
isrvs/ trojan horse dropper virus



#1 mcbirdo (Member, 20 posts)
Please help me get rid of this evil virus. I would appreciate it so much. :tazz:



Logfile of HijackThis v1.99.1
Scan saved at 22:20:54, on 03/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\q4rqle951h.dll (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\fpl8033ue.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

#2 -=jonnyrotten=- (Retired Staff, 2,678 posts)
You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

-=jonnyrotten=- :tazz:
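
The diagnosis above can be made mechanical. The script below is an added example, not part of the original thread and not code from the HijackThis or L2Mfix authors: it re-parses the O1 and O20 lines of the HijackThis log in post #1 (copied into a constant) and reports two of the indicators being read from it, three names pinned to one public IP by the Hosts file, and two Winlogon Notify packages registered under subkey names Windows does not use, one of whose DLLs is already gone. The set of known-good Notify subkeys is an assumption taken from a default Windows XP SP2 installation, not something the thread states.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread
# (a constructed excerpt: only the O1 and O20 lines are examined here).
HJT_EXCERPT = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\q4rqle951h.dll (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\fpl8033ue.dll
"""

# Winlogon\Notify subkeys that a clean Windows XP SP2 install registers.
# ASSUMPTION for this example: any other subkey deserves a look.
KNOWN_GOOD_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Hosts entries pointing here are the ordinary loopback / ad-block style.
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)\s*$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?\s*$")


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hosts_hijacks(lines):
    """Group O1 Hosts entries by target IP, keeping targets that are not
    loopback. Several search names pinned to one public IP is the
    redirect pattern visible in the log above."""
    by_ip = {}
    for line in lines:
        m = O1_RE.match(line)
        if m and m["ip"] not in LOCAL_TARGETS:
            by_ip.setdefault(m["ip"], []).append(m["host"])
    return by_ip


def suspicious_notify(lines):
    """(subkey, dll, file_missing) for every O20 entry whose subkey is not one
    Windows installs. A missing DLL is still a finding: the subkey stays
    registered and winlogon.exe attempts the load again at every boot."""
    findings = []
    for line in lines:
        m = O20_RE.match(line)
        if m and m["subkey"] not in KNOWN_GOOD_NOTIFY:
            findings.append((m["subkey"], basename(m["path"]), m["missing"] is not None))
    return findings


def triage(text):
    lines = text.strip().splitlines()
    return {"hosts": hosts_hijacks(lines), "notify": suspicious_notify(lines)}


if __name__ == "__main__":
    result = triage(HJT_EXCERPT)
    for ip, hosts in result["hosts"].items():
        print(f"Hosts file sends {len(hosts)} name(s) to {ip}: {', '.join(hosts)}")
    for subkey, dll, missing in result["notify"]:
        print(f"Winlogon Notify '{subkey}' loads {dll}" + (" (file missing)" if missing else ""))
```

Winlogon Notify packages are loaded into winlogon.exe itself, running as SYSTEM before any user shell starts, so a randomly named DLL registered there is a higher-value finding than the same file in a Run key, and the `(file missing)` entry still has to be removed from the registry even though the DLL is gone.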

#3 mcbirdo (Topic Starter, Member, 20 posts)
Here is the log. Cheers. It's huge :tazz:

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q4rqle951h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpl8033ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{23124B26-9923-CC34-41DA-B07714E2B5D6}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{1AFBA0D0-E790-4341-B96F-94B659A76E28}"=""
"{51046DE0-6991-4541-A688-03CD923A9E14}"=""
"{2D6B5763-44C1-4319-878E-45EB6BC020FA}"=""
"{0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1AFBA0D0-E790-4341-B96F-94B659A76E28}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AFBA0D0-E790-4341-B96F-94B659A76E28}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AFBA0D0-E790-4341-B96F-94B659A76E28}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AFBA0D0-E790-4341-B96F-94B659A76E28}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{51046DE0-6991-4541-A688-03CD923A9E14}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51046DE0-6991-4541-A688-03CD923A9E14}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51046DE0-6991-4541-A688-03CD923A9E14}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51046DE0-6991-4541-A688-03CD923A9E14}\InprocServer32]
@="C:\\WINDOWS\\system32\\lu6m09j1e.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2D6B5763-44C1-4319-878E-45EB6BC020FA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D6B5763-44C1-4319-878E-45EB6BC020FA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D6B5763-44C1-4319-878E-45EB6BC020FA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2D6B5763-44C1-4319-878E-45EB6BC020FA}\InprocServer32]
@="C:\\WINDOWS\\system32\\srfolder.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aui2cqag.dll Sat 12 Mar 2005 11:39:04 ..S.R 234,931 229.42 K
aza6l3~1.dll Wed 9 Mar 2005 19:07:30 ..S.R 229,169 223.80 K
baackbox.dll Mon 7 Mar 2005 21:50:32 ..S.R 228,527 223.17 K
browseui.dll Thu 27 Jan 2005 17:13:16 A.... 1,016,832 993.00 K
cdfview.dll Thu 27 Jan 2005 17:13:16 A.... 151,040 147.50 K
cdgmgr32.dll Thu 10 Mar 2005 19:46:26 ..S.R 235,107 229.59 K
cogmgr32.dll Thu 10 Mar 2005 19:53:44 ..S.R 232,918 227.46 K
dcound3d.dll Sat 5 Mar 2005 16:33:26 ..S.R 228,926 223.56 K
dfcompos.dll Fri 18 Feb 2005 18:37:44 ..S.R 230,863 225.45 K
djao36.dll Sat 5 Mar 2005 16:38:08 ..S.R 231,471 226.04 K
dn8s01~1.dll Thu 3 Mar 2005 14:23:28 ..S.R 229,222 223.85 K
duvmgr.dll Tue 15 Feb 2005 8:57:50 ..S.R 231,657 226.23 K
f0l0la~1.dll Sat 26 Feb 2005 10:49:28 ..S.R 231,893 226.46 K
fp8s03~1.dll Thu 24 Feb 2005 17:16:08 ..S.R 230,863 225.45 K
fpl803~1.dll Sun 13 Mar 2005 21:45:36 ..S.R 233,598 228.12 K
gccoll~1.dll Thu 10 Feb 2005 22:32:20 A.... 119,520 116.72 K
gcmd5q~1.dll Thu 3 Mar 2005 13:33:42 A.... 10,752 10.50 K
gcunco~1.dll Thu 10 Feb 2005 22:32:20 A.... 130,272 127.22 K
gp02l3~1.dll Sun 6 Mar 2005 16:09:04 ..S.R 231,207 225.79 K
gp26l3~1.dll Tue 22 Feb 2005 21:26:10 ..S.R 230,863 225.45 K
gwfspi~1.dll Fri 28 Jan 2005 15:37:58 A.... 23,304 22.76 K
h8j4li~1.dll Sat 12 Mar 2005 13:47:38 ..S.R 234,429 228.93 K
hashlib.dll Thu 10 Feb 2005 22:32:18 A.... 81,120 79.22 K
hr2o05~1.dll Tue 22 Feb 2005 19:16:56 ..S.R 230,863 225.45 K
i060la~1.dll Mon 7 Mar 2005 22:16:14 ..S.R 230,606 225.20 K
i260lc~1.dll Sat 12 Mar 2005 20:26:50 ..S.R 235,606 230.08 K
i806li~1.dll Tue 8 Mar 2005 6:43:04 ..S.R 231,856 226.42 K
iepeers.dll Thu 27 Jan 2005 17:13:16 A.... 249,856 244.00 K
inseng.dll Thu 27 Jan 2005 17:13:16 A.... 96,256 94.00 K
irr2l5~1.dll Wed 9 Mar 2005 19:09:02 ..S.R 230,464 225.06 K
j0n2la~1.dll Mon 7 Mar 2005 22:08:14 ..S.R 231,856 226.42 K
k0pmla~1.dll Tue 22 Feb 2005 19:07:06 ..S.R 232,265 226.82 K
k8jsli~1.dll Thu 3 Mar 2005 15:42:26 ..S.R 228,441 223.09 K
kedinbe1.dll Mon 7 Mar 2005 21:31:10 ..S.R 231,897 226.46 K
kfdbr.dll Sat 26 Feb 2005 11:13:22 ..S.R 230,863 225.45 K
kldpl1.dll Sun 13 Mar 2005 20:54:12 ..S.R 232,765 227.31 K
kndhe220.dll Fri 25 Feb 2005 20:19:48 ..S.R 230,863 225.45 K
kodbene.dll Thu 10 Mar 2005 11:33:54 ..S.R 232,736 227.28 K
kt20l7~1.dll Sun 13 Mar 2005 21:54:44 ..S.R 234,625 229.13 K
l06o0a~1.dll Sun 27 Feb 2005 4:39:04 ..S.R 228,738 223.38 K
l2j8lc~1.dll Sat 5 Mar 2005 19:10:56 ..S.R 231,070 225.65 K
l48m0e~1.dll Tue 22 Feb 2005 20:19:58 ..S.R 230,863 225.45 K
ldkrn10n.dll Wed 9 Mar 2005 19:06:04 ..S.R 232,736 227.28 K
legitc~1.dll Fri 28 Jan 2005 15:38:00 A.... 421,128 411.26 K
lmfpx7.dll Sat 12 Mar 2005 14:51:40 ..S.R 233,011 227.55 K
lu6m09~1.dll Sun 13 Mar 2005 21:54:44 ..S.R 233,598 228.12 K
lv6m09~1.dll Fri 25 Feb 2005 19:54:16 ..S.R 231,032 225.62 K
lvcgm12n.dll Sun 6 Mar 2005 21:31:26 ..S.R 230,056 224.66 K
mctask.dll Sun 20 Feb 2005 18:39:26 ..S.R 229,133 223.76 K
mepmsnsv.dll Sat 26 Feb 2005 11:22:56 ..S.R 231,502 226.07 K
mixex.dll Sat 12 Mar 2005 16:26:28 ..S.R 234,621 229.12 K
mng4dmod.dll Sat 12 Mar 2005 16:33:10 ..S.R 235,484 229.96 K
mqvfw32.dll Thu 10 Mar 2005 19:43:00 ..S.R 235,107 229.59 K
mshtml.dll Thu 27 Jan 2005 17:13:18 A.... 3,006,976 2.87 M
msvcp71.dll Fri 17 Dec 2004 19:38:14 A.... 499,712 488.00 K
msvcr71.dll Fri 17 Dec 2004 19:38:14 A.... 348,160 340.00 K
mvl6l9~1.dll Tue 15 Feb 2005 10:55:40 ..S.R 230,772 225.36 K
mvl8l9~1.dll Sun 6 Mar 2005 21:42:22 ..S.R 230,458 225.05 K
ngprint.dll Sat 5 Mar 2005 18:24:20 ..S.R 231,070 225.65 K
nhtui2.dll Mon 14 Feb 2005 15:49:38 ..S.R 231,657 226.23 K
o8840i~1.dll Sun 13 Mar 2005 20:58:06 ..S.R 233,253 227.79 K
ole32.dll Fri 14 Jan 2005 8:55:50 A.... 1,285,120 1.22 M
olecli32.dll Fri 14 Jan 2005 8:55:50 A.... 74,752 73.00 K
olecnv32.dll Fri 14 Jan 2005 8:55:50 A.... 37,888 37.00 K
oqeacc.dll Sun 6 Mar 2005 21:33:32 ..S.R 230,458 225.05 K
ozecli.dll Mon 7 Mar 2005 18:17:14 ..S.R 231,086 225.67 K
p8r40i~1.dll Sat 26 Feb 2005 11:13:22 ..S.R 231,361 225.94 K
pgbole32.dll Mon 7 Mar 2005 21:55:28 ..S.R 229,967 224.57 K
pkpgasvc.dll Mon 7 Mar 2005 21:33:50 ..S.R 231,086 225.67 K
rdschap.dll Fri 11 Mar 2005 21:40:50 ..S.R 234,931 229.42 K
realbap1.dll Fri 4 Mar 2005 18:46:38 A.... 69,632 68.00 K
realbsf1.dll Fri 4 Mar 2005 18:46:38 A.... 45,568 44.50 K
rkcns4.dll Sat 12 Mar 2005 13:47:38 ..S.R 233,011 227.55 K
rpcss.dll Fri 14 Jan 2005 8:55:50 A.... 395,776 386.50 K
sceio.dll Fri 25 Feb 2005 19:54:16 ..S.R 230,863 225.45 K
seredir.dll Sun 6 Mar 2005 18:39:44 ..S.R 229,089 223.72 K
sfmsrv.dll Mon 7 Mar 2005 21:41:48 ..S.R 231,897 226.46 K
shdocvw.dll Thu 27 Jan 2005 17:13:18 A.... 1,483,264 1.41 M
shell32.dll Tue 21 Dec 2004 20:49:36 A.... 8,450,048 8.06 M
shlwapi.dll Thu 27 Jan 2005 17:13:18 A.... 473,600 462.50 K
skgen.dll Sun 20 Feb 2005 18:41:08 ..S.R 230,863 225.45 K
sqmpsnap.dll Thu 10 Mar 2005 17:41:26 ..S.R 234,437 228.94 K
srfolder.dll Sun 13 Mar 2005 18:02:46 ..S.R 232,765 227.31 K
sudpapi.dll Sat 12 Mar 2005 13:33:20 ..S.R 233,011 227.55 K
ugrcoina.dll Sat 12 Mar 2005 16:35:50 ..S.R 235,606 230.08 K
uqdmxfrm.dll Wed 9 Mar 2005 19:09:02 ..S.R 229,169 223.80 K
urlmon.dll Thu 27 Jan 2005 17:13:18 A.... 607,744 593.50 K
wfnstrm.dll Sat 5 Mar 2005 17:28:12 ..S.R 228,926 223.56 K
wininet.dll Thu 27 Jan 2005 17:13:18 A.... 656,896 641.50 K
wrcsvc.dll Wed 2 Mar 2005 20:30:24 ..S.R 229,043 223.67 K
wzaudsdk.dll Sat 5 Mar 2005 10:54:56 ..S.R 231,471 226.04 K

91 items found: 91 files (67 H/S), 0 directories.
Total of file sizes: 35,259,767 bytes 33.63 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/13/2005 21:54 233,598 lu6m09j1e.dll
03/13/2005 21:54 234,625 kt20l7fm1.dll
03/13/2005 21:45 233,598 fpl8033ue.dll
03/13/2005 20:58 233,253 o8840ilqe8qe0.dll
03/13/2005 20:54 232,765 kldpl1.dll
03/13/2005 18:02 232,765 srfolder.dll
03/12/2005 20:26 235,606 i260lcjm1foa.dll
03/12/2005 16:35 235,606 ugrcoina.dll
03/12/2005 16:33 235,484 mng4dmod.dll
03/12/2005 16:26 234,621 mixex.dll
03/12/2005 14:51 233,011 lmfpx7.dll
03/12/2005 13:47 233,011 rkcns4.dll
03/12/2005 13:47 234,429 h8j4li1q18.dll
03/12/2005 13:33 233,011 sudpapi.dll
03/12/2005 11:39 234,931 aui2cqag.dll
03/11/2005 21:40 234,931 rDschap.dll
03/10/2005 19:53 232,918 cogmgr32.dll
03/10/2005 19:46 235,107 cdgmgr32.dll
03/10/2005 19:42 235,107 mqvfw32.dll
03/10/2005 17:41 234,437 sqmpsnap.dll
03/10/2005 11:33 232,736 kodbene.dll
03/09/2005 19:09 229,169 uqdmxfrm.dll
03/09/2005 19:09 230,464 irr2l59o1.dll
03/09/2005 19:07 229,169 aza6l3fs1.dll
03/09/2005 19:06 232,736 Ldkrn10n.dll
03/08/2005 20:42 <DIR> dllcache
03/08/2005 06:43 231,856 i806lids1806.dll
03/07/2005 22:16 230,606 i060lajm1doa.dll
03/07/2005 22:08 231,856 j0n2la5o1d.dll
03/07/2005 21:55 229,967 Pgbole32.dll
03/07/2005 21:50 228,527 baackbox.dll
03/07/2005 21:41 231,897 sFmsrv.dll
03/07/2005 21:33 231,086 pKpgasvc.dll
03/07/2005 21:31 231,897 kedinbe1.dll
03/07/2005 18:17 231,086 ozecli.dll
03/06/2005 21:42 230,458 mvl8l93u1.dll
03/06/2005 21:33 230,458 oqeacc.dll
03/06/2005 21:31 230,056 Lvcgm12n.dll
03/06/2005 18:39 229,089 seredir.dll
03/06/2005 16:09 231,207 gp02l3do1.dll
03/05/2005 19:10 231,070 l2j8lc1u1f.dll
03/05/2005 18:24 231,070 ngprint.dll
03/05/2005 17:28 228,926 wfnstrm.dll
03/05/2005 16:38 231,471 DJAO36.DLL
03/05/2005 16:33 228,926 dcound3d.dll
03/05/2005 10:54 231,471 wzaudsdk.dll
03/03/2005 15:42 228,441 k8jsli1718.dll
03/03/2005 14:23 229,222 dn8s01l7e.dll
03/02/2005 20:30 229,043 wrcsvc.dll
02/27/2005 04:39 228,738 l06o0aj3edo.dll
02/26/2005 11:22 231,502 MePMSNSv.dll
02/26/2005 11:13 230,863 kfdbr.dll
02/26/2005 11:13 231,361 p8r40i9qe8.dll
02/26/2005 10:49 231,893 f0l0la3m1d.dll
02/25/2005 20:19 230,863 kndhe220.dll
02/25/2005 19:54 230,863 sceio.dll
02/25/2005 19:54 231,032 lv6m09j1e.dll
02/24/2005 17:16 230,863 fp8s03l7e.dll
02/22/2005 21:26 230,863 gp26l3fs1.dll
02/22/2005 20:19 230,863 l48m0el1ehq.dll
02/22/2005 19:16 230,863 hr2o05f3e.dll
02/22/2005 19:07 232,265 k0pmla711d.dll
02/20/2005 18:41 230,863 skgen.dll
02/20/2005 18:39 229,133 mctask.dll
02/18/2005 18:37 230,863 dfcompos.dll
02/15/2005 10:55 230,772 mvl6l93s1.dll
02/15/2005 08:57 231,657 duvmgr.dll
02/14/2005 15:49 231,657 nhtui2.dll
06/03/2003 21:57 <DIR> Microsoft
67 File(s) 15,524,551 bytes
2 Dir(s) 14,705,737,728 bytes free
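
Most of the find log above can be checked mechanically rather than by eye. The script below is an added example, not part of the thread and not L2Mfix's own code. It parses a short excerpt of the log (embedded as a constant, with the same values the log shows) and pulls out three things: system32 DLLs carrying the System and Read-only attributes, which in this listing all fall within a few kilobytes of each other; the Winlogon\Notify subkeys and whether the DllName each points to actually appears in the listing; and the Shell Extensions\Approved entries with a blank description, resolved through HKCR\CLSID to the InprocServer32 each one loads (guard.tmp among them). Matching 8.3 short names such as fpl803~1.dll back to fpl8033ue.dll is done by prefix and is an assumption of the example; the attribute test is taken from this listing, not a general signature.

```python
import re

# Excerpt of the L2Mfix find log posted above (constructed for this example;
# the registry part is in regedit export form, the file list in L2Mfix's own).
FIND_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q4rqle951h.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"DllName"="C:\\WINDOWS\\system32\\fpl8033ue.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension"
"{1AFBA0D0-E790-4341-B96F-94B659A76E28}"=""
"{51046DE0-6991-4541-A688-03CD923A9E14}"=""
"{2D6B5763-44C1-4319-878E-45EB6BC020FA}"=""
[HKEY_CLASSES_ROOT\CLSID\{1AFBA0D0-E790-4341-B96F-94B659A76E28}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
[HKEY_CLASSES_ROOT\CLSID\{51046DE0-6991-4541-A688-03CD923A9E14}\InprocServer32]
@="C:\\WINDOWS\\system32\\lu6m09j1e.dll"
[HKEY_CLASSES_ROOT\CLSID\{2D6B5763-44C1-4319-878E-45EB6BC020FA}\InprocServer32]
@="C:\\WINDOWS\\system32\\srfolder.dll"
browseui.dll Thu 27 Jan 2005 17:13:16 A.... 1,016,832 993.00 K
fpl803~1.dll Sun 13 Mar 2005 21:45:36 ..S.R 233,598 228.12 K
kldpl1.dll Sun 13 Mar 2005 20:54:12 ..S.R 232,765 227.31 K
lu6m09~1.dll Sun 13 Mar 2005 21:54:44 ..S.R 233,598 228.12 K
srfolder.dll Sun 13 Mar 2005 18:02:46 ..S.R 232,765 227.31 K
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPROVED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?:"(?P<str>.*)"|.+)$')
FILE_RE = re.compile(r"^(?P<name>\S+)\s+\w{3} \d{1,2} \w{3} \d{4} \d{1,2}:\d{2}:\d{2}\s+"
                     r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s")

def parse_reg_dump(lines):
    """{key: {value_name: string}}; non-string values dropped, export's doubled backslashes undone."""
    keys, current = {}, None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            current = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if vm and current and vm["str"] is not None:
            name = "@" if vm["default"] else vm["name"]
            keys.setdefault(current, {})[name] = vm["str"].replace("\\\\", "\\")
    return keys

def parse_file_list(lines):
    """{name_lower: (attrs, size_bytes)} from the file listing part of the log."""
    files = {}
    for line in lines:
        fm = FILE_RE.match(line)
        if fm:
            files[fm["name"].lower()] = (fm["attrs"], int(fm["size"].replace(",", "")))
    return files

def on_disk(name, files):
    """Find a registry path's file in the listing, which prints long names in
    8.3 form (first six characters, '~1', extension). ASSUMPTION: '~1' only."""
    name = name.lower()
    if name in files:
        return name
    stem, _, ext = name.rpartition(".")
    for short in files:
        sstem, _, sext = short.rpartition(".")
        if "~" in sstem and sext == ext and stem.startswith(sstem.split("~")[0]):
            return short
    return None

def analyse(text):
    lines = text.strip().splitlines()
    reg, files = parse_reg_dump(lines), parse_file_list(lines)
    # 1. DLLs flagged System + Read-only: every dropped component in the listing
    #    above carries both, and they all fall in one narrow size band.
    hidden = {n: size for n, (attrs, size) in files.items() if "S" in attrs and "R" in attrs}
    # 2. Winlogon Notify hooks, and whether the DllName each points at is on disk.
    notify = []
    for key, values in reg.items():
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\") and "DllName" in values:
            dll = values["DllName"].rsplit("\\", 1)[-1].lower()
            notify.append((key.rsplit("\\", 1)[-1], dll, on_disk(dll, files)))
    # 3. Approved shell extensions with a blank description, resolved to their in-process server.
    approved = []
    for clsid, desc in reg.get(APPROVED_KEY, {}).items():
        if desc == "":
            server = reg.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {}).get("@")
            dll = server.rsplit("\\", 1)[-1].lower() if server else None
            approved.append((clsid, dll, on_disk(dll, files) if dll else None))
    return {"hidden": hidden, "notify": notify, "approved": approved}

if __name__ == "__main__":
    for group, items in analyse(FIND_LOG).items():
        print(group, items)
```

Read the three sections of the log together rather than one at a time: the interesting entries are those present on one side only, such as q4rqle951h.dll, which is registered as a Notify package but absent from the listing, and guard.tmp, registered as an in-process server but not found by the .tmp search. Shell extensions registered this way load into explorer.exe, which is consistent with the fix step later in this thread killing explorer.exe and rundll32.exe after the reboot before it backs up the files.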

#4 -=jonnyrotten=- (Retired Staff, 2,678 posts)
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

-=jonnyrotten=- :tazz:

#5 mcbirdo (Topic Starter, Member, 20 posts)
Here are the logs you requested.

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Mark Bird\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Mark Bird\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Mark Bird\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1480 'explorer.exe'
Killing PID 1480 'explorer.exe'
Killing PID 1480 'explorer.exe'
Killing PID 1480 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1148 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aza6l3fs1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\baackbox.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcound3d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dfcompos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DJAO36.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn8s01l7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\duvmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f0l0la3m1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8s03l7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp02l3do1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp26l3fs1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr2o05f3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i060lajm1doa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i806lids1806.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irr2l59o1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j0n2la5o1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0pmla711d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k8jsli1718.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kedinbe1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kfdbr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kndhe220.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l06o0aj3edo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l2j8lc1u1f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l48m0el1ehq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv6m09j1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Lvcgm12n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mctask.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MePMSNSv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvl6l93s1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvl8l93u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ngprint.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nhtui2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oqeacc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ozecli.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p8r40i9qe8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Pgbole32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pKpgasvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sceio.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\seredir.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sFmsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\skgen.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uqdmxfrm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfnstrm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wrcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wzaudsdk.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\aza6l3fs1.dll
Successfully Deleted: C:\WINDOWS\system32\aza6l3fs1.dll
deleting: C:\WINDOWS\system32\baackbox.dll
Successfully Deleted: C:\WINDOWS\system32\baackbox.dll
deleting: C:\WINDOWS\system32\dcound3d.dll
Successfully Deleted: C:\WINDOWS\system32\dcound3d.dll
deleting: C:\WINDOWS\system32\dfcompos.dll
Successfully Deleted: C:\WINDOWS\system32\dfcompos.dll
deleting: C:\WINDOWS\system32\DJAO36.DLL
Successfully Deleted: C:\WINDOWS\system32\DJAO36.DLL
deleting: C:\WINDOWS\system32\dn8s01l7e.dll
Successfully Deleted: C:\WINDOWS\system32\dn8s01l7e.dll
deleting: C:\WINDOWS\system32\duvmgr.dll
Successfully Deleted: C:\WINDOWS\system32\duvmgr.dll
deleting: C:\WINDOWS\system32\f0l0la3m1d.dll
Successfully Deleted: C:\WINDOWS\system32\f0l0la3m1d.dll
deleting: C:\WINDOWS\system32\fp8s03l7e.dll
Successfully Deleted: C:\WINDOWS\system32\fp8s03l7e.dll
deleting: C:\WINDOWS\system32\gp02l3do1.dll
Successfully Deleted: C:\WINDOWS\system32\gp02l3do1.dll
deleting: C:\WINDOWS\system32\gp26l3fs1.dll
Successfully Deleted: C:\WINDOWS\system32\gp26l3fs1.dll
deleting: C:\WINDOWS\system32\hr2o05f3e.dll
Successfully Deleted: C:\WINDOWS\system32\hr2o05f3e.dll
deleting: C:\WINDOWS\system32\i060lajm1doa.dll
Successfully Deleted: C:\WINDOWS\system32\i060lajm1doa.dll
deleting: C:\WINDOWS\system32\i806lids1806.dll
Successfully Deleted: C:\WINDOWS\system32\i806lids1806.dll
deleting: C:\WINDOWS\system32\irr2l59o1.dll
Successfully Deleted: C:\WINDOWS\system32\irr2l59o1.dll
deleting: C:\WINDOWS\system32\j0n2la5o1d.dll
Successfully Deleted: C:\WINDOWS\system32\j0n2la5o1d.dll
deleting: C:\WINDOWS\system32\k0pmla711d.dll
Successfully Deleted: C:\WINDOWS\system32\k0pmla711d.dll
deleting: C:\WINDOWS\system32\k8jsli1718.dll
Successfully Deleted: C:\WINDOWS\system32\k8jsli1718.dll
deleting: C:\WINDOWS\system32\kedinbe1.dll
Successfully Deleted: C:\WINDOWS\system32\kedinbe1.dll
deleting: C:\WINDOWS\system32\kfdbr.dll
Successfully Deleted: C:\WINDOWS\system32\kfdbr.dll
deleting: C:\WINDOWS\system32\kndhe220.dll
Successfully Deleted: C:\WINDOWS\system32\kndhe220.dll
deleting: C:\WINDOWS\system32\l06o0aj3edo.dll
Successfully Deleted: C:\WINDOWS\system32\l06o0aj3edo.dll
deleting: C:\WINDOWS\system32\l2j8lc1u1f.dll
Successfully Deleted: C:\WINDOWS\system32\l2j8lc1u1f.dll
deleting: C:\WINDOWS\system32\l48m0el1ehq.dll
Successfully Deleted: C:\WINDOWS\system32\l48m0el1ehq.dll
deleting: C:\WINDOWS\system32\lv6m09j1e.dll
Successfully Deleted: C:\WINDOWS\system32\lv6m09j1e.dll
deleting: C:\WINDOWS\system32\Lvcgm12n.dll
Successfully Deleted: C:\WINDOWS\system32\Lvcgm12n.dll
deleting: C:\WINDOWS\system32\mctask.dll
Successfully Deleted: C:\WINDOWS\system32\mctask.dll
deleting: C:\WINDOWS\system32\MePMSNSv.dll
Successfully Deleted: C:\WINDOWS\system32\MePMSNSv.dll
deleting: C:\WINDOWS\system32\mvl6l93s1.dll
Successfully Deleted: C:\WINDOWS\system32\mvl6l93s1.dll
deleting: C:\WINDOWS\system32\mvl8l93u1.dll
Successfully Deleted: C:\WINDOWS\system32\mvl8l93u1.dll
deleting: C:\WINDOWS\system32\ngprint.dll
Successfully Deleted: C:\WINDOWS\system32\ngprint.dll
deleting: C:\WINDOWS\system32\nhtui2.dll
Successfully Deleted: C:\WINDOWS\system32\nhtui2.dll
deleting: C:\WINDOWS\system32\oqeacc.dll
Successfully Deleted: C:\WINDOWS\system32\oqeacc.dll
deleting: C:\WINDOWS\system32\ozecli.dll
Successfully Deleted: C:\WINDOWS\system32\ozecli.dll
deleting: C:\WINDOWS\system32\p8r40i9qe8.dll
Successfully Deleted: C:\WINDOWS\system32\p8r40i9qe8.dll
deleting: C:\WINDOWS\system32\Pgbole32.dll
Successfully Deleted: C:\WINDOWS\system32\Pgbole32.dll
deleting: C:\WINDOWS\system32\pKpgasvc.dll
Successfully Deleted: C:\WINDOWS\system32\pKpgasvc.dll
deleting: C:\WINDOWS\system32\sceio.dll
Successfully Deleted: C:\WINDOWS\system32\sceio.dll
deleting: C:\WINDOWS\system32\seredir.dll
Successfully Deleted: C:\WINDOWS\system32\seredir.dll
deleting: C:\WINDOWS\system32\sFmsrv.dll
Successfully Deleted: C:\WINDOWS\system32\sFmsrv.dll
deleting: C:\WINDOWS\system32\skgen.dll
Successfully Deleted: C:\WINDOWS\system32\skgen.dll
deleting: C:\WINDOWS\system32\uqdmxfrm.dll
Successfully Deleted: C:\WINDOWS\system32\uqdmxfrm.dll
deleting: C:\WINDOWS\system32\wfnstrm.dll
Successfully Deleted: C:\WINDOWS\system32\wfnstrm.dll
deleting: C:\WINDOWS\system32\wrcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\wrcsvc.dll
deleting: C:\WINDOWS\system32\wzaudsdk.dll
Successfully Deleted: C:\WINDOWS\system32\wzaudsdk.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: aza6l3fs1.dll (164 bytes security) (deflated 5%)
adding: baackbox.dll (164 bytes security) (deflated 4%)
adding: dcound3d.dll (164 bytes security) (deflated 5%)
adding: dfcompos.dll (164 bytes security) (deflated 5%)
adding: DJAO36.DLL (164 bytes security) (deflated 6%)
adding: dn8s01l7e.dll (164 bytes security) (deflated 5%)
adding: duvmgr.dll (164 bytes security) (deflated 5%)
adding: f0l0la3m1d.dll (164 bytes security) (deflated 6%)
adding: fp8s03l7e.dll (164 bytes security) (deflated 5%)
adding: gp02l3do1.dll (164 bytes security) (deflated 6%)
adding: gp26l3fs1.dll (164 bytes security) (deflated 5%)
adding: hr2o05f3e.dll (164 bytes security) (deflated 5%)
adding: i060lajm1doa.dll (164 bytes security) (deflated 5%)
adding: i806lids1806.dll (164 bytes security) (deflated 6%)
adding: irr2l59o1.dll (164 bytes security) (deflated 5%)
adding: j0n2la5o1d.dll (164 bytes security) (deflated 6%)
adding: k0pmla711d.dll (164 bytes security) (deflated 6%)
adding: k8jsli1718.dll (164 bytes security) (deflated 4%)
adding: kedinbe1.dll (164 bytes security) (deflated 6%)
adding: kfdbr.dll (164 bytes security) (deflated 5%)
adding: kndhe220.dll (164 bytes security) (deflated 5%)
adding: l06o0aj3edo.dll (164 bytes security) (deflated 4%)
adding: l2j8lc1u1f.dll (164 bytes security) (deflated 5%)
adding: l48m0el1ehq.dll (164 bytes security) (deflated 5%)
adding: lv6m09j1e.dll (164 bytes security) (deflated 5%)
adding: Lvcgm12n.dll (164 bytes security) (deflated 5%)
adding: mctask.dll (164 bytes security) (deflated 5%)
adding: MePMSNSv.dll (164 bytes security) (deflated 6%)
adding: mvl6l93s1.dll (164 bytes security) (deflated 5%)
adding: mvl8l93u1.dll (164 bytes security) (deflated 5%)
adding: ngprint.dll (164 bytes security) (deflated 5%)
adding: nhtui2.dll (164 bytes security) (deflated 5%)
adding: oqeacc.dll (164 bytes security) (deflated 5%)
adding: ozecli.dll (164 bytes security) (deflated 5%)
adding: p8r40i9qe8.dll (164 bytes security) (deflated 6%)
adding: Pgbole32.dll (164 bytes security) (deflated 5%)
adding: pKpgasvc.dll (164 bytes security) (deflated 5%)
adding: sceio.dll (164 bytes security) (deflated 5%)
adding: seredir.dll (164 bytes security) (deflated 5%)
adding: sFmsrv.dll (164 bytes security) (deflated 6%)
adding: skgen.dll (164 bytes security) (deflated 5%)
adding: uqdmxfrm.dll (164 bytes security) (deflated 5%)
adding: wfnstrm.dll (164 bytes security) (deflated 5%)
adding: wrcsvc.dll (164 bytes security) (deflated 5%)
adding: wzaudsdk.dll (164 bytes security) (deflated 6%)
adding: clear.reg (164 bytes security) (deflated 51%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 86%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 83%)
adding: test2.txt (164 bytes security) (deflated 33%)
adding: test3.txt (164 bytes security) (deflated 33%)
adding: test5.txt (164 bytes security) (deflated 33%)
adding: xfind.txt (164 bytes security) (deflated 77%)
adding: backregs/0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7.reg (164 bytes security) (deflated 70%)
adding: backregs/1AFBA0D0-E790-4341-B96F-94B659A76E28.reg (164 bytes security) (deflated 70%)
adding: backregs/2D6B5763-44C1-4319-878E-45EB6BC020FA.reg (164 bytes security) (deflated 70%)
adding: backregs/51046DE0-6991-4541-A688-03CD923A9E14.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"
Warning (option /rge) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aza6l3fs1.dll
deleting local copy: baackbox.dll
deleting local copy: dcound3d.dll
deleting local copy: dfcompos.dll
deleting local copy: DJAO36.DLL
deleting local copy: dn8s01l7e.dll
deleting local copy: duvmgr.dll
deleting local copy: f0l0la3m1d.dll
deleting local copy: fp8s03l7e.dll
deleting local copy: gp02l3do1.dll
deleting local copy: gp26l3fs1.dll
deleting local copy: hr2o05f3e.dll
deleting local copy: i060lajm1doa.dll
deleting local copy: i806lids1806.dll
deleting local copy: irr2l59o1.dll
deleting local copy: j0n2la5o1d.dll
deleting local copy: k0pmla711d.dll
deleting local copy: k8jsli1718.dll
deleting local copy: kedinbe1.dll
deleting local copy: kfdbr.dll
deleting local copy: kndhe220.dll
deleting local copy: l06o0aj3edo.dll
deleting local copy: l2j8lc1u1f.dll
deleting local copy: l48m0el1ehq.dll
deleting local copy: lv6m09j1e.dll
deleting local copy: Lvcgm12n.dll
deleting local copy: mctask.dll
deleting local copy: MePMSNSv.dll
deleting local copy: mvl6l93s1.dll
deleting local copy: mvl8l93u1.dll
deleting local copy: ngprint.dll
deleting local copy: nhtui2.dll
deleting local copy: oqeacc.dll
deleting local copy: ozecli.dll
deleting local copy: p8r40i9qe8.dll
deleting local copy: Pgbole32.dll
deleting local copy: pKpgasvc.dll
deleting local copy: sceio.dll
deleting local copy: seredir.dll
deleting local copy: sFmsrv.dll
deleting local copy: skgen.dll
deleting local copy: uqdmxfrm.dll
deleting local copy: wfnstrm.dll
deleting local copy: wrcsvc.dll
deleting local copy: wzaudsdk.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpj0031me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q4rqle951h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aza6l3fs1.dll
C:\WINDOWS\system32\baackbox.dll
C:\WINDOWS\system32\dcound3d.dll
C:\WINDOWS\system32\dfcompos.dll
C:\WINDOWS\system32\DJAO36.DLL
C:\WINDOWS\system32\dn8s01l7e.dll
C:\WINDOWS\system32\duvmgr.dll
C:\WINDOWS\system32\f0l0la3m1d.dll
C:\WINDOWS\system32\fp8s03l7e.dll
C:\WINDOWS\system32\gp02l3do1.dll
C:\WINDOWS\system32\gp26l3fs1.dll
C:\WINDOWS\system32\hr2o05f3e.dll
C:\WINDOWS\system32\i060lajm1doa.dll
C:\WINDOWS\system32\i806lids1806.dll
C:\WINDOWS\system32\irr2l59o1.dll
C:\WINDOWS\system32\j0n2la5o1d.dll
C:\WINDOWS\system32\k0pmla711d.dll
C:\WINDOWS\system32\k8jsli1718.dll
C:\WINDOWS\system32\kedinbe1.dll
C:\WINDOWS\system32\kfdbr.dll
C:\WINDOWS\system32\kndhe220.dll
C:\WINDOWS\system32\l06o0aj3edo.dll
C:\WINDOWS\system32\l2j8lc1u1f.dll
C:\WINDOWS\system32\l48m0el1ehq.dll
C:\WINDOWS\system32\lv6m09j1e.dll
C:\WINDOWS\system32\Lvcgm12n.dll
C:\WINDOWS\system32\mctask.dll
C:\WINDOWS\system32\MePMSNSv.dll
C:\WINDOWS\system32\mvl6l93s1.dll
C:\WINDOWS\system32\mvl8l93u1.dll
C:\WINDOWS\system32\ngprint.dll
C:\WINDOWS\system32\nhtui2.dll
C:\WINDOWS\system32\oqeacc.dll
C:\WINDOWS\system32\ozecli.dll
C:\WINDOWS\system32\p8r40i9qe8.dll
C:\WINDOWS\system32\Pgbole32.dll
C:\WINDOWS\system32\pKpgasvc.dll
C:\WINDOWS\system32\sceio.dll
C:\WINDOWS\system32\seredir.dll
C:\WINDOWS\system32\sFmsrv.dll
C:\WINDOWS\system32\skgen.dll
C:\WINDOWS\system32\uqdmxfrm.dll
C:\WINDOWS\system32\wfnstrm.dll
C:\WINDOWS\system32\wrcsvc.dll
C:\WINDOWS\system32\wzaudsdk.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{1AFBA0D0-E790-4341-B96F-94B659A76E28}"=-
"{51046DE0-6991-4541-A688-03CD923A9E14}"=-
"{2D6B5763-44C1-4319-878E-45EB6BC020FA}"=-
"{0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7}"=-
[-HKEY_CLASSES_ROOT\CLSID\{1AFBA0D0-E790-4341-B96F-94B659A76E28}]
[-HKEY_CLASSES_ROOT\CLSID\{51046DE0-6991-4541-A688-03CD923A9E14}]
[-HKEY_CLASSES_ROOT\CLSID\{2D6B5763-44C1-4319-878E-45EB6BC020FA}]
[-HKEY_CLASSES_ROOT\CLSID\{0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD165A8B-2757-4E9A-AE9F-26C520DA6908}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{AD165A8B-2757-4E9A-AE9F-26C520DA6908}</IDone>
<IDtwo>DS4</IDtwo>
<VERSION>200</VERSION>
****************************************************************************



Logfile of HijackThis v1.99.1
Scan saved at 19:17:15, on 03/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\fpj0031me.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\q4rqle951h.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
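The L2Mfix export above shows the persistence mechanism at work: a subkey under Winlogon\Notify (here "Reinstall" and "Reliability") whose DllName points at a randomly named DLL in system32, which winlogon.exe then loads at every logon. As an added example, not part of this thread, of HijackThis or of the L2Mfix tool, the following Python script parses that kind of "Windows Registry Editor Version 5.00" export and flags notification packages that are not on a baseline of stock Windows XP entries. The baseline table, the random-name heuristic and the constructed crypt32chain sample entry are assumptions made for this example; the Reinstall entry is taken from the L2Mfix output above.

```python
import re

# Notification packages a stock Windows XP install registers under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
# (subkey -> DLL basename, lower-cased). Assumption for this example:
# build a real baseline from a known-clean image of the same Windows build.
XP_BASELINE_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
NOTIFY_PREFIX = "\\winlogon\\notify\\"   # matched case-insensitively


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a REGEDIT5 export.
    Only plain string values are decoded; dword and hex(2) (REG_EXPAND_SZ)
    data are skipped, so a missing DllName is itself worth a look."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = STR_RE.match(line) if current is not None else None
        if m:
            # .reg escapes backslash and double quote with a leading backslash
            keys[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("value"))
    return keys


def notify_packages(keys):
    """Map each Winlogon\\Notify\\<subkey> to its DllName ('' if absent)."""
    packages = {}
    for path, values in keys.items():
        idx = path.lower().find(NOTIFY_PREFIX)
        if idx == -1:
            continue
        subkey = path[idx + len(NOTIFY_PREFIX):]
        if subkey and "\\" not in subkey:
            packages[subkey] = values.get("DllName", "")
    return packages


def looks_random(basename):
    """Heuristic used here: a stem of 8+ characters mixing letters and digits,
    like the fpj0031me.dll and q4rqle951h.dll names in the export above."""
    stem = basename.rsplit(".", 1)[0]
    return (len(stem) >= 8 and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def suspicious_packages(keys, baseline=XP_BASELINE_NOTIFY):
    """Return [(subkey, dll_path, reason)] for packages that are not on the
    baseline, have no DllName, or load a different DLL than the baseline says."""
    findings = []
    for subkey, dll in notify_packages(keys).items():
        base = dll.rsplit("\\", 1)[-1].lower()
        expected = baseline.get(subkey.lower())
        if expected is None:
            reason = "subkey not in baseline"
        elif not dll:
            reason = "DllName missing or not a plain string"
        elif base != expected:
            reason = "DllName %s differs from baseline %s" % (base, expected)
        else:
            continue
        if looks_random(base):
            reason += "; random-looking DLL name"
        findings.append((subkey, dll, reason))
    return findings


# Constructed sample: the Reinstall entry as printed in the L2Mfix export above,
# plus an entry modelled on the stock crypt32chain package for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpj0031me.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"""

if __name__ == "__main__":
    for subkey, dll, reason in suspicious_packages(parse_reg_export(SAMPLE_EXPORT)):
        print("%-14s %-40s %s" % (subkey, dll, reason))
```

Feed it the export that `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` produces on the suspect machine and compare against a baseline taken from a clean install of the same build; the subkey name alone ("Reinstall", "Reliability", "ThemeManager") is meaningless, what matters is that it is not a package Windows itself registers and that the DLL it names is not one Windows ships.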

#6
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save HijackThis in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click Fix checked.

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\q4rqle951h.dll (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\fpl8033ue.dll

Reboot normally and post a new hijack this log. How are things running now?

-=jonnyrotten=- :tazz:

#7
mcbirdo

    Member

  • Topic Starter
  • Member
  • 20 posts
Thanks Johnny, but things are still not running great and the items don't seem to have gone.

I checked the boxes you said, except the O20 Winlogon Notify: ThemeManager etc. because it wasn't there.

A "Remove Spyware" icon keeps appearing on my desktop (http://hop.clickball)

Adware adverts also keep popping up (e.g. adv.eblocs.com?spyblocs)

And I keep getting Trojan Horse Dropper alerts through AVG.

As I was writing the last message the PC turned itself off, reporting an error with winlogon.exe.

But at least my recycle bin is back :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 21:35:47, on 03/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Hijack This\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\jtn0075me.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

#8
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Hmm, let's keep working on this. Download this stuff in normal mode, then boot into safe mode to use them.

Please download CleanUp! and install it. Now run the program and click the "CleanUp!" button. When finished, reboot into Safe Mode again and move on to the next step.

Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right-click "Deldomains.inf" and click "Install". It will not appear to have done anything; that's OK. Next step.

Reset your hosts file. Click Here to download HostsFileReader. To reset the hosts file to default, simply open the program, click the "reset default" button, and confirm the changes.

Now open Hijack This again while still in Safe Mode and remove the following entries if still found.

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\jtn0075me.dll

Reboot and post a new log with any new details.

By the way, are you on a network, or just a PC at home? Do you know by any chance what this IP address range is about?

O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87

-=jonnyrotten=- :tazz:
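The hosts-file step in the procedure above (reset the hosts file, then remove the O1 entries if still present) can be checked and carried out offline once you know what an O1 line actually is: a hostname mapped, in the hosts file, to an address that is not the machine itself. As an added example, not code from the thread, from HostsFileReader or from HijackThis, the following Python script audits a hosts file for such mappings and writes back a copy with the hijacked lines removed; the sample hosts content is constructed from the three O1 lines reported in this thread plus a comment line and two benign entries.

```python
import ipaddress

# Constructed sample modelled on the O1 lines HijackThis reported in this
# thread, plus a comment line and two benign mappings for contrast.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    nas.lan
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

PUBLIC_REDIRECT = "redirect to public address"


def parse_hosts(text):
    """Return [(line_number, address, [hostnames])] for each mapping line,
    ignoring blank lines and '#' comments (trailing comments are stripped)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit_hosts(text):
    """Return [(line_number, address, hostname, verdict)] for every mapping
    that does not point at loopback. A routable address means requests for
    that name leave the machine for a host the file's author chose, which is
    what the O1 lines above do to the browser's search URLs; a private (LAN)
    address is reported as informational only."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            verdict = "malformed address"
        else:
            if addr.is_loopback:
                continue
            verdict = PUBLIC_REDIRECT if addr.is_global else "non-loopback private address"
        findings.extend((lineno, ip, name, verdict) for name in names)
    return findings


def clean_hosts(text):
    """Drop every line flagged as a redirect to a public address; comments,
    loopback and LAN mappings are kept exactly as they were."""
    bad = {f[0] for f in audit_hosts(text) if f[3] == PUBLIC_REDIRECT}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % (lineno, name, ip, verdict))
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; the point of running the audit rather than only resetting the file is visible in the thread itself, where the same three lines came back after the reset because the component that writes them was still loaded.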

#9
mcbirdo

    Member

  • Topic Starter
  • Member
  • 20 posts
Thanks mate. I'm just on a PC at home. I'm not sure what the IP address is about, but I asked a friend and this is what he said:

"You need to ask the guy to send the full reference. I would have expected to see something like:

Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

...

Value 17
Name: DhcpNameServer
Type: REG_SZ
Data: 156.4.100.92 172.21.18.92 172.21.34.12 156.4.108.120 156.4.100.7 156.4.108.8

which is how this information is usually stored in the XP registry. If HiJackThis is finding this, probably you can remove it as this is possibly trying to by-pass your DNS settings."

I'm still getting adware popping up all the time and alerts about Trojan Horse Dropper 8 and 13. I also sometimes get a message saying, "An exception occurred while trying to run C:\Windows\system32\wtsdmod.dll,DllGetVersion."

The hosts disappeared in safe mode but the bloody things are back :tazz:

Here is the log. Thanks JR

Mark

Logfile of HijackThis v1.99.1
Scan saved at 20:46:52, on 03/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\dn0s01d7e.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

#10
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Could you run L2mfix.bat again and post the results back here for me. It looks like it did not work, or maybe the infection has been "upgraded" and somehow gets past the fix. Don't reboot the computer after running step 1. You can actually go ahead and run step two right after that and let it reboot. Post that log too.

-=jonnyrotten=- :tazz:

#11
mcbirdo

    Member

  • Topic Starter
  • Member
  • 20 posts
Here are the two logs:

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtl6073se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD26821D-7E32-D26A-56C7-41F320848D99}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{82DC66E8-00DB-4603-8A31-A12C19A88C37}"=""
"{EDBBD898-EAF6-4EFB-B9F7-062C897A4656}"=""
"{B8529531-E2D0-4394-A554-8B1E00563859}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{82DC66E8-00DB-4603-8A31-A12C19A88C37}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{82DC66E8-00DB-4603-8A31-A12C19A88C37}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{82DC66E8-00DB-4603-8A31-A12C19A88C37}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{82DC66E8-00DB-4603-8A31-A12C19A88C37}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EDBBD898-EAF6-4EFB-B9F7-062C897A4656}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDBBD898-EAF6-4EFB-B9F7-062C897A4656}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDBBD898-EAF6-4EFB-B9F7-062C897A4656}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDBBD898-EAF6-4EFB-B9F7-062C897A4656}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B8529531-E2D0-4394-A554-8B1E00563859}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8529531-E2D0-4394-A554-8B1E00563859}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8529531-E2D0-4394-A554-8B1E00563859}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8529531-E2D0-4394-A554-8B1E00563859}\InprocServer32]
@="C:\\WINDOWS\\system32\\nemsdba.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aui2cqag.dll Sat 12 Mar 2005 11:39:04 ..S.R 234,931 229.42 K
browseui.dll Thu 27 Jan 2005 17:13:16 A.... 1,016,832 993.00 K
cdfview.dll Thu 27 Jan 2005 17:13:16 A.... 151,040 147.50 K
cdgmgr32.dll Thu 10 Mar 2005 19:46:26 ..S.R 235,107 229.59 K
cgbcatex.dll Tue 15 Mar 2005 20:13:42 ..S.R 233,248 227.78 K
cogmgr32.dll Thu 10 Mar 2005 19:53:44 ..S.R 232,918 227.46 K
dwgest.dll Mon 14 Mar 2005 21:27:08 ..S.R 233,668 228.19 K
gccoll~1.dll Thu 10 Feb 2005 22:32:20 A.... 119,520 116.72 K
gcmd5q~1.dll Thu 3 Mar 2005 13:33:42 A.... 10,752 10.50 K
gcunco~1.dll Thu 10 Feb 2005 22:32:20 A.... 130,272 127.22 K
gwfspi~1.dll Fri 28 Jan 2005 15:37:58 A.... 23,304 22.76 K
h8j4li~1.dll Sat 12 Mar 2005 13:47:38 ..S.R 234,429 228.93 K
hashlib.dll Thu 10 Feb 2005 22:32:18 A.... 81,120 79.22 K
i260lc~1.dll Sat 12 Mar 2005 20:26:50 ..S.R 235,606 230.08 K
ibssam.dll Tue 15 Mar 2005 19:09:04 ..S.R 233,248 227.78 K
iepeers.dll Thu 27 Jan 2005 17:13:16 A.... 249,856 244.00 K
inseng.dll Thu 27 Jan 2005 17:13:16 A.... 96,256 94.00 K
ir28l5~1.dll Mon 14 Mar 2005 21:27:08 ..S.R 235,493 229.97 K
jtl607~1.dll Tue 15 Mar 2005 20:35:42 ..S.R 232,542 227.09 K
jtn007~1.dll Mon 14 Mar 2005 18:50:48 ..S.R 233,668 228.19 K
kldpl1.dll Sun 13 Mar 2005 20:54:12 ..S.R 232,765 227.31 K
kodbene.dll Thu 10 Mar 2005 11:33:54 ..S.R 232,736 227.28 K
lcpng12n.dll Mon 14 Mar 2005 14:45:16 ..S.R 233,598 228.12 K
ldkrn10n.dll Wed 9 Mar 2005 19:06:04 ..S.R 232,736 227.28 K
legitc~1.dll Fri 28 Jan 2005 15:38:00 A.... 421,128 411.26 K
lmfpx7.dll Sat 12 Mar 2005 14:51:40 ..S.R 233,011 227.55 K
lv6m09~1.dll Mon 14 Mar 2005 18:51:48 ..S.R 233,611 228.13 K
lvnq09~1.dll Tue 15 Mar 2005 20:54:24 ..S.R 233,101 227.64 K
mipi.dll Mon 14 Mar 2005 18:50:48 ..S.R 233,611 228.13 K
mixex.dll Sat 12 Mar 2005 16:26:28 ..S.R 234,621 229.12 K
mng4dmod.dll Sat 12 Mar 2005 16:33:10 ..S.R 235,484 229.96 K
mqvfw32.dll Thu 10 Mar 2005 19:43:00 ..S.R 235,107 229.59 K
mshtml.dll Thu 27 Jan 2005 17:13:18 A.... 3,006,976 2.87 M
msvcp71.dll Fri 17 Dec 2004 19:38:14 A.... 499,712 488.00 K
msvcr71.dll Fri 17 Dec 2004 19:38:14 A.... 348,160 340.00 K
nemsdba.dll Tue 15 Mar 2005 20:54:24 ..S.R 232,542 227.09 K
o8840i~1.dll Sun 13 Mar 2005 20:58:06 ..S.R 233,253 227.79 K
ole32.dll Fri 14 Jan 2005 8:55:50 A.... 1,285,120 1.22 M
olecli32.dll Fri 14 Jan 2005 8:55:50 A.... 74,752 73.00 K
olecnv32.dll Fri 14 Jan 2005 8:55:50 A.... 37,888 37.00 K
pfnmap.dll Tue 15 Mar 2005 20:25:34 ..S.R 233,164 227.70 K
rdschap.dll Fri 11 Mar 2005 21:40:50 ..S.R 234,931 229.42 K
realbap1.dll Fri 4 Mar 2005 18:46:38 A.... 69,632 68.00 K
realbsf1.dll Fri 4 Mar 2005 18:46:38 A.... 45,568 44.50 K
rhsadhlp.dll Tue 15 Mar 2005 20:11:12 ..S.R 234,495 228.99 K
rkcns4.dll Sat 12 Mar 2005 13:47:38 ..S.R 233,011 227.55 K
rpcss.dll Fri 14 Jan 2005 8:55:50 A.... 395,776 386.50 K
shdocvw.dll Thu 27 Jan 2005 17:13:18 A.... 1,483,264 1.41 M
shell32.dll Tue 21 Dec 2004 20:49:36 A.... 8,450,048 8.06 M
shlwapi.dll Thu 27 Jan 2005 17:13:18 A.... 473,600 462.50 K
sqmpsnap.dll Thu 10 Mar 2005 17:41:26 ..S.R 234,437 228.94 K
srfolder.dll Sun 13 Mar 2005 18:02:46 ..S.R 232,765 227.31 K
sudpapi.dll Sat 12 Mar 2005 13:33:20 ..S.R 233,011 227.55 K
ugrcoina.dll Sat 12 Mar 2005 16:35:50 ..S.R 235,606 230.08 K
urlmon.dll Thu 27 Jan 2005 17:13:18 A.... 607,744 593.50 K
wininet.dll Thu 27 Jan 2005 17:13:18 A.... 656,896 641.50 K
wistream.dll Tue 15 Mar 2005 19:51:00 ..S.R 234,495 228.99 K

57 items found: 57 files (33 H/S), 0 directories.
Total of file sizes: 27,452,165 bytes 26.18 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/15/2005 20:54 232,542 nemsdba.dll
03/15/2005 20:54 233,101 lvnq0955e.dll
03/15/2005 20:35 232,542 jtl6073se.dll
03/15/2005 20:25 233,164 pFnmap.dll
03/15/2005 20:13 233,248 cgbcatex.dll
03/15/2005 20:11 234,495 rHsadhlp.dll
03/15/2005 19:50 234,495 wistream.dll
03/15/2005 19:09 233,248 iBssam.dll
03/14/2005 21:27 233,668 dwgest.dll
03/14/2005 21:27 235,493 ir28l5fu1.dll
03/14/2005 18:51 233,611 lv6m09j1e.dll
03/14/2005 18:50 233,611 MIPI.DLL
03/14/2005 18:50 233,668 jtn0075me.dll
03/14/2005 14:45 233,598 Lcpng12n.dll
03/13/2005 20:58 233,253 o8840ilqe8qe0.dll
03/13/2005 20:54 232,765 kldpl1.dll
03/13/2005 18:02 232,765 srfolder.dll
03/12/2005 20:26 235,606 i260lcjm1foa.dll
03/12/2005 16:35 235,606 ugrcoina.dll
03/12/2005 16:33 235,484 mng4dmod.dll
03/12/2005 16:26 234,621 mixex.dll
03/12/2005 14:51 233,011 lmfpx7.dll
03/12/2005 13:47 233,011 rkcns4.dll
03/12/2005 13:47 234,429 h8j4li1q18.dll
03/12/2005 13:33 233,011 sudpapi.dll
03/12/2005 11:39 234,931 aui2cqag.dll
03/11/2005 21:40 234,931 rDschap.dll
03/10/2005 19:53 232,918 cogmgr32.dll
03/10/2005 19:46 235,107 cdgmgr32.dll
03/10/2005 19:42 235,107 mqvfw32.dll
03/10/2005 17:41 234,437 sqmpsnap.dll
03/10/2005 11:33 232,736 kodbene.dll
03/09/2005 19:06 232,736 Ldkrn10n.dll
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:57 <DIR> Microsoft
33 File(s) 7,716,949 bytes
2 Dir(s) 7,463,329,792 bytes free


L2Mfix 1.02b

Running From:
C:\DOCUME~1\MARKBI~1\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Mark Bird\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Mark Bird\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1472 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1260 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (164 bytes security) (deflated 46%)
updating: echo.reg (164 bytes security) (deflated 9%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 72%)
updating: readme.txt (164 bytes security) (deflated 49%)
updating: report.txt (164 bytes security) (deflated 65%)
updating: test.txt (164 bytes security) (deflated 81%)
updating: test2.txt (164 bytes security) (deflated 26%)
updating: test3.txt (164 bytes security) (deflated 26%)
updating: test5.txt (164 bytes security) (deflated 26%)
adding: log.txt (164 bytes security) (deflated 85%)
updating: backregs/0E0CDE8A-B458-4E15-B9A0-B3E6EC7608B7.reg (164 bytes security) (deflated 70%)
updating: backregs/1AFBA0D0-E790-4341-B96F-94B659A76E28.reg (164 bytes security) (deflated 70%)
updating: backregs/2D6B5763-44C1-4319-878E-45EB6BC020FA.reg (164 bytes security) (deflated 70%)
updating: backregs/51046DE0-6991-4541-A688-03CD923A9E14.reg (164 bytes security) (deflated 70%)
updating: backregs/shell.reg (164 bytes security) (deflated 74%)
adding: backregs/82DC66E8-00DB-4603-8A31-A12C19A88C37.reg (164 bytes security) (deflated 70%)
adding: backregs/B8529531-E2D0-4394-A554-8B1E00563859.reg (164 bytes security) (deflated 70%)
adding: backregs/EDBBD898-EAF6-4EFB-B9F7-062C897A4656.reg (164 bytes security) (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"
Warning (option /rge) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvnq0955e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{82DC66E8-00DB-4603-8A31-A12C19A88C37}"=-
"{EDBBD898-EAF6-4EFB-B9F7-062C897A4656}"=-
"{B8529531-E2D0-4394-A554-8B1E00563859}"=-
[-HKEY_CLASSES_ROOT\CLSID\{82DC66E8-00DB-4603-8A31-A12C19A88C37}]
[-HKEY_CLASSES_ROOT\CLSID\{EDBBD898-EAF6-4EFB-B9F7-062C897A4656}]
[-HKEY_CLASSES_ROOT\CLSID\{B8529531-E2D0-4394-A554-8B1E00563859}]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Cheers JR ;)


PS: an adware just popped up :tazz:

Let's see how it goes.
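The L2MFix find log above carries the two facts a responder needs: which registry keys (Winlogon\Notify, shell-extension CLSIDs) load a DLL, and which files in system32 share the dropper's profile (system + read-only attributes, freshly dated, all within a few KB of 233 KB). The script below is an added example, not part of the thread or of the L2MFix tool: it parses a constructed excerpt in the find-log format, cross-references the registered loaders against the file listing (tolerating 8.3 short names such as jtl607~1.dll), and reports loaders that point at a file the listing does not contain. The 232-236 KB size band and the reading of the attribute column as single-letter flags are assumptions drawn from this log, not from any L2MFix documentation.

```python
"""Triage an L2MFix find-log: cross-reference registry loaders with the
system32 file listing and flag files with the Look2Me file profile."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the L2MFix 1.02b find log posted above
# (a handful of lines copied from it, not the whole log).
SAMPLE_LOG = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtl6073se.dll"
"Impersonate"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{82DC66E8-00DB-4603-8A31-A12C19A88C37}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B8529531-E2D0-4394-A554-8B1E00563859}\InprocServer32]
@="C:\\WINDOWS\\system32\\nemsdba.dll"
"ThreadingModel"="Apartment"

Files Found are not all bad files:

aui2cqag.dll Sat 12 Mar 2005 11:39:04 ..S.R 234,931 229.42 K
browseui.dll Thu 27 Jan 2005 17:13:16 A.... 1,016,832 993.00 K
jtl607~1.dll Tue 15 Mar 2005 20:35:42 ..S.R 232,542 227.09 K
nemsdba.dll Tue 15 Mar 2005 20:54:24 ..S.R 232,542 227.09 K
shell32.dll Tue 21 Dec 2004 20:49:36 A.... 8,450,048 8.06 M
"""


@dataclass
class FileEntry:
    name: str
    attrs: str   # attribute column as printed by L2MFix, e.g. "..S.R" or "A...."
    size: int


FILE_LINE = re.compile(
    r"^(?P<name>\S+)\s+\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+[\d:]+\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s"
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?P<name>@|"[^"]+")="(?P<val>.*)"$')

# Assumption drawn from this log: the dropped DLLs all weigh 232-236 KB.
SIZE_MIN, SIZE_MAX = 232_000, 236_000


def parse_find_log(text):
    """Return (file entries, {registry key: DLL path it loads})."""
    files, loaders, current_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_LINE.match(line):
            current_key = m.group("key")
        elif (m := VALUE_LINE.match(line)) and current_key:
            name, val = m.group("name"), m.group("val").replace("\\\\", "\\")
            if name == '"DllName"' and "Winlogon\\Notify" in current_key:
                loaders[current_key] = val      # Winlogon Notify package
            elif name == "@" and current_key.endswith("\\InprocServer32"):
                loaders[current_key] = val      # COM server behind a shell-extension CLSID
        elif m := FILE_LINE.match(line):
            files.append(FileEntry(m.group("name"), m.group("attrs"),
                                   int(m.group("size").replace(",", ""))))
    return files, loaders


def names_match(listed, full):
    """Match a listing name to a registry path's basename, tolerating 8.3
    short names such as jtl607~1.dll for jtl6073se.dll."""
    listed, full = listed.lower(), full.lower()
    if "~" not in listed:
        return listed == full
    stem = listed.split("~", 1)[0]
    ext = listed.rsplit(".", 1)[-1]
    return full.startswith(stem) and full.endswith("." + ext)


def triage(text):
    """Suspect files (registered loaders or profile hits), all loaders, and
    loaders whose target file is absent from the listing."""
    files, loaders = parse_find_log(text)
    loader_names = {path.rsplit("\\", 1)[-1] for path in loaders.values()}
    suspects = []
    for f in files:
        registered = any(names_match(f.name, n) for n in loader_names)
        # system + read-only attributes on a system32 DLL inside the size band
        profile = "S" in f.attrs and "R" in f.attrs and SIZE_MIN <= f.size <= SIZE_MAX
        if registered or profile:
            suspects.append({"name": f.name, "size": f.size, "attrs": f.attrs,
                             "registered": registered})
    missing = sorted(n for n in loader_names
                     if not any(names_match(f.name, n) for f in files))
    return {"suspects": suspects, "loaders": loaders, "missing_loaders": missing}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for s in result["suspects"]:
        tag = "registered loader" if s["registered"] else "matches file profile"
        print(f"{s['name']:<16} {s['size']:>9,} {s['attrs']}  {tag}")
    for key, path in result["loaders"].items():
        print(f"loader: {key} -> {path}")
    print("referenced but not in listing:", result["missing_loaders"])
```

On the sample this flags aui2cqag.dll on file profile alone, jtl6073se.dll and nemsdba.dll as registered loaders, and reports guard.tmp as referenced by a CLSID but absent from the listing, which matches the "Locate .tmp files: No matches found" line in the real log. Names that are only profile hits are the ones a fix that works purely from the registry will leave behind, and are exactly the set the L2MFix second pass is meant to sweep up.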

#12
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Cool, looks like it deleted some files again. Try posting another Hijack This log so we can check it out. :tazz:

-=jonnyrotten=- ;)

#13
mcbirdo

    Member

  • Topic Starter
  • Member
  • 20 posts
Things running a bit better but still getting ads and stuff popping up a lot. Cheers :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 19:45:38, on 03/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\lvnq0955e.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

#14
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Ok, remove these with Hijack This (do it in safe mode)

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\lvnq0955e.dll

Now run CleanUp!, DelDomains, and reset the Hosts file again. Reboot.

Spybot Search & Destroy Download and install. Start Spybot S&D, Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

-=jonnyrotten=- :tazz:

#15
mcbirdo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here is the latest logfile. Things are running quite well. Just those bloody adware pop-ups keep popping up.

Logfile of HijackThis v1.99.1
Scan saved at 17:08:32, on 03/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\en0sl1d71.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

Here is the Ad-Aware log:


Ad-Aware SE Build 1.05
Logfile Created on:18 March 2005 16:36:35
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R33 16.03.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):33 total references
Redirected hostfile entry(TAC index:4):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R33 16.03.2005
Internal build : 38
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 431409 Bytes
Total size : 1357573 Bytes
Signature data size : 1327668 Bytes
Reference data size : 29393 Bytes
Signatures total : 37814
Fingerprints total : 720
Fingerprints size : 26761 Bytes
Target categories : 15
Target families : 641


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:46 %
Total physical memory:523248 kb
Available physical memory:236176 kb
Total page file size:1277476 kb
Available on page file:1060376 kb
Total virtual memory:2097024 kb
Available virtual memory:2045228 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Let Windows remove files in use at next reboot
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


03/18/2005 16:36:35 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 504
ThreadCreationTime : 03/18/2005 16:34:23
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 592
ThreadCreationTime : 03/18/2005 16:34:28
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 636
ThreadCreationTime : 03/18/2005 16:34:29
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 648
ThreadCreationTime : 03/18/2005 16:34:29
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 788
ThreadCreationTime : 03/18/2005 16:34:29
BasePriority : Normal
FileVersion : 6.14.10.4107
ProductVersion : 6.14.10.4107.03
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 800
ThreadCreationTime : 03/18/2005 16:34:30
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 908
ThreadCreationTime : 03/18/2005 16:34:30
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1168
ThreadCreationTime : 03/18/2005 16:34:31
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:9 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1216
ThreadCreationTime : 03/18/2005 16:34:32
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:10 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1336
ThreadCreationTime : 03/18/2005 16:34:32
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:11 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1380
ThreadCreationTime : 03/18/2005 16:34:34
BasePriority : Normal
FileVersion : 7,1,0,285
ProductVersion : 7.1.0.285
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1476
ThreadCreationTime : 03/18/2005 16:34:35
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1644
ThreadCreationTime : 03/18/2005 16:34:36
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1928
ThreadCreationTime : 03/18/2005 16:34:39
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:15 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1940
ThreadCreationTime : 03/18/2005 16:34:39
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:16 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 232
ThreadCreationTime : 03/18/2005 16:34:49
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:17 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1548
ThreadCreationTime : 03/18/2005 16:34:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2328
ThreadCreationTime : 03/18/2005 16:35:22
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description : list of recent pictured inserted in microsoft powerpoint


MRU List Object Recognized!
Location: : software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : software\microsoft\office\9.0\publisher\recent file list
Description : list of recent files used by microsoft publisher


MRU List Object Recognized!
Location: : software\microsoft\office\9.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : software\microsoft\office\9.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : C:\Documents and Settings\Mark Bird\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Mark Bird\recent
Description : list of recently opened documents



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 33



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 33


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
14 entries scanned.
New critical objects:3
Objects found so far: 36




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 36

17:04:38 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:28:03.250
Objects scanned:152818
Objects identified:3
Objects ignored:0
New critical objects:3

Cheers :tazz:

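The indicators jonnyrotten picked out of the first log (hosts entries that send search domains to 69.20.16.183, and a Winlogon Notify DLL with a random-looking name) and the new O20 entry in the 18 March log can be pulled out of the logs mechanically rather than by eye. The script below is an added example; it is not part of the original thread and not a feature of HijackThis or Ad-Aware. The two log excerpts are copied from this thread, while the hosts file sample, the allowlist of stock Windows XP SP2 Winlogon Notify subkeys and the random-name heuristic are this example's own assumptions.

```python
"""Triage HijackThis O1/O20 lines and a raw hosts file for the two indicators
discussed in this thread: hosts-file redirects and Winlogon Notify DLLs.

Added example; not part of HijackThis, Ad-Aware or the original posts.
The log excerpts are copied from the thread; the hosts file sample, the
allowlist and the 'random name' heuristic are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Excerpt of the 03/13/2005 log: the lines listed for removal, plus two
# benign lines so the filters have something to ignore.
LOG_BEFORE = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\lvnq0955e.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# Excerpt of the 03/18/2005 log posted after the cleanup.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\en0sl1d71.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# Constructed hosts file in the shape Ad-Aware reported (not copied from the machine).
HOSTS_SAMPLE = """
# constructed sample
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com   # a redirect, not a block
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
"""

# A hosts entry pointing at one of these blocks a name; anything else redirects it.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Winlogon Notify subkeys on a stock Windows XP SP2 install (assumption:
# extend with third-party entries you know to be legitimate).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s+(.+?)\s+-\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "hosts-redirect" or "winlogon-notify"
    detail: str


def looks_random(stem):
    """Heuristic for generated names such as lvnq0955e or en0sl1d71: letters and
    digits alternate in at least three runs and there are at least three digits.
    Vendor names like crypt32 or ati2evxx do not qualify."""
    runs = re.findall(r"[a-z]+|\d+", stem, re.I)
    digits = sum(c.isdigit() for c in stem)
    return len(runs) >= 3 and digits >= 3


def parse_hosts_redirects(log):
    """O1 lines whose address is not a sinkhole: the name is being redirected."""
    out = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line)
        if m and m.group(1) not in SINKHOLE_IPS:
            out.append(Finding("hosts-redirect", f"{m.group(2)} -> {m.group(1)}"))
    return out


def parse_winlogon_notify(log):
    """O20 lines whose subkey is unknown and whose DLL name looks generated."""
    out = []
    for line in log.splitlines():
        m = NOTIFY_RE.match(line)
        if not m:
            continue
        name, dll = m.group(1), m.group(2)
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if name.lower() not in KNOWN_NOTIFY and looks_random(stem):
            out.append(Finding("winlogon-notify", f"{name} -> {dll}"))
    return out


def triage(log):
    return parse_hosts_redirects(log) + parse_winlogon_notify(log)


def notify_dlls(log):
    """Every Winlogon Notify DLL path in a log, flagged or not."""
    return {m.group(2) for m in map(NOTIFY_RE.match, log.splitlines()) if m}


def respawned(before, after):
    """Notify DLLs present only in the later log: the entry removed earlier was
    re-registered under a new name, so whatever drops it is still active."""
    return notify_dlls(after) - notify_dlls(before)


def hosts_file_redirects(text):
    """The same redirect check against a raw hosts file
    (C:\\WINDOWS\\system32\\drivers\\etc\\hosts), ignoring comments and blanks."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] in SINKHOLE_IPS:
            continue
        for name in fields[1:]:
            out.append(Finding("hosts-redirect", f"{name} -> {fields[0]}"))
    return out


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        for f in triage(log):
            print(f"{label}: {f.kind}: {f.detail}")
    print("respawned:", respawned(LOG_BEFORE, LOG_AFTER))
    for f in hosts_file_redirects(HOSTS_SAMPLE):
        print("hosts file:", f.detail)
```

Run as-is it triages both excerpts and reports the O20 DLL that exists only in the later log. To check a live machine, feed a saved HijackThis log to triage() and the contents of C:\WINDOWS\system32\drivers\etc\hosts to hosts_file_redirects(); the Ad-Aware run in the 18 March post still lists the three 69.20.16.183 entries, so the hosts file itself is worth reading rather than relying on one tool's view of it.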