)
8:44 AM: pcii
  • 0

#6
williesbest2
Posted 18 May 2006 - 05:39 PM

williesbest2

    Visiting Staff

  • Member
  • PipPipPip
  • 892 posts
How is your computer running? It appears that you didn't do the Look2me part two, because you did not post a log. If you did, please post the log, if you did not, please follow the Look2me instructions in post 4.
  • 0

#7
Lilaan
Posted 21 May 2006 - 11:14 PM

Lilaan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Oh, sorry :whistling: I thought I did post the log ^^

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"LoginDomain"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
"DllName"="QConGina.dll"
"Logoff"="QConGinaWLEventLogoff"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\djdmo.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
@=""
"DllName"="tphklock.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,6d,f7,d4,23,a9,4b,47,4f,be,59,8f,39,69,1d,80,c2,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,f8,93,18,a6,e9,0b,ce,e6,\
b9,d3,5b,7c,3e,61,cc,01,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,12,\
a3,b9,54,46,c0,c6,03,e0,72,52,d5,c6,9a,98,9d,20,00,00,00,e1,31,fa,f9,e7,20,\
c9,c9,dd,ae,0c,5a,bb,3b,bd,11,43,a3,68,b3,02,eb,4c,c0,f5,d1,4b,f3,cc,84,82,\
16,14,00,00,00,31,89,a1,df,03,7d,66,9b,95,ba,eb,e7,77,4e,ee,56,38,58,1d,a8

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9BB2828E-C00C-7370-0FBE-53E7E855FC60}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{34F4B935-17DC-4885-8BC9-CCD1ADF42F93}"="Record ISO Image to CD"
"{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2941BE81-0766-48DA-9B9B-D8B5D431AAF5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bassmod.dll Mon Mar 27 2006 8:24:16p A.... 14,848 14.50 K
browseui.dll Fri Mar 3 2006 11:58:42p A.... 1,022,976 999.00 K
cdfview.dll Fri Mar 3 2006 11:58:42p ..... 151,040 147.50 K
danim.dll Fri Mar 3 2006 11:58:44p ..... 1,054,208 1.00 M
dxtrans.dll Fri Mar 3 2006 11:58:44p A.... 205,312 200.50 K
extmgr.dll Fri Mar 3 2006 11:58:44p ..... 55,808 54.50 K
iepeers.dll Fri Mar 3 2006 11:58:44p A.... 251,904 246.00 K
inetcomm.dll Fri Mar 17 2006 5:07:18a ..... 679,424 663.50 K
inseng.dll Fri Mar 3 2006 11:58:44p ..... 96,256 94.00 K
legitc~1.dll Mon Apr 10 2006 1:00:34p A.... 555,824 542.80 K
lvpq09~1.dll Thu May 4 2006 2:11:40p ..S.R 234,851 229.34 K
mshtml.dll Thu Mar 23 2006 4:31:40p A.... 3,055,616 2.91 M
mshtmled.dll Fri Mar 3 2006 11:58:48p A.... 448,512 438.00 K
msrating.dll Fri Mar 3 2006 11:58:48p ..... 146,432 143.00 K
mstime.dll Fri Mar 3 2006 11:58:48p ..... 532,480 520.00 K
pacifisy.dll Thu May 4 2006 2:10:10p A.... 22 0.02 K
pncrt.dll Thu Mar 9 2006 10:11:18p A.... 278,528 272.00 K
pndx5016.dll Thu Mar 9 2006 10:11:20p A.... 6,656 6.50 K
pndx5032.dll Thu Mar 9 2006 10:11:20p A.... 5,632 5.50 K
pngfilt.dll Fri Mar 3 2006 11:58:48p ..... 39,424 38.50 K
rmoc3260.dll Thu Mar 9 2006 10:11:32p A.... 176,167 172.04 K
shdocvw.dll Thu Mar 30 2006 5:27:02a A.... 1,495,040 1.43 M
shell32.dll Fri Mar 17 2006 12:03:54a A.... 8,452,096 8.06 M
shlwapi.dll Fri Mar 3 2006 11:58:50p A.... 474,112 463.00 K
sporder.dll Thu May 4 2006 2:08:18p A.... 8,464 8.27 K
urlmon.dll Sat Mar 18 2006 7:04:10a A.... 614,400 600.00 K
w028067d.dll Thu May 4 2006 2:08:44p A.... 51,712 50.50 K
wdigest.dll Fri Mar 24 2006 12:37:50a A.... 49,152 48.00 K
wgalogon.dll Mon Apr 10 2006 1:00:30p A.... 144,688 141.30 K
wininet.dll Fri Mar 3 2006 11:58:52p A.... 663,552 648.00 K
wmp.dll Fri Mar 10 2006 6:09:14a ..... 5,533,696 5.28 M
xpsp3res.dll Wed Mar 29 2006 9:31:04p A.... 23,040 22.50 K

32 items found: 32 files (1 H/S), 0 directories.
Total of file sizes: 26,521,872 bytes 25.29 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
set34d.tmp Fri Mar 3 2006 11:58:52p A.... 663,552 648.00 K
set34e.tmp Sat Mar 18 2006 7:04:10a A.... 614,400 600.00 K
set34f.tmp Fri Mar 3 2006 11:58:50p A.... 474,112 463.00 K
set350.tmp Thu Mar 30 2006 5:27:02a A.... 1,495,040 1.43 M
set354.tmp Fri Mar 3 2006 11:58:48p A.... 448,512 438.00 K
set355.tmp Thu Mar 23 2006 4:31:40p A.... 3,055,616 2.91 M
set357.tmp Fri Mar 3 2006 11:58:44p A.... 251,904 246.00 K
set358.tmp Fri Mar 3 2006 11:58:44p A.... 205,312 200.50 K
set35b.tmp Fri Mar 3 2006 11:58:42p A.... 1,022,976 999.00 K
set35d.tmp Wed Mar 29 2006 9:31:04p A.... 23,040 22.50 K
set362.tmp Fri Mar 24 2006 12:37:50a A.... 49,152 48.00 K
set371.tmp Mon Apr 10 2006 1:00:34p ..... 555,824 542.80 K
set37c.tmp Fri Mar 17 2006 12:03:54a A.... 8,452,096 8.06 M

13 items found: 13 files, 0 directories.
Total of file sizes: 17,311,536 bytes 16.51 M
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is DCB5-F9B0

Directory of C:\WINDOWS\System32

05/13/2006 02:12 PM <DIR> ..
05/13/2006 02:12 PM <DIR> .
05/04/2006 04:35 PM <DIR> dllcache
05/04/2006 02:11 PM 234,851 lvpq0975e.dll
06/16/2004 08:51 AM <DIR> Microsoft
1 File(s) 234,851 bytes
4 Dir(s) 10,289,377,280 bytes free
--

Computer seems to be running fine now, I don't see explorer trying to popup anymore.
  • 0

#8
williesbest2
Posted 22 May 2006 - 09:02 PM

williesbest2

    Visiting Staff

  • Member
  • PipPipPip
  • 892 posts
Hi Lilaan. Glad to here your computer is running better. Please do the following:

1. Get rid of L2M
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open double click on it in the l2mfix folder.

Please post the new L2M log, along with an updated HijackThis log
  • 0

#9
Lilaan
Posted 25 May 2006 - 02:52 AM

Lilaan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here are the requested logs :whistling:
--

L2mfix 051206
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (836)
Killing 'winlogon.exe'
winlogon.exe (960)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (2560)
Killing 'rundll32.exe'
"C:\WINDOWS\system32\RunDll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor (2144)
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"LoginDomain"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
"DllName"="QConGina.dll"
"Logoff"="QConGinaWLEventLogoff"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\djdmo.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
@=""
"DllName"="tphklock.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,6d,f7,d4,23,a9,4b,47,4f,be,59,8f,39,69,1d,80,c2,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,f8,93,18,a6,e9,0b,ce,e6,\
b9,d3,5b,7c,3e,61,cc,01,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,12,\
a3,b9,54,46,c0,c6,03,e0,72,52,d5,c6,9a,98,9d,20,00,00,00,e1,31,fa,f9,e7,20,\
c9,c9,dd,ae,0c,5a,bb,3b,bd,11,43,a3,68,b3,02,eb,4c,c0,f5,d1,4b,f3,cc,84,82,\
16,14,00,00,00,31,89,a1,df,03,7d,66,9b,95,ba,eb,e7,77,4e,ee,56,38,58,1d,a8

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/2941BE81-0766-48DA-9B9B-D8B5D431AAF5.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (152 bytes security) (deflated 87%)
adding: backregs/shell.reg (152 bytes security) (deflated 73%)

--

Logfile of HijackThis v1.99.1
Scan saved at 8:14:04 PM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\Blue Security\bluefrog.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\marvin74\Desktop\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QCTray] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Blue Frog] C:\Program Files\Blue Security\bluefrog.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\Common\Lib\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\Common\Lib\AddToPSWhiteList.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O17 - HKLM\Software\..\Telephony: DomainName = csntprod.morrisville.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csntprod.morrisville.edu
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\djdmo.dll (file missing)
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
  • 0

#10
williesbest2
Posted 29 May 2006 - 12:34 PM

williesbest2

    Visiting Staff

  • Member
  • PipPipPip
  • 892 posts
Sorry for the delay in getting back to you. Please do the following:

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Please post an updated HijackThis log and the Look2me-destroyer.txt file
  • 0

#11
Lilaan
Posted 29 May 2006 - 10:37 PM

Lilaan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello again :whistling:
Here are the requested log files.
--

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/30/2006 12:22:05 AM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
--
Logfile of HijackThis v1.99.1
Scan saved at 12:33:22 AM, on 5/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Blue Security\bluefrog.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\Desktop\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QCTray] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Blue Frog] C:\Program Files\Blue Security\bluefrog.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\Common\Lib\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\Common\Lib\AddToPSWhiteList.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B73AF86-B81B-4999-89F9-FF924C83E880}: NameServer = 170.215.255.114 66.133.170.2
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
Also, just as an aside question. Why the delay on the Look2Me program? Curious.

Thanks!
  • 0

#12
williesbest2
Posted 30 May 2006 - 12:37 AM

williesbest2

    Visiting Staff

  • Member
  • PipPipPip
  • 892 posts
Hi. It seemed you had a nasty version of Look2me, I apologize for the delay. How is your computer running?
  • 0

#13
Lilaan
Posted 30 May 2006 - 01:53 AM

Lilaan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Seems fine now :whistling: Must've been embedded quite deep, eh? No worries about the delay. Better to get rid of it slowly, than to let it fester and create havoc.
  • 0

#14
williesbest2
Posted 31 May 2006 - 12:06 AM

williesbest2

    Visiting Staff

  • Member
  • PipPipPip
  • 892 posts
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Ewido Security Suite- Uber powerful tool which can search and annhilate nasties that make it onto your system.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP