OK, thanks for all of the instructions. All 4 logs are posted below. I'll await a reply to find out what to do next.
joe
FRESH HIJACK THIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 5:12:23 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\dfrfat.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dupi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\HPZipm12.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsd503.dll
O2 - BHO: (no name) - {9AEE1255-A45A-15CC-CB2D-ACB498D8BD8C} - C:\Program Files\drvi\awvkxbcxyc.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINNT\system32\n.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Wmfmmdb] C:\Program Files\Yhsfpbx\Vxcqivq.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [richup] C:\WINNT\system32\richup.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [bmb] C:\WINNT\bmb.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [372g3sW] dfrfat.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\klnpln.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [IwtmRiaEV] catalspl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} (Installer Class) - http://downloads.sho...budsinc1001.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
l2mfix(option 2) log:
L2Mfix 1.03
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 1664 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 1760 'rundll32.exe'
Killing PID 1884 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINNT\system32\djdlgs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\djdlgs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iaakui.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iaakui.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iepromon.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iepromon.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ixitpki.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ixitpki.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\izfxexps.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\izfxexps.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\izss.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\izss.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lrcalsec.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lrcalsec.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mzxlegih.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mzxlegih.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\porfctrs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\porfctrs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rqm.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rqm.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rRssapi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rRssapi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wwcdlg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wwcdlg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\djdlgs.dll
Successfully Deleted: C:\WINNT\system32\djdlgs.dll
deleting: C:\WINNT\system32\djdlgs.dll
Successfully Deleted: C:\WINNT\system32\djdlgs.dll
deleting: C:\WINNT\system32\iaakui.dll
Successfully Deleted: C:\WINNT\system32\iaakui.dll
deleting: C:\WINNT\system32\iaakui.dll
Successfully Deleted: C:\WINNT\system32\iaakui.dll
deleting: C:\WINNT\system32\iepromon.dll
Successfully Deleted: C:\WINNT\system32\iepromon.dll
deleting: C:\WINNT\system32\iepromon.dll
Successfully Deleted: C:\WINNT\system32\iepromon.dll
deleting: C:\WINNT\system32\ixitpki.dll
Successfully Deleted: C:\WINNT\system32\ixitpki.dll
deleting: C:\WINNT\system32\ixitpki.dll
Successfully Deleted: C:\WINNT\system32\ixitpki.dll
deleting: C:\WINNT\system32\izfxexps.dll
Successfully Deleted: C:\WINNT\system32\izfxexps.dll
deleting: C:\WINNT\system32\izfxexps.dll
Successfully Deleted: C:\WINNT\system32\izfxexps.dll
deleting: C:\WINNT\system32\izss.dll
Successfully Deleted: C:\WINNT\system32\izss.dll
deleting: C:\WINNT\system32\izss.dll
Successfully Deleted: C:\WINNT\system32\izss.dll
deleting: C:\WINNT\system32\lrcalsec.dll
Successfully Deleted: C:\WINNT\system32\lrcalsec.dll
deleting: C:\WINNT\system32\lrcalsec.dll
Successfully Deleted: C:\WINNT\system32\lrcalsec.dll
deleting: C:\WINNT\system32\mzxlegih.dll
Successfully Deleted: C:\WINNT\system32\mzxlegih.dll
deleting: C:\WINNT\system32\mzxlegih.dll
Successfully Deleted: C:\WINNT\system32\mzxlegih.dll
deleting: C:\WINNT\system32\porfctrs.dll
Successfully Deleted: C:\WINNT\system32\porfctrs.dll
deleting: C:\WINNT\system32\porfctrs.dll
Successfully Deleted: C:\WINNT\system32\porfctrs.dll
deleting: C:\WINNT\system32\rqm.dll
Successfully Deleted: C:\WINNT\system32\rqm.dll
deleting: C:\WINNT\system32\rqm.dll
Successfully Deleted: C:\WINNT\system32\rqm.dll
deleting: C:\WINNT\system32\rRssapi.dll
Successfully Deleted: C:\WINNT\system32\rRssapi.dll
deleting: C:\WINNT\system32\rRssapi.dll
Successfully Deleted: C:\WINNT\system32\rRssapi.dll
deleting: C:\WINNT\system32\wwcdlg.dll
Successfully Deleted: C:\WINNT\system32\wwcdlg.dll
deleting: C:\WINNT\system32\wwcdlg.dll
Successfully Deleted: C:\WINNT\system32\wwcdlg.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
Zipping up files for submission:
adding: djdlgs.dll (164 bytes security) (deflated 48%)
adding: iaakui.dll (164 bytes security) (deflated 48%)
adding: iepromon.dll (164 bytes security) (deflated 48%)
adding: ixitpki.dll (164 bytes security) (deflated 48%)
adding: izfxexps.dll (164 bytes security) (deflated 48%)
adding: izss.dll (164 bytes security) (deflated 48%)
adding: lrcalsec.dll (164 bytes security) (deflated 48%)
adding: mzxlegih.dll (164 bytes security) (deflated 48%)
adding: porfctrs.dll (164 bytes security) (deflated 48%)
adding: rqm.dll (164 bytes security) (deflated 48%)
adding: rRssapi.dll (164 bytes security) (deflated 48%)
adding: wwcdlg.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 90%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 64%)
adding: test.txt (164 bytes security) (deflated 87%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 83%)
adding: backregs/641678F3-F03C-4A08-8980-0E60DCD14B88.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: djdlgs.dll
deleting local copy: djdlgs.dll
deleting local copy: iaakui.dll
deleting local copy: iaakui.dll
deleting local copy: iepromon.dll
deleting local copy: iepromon.dll
deleting local copy: ixitpki.dll
deleting local copy: ixitpki.dll
deleting local copy: izfxexps.dll
deleting local copy: izfxexps.dll
deleting local copy: izss.dll
deleting local copy: izss.dll
deleting local copy: lrcalsec.dll
deleting local copy: lrcalsec.dll
deleting local copy: mzxlegih.dll
deleting local copy: mzxlegih.dll
deleting local copy: porfctrs.dll
deleting local copy: porfctrs.dll
deleting local copy: rqm.dll
deleting local copy: rqm.dll
deleting local copy: rRssapi.dll
deleting local copy: rRssapi.dll
deleting local copy: wwcdlg.dll
deleting local copy: wwcdlg.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINNT\system32\djdlgs.dll
C:\WINNT\system32\djdlgs.dll
C:\WINNT\system32\iaakui.dll
C:\WINNT\system32\iaakui.dll
C:\WINNT\system32\iepromon.dll
C:\WINNT\system32\iepromon.dll
C:\WINNT\system32\ixitpki.dll
C:\WINNT\system32\ixitpki.dll
C:\WINNT\system32\izfxexps.dll
C:\WINNT\system32\izfxexps.dll
C:\WINNT\system32\izss.dll
C:\WINNT\system32\izss.dll
C:\WINNT\system32\lrcalsec.dll
C:\WINNT\system32\lrcalsec.dll
C:\WINNT\system32\mzxlegih.dll
C:\WINNT\system32\mzxlegih.dll
C:\WINNT\system32\porfctrs.dll
C:\WINNT\system32\porfctrs.dll
C:\WINNT\system32\rqm.dll
C:\WINNT\system32\rqm.dll
C:\WINNT\system32\rRssapi.dll
C:\WINNT\system32\rRssapi.dll
C:\WINNT\system32\wwcdlg.dll
C:\WINNT\system32\wwcdlg.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{641678F3-F03C-4A08-8980-0E60DCD14B88}"=-
[-HKEY_CLASSES_ROOT\CLSID\{641678F3-F03C-4A08-8980-0E60DCD14B88}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
EWIDO LOG:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:29:42 PM, 7/9/2005
+ Report-Checksum: 2B95BC60
+ Scan result:
HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\30t61YLKOZPJ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\30tG1YLKOZPJ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4FE82BA0-9335-4D4E-8E98-76409A88F2C1} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{ACE5B10B-92A3-4103-8583-3684BB09409F} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{487E7682-B976-41FB-A944-E8B83689A454} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\Tasks -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1C78AB3F-A857-482E-80C0-3A1E5238A565} -> Spyware.iSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Virtual Bouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C78AB3F-A857-482E-80C0-3A1E5238A565} -> Spyware.iSearch : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\VB and VBA Program Settings\VBouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\VB and VBA Program Settings\VBouncer\Settings -> Spyware.VirtualBouncer : Cleaned with backup
HKU\S-1-5-21-3911507150-1939016839-30617071-1003\Software\WinTools -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/djdlgs.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/iaakui.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/iepromon.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/ixitpki.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/izfxexps.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/izss.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/lrcalsec.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/mzxlegih.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/porfctrs.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/rqm.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/rRssapi.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/wwcdlg.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0YNF1NXS\n[1].dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TIHFZ722\My404[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\AdDestroyer\AdDestroyer.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\Program Files\ddd.exe -> TrojanDropper.Agent.hh : Cleaned with backup
C:\Program Files\sdf.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\VBouncer\VirtualBouncer.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\WeirdOnTheWeb\weirdontheweb.exe -> Spyware.WeirWeb : Cleaned with backup
C:\Program Files\Yhsfpbx\Vxcqivq.exe -> Trojan.Small.cy : Cleaned with backup
C:\WINNT\autoheal.exe -> Spyware.BargainBuddy.n : Cleaned with backup
C:\WINNT\bmb.exe -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\Downloaded Program Files\clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\Downloaded Program Files\installer_MARKETING14.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINNT\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\WINNT\installer_SIAC.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINNT\optimize.exe -> TrojanDownloader.Dyfuca.dk : Cleaned with backup
C:\WINNT\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINNT\system32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINNT\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINNT\system32\dun.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINNT\system32\exdl0.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\exdl1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\exp.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINNT\system32\exul1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\HookPopup.dll -> Spyware.DealHelper : Cleaned with backup
C:\WINNT\system32\instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\LeisureBoxInst_ppi1a.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\main.exe -> TrojanDownloader.Agent.hw : Cleaned with backup
C:\WINNT\system32\msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\msxct.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\n.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\nsvsvc\nsvsvc.exe -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\patch.exe -> Spyware.iSearch : Cleaned with backup
C:\WINNT\system32\PopOops.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINNT\system32\PopOops2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINNT\system32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINNT\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\SWLAD1.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINNT\system32\SWLAD2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINNT\system32\thin-144-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\thin-175-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\thin-178-1-3-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\thin-94-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\uaknnup.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\uci.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\VB3.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\vidctrl\vidctrl.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\WINNT\system32\weird.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINNT\system32\wintask.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINNT\system32\wrapperouter.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINNT\thin-114-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\vmblsae.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\wisibmhd.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\wsem303.dll -> TrojanDownloader.Dyfuca.dt : Cleaned with backup
::Report End
KASPERSKY LOG:
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Saturday, July 09, 2005 16:38:19
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/07/2005