FRUSTRATED! Please help!


  • This topic is locked

#1
davenmillie
  • Member
  • 15 posts
Hi, I hope somebody can help me (I'm just about ready to throw this computer away and buy a new one). I have been inundated with pop-ups and self-loading programs clogging up my computer. It's even gotten to the point where I get pop-ups when I'm offline (I surf the web via modem).
I have downloaded and used ad-aware, spybot, the Google toolbar pop-up blocker, and spyware blaster, but none of these programs seem to have any effect. Today I found the Hijack This program and ran it, coming up with a lengthy log file.
I'm afraid to delete any of the listed files, because I don't know what they are or what they do. (It's probably plainly obvious that I know very little about computers unless a program tells me exactly what to do).
Can somebody please help?? Thanks in advance- Dave
Oh, by the way, I did follow the instructions at the header of this message board before posting. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 3:50:58 PM, on 3/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\d3lv32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\il979nre\il979nre.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\windows\system32\tdxregrs.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\system32\netat32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\sskmr.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system\optgn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\il979nre\53338932.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\srnwave.exe
C:\PROGRA~1\COMMON~1\wofw\wofwm.exe
C:\Documents and Settings\Administrator\Application Data\aarm.exe
C:\PROGRA~1\COMMON~1\wofw\wofwa.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\wofw\wofwl.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7D8EB849-58B1-5CF1-521F-8E561A2D3F5E} - C:\WINDOWS\syswb32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [oexyefh] c:\windows\system32\oexyefh.exe
O4 - HKLM\..\Run: [il979nre] C:\Program Files\il979nre\il979nre.exe
O4 - HKLM\..\Run: [AutoLoader4F0z1NMVIaaa] "C:\WINDOWS\System32\drmnetbs.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\tdxregrs.exe lee0105
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\hjisysi6.exe lee0105
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehum32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WINDOWS\system32\netat32.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [4srP33R] sskmr.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunOnce: [d3lv32.exe] C:\WINDOWS\d3lv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [LB0FRTd5T] srnwave.exe
O4 - HKCU\..\Run: [wofw] C:\PROGRA~1\COMMON~1\wofw\wofwm.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [Edct] C:\Documents and Settings\Administrator\Application Data\aarm.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\Cache\ezstub.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_5307411] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: ruia.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\esurobri.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com/....chm::/open.exe
O23 - Service: Network Security Service ( 11F #`I) - Unknown owner - C:\WINDOWS\system32\javagq32.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0



#2
OldTimer
  • Global Moderator
  • 3,272 posts
Hi Dave and welcome to the GTG forums. Before you go and throw your computer out the window just remember that computers are your friend! Yes, you do have a mess here but we can get that cleaned up. Afterward, we will want to get some freely available applications to help protect your computer, the main one being an anti-virus application.

So let's start cleaning this up, shall we. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Step #2

Click Start>Run, type services.msc into the editbox and click the Ok button. In the Services window locate the Network Security Service and click the Stop button. In the Startup type dropdown box select Disabled. Click the Apply button and then the Ok button. Close the Services window.

Click Start>Run, type cmd into the editbox and click the Ok button. Copy/paste the line below into the command prompt window and then press the Enter key:

sc delete 11F #`I

Close the command prompt window.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7D8EB849-58B1-5CF1-521F-8E561A2D3F5E} - C:\WINDOWS\syswb32.dll
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [oexyefh] c:\windows\system32\oexyefh.exe
O4 - HKLM\..\Run: [il979nre] C:\Program Files\il979nre\il979nre.exe
O4 - HKLM\..\Run: [AutoLoader4F0z1NMVIaaa] "C:\WINDOWS\System32\drmnetbs.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\tdxregrs.exe lee0105
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\hjisysi6.exe lee0105
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehum32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WINDOWS\system32\netat32.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [4srP33R] sskmr.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunOnce: [d3lv32.exe] C:\WINDOWS\d3lv32.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [LB0FRTd5T] srnwave.exe
O4 - HKCU\..\Run: [wofw] C:\PROGRA~1\COMMON~1\wofw\wofwm.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [Edct] C:\Documents and Settings\Administrator\Application Data\aarm.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\Cache\ezstub.exe
O4 - Global Startup: ruia.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\esurobri.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com/....chm::/open.exe
O23 - Service: Network Security Service ( 11F #`I) - Unknown owner - C:\WINDOWS\system32\javagq32.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\syswb32.dll
C:\WINDOWS\d3lv32.exe
C:\WINDOWS\isrvs\ <--folder
C:\WINDOWS\system\optgn.exe
C:\WINDOWS\system32\nmvoz.dll
C:\WINDOWS\System32\winupdt.exe
c:\windows\system32\oexyefh.exe
C:\WINDOWS\System32\drmnetbs.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\windows\system32\tdxregrs.exe
C:\WINDOWS\System32\hjisysi6.exe
C:\WINDOWS\System32\msmc.exe
C:\WINDOWS\System32\netsync.exe
C:\windows\system32\elitehum32.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\system32\netat32.exe
C:\WINDOWS\System32\sskmr.exe
C:\WINDOWS\System32\sysmonnt
C:\WINDOWS\System32\srnwave.exe
C:\WINDOWS\System32\Cache\ezstub.exe
C:\WINDOWS\system32\javagq32.exe
C:\Program Files\il979nre\ <--folder
C:\Program Files\AutoUpdate\ <--folder
C:\PROGRAM FILES\COMMON FILES\wofw\ <--folder
C:\Program Files\sf\ <--folder
C:\Documents and Settings\Administrator\Application Data\aarm.exe
E6F1873B.DLL (search for this file and delete all instances - see the note below regarding searching in XP)
D0CE0C16B1 (search for this file and delete all instances - see the note below regarding searching in XP)
C:\Documents and Settings\All Users\Application Data\msw\ <--folder
AUNPS2.DLL (search for this file and delete all instances - see the note below regarding searching in XP)
stlb2.dll (search for this file and delete all instances - see the note below regarding searching in XP)
ruia.exe (search for this file and delete all instances - see the note below regarding searching in XP)

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Step #6

Make sure that all other windows are closed, start CWShredder and choose FIX.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in. Please try and keep your internet surfing to a minimum if at all possible until I can check your new log and then get you some information on protection programs.

OT
  • 0

#3
davenmillie
  • Topic Starter
  • Member
  • 15 posts
Hi OT! Thanks for the reply- I followed the directions you gave step by step, but got this message after the last part of step #2 (on the cmd line):


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>sc delete 11F #`I
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


Should I move on to step #3, or do something different?

Thanks- Dave
  • 0

#4
OldTimer
  • Global Moderator
  • 3,272 posts
Hi davenmillie. Go ahead and continue with Step 3 and complete the rest of the steps. I'll see what the new log looks like when you post it back.

Cheers.

OT
  • 0

#5
davenmillie
  • Topic Starter
  • Member
  • 15 posts
Hi OT!
Well, I got through the steps you laid out. My computer already seems to be running smoother while offline. I keep getting booted off when online, however. Anyways here's my HijackThis logfile: (how's it look?)
-Dave



Logfile of HijackThis v1.99.1
Scan saved at 5:39:09 PM, on 4/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\system32\sysiw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E2E2B119-D1A3-9315-CE56-02822929B0FA} - C:\WINDOWS\system32\sysiw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoLoader4F0z1NMVIaaa] "C:\WINDOWS\System32\sskmr.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\Run: [sysiw32.exe] C:\WINDOWS\system32\sysiw32.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\Cache\Advtg.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_93103] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0

#6
OldTimer
  • Global Moderator
  • 3,272 posts
Hi again davenmillie. I'm glad to hear that things are running a little better but you still have quite an infection here. Let's go at this again. Please open Notepad and copy/paste these directions into the new document and then save it on your desktop for reference as we go along. Then proceed with the following steps in order.

Step #1

Download Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Click on Replace on Reboot and click in the checkbox for Use Dummy (you have to repeat this for each file - these settings are not retained).
  • Now paste this file into the top Full Path of File to Delete field:
    • C:\WINDOWS\System32\iakznm.exe
  • Click the Delete File button which looks like a stop sign.
  • Click No at the Pending Operations prompt.

Repeat the above steps for each of the following files. The only difference is that you will be substituting the file listed in the second step with each of the files below.

C:\WINDOWS\system32\sysiw32.exe
C:\WINDOWS\system32\bxouk.dll
C:\WINDOWS\system32\sysiw32.dll
C:\WINDOWS\System32\sskmr.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\system32\sysiw32.exe
C:\WINDOWS\System32\Cache\Advtg.exe
C:\WINDOWS\winac32.exe

After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E2E2B119-D1A3-9315-CE56-02822929B0FA} - C:\WINDOWS\system32\sysiw32.dll
O4 - HKLM\..\Run: [AutoLoader4F0z1NMVIaaa] "C:\WINDOWS\System32\sskmr.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\Run: [sysiw32.exe] C:\WINDOWS\system32\sysiw32.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\Cache\Advtg.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Verify that the following files/folders are gone and if not delete them:

C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\system32\bxouk.dll
C:\WINDOWS\system32\sysiw32.dll
C:\WINDOWS\System32\sskmr.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\system32\sysiw32.exe
C:\WINDOWS\System32\Cache\Advtg.exe
C:\WINDOWS\winac32.exe

Step #4

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT

Edited by OldTimer, 10 April 2005 - 10:47 PM.

  • 0
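
How the first fix list fared against the second scan, as an added example that is not part of the original thread or the helper's own tooling: it keys each HijackThis line by its autostart slot (registry value, BHO CLSID, service key name) and reports which fixed slots survived, which came back pointing at a different file, and which slots are new. The regexes and function names are this example's own assumptions about the v1.99.1 line layout shown above; the sample lines are a subset copied from the two logs in the thread.

```python
import re

# (section, regex) pairs; group 1 is the autostart "slot", group 2 is what it loads.
PATTERNS = [
    ("R",   re.compile(r"^R[01] - (HK.+?) =\s*(.*)$")),
    ("O2",  re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$")),
    ("O4",  re.compile(r"^O4 - (HK\w+\\\.\.\\\w+: \[.+?\]) (.*)$")),
    # Service key name is kept verbatim, including the leading space seen in the logs.
    ("O23", re.compile(r"^O23 - Service: .+ \((.*?)\) - .+? - (.*)$")),
]

# Excerpt of the 3/29 scan: entries the helper left alone ...
KEPT = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

# ... and entries from the same scan that were on the Step #4 fix list.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nmvoz.dll/sp.html#28129
O2 - BHO: (no name) - {7D8EB849-58B1-5CF1-521F-8E561A2D3F5E} - C:\WINDOWS\syswb32.dll
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AutoLoader4F0z1NMVIaaa] "C:\WINDOWS\System32\drmnetbs.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O23 - Service: Network Security Service ( 11F #`I) - Unknown owner - C:\WINDOWS\system32\javagq32.exe (file missing)
"""

# Excerpt of the 4/9 scan posted after the first round of fixes.
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E2E2B119-D1A3-9315-CE56-02822929B0FA} - C:\WINDOWS\system32\sysiw32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AutoLoader4F0z1NMVIaaa] "C:\WINDOWS\System32\sskmr.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\Run: [sysiw32.exe] C:\WINDOWS\system32\sysiw32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""


def parse(text):
    """Map (section, slot) -> lowercased target for every recognised log line."""
    entries = {}
    for line in text.splitlines():
        for section, rx in PATTERNS:
            m = rx.match(line.strip())
            if m:
                # Windows paths are case-insensitive, so compare targets lowercased.
                entries[(section, m.group(1))] = m.group(2).lower()
                break
    return entries


def triage(before, fixed, after):
    """Classify each fixed slot by its state in the later scan; list brand-new slots."""
    report = {"survived": [], "retargeted": [], "gone": [], "new": []}
    for slot, target in fixed.items():
        if slot not in after:
            report["gone"].append(slot)
        elif after[slot] == target:
            report["survived"].append(slot)      # same slot, same file: fix did not hold
        else:
            report["retargeted"].append(slot)    # same slot, different file: re-created
    report["new"] = [slot for slot in after if slot not in before]
    return report


def thread_report():
    """Run the comparison on the excerpts from this thread."""
    fixed = parse(FIX_LIST)
    before = {**parse(KEPT), **fixed}
    return triage(before, fixed, parse(AFTER))


if __name__ == "__main__":
    for status, slots in thread_report().items():
        for section, slot in slots:
            print(f"{status:<11} {section:<4} {slot!r}")
```

Slots that are retargeted rather than gone (the AutoLoader4F0z1NMVIaaa Run value, the service key, the Search Page value) indicate something still running that rewrites them, while the BHO shows up as gone plus new because its CLSID changes between scans.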

#7
davenmillie
  • Topic Starter
  • Member
  • 15 posts
Hello OT, and thanks again for the prompt reply. I went through all the steps on your last post except Step #4; I don't have the Cleanup! program. Can you please include a link to where I can download that one and I'll run through it again.
I ran the HijackThis program again and have the latest logfile. It looks like some of the ones I checked for removal are still there!
Also: before and after rebooting (while typing this letter even- grrrrrr), I got several pop-up error messages as follows:

C:\WINDOWS\system32\appsc32.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\winfr32.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\system32\iakznm.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\system32\syson32.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\system32\apphm.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\d3np.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\sdkgn32.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\system32\addfv.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\system32\netei32.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\system32\javaik32.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\system32\addxh32.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\system32\crry.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\msqe.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.

C:\WINDOWS\crgt32.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:ffe2 OP:fe ff 1e 09 05 Choose Close to terminate the application.




Here's the latest HijackThis logfile: Thanks again! -Dave

Logfile of HijackThis v1.99.1
Scan saved at 12:05:34 PM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mfckd32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ruia.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D1D3F629-D478-30C0-AA11-597B3DEFBC62} - C:\WINDOWS\system32\javagw32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\RunOnce: [mfckd32.exe] C:\WINDOWS\system32\mfckd32.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_182682] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#8
OldTimer
Global Moderator
Hey davenmillie. Actually, things are beginning to look better. The error messages you are receiving are for DOS programs and we will look at those later. For now, I want to eliminate the infection you have in Windows. Let's go at it again. Print these directions (or open Notepad and copy/paste them into the new document and save it to your desktop) and then proceed with the following steps in order.

Step #1

Download CleanUp! and install it but do not run it yet. Sorry about the confusion earlier; I thought we had already done this (too many logs I guess).

Download StartupList1521.zip. Unzip it to its own directory. Do not run this yet either, we will do this later.

Step #2

Click Start>Run, type services.msc into the edit box and click the Ok button. In the services window locate Remote Procedure Call (RPC) Helper and double-click on it. Click on the Stop button and then in the Startup type dropdown box select Disabled. Click the Apply button and then the Ok button.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D1D3F629-D478-30C0-AA11-597B3DEFBC62} - C:\WINDOWS\system32\javagw32.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\RunOnce: [mfckd32.exe] C:\WINDOWS\system32\mfckd32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\system32\bxouk.dll
C:\WINDOWS\system32\javagw32.dll
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\system32\mfckd32.exe
C:\WINDOWS\winac32.exe (verify that this file is actually gone and if not then delete it)

Step #6

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #7

Reboot your computer normally. Start the StartupList program. It will create a log file. Save that file and copy/paste the entire contents of the log file created back here with your next log and I will review it.

Step #8

Start Windows Explorer and navigate to c:\windows\system32\. Locate Autoexec.nt and Config.nt and open them in Notepad and copy/paste the contents of each into the post with your next log file.

Step #9

OK. Start HijackThis and perform a new scan. Post your new log file back here along with details of any problems you encountered performing the above steps, the StartupList log and the contents of Autoexec.nt and Config.nt using the Add Reply button and I will review it when it comes in.

OT

#9
davenmillie
Member (Topic Starter)
Hi OT- Thanks for getting back to me so quickly- That link you posted for the "Cleanup!" program is broken.... =( Do you know of another safe site to download it from?? -Dave

#10
OldTimer
Global Moderator
Hi Dave. I have had some other users that cannot get there either. I don't know why. The link I gave is the direct download. Here is a link to the website itself:

Steven Gould's CleanUp!

If you still cannot get to the site then there is another tool we can use. Download CCleaner and install it.

When you start CCleaner click the Analyze button and then click the Run Cleaner button.

Cheers.

OT

Edited by OldTimer, 12 April 2005 - 10:17 AM.

#11
davenmillie
Member (Topic Starter)
Hello OT!
OK, looks like all of the steps went without a hitch. Just for clarification: on step #4 of your instructions, if the items you list don't match up exactly with the items on my logfile, I should not check them for deletion, correct? (I'm only asking because there are some that are close, but differ by numerics or names of files).
Anyways- here's the requested logfile, StartupList log, Autoexec.nt & Config.nt contents.
Thank you so much for your efforts! -Dave

Logfile of HijackThis v1.99.1
Scan saved at 8:34:13 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\apizm32.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {66CB6D22-78A1-C880-862B-C3F798B2B51E} - C:\WINDOWS\system32\mseu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [apizm32.exe] C:\WINDOWS\apizm32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [L03AXLRD_48690] C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

StartupList report, 4/12/2005, 8:26:25 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Desktop\startuplist\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\apizm32.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Administrator\Desktop\startuplist\StartupList.exe
C:\WINDOWS\System32\wuauclt.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
RIS2PostReboot = C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
CamMonitor = C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
apizm32.exe = C:\WINDOWS\apizm32.exe
KavSvc = C:\WINDOWS\System32\iakznm.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

spc_w = "C:\Program Files\JUSearch\juspc.exe" -w
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

L03AXLRD_48690 = C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE -m

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\system32\mseu.dll - {66CB6D22-78A1-C880-862B-C3F798B2B51E}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,994 bytes
Report generated in 0.100 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

@echo off

REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
REM different startup file is specified in an application's PIF.

REM Install CD ROM extensions
lh %SystemRoot%\system32\mscdexnt.exe

REM Install network redirector (load before dosx.exe)
lh %SystemRoot%\system32\redir

REM Install DPMI support
lh %SystemRoot%\system32\dosx

REM The following line enables Sound Blaster 2.0 support on NTVDM.
REM The command for setting the BLASTER environment is as follows:
REM SET BLASTER=A220 I5 D1 P330
REM where:
REM A specifies the sound blaster's base I/O port
REM I specifies the interrupt request line
REM D specifies the 8-bit DMA channel
REM P specifies the MPU-401 base I/O port
REM T specifies the type of sound blaster card
REM 1 - Sound Blaster 1.5
REM 2 - Sound Blaster Pro I
REM 3 - Sound Blaster 2.0
REM 4 - Sound Blaster Pro II
REM 6 - SOund Blaster 16/AWE 32/32/64
REM
REM The default value is A220 I5 D1 T3 and P330. If any of the switches is
REM left unspecified, the default value will be used. (NOTE, since all the
REM ports are virtualized, the information provided here does not have to
REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only.
REM The T switch must be set to 3, if specified.
SET BLASTER=A220 I5 D1 P330 T3

REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid
REM SB base I/O port address. For example:
REM SET BLASTER=A0

REM Windows MS-DOS Startup File
REM
REM CONFIG.SYS vs CONFIG.NT
REM CONFIG.SYS is not used to initialize the MS-DOS environment.
REM CONFIG.NT is used to initialize the MS-DOS environment unless a
REM different startup file is specified in an application's PIF.
REM
REM ECHOCONFIG
REM By default, no information is displayed when the MS-DOS environment
REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add
REM the command echoconfig to CONFIG.NT or other startup file.
REM
REM NTCMDPROMPT
REM When you return to the command prompt from a TSR or while running an
REM MS-DOS-based application, Windows runs COMMAND.COM. This allows the
REM TSR to remain active. To run CMD.EXE, the Windows command prompt,
REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or
REM other startup file.
REM
REM DOSONLY
REM By default, you can start any type of application when running
REM COMMAND.COM. If you start an application other than an MS-DOS-based
REM application, any running TSR may be disrupted. To ensure that only
REM MS-DOS-based applications can be started, add the command dosonly to
REM CONFIG.NT or other startup file.
REM
REM EMM
REM You can use EMM command line to configure EMM(Expanded Memory Manager).
REM The syntax is:
REM
REM EMM = [A=AltRegSets] [B=BaseSegment] [RAM]
REM
REM AltRegSets
REM specifies the total Alternative Mapping Register Sets you
REM want the system to support. 1 <= AltRegSets <= 255. The
REM default value is 8.
REM BaseSegment
REM specifies the starting segment address in the Dos conventional
REM memory you want the system to allocate for EMM page frames.
REM The value must be given in Hexdecimal.
REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to
REM 16KB boundary. The default value is 0x4000
REM RAM
REM specifies that the system should only allocate 64Kb address
REM space from the Upper Memory Block(UMB) area for EMM page frames
REM and leave the rests(if available) to be used by DOS to support
REM loadhigh and devicehigh commands. The system, by default, would
REM allocate all possible and available UMB for page frames.
REM
REM The EMM size is determined by pif file(either the one associated
REM with your application or _default.pif). If the size from PIF file
REM is zero, EMM will be disabled and the EMM line will be ignored.
REM
dos=high, umb
device=%SystemRoot%\system32\himem.sys
files=40
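
The fix list from post #8 can be compared mechanically against the scan in post #11 to show which entries are unchanged, which have disappeared, and which occupy the same registry slot but now point at a different file. The following is an added example, not part of the original thread or of HijackThis itself; the log lines are copied from the two posts, while the function names and the status labels ("still present", "retargeted", "gone") are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Entries OldTimer listed in step #4 of post #8 (copied from the thread).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bxouk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D1D3F629-D478-30C0-AA11-597B3DEFBC62} - C:\WINDOWS\system32\javagw32.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\RunOnce: [mfckd32.exe] C:\WINDOWS\system32\mfckd32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

# Excerpt of the 4/12/2005 scan posted in post #11 (copied from the thread).
NEW_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {66CB6D22-78A1-C880-862B-C3F798B2B51E} - C:\WINDOWS\system32\mseu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [apizm32.exe] C:\WINDOWS\apizm32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

# slot   = where the entry lives (registry value, BHO CLSID, Run value name)
# target = what it points at (file or URL); empty for entries without one
Entry = namedtuple("Entry", "slot target line")
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
O4_RE = re.compile(r"^(.*?: \[[^\]]*\]) (.*)$")


def parse_entry(line):
    """Split one HijackThis result line into slot and target; None if not an entry."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.groups()
    slot, target = body, ""
    if code in ("R0", "R1") and " = " in body:
        # "key,value = data": R0 and R1 describe the same registry values
        slot, target = body.split(" = ", 1)
        code = "R"
    elif code == "O2" and " - " in body:
        # "BHO: name - {CLSID} - path"
        slot, target = body.rsplit(" - ", 1)
    elif code == "O4":
        # "HKLM\..\Run: [value name] command line"
        m4 = O4_RE.match(body)
        if m4:
            slot, target = m4.groups()
    # Windows paths and registry names are case-insensitive
    return Entry((code + "|" + slot).lower(), target.lower(), line)


def parse_log(text):
    entries = (parse_entry(raw) for raw in text.splitlines())
    return [e for e in entries if e is not None]


def classify(fix_text, scan_text):
    """For each fix-list entry return (status, wanted line, line found in scan or None)."""
    scan = {e.slot: e for e in parse_log(scan_text)}
    results = []
    for want in parse_log(fix_text):
        found = scan.get(want.slot)
        if found is None:
            status = "gone"
        elif found.target == want.target:
            status = "still present"
        else:
            status = "retargeted"  # same slot, different file
        results.append((status, want.line, found.line if found else None))
    return results


def unlisted(fix_text, scan_text):
    """Scan entries whose slot is not on the fix list, left for the helper to review."""
    listed = {e.slot for e in parse_log(fix_text)}
    return [e.line for e in parse_log(scan_text) if e.slot not in listed]


if __name__ == "__main__":
    for status, wanted, found in classify(FIX_LIST, NEW_SCAN):
        print(f"{status:14}{wanted}")
        if status == "retargeted":
            print(f"{'':14}now: {found}")
    print("\nNot on the fix list:")
    for line in unlisted(FIX_LIST, NEW_SCAN):
        print("  " + line)
```

The output only sorts entries for review; a "retargeted" or unlisted line is a prompt to ask the helper about it, not a verdict on the file.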

#12
OldTimer
Global Moderator
Hi davenmillie. I apologize for not getting back sooner. I got to doing some research on this one and then got busy and you fell by the wayside for a couple of days.

Here's what I would like to try next:
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing the Enter key.
This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy/paste the contents of that log into this thread.

I will review the information when it comes in.

Cheers.

OT

#13
davenmillie
Member (Topic Starter)
Hi OT! Don't worry about the delay in response... I'm just grateful for all the help!! Here's the log from that l2mfix program:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
odfrt.dll Tue Mar 1 2005 5:15:44a A.... 66,560 65.00 K
odiru.dll Thu Feb 24 2005 1:04:56p A.... 66,560 65.00 K
odleq.dll Wed Feb 23 2005 11:38:36p A.... 66,560 65.00 K
odmuv.dll Thu Mar 10 2005 4:53:46a A.... 66,560 65.00 K
oeidv.dll Sat Mar 5 2005 12:51:32a A.... 66,560 65.00 K
oftof.dll Sat Feb 19 2005 8:24:14a A.... 66,560 65.00 K
ogblw.dll Fri Mar 11 2005 10:54:06p A.... 66,560 65.00 K
ogdxm.dll Mon Feb 28 2005 2:50:54p A.... 66,560 65.00 K
ohasm.dll Thu Feb 24 2005 11:31:40p A.... 66,560 65.00 K
oiull.dll Mon Feb 21 2005 4:04:06a A.... 66,560 65.00 K
ojrqf.dll Tue Feb 15 2005 5:11:24p A.... 66,560 65.00 K
okbch.dll Sun Feb 20 2005 10:28:40p A.... 66,560 65.00 K
okttz.dll Tue Mar 8 2005 3:21:48p A.... 66,560 65.00 K
olktt.dll Wed Mar 16 2005 11:10:32p A.... 66,560 65.00 K
ollei.dll Thu Feb 24 2005 12:18:50p A.... 66,560 65.00 K
olpjo.dll Sat Feb 26 2005 5:32:00p A.... 66,560 65.00 K
oojko.dll Sat Mar 12 2005 11:34:20a A.... 66,560 65.00 K
oommi.dll Wed Mar 2 2005 3:32:48p A.... 66,560 65.00 K
ooutm.dll Mon Feb 28 2005 7:12:24p A.... 66,560 65.00 K
  • 0

#14
OldTimer

  • Global Moderator
  • 3,272 posts
Holy mackerel davenmillie, we hit the mother lode! This is the major infection currently on your computer. Let's take care of this one and then we should be able to clean up the rest of them.

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop:
  • Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the new L2m logs back here along with a new HijackThis log and I will review the information when it comes in. If the L2m infection is gone we can then tackle the rest of the infections.

OT

#15
davenmillie

  • Topic Starter
  • Member
  • 15 posts
Hey OT- Wow! That's one way to get my attention: "Holy mackerel, we hit the mother lode!" Hah! Here's that L2M fix log and the latest HijackThis log. Thanks again for your persistence. -Dave

L2Mfix 1.03

Running From:
C:\Documents and Settings\Administrator\Desktop\anti-spyware stuff\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Administrator\Desktop\anti-spyware stuff\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Desktop\anti-spyware stuff\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1024 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 13%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 71%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 80%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 8:49:04 AM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\javaon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\apizm32.exe
C:\WINDOWS\System32\iakznm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bozhw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {66CB6D22-78A1-C880-862B-C3F798B2B51E} - C:\WINDOWS\system32\mseu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [apizm32.exe] C:\WINDOWS\apizm32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iakznm.exe
O4 - HKLM\..\RunOnce: [javaon.exe] C:\WINDOWS\javaon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\winac32.exe" /s (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe