Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

address websearch [RESOLVED]

Started by UBYANKEES , May 03 2005 07:44 AM

This topic is locked

#1
UBYANKEES

Posted 03 May 2005 - 07:44 AM

Member

Member
19 posts

Good morning, everytime I type an address in the address line it brings me to a web search page. I was having problems with my wireless router and linksys support had me type in an I.P. address but I kept getting more web search pages and i was never able to pull up the the I.P.. I tried in internet explorer an with optimum online, same thing happens. I am inserting my hijack logs. Is their anything I can do to stop the websearch page from showing up. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:53:37 AM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mshm32.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\2h5hb2pb\2h5hb2pb.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\atldi32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\2h5hb2pb\41505678.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qygwc.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qygwc.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qygwc.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qygwc.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qygwc.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qygwc.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qygwc.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search...look=stmpl1&fw=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4FBCB9CF-DA72-BD56-EC50-BD7B5736C970} - C:\WINDOWS\system32\sysan.dll
O2 - BHO: (no name) - {6819E8F9-6B65-C66F-C5D9-F681C6CDEFBF} - C:\WINDOWS\netkl.dll
O2 - BHO: (no name) - {A3C5C0CE-5122-E73A-AB92-E8EE67589A00} - C:\WINDOWS\system32\syspa.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AC9BAEB7-A211-7E28-D9C4-52F98A8F5720} - C:\WINDOWS\system32\iepf.dll
O2 - BHO: (no name) - {B7B31397-93FC-5ABD-5E72-3C4626580399} - C:\WINDOWS\apiwh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WAKgDA] C:\documents and settings\jesse mack\local settings\temp\WAKgDA.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\system32\OjqN0Y44.exe
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [2h5hb2pb] C:\Program Files\2h5hb2pb\2h5hb2pb.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [atldi32.exe] C:\WINDOWS\system32\atldi32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Workstation NetLogon Service ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mshm32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2
UBYANKEES

Posted 07 May 2005 - 12:17 AM

Member

Topic Starter
Member
19 posts

here's a new log, plus i can not start my norton virus protectionand I keep getting a popup saying my virus protection is turned off.

Scan saved at 2:01:14 AM, on 5/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\winyi32.exe
C:\WINDOWS\msyd32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\looef.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\looef.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\looef.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\looef.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\looef.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\looef.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\looef.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {ED800884-CF0B-46CC-6B33-43B8AA363DE1} - C:\WINDOWS\winyi32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\system32\OjqN0Y44.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [winyi32.exe] C:\WINDOWS\winyi32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msyd32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#3
Guest_usetobe_*

Posted 07 May 2005 - 09:48 AM

Guest

Hi ubyankees,

You have a sick computer, but we can cure it for you. You just need to follow these instructions. Please print off a copy of these instructions so that you have them handy when you need to reboot your PC

You have the Peper trojan.

First, we need to remove the peper trojan. Download this file, run, and let terminate (it'll just blink briefly on your screen and won't appeared to have done much--this is normal):
http://www.geekstogo...=download&id=18

Next Please read this post completely.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. We will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster

Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

#4
UBYANKEES

Posted 11 May 2005 - 10:24 PM

Member

Topic Starter
Member
19 posts

Good evening, I couldn't download CLEANUP, KASPERSKY, TRENDMICRO or BIT DEFENDER, They all gave me WEBSITE NOT AVAILABLE and then a searchlist below the heading. I have include 2 logs one from spsehjfix and one from hijacklogs. I did the rest of the scans like you asked. I am still pulling upsearch menus instead of the address I typed in. Thanks again for all your help.

(5/11/05 11:45:49 PM) SPSeHjFix started v1.1.2
(5/11/05 11:45:49 PM) OS: WinXP Service Pack 2 (5.1.2600)
(5/11/05 11:45:49 PM) Language: english
(5/11/05 11:45:49 PM) Win-Path: C:\WINDOWS
(5/11/05 11:45:49 PM) System-Path: C:\WINDOWS\system32
(5/11/05 11:45:49 PM) Temp-Path: C:\DOCUME~1\MIKEC~1.MAC\LOCALS~1\Temp\
(5/11/05 11:46:02 PM) Disinfection started
(5/11/05 11:46:02 PM) Bad-Dll(IEP): (not found)
(5/11/05 11:46:02 PM) Bad-Dll(IEP) in BHO: (not found)
(5/11/05 11:46:02 PM) UBF: 4 - UBB: 3 - UBR: 182
(5/11/05 11:46:02 PM) UBF: 4 - UBB: 3 - UBR: 182
(5/11/05 11:46:02 PM) Bad IE-pages: (none)
(5/11/05 11:46:02 PM) Stealth-String not found
(5/11/05 11:46:02 PM) Not infected->END

Scan saved at 12:21:58 AM, on 5/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\winyi32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fekew.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fekew.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fekew.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fekew.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fekew.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fekew.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fekew.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6BE5F602-57FC-035D-69BB-0127DBDAD5A1} - C:\WINDOWS\system32\winij32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {ED800884-CF0B-46CC-6B33-43B8AA363DE1} - C:\WINDOWS\winyi32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [winyi32.exe] C:\WINDOWS\winyi32.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [javajb.exe] C:\WINDOWS\javajb.exe
O4 - HKLM\..\RunOnce: [msyd32.exe] C:\WINDOWS\msyd32.exe
O4 - HKLM\..\RunOnce: [syscx.exe] C:\WINDOWS\system32\syscx.exe
O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\sdkmn32.exe
O4 - HKLM\..\RunOnce: [javamn32.exe] C:\WINDOWS\javamn32.exe
O4 - HKLM\..\RunOnce: [apirp.exe] C:\WINDOWS\system32\apirp.exe
O4 - HKLM\..\RunOnce: [netfl32.exe] C:\WINDOWS\system32\netfl32.exe
O4 - HKLM\..\RunOnce: [winkf32.exe] C:\WINDOWS\system32\winkf32.exe
O4 - HKLM\..\RunOnce: [appap32.exe] C:\WINDOWS\appap32.exe
O4 - HKLM\..\RunOnce: [msor.exe] C:\WINDOWS\system32\msor.exe
O4 - HKLM\..\RunOnce: [addik.exe] C:\WINDOWS\addik.exe
O4 - HKLM\..\RunOnce: [mfcug32.exe] C:\WINDOWS\system32\mfcug32.exe
O4 - HKLM\..\RunOnce: [ieib.exe] C:\WINDOWS\system32\ieib.exe
O4 - HKLM\..\RunOnce: [ipto.exe] C:\WINDOWS\system32\ipto.exe
O4 - HKLM\..\RunOnce: [appyi.exe] C:\WINDOWS\appyi.exe
O4 - HKLM\..\RunOnce: [atljb.exe] C:\WINDOWS\atljb.exe
O4 - HKLM\..\RunOnce: [iexv32.exe] C:\WINDOWS\system32\iexv32.exe
O4 - HKLM\..\RunOnce: [winzi.exe] C:\WINDOWS\winzi.exe
O4 - HKLM\..\RunOnce: [crmk32.exe] C:\WINDOWS\system32\crmk32.exe
O4 - HKLM\..\RunOnce: [d3rb32.exe] C:\WINDOWS\system32\d3rb32.exe
O4 - HKLM\..\RunOnce: [msdu.exe] C:\WINDOWS\msdu.exe
O4 - HKLM\..\RunOnce: [sdkbi.exe] C:\WINDOWS\system32\sdkbi.exe
O4 - HKLM\..\RunOnce: [msfm.exe] C:\WINDOWS\system32\msfm.exe
O4 - HKLM\..\RunOnce: [addqe32.exe] C:\WINDOWS\system32\addqe32.exe
O4 - HKLM\..\RunOnce: [mfcgu.exe] C:\WINDOWS\system32\mfcgu.exe
O4 - HKLM\..\RunOnce: [sdkkq32.exe] C:\WINDOWS\system32\sdkkq32.exe
O4 - HKLM\..\RunOnce: [netty.exe] C:\WINDOWS\system32\netty.exe
O4 - HKLM\..\RunOnce: [ipzn32.exe] C:\WINDOWS\system32\ipzn32.exe
O4 - HKLM\..\RunOnce: [netok32.exe] C:\WINDOWS\system32\netok32.exe
O4 - HKLM\..\RunOnce: [addso32.exe] C:\WINDOWS\system32\addso32.exe
O4 - HKLM\..\RunOnce: [ipva32.exe] C:\WINDOWS\ipva32.exe
O4 - HKLM\..\RunOnce: [javaae.exe] C:\WINDOWS\javaae.exe
O4 - HKLM\..\RunOnce: [ntbe32.exe] C:\WINDOWS\ntbe32.exe
O4 - HKLM\..\RunOnce: [ntpb32.exe] C:\WINDOWS\ntpb32.exe
O4 - HKLM\..\RunOnce: [appuy.exe] C:\WINDOWS\appuy.exe
O4 - HKLM\..\RunOnce: [sysyc.exe] C:\WINDOWS\system32\sysyc.exe
O4 - HKLM\..\RunOnce: [apinz32.exe] C:\WINDOWS\apinz32.exe
O4 - HKLM\..\RunOnce: [nteg32.exe] C:\WINDOWS\nteg32.exe
O4 - HKLM\..\RunOnce: [mswx.exe] C:\WINDOWS\mswx.exe
O4 - HKLM\..\RunOnce: [appuv32.exe] C:\WINDOWS\appuv32.exe
O4 - HKLM\..\RunOnce: [atlng.exe] C:\WINDOWS\atlng.exe
O4 - HKLM\..\RunOnce: [sdkuj32.exe] C:\WINDOWS\sdkuj32.exe
O4 - HKLM\..\RunOnce: [sdkur.exe] C:\WINDOWS\sdkur.exe
O4 - HKLM\..\RunOnce: [ntcs.exe] C:\WINDOWS\system32\ntcs.exe
O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe
O4 - HKLM\..\RunOnce: [ieuy.exe] C:\WINDOWS\ieuy.exe
O4 - HKLM\..\RunOnce: [crqk.exe] C:\WINDOWS\system32\crqk.exe
O4 - HKLM\..\RunOnce: [wingz32.exe] C:\WINDOWS\wingz32.exe
O4 - HKLM\..\RunOnce: [mfceh.exe] C:\WINDOWS\mfceh.exe
O4 - HKLM\..\RunOnce: [ntal32.exe] C:\WINDOWS\system32\ntal32.exe
O4 - HKLM\..\RunOnce: [apijl.exe] C:\WINDOWS\apijl.exe
O4 - HKLM\..\RunOnce: [netxi32.exe] C:\WINDOWS\system32\netxi32.exe
O4 - HKLM\..\RunOnce: [apimf32.exe] C:\WINDOWS\apimf32.exe
O4 - HKLM\..\RunOnce: [winib32.exe] C:\WINDOWS\winib32.exe
O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\system32\netln32.exe
O4 - HKLM\..\RunOnce: [sdkqr.exe] C:\WINDOWS\system32\sdkqr.exe
O4 - HKLM\..\RunOnce: [ntzr32.exe] C:\WINDOWS\ntzr32.exe
O4 - HKLM\..\RunOnce: [ipfo32.exe] C:\WINDOWS\system32\ipfo32.exe
O4 - HKLM\..\RunOnce: [appkt.exe] C:\WINDOWS\system32\appkt.exe
O4 - HKLM\..\RunOnce: [ieox.exe] C:\WINDOWS\ieox.exe
O4 - HKLM\..\RunOnce: [netxd32.exe] C:\WINDOWS\netxd32.exe
O4 - HKLM\..\RunOnce: [addws.exe] C:\WINDOWS\system32\addws.exe
O4 - HKLM\..\RunOnce: [d3vi32.exe] C:\WINDOWS\system32\d3vi32.exe
O4 - HKLM\..\RunOnce: [ntlp32.exe] C:\WINDOWS\ntlp32.exe
O4 - HKLM\..\RunOnce: [sdktf.exe] C:\WINDOWS\sdktf.exe
O4 - HKLM\..\RunOnce: [iptg.exe] C:\WINDOWS\system32\iptg.exe
O4 - HKLM\..\RunOnce: [addhc32.exe] C:\WINDOWS\addhc32.exe
O4 - HKLM\..\RunOnce: [sdkbe32.exe] C:\WINDOWS\sdkbe32.exe
O4 - HKLM\..\RunOnce: [apirl32.exe] C:\WINDOWS\system32\apirl32.exe
O4 - HKLM\..\RunOnce: [netzb.exe] C:\WINDOWS\system32\netzb.exe
O4 - HKLM\..\RunOnce: [apiab.exe] C:\WINDOWS\apiab.exe
O4 - HKLM\..\RunOnce: [javapr32.exe] C:\WINDOWS\system32\javapr32.exe
O4 - HKLM\..\RunOnce: [d3jk.exe] C:\WINDOWS\d3jk.exe
O4 - HKLM\..\RunOnce: [appgh32.exe] C:\WINDOWS\system32\appgh32.exe
O4 - HKLM\..\RunOnce: [appgx.exe] C:\WINDOWS\system32\appgx.exe
O4 - HKLM\..\RunOnce: [apitb32.exe] C:\WINDOWS\apitb32.exe
O4 - HKLM\..\RunOnce: [javair32.exe] C:\WINDOWS\system32\javair32.exe
O4 - HKLM\..\RunOnce: [ntsr.exe] C:\WINDOWS\system32\ntsr.exe
O4 - HKLM\..\RunOnce: [ntyo32.exe] C:\WINDOWS\system32\ntyo32.exe
O4 - HKLM\..\RunOnce: [ntml32.exe] C:\WINDOWS\system32\ntml32.exe
O4 - HKLM\..\RunOnce: [ntmt32.exe] C:\WINDOWS\ntmt32.exe
O4 - HKLM\..\RunOnce: [javaax32.exe] C:\WINDOWS\system32\javaax32.exe
O4 - HKLM\..\RunOnce: [d3oi.exe] C:\WINDOWS\system32\d3oi.exe
O4 - HKLM\..\RunOnce: [mfcoi32.exe] C:\WINDOWS\mfcoi32.exe
O4 - HKLM\..\RunOnce: [winmx32.exe] C:\WINDOWS\system32\winmx32.exe
O4 - HKLM\..\RunOnce: [atllv.exe] C:\WINDOWS\system32\atllv.exe
O4 - HKLM\..\RunOnce: [sdkak32.exe] C:\WINDOWS\sdkak32.exe
O4 - HKLM\..\RunOnce: [winuv32.exe] C:\WINDOWS\system32\winuv32.exe
O4 - HKLM\..\RunOnce: [ieew.exe] C:\WINDOWS\system32\ieew.exe
O4 - HKLM\..\RunOnce: [ieyp32.exe] C:\WINDOWS\ieyp32.exe
O4 - HKLM\..\RunOnce: [d3py.exe] C:\WINDOWS\d3py.exe
O4 - HKLM\..\RunOnce: [iejz32.exe] C:\WINDOWS\iejz32.exe
O4 - HKLM\..\RunOnce: [netvl32.exe] C:\WINDOWS\system32\netvl32.exe
O4 - HKLM\..\RunOnce: [ipxk.exe] C:\WINDOWS\ipxk.exe
O4 - HKLM\..\RunOnce: [appwa32.exe] C:\WINDOWS\appwa32.exe
O4 - HKLM\..\RunOnce: [ievp32.exe] C:\WINDOWS\system32\ievp32.exe
O4 - HKLM\..\RunOnce: [ieux.exe] C:\WINDOWS\ieux.exe
O4 - HKLM\..\RunOnce: [msdf.exe] C:\WINDOWS\system32\msdf.exe
O4 - HKLM\..\RunOnce: [atlsv32.exe] C:\WINDOWS\atlsv32.exe
O4 - HKLM\..\RunOnce: [netjc32.exe] C:\WINDOWS\system32\netjc32.exe
O4 - HKLM\..\RunOnce: [mfceg.exe] C:\WINDOWS\system32\mfceg.exe
O4 - HKLM\..\RunOnce: [sysdv32.exe] C:\WINDOWS\system32\sysdv32.exe
O4 - HKLM\..\RunOnce: [crbl32.exe] C:\WINDOWS\crbl32.exe
O4 - HKLM\..\RunOnce: [d3ce32.exe] C:\WINDOWS\d3ce32.exe
O4 - HKLM\..\RunOnce: [addvb32.exe] C:\WINDOWS\system32\addvb32.exe
O4 - HKLM\..\RunOnce: [sdkpw.exe] C:\WINDOWS\sdkpw.exe
O4 - HKLM\..\RunOnce: [winkg.exe] C:\WINDOWS\system32\winkg.exe
O4 - HKLM\..\RunOnce: [javaxi32.exe] C:\WINDOWS\system32\javaxi32.exe
O4 - HKLM\..\RunOnce: [javarw32.exe] C:\WINDOWS\system32\javarw32.exe
O4 - HKLM\..\RunOnce: [iecu32.exe] C:\WINDOWS\system32\iecu32.exe
O4 - HKLM\..\RunOnce: [sysvg32.exe] C:\WINDOWS\system32\sysvg32.exe
O4 - HKLM\..\RunOnce: [javabi.exe] C:\WINDOWS\javabi.exe
O4 - HKLM\..\RunOnce: [ntqf32.exe] C:\WINDOWS\ntqf32.exe
O4 - HKLM\..\RunOnce: [atldz.exe] C:\WINDOWS\atldz.exe
O4 - HKLM\..\RunOnce: [atljw32.exe] C:\WINDOWS\atljw32.exe
O4 - HKLM\..\RunOnce: [winee.exe] C:\WINDOWS\winee.exe
O4 - HKLM\..\RunOnce: [ietb32.exe] C:\WINDOWS\ietb32.exe
O4 - HKLM\..\RunOnce: [nthd.exe] C:\WINDOWS\nthd.exe
O4 - HKLM\..\RunOnce: [ntvy32.exe] C:\WINDOWS\system32\ntvy32.exe
O4 - HKLM\..\RunOnce: [atlbs.exe] C:\WINDOWS\atlbs.exe
O4 - HKLM\..\RunOnce: [msye32.exe] C:\WINDOWS\system32\msye32.exe
O4 - HKLM\..\RunOnce: [iegm32.exe] C:\WINDOWS\iegm32.exe
O4 - HKLM\..\RunOnce: [ntlg.exe] C:\WINDOWS\system32\ntlg.exe
O4 - HKLM\..\RunOnce: [atlqf32.exe] C:\WINDOWS\system32\atlqf32.exe
O4 - HKLM\..\RunOnce: [crqn.exe] C:\WINDOWS\crqn.exe
O4 - HKLM\..\RunOnce: [nttz.exe] C:\WINDOWS\system32\nttz.exe
O4 - HKLM\..\RunOnce: [msjo32.exe] C:\WINDOWS\system32\msjo32.exe
O4 - HKLM\..\RunOnce: [addzv.exe] C:\WINDOWS\system32\addzv.exe
O4 - HKLM\..\RunOnce: [msyj.exe] C:\WINDOWS\msyj.exe
O4 - HKLM\..\RunOnce: [addun32.exe] C:\WINDOWS\addun32.exe
O4 - HKLM\..\RunOnce: [javaqx32.exe] C:\WINDOWS\javaqx32.exe
O4 - HKLM\..\RunOnce: [mfcws32.exe] C:\WINDOWS\mfcws32.exe
O4 - HKLM\..\RunOnce: [crye.exe] C:\WINDOWS\system32\crye.exe
O4 - HKLM\..\RunOnce: [winrb.exe] C:\WINDOWS\winrb.exe
O4 - HKLM\..\RunOnce: [sdkwc.exe] C:\WINDOWS\system32\sdkwc.exe
O4 - HKLM\..\RunOnce: [iptv32.exe] C:\WINDOWS\iptv32.exe
O4 - HKLM\..\RunOnce: [javayz.exe] C:\WINDOWS\system32\javayz.exe
O4 - HKLM\..\RunOnce: [mfcmt.exe] C:\WINDOWS\system32\mfcmt.exe
O4 - HKLM\..\RunOnce: [apipr.exe] C:\WINDOWS\apipr.exe
O4 - HKLM\..\RunOnce: [winij32.exe] C:\WINDOWS\system32\winij32.exe
O4 - HKLM\..\RunOnce: [crnm.exe] C:\WINDOWS\system32\crnm.exe
O4 - HKLM\..\RunOnce: [ntgm32.exe] C:\WINDOWS\system32\ntgm32.exe
O4 - HKLM\..\RunOnce: [addtd.exe] C:\WINDOWS\system32\addtd.exe
O4 - HKLM\..\RunOnce: [d3yx32.exe] C:\WINDOWS\d3yx32.exe
O4 - HKLM\..\RunOnce: [wincb32.exe] C:\WINDOWS\wincb32.exe
O4 - HKLM\..\RunOnce: [atlhf.exe] C:\WINDOWS\system32\atlhf.exe
O4 - HKLM\..\RunOnce: [iemh.exe] C:\WINDOWS\iemh.exe
O4 - HKLM\..\RunOnce: [appqf32.exe] C:\WINDOWS\appqf32.exe
O4 - HKLM\..\RunOnce: [d3vi.exe] C:\WINDOWS\system32\d3vi.exe
O4 - HKLM\..\RunOnce: [sdkzm.exe] C:\WINDOWS\sdkzm.exe
O4 - HKLM\..\RunOnce: [mfceo32.exe] C:\WINDOWS\mfceo32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msyd32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5
UBYANKEES

Posted 11 May 2005 - 10:26 PM

Member

Topic Starter
Member
19 posts

#6
Guest_usetobe_*

Posted 12 May 2005 - 02:55 AM

Guest

Hi UBYANKEES,

Ding Ding there is the bell for round two.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#7
UBYANKEES

Posted 12 May 2005 - 12:31 PM

Member

Topic Starter
Member
19 posts

Here is the l2fix log:

These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="America Online"
"{D1FB6C78-10FD-45cd-8FF4-8267D62992FB}"="CompuServe"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{3AA2EA10-0C2E-4FAD-9F18-EB3DCC991CBF}"="IDMC1Mnu"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{B5FB6487-7E79-4816-B73B-8A65E41971DA}"="BullGuard Antivirus v4"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aalxz.dll Thu Mar 3 2005 10:33:48p A.... 64,000 62.50 K
addkh32.dll Wed Apr 27 2005 1:06:10p A.... 0 0.00 K
apilb32.dll Mon Apr 18 2005 8:30:38a A.... 0 0.00 K
apiri32.dll Sun Apr 3 2005 10:53:10p A.... 0 0.00 K
apirq32.dll Thu Apr 28 2005 9:08:30a ..... 84,015 82.04 K
apiyq.dll Sun Apr 17 2005 12:29:48a A.... 0 0.00 K
atlmk32.dll Thu Apr 14 2005 6:44:22p ..... 84,015 82.04 K
atlny.dll Sat Apr 23 2005 5:08:00p ..... 84,015 82.04 K
atlpy.dll Tue Apr 12 2005 9:03:42a A.... 0 0.00 K
authz.dll Wed Mar 2 2005 2:09:30p A.... 56,832 55.50 K
bcrbh.dll Thu Feb 17 2005 8:14:58a A.... 64,000 62.50 K
bkead.dll Sun Apr 24 2005 8:05:12p A.... 0 0.00 K
browseui.dll Thu Mar 10 2005 4:02:34a A.... 1,016,832 993.00 K
burnq.dll Sun Feb 13 2005 11:03:36a A.... 64,000 62.50 K
byotv.dll Wed Mar 2 2005 11:43:26p A.... 64,000 62.50 K
bzryl.dll Sun Mar 6 2005 9:54:24a A.... 64,000 62.50 K
cdfview.dll Thu Mar 10 2005 4:02:34a A.... 151,040 147.50 K
crar.dll Fri Apr 15 2005 10:11:12a ..... 80,959 79.06 K
crcm.dll Sun Apr 17 2005 4:11:36p ..... 84,015 82.04 K
crhr32.dll Tue Apr 5 2005 12:39:36a ..... 80,959 79.06 K
criy.dll Wed Apr 27 2005 7:44:14p A.... 0 0.00 K
crlu32.dll Mon Apr 18 2005 6:03:48p ..... 80,959 79.06 K
crpt32.dll Sat Apr 16 2005 2:23:12a ..... 80,959 79.06 K
cssry.dll Fri Feb 11 2005 1:19:28p A.... 64,000 62.50 K
d3bx.dll Sun Apr 10 2005 2:21:12a ..... 80,959 79.06 K
d3fz32.dll Fri Apr 29 2005 9:54:52a A.... 0 0.00 K
d3pg32.dll Mon Apr 18 2005 3:46:08p ..... 80,959 79.06 K
dgmsm.dll Wed May 4 2005 3:32:24a A.... 66,560 65.00 K
ehgae.dll Tue Mar 8 2005 4:46:40a A.... 64,000 62.50 K
emexi.dll Sun Feb 27 2005 9:09:20a A.... 64,000 62.50 K
ftpmr.dll Mon Feb 14 2005 8:56:58a A.... 64,000 62.50 K
gxlsr.dll Thu Mar 10 2005 3:36:06a A.... 64,000 62.50 K
gzyze.dll Thu Feb 24 2005 4:10:54p A.... 64,000 62.50 K
hgffl.dll Wed Mar 9 2005 3:42:28a A.... 64,000 62.50 K
hjwpf.dll Wed Feb 16 2005 8:24:34p A.... 64,000 62.50 K
hlfjc.dll Wed Mar 2 2005 2:56:50a A.... 64,000 62.50 K
hswom.dll Sun Feb 20 2005 4:16:28p A.... 64,000 62.50 K
ieoo32.dll Fri Apr 22 2005 11:08:32p A.... 0 0.00 K
iepeers.dll Thu Mar 10 2005 4:02:34a A.... 250,880 245.00 K
ignuk.dll Tue Feb 22 2005 4:34:24p A.... 64,000 62.50 K
inseng.dll Thu Mar 10 2005 4:02:34a A.... 96,256 94.00 K
ipjd.dll Thu Apr 28 2005 9:58:38p ..... 80,959 79.06 K
ipoe.dll Thu Apr 28 2005 7:12:10p A.... 0 0.00 K
ipyo32.dll Sat Apr 2 2005 6:00:50a A.... 0 0.00 K
ivwgd.dll Sun Feb 20 2005 7:44:08p A.... 64,000 62.50 K
ixhvq.dll Mon Feb 21 2005 4:54:42p A.... 64,000 62.50 K
javapq.dll Sat Apr 16 2005 10:07:56p A.... 0 0.00 K
javaxn32.dll Mon Apr 25 2005 2:55:38a A.... 0 0.00 K
jbcsh.dll Sun Mar 13 2005 2:55:22a A.... 64,000 62.50 K
jictz.dll Mon Feb 28 2005 8:29:16p A.... 64,000 62.50 K
jjbqh.dll Fri Feb 25 2005 4:03:08p A.... 64,000 62.50 K
jlina.dll Wed Feb 23 2005 1:39:44a A.... 64,000 62.50 K
kqisd.dll Sun Mar 6 2005 2:15:18a A.... 64,000 62.50 K
ldzwq.dll Tue Feb 22 2005 3:32:12p A.... 64,000 62.50 K
lutyc.dll Mon Feb 28 2005 9:11:26a A.... 64,000 62.50 K
lzffi.dll Thu Mar 3 2005 4:27:30p A.... 64,000 62.50 K
mfcvn32.dll Wed Apr 13 2005 5:31:36p A.... 0 0.00 K
mfcvt.dll Mon Apr 25 2005 4:01:48a A.... 0 0.00 K
mfczy.dll Tue Apr 26 2005 12:49:56a A.... 0 0.00 K
msfp32.dll Tue Apr 12 2005 3:41:48p A.... 0 0.00 K
mshtml.dll Thu Mar 10 2005 4:02:34a A.... 3,010,560 2.87 M
msi.dll Mon Mar 21 2005 3:00:20p A.... 2,890,240 2.75 M
msihnd.dll Mon Mar 21 2005 3:00:22p A.... 271,360 265.00 K
msimsg.dll Mon Mar 21 2005 3:00:22p A.... 884,736 864.00 K
msir32.dll Mon Apr 18 2005 10:19:04p A.... 0 0.00 K
msisip.dll Mon Mar 21 2005 3:00:22p A.... 15,360 15.00 K
mslj32.dll Mon Apr 18 2005 9:26:30p A.... 0 0.00 K
msnu32.dll Wed Apr 20 2005 3:44:50a A.... 0 0.00 K
msrating.dll Thu Mar 10 2005 4:02:34a A.... 146,432 143.00 K
msxt.dll Mon May 9 2005 8:22:52a ..... 84,015 82.04 K
mxuag.dll Fri Mar 11 2005 6:55:02p A.... 64,000 62.50 K
netho32.dll Fri Apr 8 2005 1:52:14p A.... 0 0.00 K
netlj32.dll Sun Apr 17 2005 3:46:00p A.... 0 0.00 K
netvk32.dll Thu Apr 21 2005 9:28:14p ..... 80,959 79.06 K
ntgy.dll Tue Apr 12 2005 8:59:36p ..... 80,959 79.06 K
ntzq32.dll Thu Apr 14 2005 12:20:26a ..... 80,959 79.06 K
omcun.dll Thu Feb 24 2005 6:04:08p A.... 64,000 62.50 K
osspw.dll Wed Mar 9 2005 2:43:28p A.... 64,000 62.50 K
ovqct.dll Mon Feb 28 2005 8:15:10p A.... 64,000 62.50 K
pkklb.dll Sun Mar 6 2005 11:03:32p A.... 64,000 62.50 K
prhfk.dll Tue Feb 22 2005 7:37:10a A.... 64,000 62.50 K
qnpnc.dll Thu Feb 17 2005 5:05:02a A.... 64,000 62.50 K
qqgjn.dll Thu Feb 17 2005 9:52:30p A.... 64,000 62.50 K
qvozw.dll Thu Feb 24 2005 6:43:44a A.... 64,000 62.50 K
qxxqi.dll Thu Apr 28 2005 12:27:22a A.... 0 0.00 K
qzhjz.dll Wed Mar 9 2005 5:33:30a A.... 64,000 62.50 K
ridew.dll Sat Mar 5 2005 3:34:38p A.... 64,000 62.50 K
sdkdm32.dll Tue Apr 26 2005 1:32:30a ..... 80,959 79.06 K
sdkgm.dll Sat Apr 30 2005 7:31:14a ..... 80,959 79.06 K
sdkqr32.dll Thu Apr 14 2005 8:42:40p A.... 0 0.00 K
sdkrk.dll Tue Apr 5 2005 4:49:58a ..... 80,959 79.06 K
shdocvw.dll Thu Mar 10 2005 4:02:34a A.... 1,483,264 1.41 M
shell32.dll Mon Feb 28 2005 7:11:18p A.... 8,450,048 8.06 M
shlwapi.dll Thu Mar 10 2005 4:02:34a A.... 473,600 462.50 K
spmsg.dll Thu Feb 24 2005 7:35:06p ..... 14,048 13.72 K
svuxk.dll Mon Feb 14 2005 2:33:46p A.... 64,000 62.50 K
sxxln.dll Wed May 11 2005 6:38:40p A.... 66,560 65.00 K
symneti.dll Tue Apr 5 2005 11:17:04a A.... 517,848 505.71 K
symredir.dll Tue Apr 5 2005 11:17:04a A.... 132,824 129.71 K
systi.dll Fri Apr 15 2005 10:00:54a ..... 84,015 82.04 K
teuqj.dll Sun Feb 27 2005 7:47:50p A.... 64,000 62.50 K
tijrs.dll Sun Feb 20 2005 6:58:30p A.... 64,000 62.50 K
tjqfk.dll Wed Feb 23 2005 9:30:00p A.... 64,000 62.50 K
urlmon.dll Thu Mar 10 2005 4:02:36a A.... 607,744 593.50 K
user32.dll Wed Mar 2 2005 2:09:30p A.... 577,024 563.50 K
uzmyn.dll Wed Feb 16 2005 4:07:06a A.... 64,000 62.50 K
vqppc.dll Wed Mar 9 2005 12:06:22a A.... 64,000 62.50 K
vrhvs.dll Mon Mar 14 2005 8:03:56p A.... 64,000 62.50 K
wingz32.dll Wed Apr 27 2005 5:22:24p A.... 0 0.00 K
winij32.dll Wed Apr 20 2005 6:47:46a ..... 84,015 82.04 K
wininet.dll Thu Mar 10 2005 4:02:36a A.... 656,896 641.50 K
winsrv.dll Wed Mar 2 2005 2:09:30p A.... 291,328 284.50 K
winsusrm.dll Mon Apr 25 2005 1:21:14p A.... 264 0.26 K
xkxkv.dll Fri Apr 29 2005 8:08:22a A.... 66,560 65.00 K
xxlvg.dll Tue Feb 15 2005 5:50:02a A.... 64,000 62.50 K
ywmsf.dll Sat Feb 19 2005 8:49:54a A.... 64,000 62.50 K
yyggg.dll Mon Feb 21 2005 8:14:16p A.... 64,000 62.50 K
ztiwh.dll Wed Apr 20 2005 2:29:04p A.... 0 0.00 K
zwsdx.dll Wed May 11 2005 7:45:36p A.... 66,560 65.00 K
zwxsw.dll Fri Mar 11 2005 5:09:58a A.... 64,000 62.50 K
zzwdh.dll Sun Feb 20 2005 2:46:36a A.... 64,000 62.50 K

121 items found: 121 files, 0 directories.
Total of file sizes: 27,038,228 bytes 25.79 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C8DC-65E8

Directory of C:\WINDOWS\System32

05/12/2005 02:07 PM <DIR> dllcache
05/07/2005 10:15 AM 32 {9C36DC3E-C18A-449A-AC2C-301221B31A01}.dat
04/07/2005 08:14 PM 846 LkhAX92.yd2
03/25/2005 09:57 PM 846 Ahm8.dv7
03/19/2005 05:07 PM 846 NuaK63G.i9q
02/01/2005 03:41 AM 11,592 igsqo.txt
01/27/2005 04:34 PM 11,592 ckhxp.log
01/22/2005 06:55 PM 3,547 vyruq.txt
01/21/2005 03:05 PM 11,592 eoqdd.log
01/21/2005 09:01 AM 3,547 ybacc.txt
01/21/2005 12:38 AM 11,592 tgxud.log
01/20/2005 09:53 PM 846 Xek8.b76
01/19/2005 05:28 PM 11,592 ckyfv.log
01/19/2005 01:18 AM 11,592 rvaxs.txt
01/17/2005 09:26 PM 846 FmrCj.a90
01/17/2005 08:21 PM 4,402 moxqh.txt
01/10/2005 10:09 AM 4,402 qjfsr.log
01/07/2005 01:07 PM 11,592 uhffl.log
01/05/2005 08:44 AM 4,402 ottiy.txt
01/03/2005 07:25 PM 11,592 spvui.txt
01/03/2005 02:08 AM 7,305 diynf.txt
12/26/2004 01:24 PM 11,592 siskg.log
12/18/2004 01:46 PM 11,591 sjjgc.log
12/15/2004 08:00 AM 3,347 yalkk.txt
12/15/2004 06:27 AM 11,591 cgquu.log
12/14/2004 04:01 PM 3,547 fmcvg.txt
12/09/2004 02:10 PM 7,305 roino.log
12/07/2004 02:38 AM 11,591 fbnrp.log
12/06/2004 03:11 PM 3,347 cplyl.txt
12/06/2004 09:20 AM 7,305 qcycl.log
11/29/2004 11:49 PM 7,305 vgazo.txt
11/27/2004 12:52 PM 7,305 inqnw.txt
11/25/2004 04:46 PM 3,347 bgbja.log
11/18/2004 12:39 AM 11,591 ccoqd.log
11/16/2004 05:22 PM 3,347 mgkzs.txt
11/14/2004 06:29 AM 3,347 ctyfo.log
11/13/2004 10:31 AM 3,362 ytxwu.txt
11/11/2004 05:44 AM 11,388 rfcgm.log
11/10/2004 07:30 PM 11,591 ppfld.log
11/10/2004 06:05 PM 11,591 qkrlj.log
11/10/2004 02:05 PM 7,305 yolsm.log
11/06/2004 07:27 PM 3,347 wzufa.log
11/05/2004 12:18 PM 11,591 gsukv.txt
11/03/2004 11:00 PM 11,591 xdunq.log
11/03/2004 12:42 AM 11,388 wjpqa.log
11/02/2004 09:28 PM 11,591 repbt.log
11/02/2004 09:17 PM 11,591 otdzn.txt
11/02/2004 09:04 AM 3,362 dewzn.txt
10/31/2004 04:41 PM 3,362 zhfus.log
10/30/2004 03:36 PM 11,388 pqkbv.txt
10/29/2004 06:09 PM 512 Djp9g.y89
10/29/2004 11:42 AM 11,591 xxcig.txt
10/29/2004 04:31 AM 11,591 krbda.log
10/26/2004 10:09 PM 11,591 jzrax.txt
10/25/2004 05:23 PM 11,388 aqnbd.txt
10/24/2004 09:39 PM 11,591 euuzd.log
10/24/2004 06:49 AM 11,388 jyjvr.txt
10/23/2004 11:17 PM 11,388 lsdme.txt
10/23/2004 01:55 PM 11,591 mpwlm.log
10/23/2004 02:43 AM 11,388 bkxml.log
10/22/2004 08:37 PM 11,388 xqhwi.txt
10/20/2004 03:57 PM 512 Wdi7.06p
10/19/2004 07:05 PM 3,063 kfvzv.txt
10/19/2004 02:45 AM 3,063 wvgkb.txt
10/19/2004 02:13 AM 3,063 yodkr.txt
10/17/2004 12:26 PM 11,591 lpajn.txt
10/16/2004 07:01 PM 11,388 wrdcb.txt
10/16/2004 02:50 PM 11,591 qzwyy.txt
10/14/2004 08:56 PM 11,591 xracz.txt
10/14/2004 12:32 PM 11,591 scnfi.txt
10/12/2004 04:30 PM 3,063 oppnw.txt
10/12/2004 12:03 AM 11,591 gsnqs.log
10/11/2004 07:21 PM 11,591 mwvwb.log
10/10/2004 07:27 PM 11,591 oxexn.log
10/10/2004 02:09 PM 3,063 zhyst.log
10/08/2004 08:54 PM 11,591 klwwi.log
10/08/2004 06:47 AM 11,591 rhoky.txt
10/05/2004 05:12 PM 11,388 fpgqc.log
10/05/2004 01:52 PM 11,388 dlnjo.log
10/02/2004 11:39 AM 11,591 jcnej.txt
10/02/2004 06:21 AM 11,591 hixqf.log
10/01/2004 05:03 AM 3,362 pqpax.txt
09/29/2004 07:26 AM 11,388 hqprx.txt
09/28/2004 05:12 PM 512 IpuFld.016
09/28/2004 08:11 AM 11,591 sgkld.txt
09/27/2004 02:20 PM 11,388 dwfln.txt
09/27/2004 11:13 AM 11,591 mxjyg.log
09/27/2004 04:39 AM 11,591 qknpw.log
09/26/2004 12:18 PM 11,591 kcvpy.txt
09/24/2004 03:14 PM 11,591 qguog.log
09/24/2004 08:55 AM 11,591 ybhfw.txt
09/23/2004 08:21 PM 3,063 kowws.log
09/23/2004 04:18 PM 3,063 khxek.log
09/22/2004 09:31 PM 512 Yfk8.bt6
09/21/2004 06:00 PM 11,388 bjwnk.log
09/20/2004 07:26 PM 11,591 oiemh.txt
09/19/2004 08:04 AM 11,591 axhjz.log
09/16/2004 01:46 PM 11,591 xqssm.txt
09/15/2004 10:22 AM 11,388 wvnef.log
09/14/2004 09:17 AM 11,591 cjkjo.txt
09/13/2004 12:51 PM 11,591 mhadt.txt
09/13/2004 08:32 AM 3,063 rbssr.txt
09/12/2004 07:01 PM 11,388 pmgpt.txt
09/11/2004 11:11 PM 3,063 astgq.log
09/10/2004 07:52 PM 11,591 qonke.log
09/08/2004 07:49 AM 11,591 npifp.log
09/07/2004 01:30 PM 11,591 evoyu.txt
09/06/2004 06:47 PM 512 AkuB238.6w2
09/06/2004 04:47 PM 512 Cjo9g.x88
09/06/2004 03:47 PM 1,104 IpuFmd.017
09/06/2004 11:47 AM 1,104 HotElc.006
09/05/2004 05:43 AM 3,063 hjals.txt
09/04/2004 02:21 PM 11,591 tthar.txt
09/04/2004 10:13 AM 11,591 daihf.log
09/01/2004 11:16 AM 11,388 ygwjv.txt
08/30/2004 06:53 PM 11,591 ezrbz.log
08/29/2004 10:56 PM 11,591 rnnfi.log
08/25/2004 10:58 PM 1,104 DozNu4.su6
08/22/2004 11:28 PM 0 mxbwb.dat
08/22/2004 08:57 PM 1,020 Wdit.06p
08/22/2004 08:57 PM 11,591 iyqnc.txt
08/22/2004 09:53 AM 11,388 lgpck.txt
08/21/2004 03:43 AM 11,591 djtzv.txt
08/20/2004 04:01 PM 1,020 LsxI52.e28
08/20/2004 01:01 PM 1,020 Bio9f.x88
08/18/2004 02:54 PM 11,591 soxvf.log
08/16/2004 02:58 AM 11,591 rnlrq.log
08/07/2004 09:26 PM 11,591 mryhw.txt
08/06/2004 11:51 AM 11,388 usszw.txt
08/06/2004 06:42 AM 11,591 ndbbr.log
07/31/2004 08:20 PM 3,063 ukgia.txt
07/30/2004 12:53 AM 11,591 gxehx.log
07/29/2004 03:11 AM 11,591 iaaci.log
07/25/2004 02:15 AM 11,591 wyjox.txt
07/21/2004 01:29 PM 11,591 nygvn.txt
07/19/2004 03:16 PM 11,591 dyjug.log
07/13/2004 07:01 PM 11,591 wlqqv.txt
08/13/2003 09:32 AM <DIR> Microsoft
136 File(s) 1,118,402 bytes
2 Dir(s) 107,127,418,880 bytes free

#8
Guest_usetobe_*

Posted 12 May 2005 - 01:25 PM

Guest

Hi UBYANKEES,

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#9
UBYANKEES

Posted 13 May 2005 - 07:26 AM

Member

Topic Starter
Member
19 posts

Here is the lsmfix log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Mike C. Mack\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Mike C. Mack\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Mike C. Mack\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'
Killing PID 288 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: l2fixlog.txt (164 bytes security) (deflated 69%)
adding: lo2.txt (164 bytes security) (deflated 74%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 69%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Here is the new hijack this log;

Logfile of HijackThis v1.99.1
Scan saved at 9:23:36 AM, on 5/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\atlan.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Optimum Online\Netsurf.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {06039B55-DB4E-4D9C-8E0E-05C2FBF1DF99} - C:\WINDOWS\system32\d3jr32.dll
O2 - BHO: Class - {09E2E16F-44FB-B809-85FD-6FA8F19E5D1D} - C:\WINDOWS\system32\ipae32.dll
O2 - BHO: Class - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addre.dll
O2 - BHO: Class - {27CEADBF-8802-1454-DF9C-24D6A13A1552} - C:\WINDOWS\ipco32.dll
O2 - BHO: Class - {33894CDF-39DC-A5B5-7657-E16A8CBB005D} - C:\WINDOWS\appfy.dll
O2 - BHO: Class - {389793A1-16BF-5CDB-995A-72BC57DA44B5} - C:\WINDOWS\creg32.dll
O2 - BHO: Class - {3AF7AF61-E9EC-FF85-4730-D2B5711A9B30} - C:\WINDOWS\ipqv32.dll
O2 - BHO: Class - {3B9E29FC-B55C-4B07-C8C7-05C371517100} - C:\WINDOWS\system32\mfctr.dll
O2 - BHO: Class - {43DB29D4-B055-B011-24C0-044F81AC210D} - C:\WINDOWS\addbn.dll
O2 - BHO: Class - {50D9F2AB-8EC8-43E6-7C24-956820685690} - C:\WINDOWS\system32\d3nc.dll
O2 - BHO: Class - {54255AC2-2B7F-9119-713D-1BFBB01E8BCD} - C:\WINDOWS\netka.dll
O2 - BHO: Class - {61D7C233-1C3C-2344-8212-77DF99E12940} - C:\WINDOWS\apphi32.dll
O2 - BHO: Class - {65E38C5A-C2E5-319D-507E-7617213EEC42} - C:\WINDOWS\netot32.dll
O2 - BHO: Class - {8461D228-678D-F4BF-6A52-E718252DA67B} - C:\WINDOWS\d3lb.dll
O2 - BHO: Class - {95ABB26D-0589-E8EC-C50A-38E6173427BB} - C:\WINDOWS\system32\netmk32.dll
O2 - BHO: Class - {A2C966BB-815B-DCAD-24A6-3F7A19912F9B} - C:\WINDOWS\msxl.dll
O2 - BHO: Class - {A69B7D98-9DAC-21C6-7ADB-7FF21D28CEC1} - C:\WINDOWS\system32\adddx.dll
O2 - BHO: Class - {A6B40426-CF3F-2B35-A955-E0B5DEB9EE41} - C:\WINDOWS\d3gq32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FFCF604D-210A-9317-A8C5-80208D4AD348} - C:\WINDOWS\atlit.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [winyi32.exe] C:\WINDOWS\winyi32.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [atlan.exe] C:\WINDOWS\atlan.exe
O4 - HKLM\..\RunOnce: [msyd32.exe] C:\WINDOWS\msyd32.exe
O4 - HKLM\..\RunOnce: [syscx.exe] C:\WINDOWS\system32\syscx.exe
O4 - HKLM\..\RunOnce: [netfl32.exe] C:\WINDOWS\system32\netfl32.exe
O4 - HKLM\..\RunOnce: [winkf32.exe] C:\WINDOWS\system32\winkf32.exe
O4 - HKLM\..\RunOnce: [appap32.exe] C:\WINDOWS\appap32.exe
O4 - HKLM\..\RunOnce: [mfcug32.exe] C:\WINDOWS\system32\mfcug32.exe
O4 - HKLM\..\RunOnce: [ieib.exe] C:\WINDOWS\system32\ieib.exe
O4 - HKLM\..\RunOnce: [ipto.exe] C:\WINDOWS\system32\ipto.exe
O4 - HKLM\..\RunOnce: [atljb.exe] C:\WINDOWS\atljb.exe
O4 - HKLM\..\RunOnce: [winzi.exe] C:\WINDOWS\winzi.exe
O4 - HKLM\..\RunOnce: [crmk32.exe] C:\WINDOWS\system32\crmk32.exe
O4 - HKLM\..\RunOnce: [msdu.exe] C:\WINDOWS\msdu.exe
O4 - HKLM\..\RunOnce: [sdkbi.exe] C:\WINDOWS\system32\sdkbi.exe
O4 - HKLM\..\RunOnce: [mfcgu.exe] C:\WINDOWS\system32\mfcgu.exe
O4 - HKLM\..\RunOnce: [netty.exe] C:\WINDOWS\netty.exe
O4 - HKLM\..\RunOnce: [ipva32.exe] C:\WINDOWS\ipva32.exe
O4 - HKLM\..\RunOnce: [javaae.exe] C:\WINDOWS\javaae.exe
O4 - HKLM\..\RunOnce: [apinz32.exe] C:\WINDOWS\apinz32.exe
O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe
O4 - HKLM\..\RunOnce: [crqk.exe] C:\WINDOWS\system32\crqk.exe
O4 - HKLM\..\RunOnce: [mfceh.exe] C:\WINDOWS\mfceh.exe
O4 - HKLM\..\RunOnce: [ntal32.exe] C:\WINDOWS\system32\ntal32.exe
O4 - HKLM\..\RunOnce: [netxi32.exe] C:\WINDOWS\system32\netxi32.exe
O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\system32\netln32.exe
O4 - HKLM\..\RunOnce: [ipfo32.exe] C:\WINDOWS\system32\ipfo32.exe
O4 - HKLM\..\RunOnce: [netxd32.exe] C:\WINDOWS\netxd32.exe
O4 - HKLM\..\RunOnce: [ntlp32.exe] C:\WINDOWS\ntlp32.exe
O4 - HKLM\..\RunOnce: [addhc32.exe] C:\WINDOWS\addhc32.exe
O4 - HKLM\..\RunOnce: [javapr32.exe] C:\WINDOWS\system32\javapr32.exe
O4 - HKLM\..\RunOnce: [apitb32.exe] C:\WINDOWS\apitb32.exe
O4 - HKLM\..\RunOnce: [ntsr.exe] C:\WINDOWS\system32\ntsr.exe
O4 - HKLM\..\RunOnce: [mfcoi32.exe] C:\WINDOWS\mfcoi32.exe
O4 - HKLM\..\RunOnce: [atllv.exe] C:\WINDOWS\system32\atllv.exe
O4 - HKLM\..\RunOnce: [ieew.exe] C:\WINDOWS\system32\ieew.exe
O4 - HKLM\..\RunOnce: [d3py.exe] C:\WINDOWS\d3py.exe
O4 - HKLM\..\RunOnce: [netvl32.exe] C:\WINDOWS\system32\netvl32.exe
O4 - HKLM\..\RunOnce: [appwa32.exe] C:\WINDOWS\appwa32.exe
O4 - HKLM\..\RunOnce: [ievp32.exe] C:\WINDOWS\system32\ievp32.exe
O4 - HKLM\..\RunOnce: [msdf.exe] C:\WINDOWS\system32\msdf.exe
O4 - HKLM\..\RunOnce: [netjc32.exe] C:\WINDOWS\system32\netjc32.exe
O4 - HKLM\..\RunOnce: [sysdv32.exe] C:\WINDOWS\system32\sysdv32.exe
O4 - HKLM\..\RunOnce: [crbl32.exe] C:\WINDOWS\crbl32.exe
O4 - HKLM\..\RunOnce: [d3ce32.exe] C:\WINDOWS\d3ce32.exe
O4 - HKLM\..\RunOnce: [sdkpw.exe] C:\WINDOWS\sdkpw.exe
O4 - HKLM\..\RunOnce: [javaxi32.exe] C:\WINDOWS\system32\javaxi32.exe
O4 - HKLM\..\RunOnce: [iecu32.exe] C:\WINDOWS\system32\iecu32.exe
O4 - HKLM\..\RunOnce: [javabi.exe] C:\WINDOWS\javabi.exe
O4 - HKLM\..\RunOnce: [ntqf32.exe] C:\WINDOWS\ntqf32.exe
O4 - HKLM\..\RunOnce: [atljw32.exe] C:\WINDOWS\atljw32.exe
O4 - HKLM\..\RunOnce: [msye32.exe] C:\WINDOWS\system32\msye32.exe
O4 - HKLM\..\RunOnce: [ntlg.exe] C:\WINDOWS\system32\ntlg.exe
O4 - HKLM\..\RunOnce: [atlqf32.exe] C:\WINDOWS\system32\atlqf32.exe
O4 - HKLM\..\RunOnce: [nttz.exe] C:\WINDOWS\system32\nttz.exe
O4 - HKLM\..\RunOnce: [msjo32.exe] C:\WINDOWS\system32\msjo32.exe
O4 - HKLM\..\RunOnce: [javaqx32.exe] C:\WINDOWS\javaqx32.exe
O4 - HKLM\..\RunOnce: [mfcws32.exe] C:\WINDOWS\mfcws32.exe
O4 - HKLM\..\RunOnce: [crye.exe] C:\WINDOWS\system32\crye.exe
O4 - HKLM\..\RunOnce: [sdkwc.exe] C:\WINDOWS\system32\sdkwc.exe
O4 - HKLM\..\RunOnce: [javayz.exe] C:\WINDOWS\system32\javayz.exe
O4 - HKLM\..\RunOnce: [mfcmt.exe] C:\WINDOWS\system32\mfcmt.exe
O4 - HKLM\..\RunOnce: [winij32.exe] C:\WINDOWS\system32\winij32.exe
O4 - HKLM\..\RunOnce: [ntgm32.exe] C:\WINDOWS\system32\ntgm32.exe
O4 - HKLM\..\RunOnce: [addtd.exe] C:\WINDOWS\system32\addtd.exe
O4 - HKLM\..\RunOnce: [d3yx32.exe] C:\WINDOWS\d3yx32.exe
O4 - HKLM\..\RunOnce: [atlhf.exe] C:\WINDOWS\system32\atlhf.exe
O4 - HKLM\..\RunOnce: [iemh.exe] C:\WINDOWS\iemh.exe
O4 - HKLM\..\RunOnce: [sdkzm.exe] C:\WINDOWS\sdkzm.exe
O4 - HKLM\..\RunOnce: [mfceo32.exe] C:\WINDOWS\mfceo32.exe
O4 - HKLM\..\RunOnce: [netdy.exe] C:\WINDOWS\system32\netdy.exe
O4 - HKLM\..\RunOnce: [addon32.exe] C:\WINDOWS\addon32.exe
O4 - HKLM\..\RunOnce: [mfctr.exe] C:\WINDOWS\system32\mfctr.exe
O4 - HKLM\..\RunOnce: [msht.exe] C:\WINDOWS\system32\msht.exe
O4 - HKLM\..\RunOnce: [javalx32.exe] C:\WINDOWS\javalx32.exe
O4 - HKLM\..\RunOnce: [winam.exe] C:\WINDOWS\system32\winam.exe
O4 - HKLM\..\RunOnce: [atlrc.exe] C:\WINDOWS\system32\atlrc.exe
O4 - HKLM\..\RunOnce: [wingj.exe] C:\WINDOWS\system32\wingj.exe
O4 - HKLM\..\RunOnce: [atlqw.exe] C:\WINDOWS\system32\atlqw.exe
O4 - HKLM\..\RunOnce: [ntjs32.exe] C:\WINDOWS\ntjs32.exe
O4 - HKLM\..\RunOnce: [crov32.exe] C:\WINDOWS\system32\crov32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msyd32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again for sharing your seemingly unending knowledge!

#10
Guest_usetobe_*

Posted 13 May 2005 - 12:27 PM

Guest

Hi UB

I've not seen such an infected PC before. It's not just poorly it's almost terminal. :tazz:

This is where your real work kicks in and you must be careful and methodical. It's not a race to get to the end as quickly as you can.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document and print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection as well as other nasties. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Download a free 14 day trial of ewido from the link below. Install it and start it up. Follow the prompts to upgrade it, then close it down.

ewido

Download Pocket killbox

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop

Set PC to show hidden files (click link if you do not know how)LINK

Go to ADD/REMOVE in control Panel and remove the following.

Limewire
Spykiller
mywebsearch
myweb
Gator
Gain
Bargain buddy
and any other dubious searchbars and things you do not recognise as specifically installing

Next

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster

Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Click on Start > then >run and type in

services.msc

Click OK.

In the services window find Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.

Then also find Service: ISEXEng
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.

Exit the Services utility.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now scan with HJT and check the following entries if they are there. Some may have been removed by earlier procedures.

C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ucgtr.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {06039B55-DB4E-4D9C-8E0E-05C2FBF1DF99} - C:\WINDOWS\system32\d3jr32.dll
O2 - BHO: Class - {09E2E16F-44FB-B809-85FD-6FA8F19E5D1D} - C:\WINDOWS\system32\ipae32.dll
O2 - BHO: Class - {20FBF908-0E40-FE23-831C-A7091EC44CAE} - C:\WINDOWS\system32\addre.dll
O2 - BHO: Class - {27CEADBF-8802-1454-DF9C-24D6A13A1552} - C:\WINDOWS\ipco32.dll
O2 - BHO: Class - {33894CDF-39DC-A5B5-7657-E16A8CBB005D} - C:\WINDOWS\appfy.dll
O2 - BHO: Class - {389793A1-16BF-5CDB-995A-72BC57DA44B5} - C:\WINDOWS\creg32.dll
O2 - BHO: Class - {3AF7AF61-E9EC-FF85-4730-D2B5711A9B30} - C:\WINDOWS\ipqv32.dll
O2 - BHO: Class - {3B9E29FC-B55C-4B07-C8C7-05C371517100} - C:\WINDOWS\system32\mfctr.dll
O2 - BHO: Class - {43DB29D4-B055-B011-24C0-044F81AC210D} - C:\WINDOWS\addbn.dll
O2 - BHO: Class - {50D9F2AB-8EC8-43E6-7C24-956820685690} - C:\WINDOWS\system32\d3nc.dll
O2 - BHO: Class - {54255AC2-2B7F-9119-713D-1BFBB01E8BCD} - C:\WINDOWS\netka.dll
O2 - BHO: Class - {61D7C233-1C3C-2344-8212-77DF99E12940} - C:\WINDOWS\apphi32.dll
O2 - BHO: Class - {65E38C5A-C2E5-319D-507E-7617213EEC42} - C:\WINDOWS\netot32.dll
O2 - BHO: Class - {8461D228-678D-F4BF-6A52-E718252DA67B} - C:\WINDOWS\d3lb.dll
O2 - BHO: Class - {95ABB26D-0589-E8EC-C50A-38E6173427BB} - C:\WINDOWS\system32\netmk32.dll
O2 - BHO: Class - {A2C966BB-815B-DCAD-24A6-3F7A19912F9B} - C:\WINDOWS\msxl.dll
O2 - BHO: Class - {A69B7D98-9DAC-21C6-7ADB-7FF21D28CEC1} - C:\WINDOWS\system32\adddx.dll
O2 - BHO: Class - {A6B40426-CF3F-2B35-A955-E0B5DEB9EE41} - C:\WINDOWS\d3gq32.dll
O2 - BHO: Class - {FFCF604D-210A-9317-A8C5-80208D4AD348} - C:\WINDOWS\atlit.dll
O4 - HKLM\..\Run: [winyi32.exe] C:\WINDOWS\winyi32.exe
O4 - HKLM\..\Run: [atlan.exe] C:\WINDOWS\atlan.exe
O4 - HKLM\..\RunOnce: [msyd32.exe] C:\WINDOWS\msyd32.exe
O4 - HKLM\..\RunOnce: [syscx.exe] C:\WINDOWS\system32\syscx.exe
O4 - HKLM\..\RunOnce: [netfl32.exe] C:\WINDOWS\system32\netfl32.exe
O4 - HKLM\..\RunOnce: [winkf32.exe] C:\WINDOWS\system32\winkf32.exe
O4 - HKLM\..\RunOnce: [appap32.exe] C:\WINDOWS\appap32.exe
O4 - HKLM\..\RunOnce: [mfcug32.exe] C:\WINDOWS\system32\mfcug32.exe
O4 - HKLM\..\RunOnce: [ieib.exe] C:\WINDOWS\system32\ieib.exe
O4 - HKLM\..\RunOnce: [ipto.exe] C:\WINDOWS\system32\ipto.exe
O4 - HKLM\..\RunOnce: [atljb.exe] C:\WINDOWS\atljb.exe
O4 - HKLM\..\RunOnce: [winzi.exe] C:\WINDOWS\winzi.exe
O4 - HKLM\..\RunOnce: [crmk32.exe] C:\WINDOWS\system32\crmk32.exe
O4 - HKLM\..\RunOnce: [msdu.exe] C:\WINDOWS\msdu.exe
O4 - HKLM\..\RunOnce: [sdkbi.exe] C:\WINDOWS\system32\sdkbi.exe
O4 - HKLM\..\RunOnce: [mfcgu.exe] C:\WINDOWS\system32\mfcgu.exe
O4 - HKLM\..\RunOnce: [netty.exe] C:\WINDOWS\netty.exe
O4 - HKLM\..\RunOnce: [ipva32.exe] C:\WINDOWS\ipva32.exe
O4 - HKLM\..\RunOnce: [javaae.exe] C:\WINDOWS\javaae.exe
O4 - HKLM\..\RunOnce: [apinz32.exe] C:WINDOWS\apinz32.exe
O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\system32\netmy32.exe
O4 - HKLM\..\RunOnce: [crqk.exe] C:\WINDOWS\system32\crqk.exe
O4 - HKLM\..\RunOnce: [mfceh.exe] C:\WINDOWS\mfceh.exe
O4 - HKLM\..\RunOnce: [ntal32.exe] C:\WINDOWS\system32\ntal32.exe
O4 - HKLM\..\RunOnce: [netxi32.exe] C:\WINDOWS\system32\netxi32.exe
O4 - HKLM\..\RunOnce: [netln32.exe] C:\WINDOWS\system32\netln32.exe
O4 - HKLM\..\RunOnce: [ipfo32.exe] C:\WINDOWS\system32\ipfo32.exe
O4 - HKLM\..\RunOnce: [netxd32.exe] C:\WINDOWS\netxd32.exe
O4 - HKLM\..\RunOnce: [ntlp32.exe] C:\WINDOWS\ntlp32.exe
O4 - HKLM\..\RunOnce: [addhc32.exe] C:\WINDOWS\addhc32.exe
O4 - HKLM\..\RunOnce: [javapr32.exe] C:\WINDOWS\system32\javapr32.exe
O4 - HKLM\..\RunOnce: [apitb32.exe] C:\WINDOWS\apitb32.exe
O4 - HKLM\..\RunOnce: [ntsr.exe] C:\WINDOWS\system32\ntsr.exe
O4 - HKLM\..\RunOnce: [mfcoi32.exe] C:\WINDOWS\mfcoi32.exe
O4 - HKLM\..\RunOnce: [atllv.exe] C:\WINDOWS\system32\atllv.exe
O4 - HKLM\..\RunOnce: [ieew.exe] C:\WINDOWS\system32\ieew.exe
O4 - HKLM\..\RunOnce: [d3py.exe] C:\WINDOWS\d3py.exe
O4 - HKLM\..\RunOnce: [netvl32.exe] C:\WINDOWS\system32\netvl32.exe
O4 - HKLM\..\RunOnce: [appwa32.exe] C:\WINDOWS\appwa32.exe
O4 - HKLM\..\RunOnce: [ievp32.exe] C:\WINDOWS\system32\ievp32.exe
O4 - HKLM\..\RunOnce: [msdf.exe] C:\WINDOWS\system32\msdf.exe
O4 - HKLM\..\RunOnce: [netjc32.exe] C:\WINDOWS\system32\netjc32.exe
O4 - HKLM\..\RunOnce: [sysdv32.exe] C:\WINDOWS\system32\sysdv32.exe
O4 - HKLM\..\RunOnce: [crbl32.exe] C:\WINDOWS\crbl32.exe
O4 - HKLM\..\RunOnce: [d3ce32.exe] C:\WINDOWS\d3ce32.exe
O4 - HKLM\..\RunOnce: [sdkpw.exe] C:\WINDOWS\sdkpw.exe
O4 - HKLM\..\RunOnce: [javaxi32.exe] C:\WINDOWS\system32\javaxi32.exe
O4 - HKLM\..\RunOnce: [iecu32.exe] C:\WINDOWS\system32\iecu32.exe
O4 - HKLM\..\RunOnce: [javabi.exe] C:\WINDOWS\javabi.exe
O4 - HKLM\..\RunOnce: [ntqf32.exe] C:\WINDOWS\ntqf32.exe
O4 - HKLM\..\RunOnce: [atljw32.exe] C:\WINDOWS\atljw32.exe
O4 - HKLM\..\RunOnce: [msye32.exe] C:\WINDOWS\system32\msye32.exe
O4 - HKLM\..\RunOnce: [ntlg.exe] C:\WINDOWS\system32\ntlg.exe
O4 - HKLM\..\RunOnce: [atlqf32.exe] C:\WINDOWS\system32\atlqf32.exe
O4 - HKLM\..\RunOnce: [nttz.exe] C:\WINDOWS\system32\nttz.exe
O4 - HKLM\..\RunOnce: [msjo32.exe] C:\WINDOWS\system32\msjo32.exe
O4 - HKLM\..\RunOnce: [javaqx32.exe] C:\WINDOWS\javaqx32.exe
O4 - HKLM\..\RunOnce: [mfcws32.exe] C:\WINDOWS\mfcws32.exe
O4 - HKLM\..\RunOnce: [crye.exe] C:\WINDOWS\system32\crye.exe
O4 - HKLM\..\RunOnce: [sdkwc.exe] C:\WINDOWS\system32\sdkwc.exe
O4 - HKLM\..\RunOnce: [javayz.exe] C:\WINDOWS\system32\javayz.exe
O4 - HKLM\..\RunOnce: [mfcmt.exe] C:\WINDOWS\system32\mfcmt.exe
O4 - HKLM\..\RunOnce: [winij32.exe] C:\WINDOWS\system32\winij32.exe
O4 - HKLM\..\RunOnce: [ntgm32.exe] C:\WINDOWS\system32\ntgm32.exe
O4 - HKLM\..\RunOnce: [addtd.exe] C:\WINDOWS\system32\addtd.exe
O4 - HKLM\..\RunOnce: [d3yx32.exe] C:\WINDOWS\d3yx32.exe
O4 - HKLM\..\RunOnce: [atlhf.exe] C:\WINDOWS\system32\atlhf.exe
O4 - HKLM\..\RunOnce: [iemh.exe] C:\WINDOWS\iemh.exe
O4 - HKLM\..\RunOnce: [sdkzm.exe] C:\WINDOWS\sdkzm.exe
O4 - HKLM\..\RunOnce: [mfceo32.exe] C:\WINDOWS\mfceo32.exe
O4 - HKLM\..\RunOnce: [netdy.exe] C:\WINDOWS\system32\netdy.exe
O4 - HKLM\..\RunOnce: [addon32.exe] C:\WINDOWS\addon32.exe
O4 - HKLM\..\RunOnce: [mfctr.exe] C:\WINDOWS\system32\mfctr.exe
O4 - HKLM\..\RunOnce: [msht.exe] C:\WINDOWS\system32\msht.exe
O4 - HKLM\..\RunOnce: [javalx32.exe] C:\WINDOWS\javalx32.exe
O4 - HKLM\..\RunOnce: [winam.exe] C:\WINDOWS\system32\winam.exe
O4 - HKLM\..\RunOnce: [atlrc.exe] C:\WINDOWS\system32\atlrc.exe
O4 - HKLM\..\RunOnce: [wingj.exe] C:\WINDOWS\system32\wingj.exe
O4 - HKLM\..\RunOnce: [atlqw.exe] C:\WINDOWS\system32\atlqw.exe
O4 - HKLM\..\RunOnce: [ntjs32.exe] C:\WINDOWS\ntjs32.exe
O4 - HKLM\..\RunOnce: [crov32.exe] C:\WINDOWS\system32\crov32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msyd32.exe" /s (file missing)
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe

Ensure no windows open except HJT and click FIX CHECKED.

Now using Windows explorer, locate and delete the following files. Make a note of any not found or that you cannot delete in a note pad as you will need them in a later process.

c:\searchpage.html
C:\WINDOWS\system32\ucgtr.dll
C:\WINDOWS\system32\d3jr32.dll
C:\WINDOWS\system32\ipae32.dll
C:\WINDOWS\system32\addre.dll
C:\WINDOWS\ipco32.dll
C:\WINDOWS\appfy.dll
C:\WINDOWS\creg32.dll
C:\WINDOWS\ipqv32.dll
C:\WINDOWS\system32\mfctr.dll
C:\WINDOWS\addbn.dll
C:\WINDOWS\system32\d3nc.dll
C:\WINDOWS\netka.dll
C:\WINDOWS\apphi32.dll
C:\WINDOWS\netot32.dll
C:\WINDOWS\d3lb.dll
C:\WINDOWS\system32\netmk32.dll
C:\WINDOWS\msxl.dll
C:\WINDOWS\system32\adddx.dll
C:\WINDOWS\d3gq32.dll
C:\WINDOWS\atlit.dll
C:\WINDOWS\winyi32.exe
C:\WINDOWS\atlan.exe
C:\WINDOWS\msyd32.exe
C:\WINDOWS\system32\syscx.exe
C:\WINDOWS\system32\netfl32.exe
C:\WINDOWS\system32\winkf32.exe
C:\WINDOWS\appap32.exe
C:\WINDOWS\system32\mfcug32.exe
C:\WINDOWS\system32\ieib.exe
C:\WINDOWS\system32\ipto.exe
C:\WINDOWS\atljb.exe
C:\WINDOWS\winzi.exe
C:\WINDOWS\system32\crmk32.exe
C:\WINDOWS\msdu.exe
C:\WINDOWS\system32\sdkbi.exe
C:\WINDOWS\system32\mfcgu.exe
C:\WINDOWS\netty.exe
C:\WINDOWS\ipva32.exe
C:\WINDOWS\javaae.exe
C:WINDOWS\apinz32.exe
C:\WINDOWS\system32\netmy32.exe
C:\WINDOWS\system32\crqk.exe
C:\WINDOWS\mfceh.exe
C:\WINDOWS\system32\ntal32.exe
C:\WINDOWS\system32\netxi32.exe
C:\WINDOWS\system32\netln32.exe
C:\WINDOWS\system32\ipfo32.exe
C:\WINDOWS\netxd32.exe
C:\WINDOWS\ntlp32.exe
C:\WINDOWS\addhc32.exe
C:\WINDOWS\system32\javapr32.exe
C:\WINDOWS\apitb32.exe
C:\WINDOWS\system32\ntsr.exe
C:\WINDOWS\mfcoi32.exe
C:\WINDOWS\system32\atllv.exe
C:\WINDOWS\system32\ieew.exe
C:\WINDOWS\d3py.exe
C:\WINDOWS\system32\netvl32.exe
C:\WINDOWS\appwa32.exe
C:\WINDOWS\system32\ievp32.exe
C:\WINDOWS\system32\msdf.exe
C:\WINDOWS\system32\netjc32.exe
C:\WINDOWS\system32\sysdv32.exe
C:\WINDOWS\crbl32.exe
C:\WINDOWS\d3ce32.exe
C:\WINDOWS\sdkpw.exe
C:\WINDOWS\system32\javaxi32.exe
C:\WINDOWS\system32\iecu32.exe
C:\WINDOWS\javabi.exe
C:\WINDOWS\ntqf32.exe
C:\WINWINDOWS\sdkzm.exe
C:\WINDOWS\mfceo32.exe
C:\WINDOWS\system32\netdy.exe
C:\WINDOWS\addon32.exe
C:\WINDOWS\system32\mfctr.exe
C:\WINDOWS\system32\msht.exe
C:\WINDOWS\javalx32.exe
C:\WINDOWS\system32\winam.exe
C:\WINDOWS\system32\atlrc.exe
C:\WINDOWS\system32\wingj.exe
C:\WINDOWS\system32\atlqw.exe
C:\WINDOWS\ntjs32.exe
C:\WINDOWS\system32\crov32.exe
C:\Programme Files\SpyKiller\spykiller.exe
C:\Program Files\MyWebSearch\ <<<----entire folder
C:\Program Files\LimeWire\LimeWire
C:\WINDOWS\msyd32.exe
C:\WINDOWS\System32\angelex.exe DOWS\atljw32.exe
C:\WINDOWS\system32\msye32.exe
C:\WINDOWS\system32\ntlg.exe
C:\WINDOWS\system32\atlqf32.exe
C:\WINDOWS\system32\nttz.exe
C:\WINDOWS\system32\msjo32.exe
C:\WINDOWS\javaqx32.exe
C:\WINDOWS\mfcws32.exe
C:\WINDOWS\system32\crye.exe
C:\WINDOWS\system32\sdkwc.exe
C:\WINDOWS\system32\javayz.exe
C:\WINDOWS\system32\mfcmt.exe
C:\WINDOWS\system32\winij32.exe
C:\WINDOWS\system32\ntgm32.exe
C:\WINDOWS\system32\addtd.exe
C:\WINDOWS\d3yx32.exe
C:\WINDOWS\system32\atlhf.exe
C:\WINDOWS\iemh.exe
C:\WINDOWS\sdkzm.exe
C:\WINDOWS\mfceo32.exe
C:\WINDOWS\system32\netdy.exe
C:\WINDOWS\addon32.exe
C:\WINDOWS\system32\mfctr.exe
C:\WINDOWS\system32\msht.exe
C:\WINDOWS\javalx32.exe
C:\WINDOWS\system32\winam.exe
C:\WINDOWS\system32\atlrc.exe
C:\WINDOWS\system32\wingj.exe
C:\WINDOWS\system32\atlqw.exe
C:\WINDOWS\ntjs32.exe
C:\WINDOWS\system32\crov32.exe
C:\Program Files\SpyKiller\spykiller.exe /startup
C:\Program Files\MyWebSearch\ <<-----ENTIRE FOLDER
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\WINDOWS\msyd32.exe" /s
C:\WINDOWS\System32\angelex.exe

Now double-click on KILLBOX, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

Enter any files from above that you could not find or delete

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.

Reboot into SAFE MODE again

Start up HJT and click on MISC TOOLS. then Click on Delete an NT Service.

copy and paste the following into the box in the pop up. IT IS IMPORTANT THAT THERE IS A SPACE BEFORE THE FIRST NUMBER 1 OR IT WILL NOT WORK

11Fßä#·ºÄÖ`I

THEN CLICK OK

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.

Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

Reboot into SAFE MODE

Now run Ewido. click on the Scanner button, Select drives if you have more than one and then start.

grab a cup of coffee, sandwiches, book as this may take some time. Once the first problem is detected ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy that to post in this thread.

Rebot PC normally, Carry out another HJT scan and post the log back here, so we can sort out any remnants

#11
UBYANKEES

Posted 17 May 2005 - 02:51 PM

Member

Topic Starter
Member
19 posts

Sorry it took so long, here are the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:01 PM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FD58D0EF-6B05-A1B1-205C-7FF5D9CFD4D2} - C:\WINDOWS\addjr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [javagc32.exe] C:\WINDOWS\javagc32.exe
O4 - HKLM\..\Run: [ipia32.exe] C:\WINDOWS\ipia32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipir.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:13:21 AM, 5/17/2005
+ Report-Checksum: ADD00D72

+ Date of database: 5/15/2005
+ Version of scan engine: v3.0

+ Duration: 1061 min
+ Scanned Files: 105728
+ Speed: 1.66 Files/Second
+ Infected files: 39
+ Removed files: 28
+ Files put in quarantine: 28
+ Files that could not be opened: 0
+ Files that could not be cleaned: 11

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/bargains.exe -> Spyware.Bargainbuddy -> Error during cleaning
C:\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe -> Spyware.BargainBuddy.n -> Error during cleaning
C:\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe -> Spyware.BargainBuddy.n -> Error during cleaning
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exdl.exe -> Spyware.BargainBuddy.q -> Error during cleaning
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/mqexdlm.srg -> Spyware.BargainBuddy.q -> Error during cleaning
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exul.exe -> Spyware.BargainBuddy.q -> Error during cleaning
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/javexulm.vxd -> Spyware.BargainBuddy.q -> Error during cleaning
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/bbchk.exe -> Spyware.Bargainbuddy -> Error during cleaning
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/msexreg.exe -> Spyware.Bargainbuddy -> Error during cleaning
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/instsrv.exe -> Spyware.BargainBuddy -> Error during cleaning
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exclean.exe -> Spyware.BargainBuddy -> Error during cleaning
C:\WINDOWS\system32\netxj32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\netyo32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\nthv.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ntvc32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\nxahu.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\sdkek.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sdkqh32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sdkvr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysbf.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysnr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\sysov.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\syswj.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\syswy32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\vribc.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\wincg.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\winjb.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\winqv32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\winyt.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\ybpnu.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\syswu32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\vetdvx.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\vswvk.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\winai32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\winfm32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\winjx.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\winlx.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\winnu32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\winps.exe -> Trojan.Agent.bi -> Cleaned with backup

::Report End

#12
UBYANKEES

Posted 17 May 2005 - 02:55 PM

Member

Topic Starter
Member
19 posts

(5/13/05 9:48:23 PM) SPSeHjFix started v1.1.2
(5/13/05 9:48:23 PM) OS: WinXP Service Pack 2 (5.1.2600)
(5/13/05 9:48:23 PM) Language: english
(5/13/05 9:48:23 PM) Win-Path: C:\WINDOWS
(5/13/05 9:48:23 PM) System-Path: C:\WINDOWS\system32
(5/13/05 9:48:23 PM) Temp-Path: C:\DOCUME~1\MIKEC~1.MAC\LOCALS~1\Temp\
(5/13/05 9:48:25 PM) Disinfection started
(5/13/05 9:48:25 PM) Bad-Dll(IEP): (not found)
(5/13/05 9:48:25 PM) Bad-Dll(IEP) in BHO: (not found)
(5/13/05 9:48:25 PM) UBF: 4 - UBB: 2 - UBR: 36
(5/13/05 9:48:25 PM) UBF: 4 - UBB: 2 - UBR: 36
(5/13/05 9:48:25 PM) Bad IE-pages: (none)
(5/13/05 9:48:25 PM) Stealth-String not found
(5/13/05 9:48:25 PM) Not infected->END

(5/14/05 12:55:58 AM) SPSeHjFix started v1.1.2
(5/14/05 12:55:58 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/14/05 12:55:58 AM) Language: english
(5/14/05 12:55:58 AM) Win-Path: C:\WINDOWS
(5/14/05 12:55:58 AM) System-Path: C:\WINDOWS\system32
(5/14/05 12:55:58 AM) Temp-Path: C:\DOCUME~1\MIKEC~1.MAC\

#13
Guest_usetobe_*

Posted 18 May 2005 - 05:15 AM

Guest

Hi UB,

Things still not looking too good.

Have you uninstalled Limewire as instructed Please click on the link below and follow the instructions after you have uninstalled it in ADD/REMOVE in control panel. Also remove the following if in ADD/REMOVE

Bullseye
bargainbuddy
gator

Remove Limewire

Next We need to Reboot into Safe mode again.

Rerun About.Buster Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.

Click on Start > then >run and type in

services.msc

Click OK.

In the services window find Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.

Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Start up HJT and click on MISC TOOLS. then Click on Delete an NT Service.

copy and paste the following into the box in the pop up. IT IS IMPORTANT THAT THERE IS 1 SPACE BEFORE THE FIRST NUMBER 1 OR IT WILL NOT WORK

11Fßä#·ºÄÖ`I

THEN CLICK OK

Reboot your PC into SAFE MODE again

Rescan with HJT and check the following entries if present:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yeqri.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FD58D0EF-6B05-A1B1-205C-7FF5D9CFD4D2} - C:\WINDOWS\addjr.dll
O4 - HKLM\..\Run: [javagc32.exe] C:\WINDOWS\javagc32.exe
O4 - HKLM\..\Run: [ipia32.exe] C:\WINDOWS\ipia32.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipir.exe" /s (file missing)

Ensure no windows open except HJT and click FIX CHECKED.

Set up PC to show Hiden files.

Using windows explorer locate and delete the following:

c:\searchpage.html
C:\WINDOWS\yeqri <<--- with anything after this part.
C:\WINDOWS\javagc32.exe
C:\WINDOWS\ipia32.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\GMT\GMT.exe

Now re-run KILLBOX.Now double-click on KILLBOX, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

c:\searchpage.html
C:\WINDOWS\javagc32.exe
C:\WINDOWS\ipia32.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/bargains.exe
C:\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe
C:\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exdl.exe
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/mqexdlm.srg
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exul.exe
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/javexulm.vxd
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/bbchk.exe
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/msexreg.exe
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/instsrv.exe
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exclean.exe

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.

Boot into safe mode again.

Rescan with Ewido, and copy the log to post back.

Try the following online anti virus programs to see if any will run.

Kaspersky

Trend

Panda Activescan

Bitdefender

F-secure

Reboot normally, rescan with HJT and post the log back.

#14
UBYANKEES

Posted 03 June 2005 - 08:29 PM

Member

Topic Starter
Member
19 posts

Sorry again fo taking so long to post results. I honestly really do appreciate all your help. The computer is running much better because of your suggestions. I did not remove Limewire because it is a music download site and my son(to whom the computer belongs) doesn't want to remove it. I have done all the other cleanups. Here are the latest logs:

Logfile of HijackThis v1.99.1
Scan saved at 4:38:08 PM, on 6/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {0E9DABF6-6D46-1FC5-3AC4-33E64ADC9FC9} - C:\WINDOWS\system32\wruy.dll (file missing)
O2 - BHO: (no name) - {8F053341-FAA1-D87F-D8E0-A10FD4964DCB} - C:\WINDOWS\system32\ppjucgoa.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www.stopzill...es/SZScanLE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
RUN: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
RUN: [CHotkey] zHotkey.exe
RUN: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
RUN: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RUN: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
RUN: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
RUN: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
RUN: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
RUN: [javagc32.exe] C:\WINDOWS\javagc32.exe
RUN: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
RUN: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
RUN: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
RUN: [Spyware Begone] C:\freescan\freescan.exe -FastScan
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

**** Browser Helper Objects ****

BHO: [] C:\WINDOWS\system32\wruy.dll
BHO: [] C:\WINDOWS\system32\ppjucgoa.dll
BHO: [Google Toolbar Helper] c:\program files\google\googletoolbar1.dll
BHO: [CNavExtBho Class] C:\Program Files\Norton AntiVirus\NavShExt.dll

**** IE Toolbars ****

TOOLBAR: [&Google] c:\program files\google\googletoolbar1.dll
TOOLBAR: [Norton AntiVirus] C:\Program Files\Norton AntiVirus\NavShExt.dll

**** IE Extensions ****

IEExt: [Web Browser Applet Control] C:\WINDOWS\System32\msjava.dll
IEExt: [ICQ] C:\Program Files\ICQ\ICQ.exe
IEExt: [AIM] C:\Program Files\AIM\aim.exe
IEExt: [PartyPoker.com] C:\Program Files\PartyPoker\PartyPoker.exe
IEExt: [Real.com] C:\Program Files\PartyPoker\PartyPoker.exe
IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe

**** Hosts File Entries ****

**** IE Settings ****

Default Page: http://www.google.com
Default Search: http://www.google.com
Local Page: C:\WINDOWS\system32\blank.htm
Search Bar:
Search Page: http://www.google.com

**** IE Context Menu (Right click) ****

**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{686E74E9-BB8A-4F83-A2B7-6FFD31A7DBBC}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{686E74E9-BB8A-4F83-A2B7-6FFD31A7DBBC}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{53B0E174-7D36-458C-97D9-C762B83F7802}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{53B0E174-7D36-458C-97D9-C762B83F7802}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EDAB0EA9-C83C-484C-9F6E-ADC90AC3F5DC}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EDAB0EA9-C83C-484C-9F6E-ADC90AC3F5DC}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D001687C-D938-4330-B88F-3936EFDEAC72}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D001687C-D938-4330-B88F-3936EFDEAC72}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CB518631-EA49-42FC-9B7D-92A627ADF738}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CB518631-EA49-42FC-9B7D-92A627ADF738}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CA318070-F1C0-4379-9D40-7847049AE4A8}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CA318070-F1C0-4379-9D40-7847049AE4A8}] DATAGRAM 4

**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No

**** Downloaded Program Files ****

DirectAnimation Java Classes [file://C:\WINDOWS\Java\classes\dajava.cab]
Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} [http://www.kaspersky...kavwebscan.cab] C:\WINDOWS\system32\mfc42.dll C:\WINDOWS\kavwebscan.ico C:\WINDOWS\Downloaded Program Files\kavwebscan.reg C:\WINDOWS\Downloaded Program Files\kavwebscan.dll C:\WINDOWS\Downloaded Program Files\kavuninstall.bat C:\WINDOWS\Downloaded Program Files\0009AB83.key C:\WINDOWS\Downloaded Program Files\ipc.dll C:\WINDOWS\Downloaded Program Files\kavss.exe C:\WINDOWS\Downloaded Program Files\kavss.dll C:\WINDOWS\Downloaded Program Files\kavssi.dll C:\WINDOWS\Downloaded Program Files\kavssd.dll C:\WINDOWS\Downloaded Program Files\kavssdi.dll C:\WINDOWS\Downloaded Program Files\kavupd.dll C:\WINDOWS\Downloaded Program Files\kaveula.txt
{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macr...ctor/swdir.cab]
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} [http://office.micros...tent/opuc2.cab]
{5A447319-0EA2-447B-A063-A5F849B097D0} [https://www.stopzill...s/SZScanLE.cab]
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} [http://a840.g.akamai...ll/xscan53.cab]
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/...ndows-i586.cab]
{A93D84FD-641F-43AE-B963-E6FA84BE7FE7} [http://www.linksysfi...l/gtdownls.cab]
{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} [http://java.sun.com/...ndows-i586.cab]
{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} [http://www.symantec....a/SymAData.cab]

**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AOL ACS] C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
[ccPwdSvc] "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
[ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[ewido security suite control] C:\Program Files\ewido\security suite\ewidoctrl.exe
[ewido security suite guard] C:\Program Files\ewido\security suite\ewidoguard.exe
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[ImapiService] C:\WINDOWS\System32\imapi.exe
[ISEXEng] C:\WINDOWS\System32\angelex.exe
[KodakCCS] %SystemRoot%\system32\drivers\KodakCCS.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LexBceS] C:\WINDOWS\system32\LEXBCES.EXE
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[navapsvc] "C:\Program Files\Norton AntiVirus\navapsvc.exe"
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NPFMntor] "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SAVScan] "C:\Program Files\Norton AntiVirus\SAVScan.exe"
[SBService] C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[SLService] slserv.exe
[SNDSrvc] "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
[SPBBCSvc] "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{4176C957-1927-4AD7-8915-AF95EEA89A50}
[Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[SymWSC] "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[UMWdf] C:\WINDOWS\system32\wdfmgr.exe
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WANMiniportService] "C:\WINDOWS\wanmpsvc.exe"
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs

**** Custom IE Search Items ****

SEARCH: [SearchAssistant]
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
SEARCH: [SearchAssistant] http://ie.search.msn...st/srchasst.htm

**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Use Custom Search URL]
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] no
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [FullScreen] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [Friendly http errors] yes
IEOPT: [Use Search Asst] no
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Default_Search_URL] http://www.msn.com/access/allinone.htm
IEOPT: [Default_Page_URL] c:\searchpage.html
IEOPT: [Window_Placement] ,
IEOPT: [Enable Browser Extensions] yes
IEOPT: [Use FormSuggest] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [mastersettings]
IEOPT: [masterupdatetime] 1108752729¿T²8(ådb§ÂI‰SVÝÁ}Ä¾ÑÁßC@>å"×Ï9à9>á‡Èå!ro§RÓ7¡vÚUcR,æ|{æUˆRQß™#Î
¿’ˆ-%aÇ[ƒ‰@ƒgT˜À±›c|*JIÔ#å5Õ >,î{øÃ_JÁ™!¼’‡ÂH-%
IEOPT: [payloadupdatetime] 1108752731¿T²8(ådb§ÂI‰SVÝÁ}Ä¾ÑÁßC@>å"×Ï9à9>á‡Èå!ro§RÓ7¡vÚUcR,æ|{æUˆRQß™#Î
¿’ˆ-%aÇ[ƒ‰@ƒgT˜À±›c|*JIÔ#å5Õ >,î{øÃ_JÁ™!¼’‡ÂH-%
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Check_Associations] no
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [DisableScriptDebuggerIE] yes
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [LastCheckedHi]
IEOPT: [Save Directory] C:\Documents and Settings\Mike C. Mack\My Documents\
IEOPT: [Start Page] http://www.google.com
IEOPT: [Search Page] http://www.google.com
IEOPT: [Search Bar]
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2524.0000
IEOPT: [FullScreen] no
IEOPT: [Use Search Assistant] yes
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL] 1o
IEOPT: [Check_Associations] no
IEOPT: [Default_Page_URL] http://www.google.com
IEOPT: [Start Page] http://www.google.com
IEOPT: [Default_Search_URL] http://www.google.com
IEOPT: [Search Page] http://www.google.com
IEOPT: [Search Bar]

Thanks for your help!

#15
Guest_usetobe_*

Posted 03 June 2005 - 11:15 PM

Guest

Hi UB,

Now we are cooking on gas.

Please remove SpywareBegone in add/remove in control panel if installed. This is classed as rogue software, giving false positives, using out of date databases.

Reboot into SAFE MODE again.

Rescan with HJT and check the following :

O2 - BHO: (no name) - {0E9DABF6-6D46-1FC5-3AC4-33E64ADC9FC9} - C:\WINDOWS\system32\wruy.dll (file missing)
O2 - BHO: (no name) - {8F053341-FAA1-D87F-D8E0-A10FD4964DCB} - C:\WINDOWS\system32\ppjucgoa.dll (file missing)
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan

Ensure no windows open except HJT and click fix checked

Ensure PC set up to show hidden files and using windows explorer delete the following

C:\freescan\freescan.exe -FastScan

Rerun with ewido, save the log

Reboot with HJT and post the log back with the ewido log