Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Friend's Computer [RESOLVED]


  • This topic is locked This topic is locked

#1
isolationary

isolationary

    Member

  • Member
  • PipPip
  • 46 posts
Hey again,

(Pieter are you there? Heheh)

My friend's parents ended up downloading a bunch of spyware onto her computer so we're trying to fix it up. I just need you to check if everything is okay because we're still running a little slow, and some programs are saying they don't want to be deleted. So here you go, here's my hijack this log:


Logfile of HijackThis v1.99.1
Scan saved at 2:49:14 PM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: XBTP04967 - {2587B037-ABF4-44b9-925D-3D797B26E5AB} - C:\PROGRA~1\GAMEFI~2\GF-TOO~1.DLL
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmfyfcfl] C:\WINDOWS\wgdyfhnn.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [VideoDriver] C:\WINDOWS\System32\gspotbot.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [PSSetup] "C:\Program Files\PowerStrip\PSSetup.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [zumshlgv] c:\windows\system32\zumshlgv.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\RunOnce: [WMC_0] "C:\WINDOWS\System32\logagent.exe" /RegServer
O4 - HKLM\..\RunOnce: [WMC_1] C:\Program Files\Windows Media Player\WMPEnc.exe /RegServer
O4 - HKLM\..\RunOnce: [WMC_2] C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: tddc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Help - {128C8936-F457-4CCB-818E-05484514171A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {43FE2E1B-3221-4E2F-9F15-48F41BA9C455} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {837F5520-272E-419C-AA9D-89419AC21072} - http://www.comcast.net (file missing) (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...b.2004.5.24.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {980105AE-6031-4855-98F0-2CBF5A76F700} (PowerFTP Control) - http://rfonline.x2ga...om/PowerFTP.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thanks again guys!
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Isolationary,


We are sorry to have missed your log due to heavy traffic.

If you still need help, please post back a fresh Hijack This log.

In the problem has been resolved, please let us know.
  • 0

#3
isolationary

isolationary

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Thanks for responding. Sorry my reply is slow in coming but I just got back to her house.

Here is the new Hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 1:37:12 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\framxpro\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\HijackThis.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: XBTP04967 - {2587B037-ABF4-44b9-925D-3D797B26E5AB} - C:\PROGRA~1\GAMEFI~2\GF-TOO~1.DLL (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmfyfcfl] C:\WINDOWS\wgdyfhnn.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [VideoDriver] C:\WINDOWS\System32\gspotbot.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [PSSetup] "C:\Program Files\PowerStrip\PSSetup.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [zumshlgv] c:\windows\system32\zumshlgv.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\oaalnj.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Help - {128C8936-F457-4CCB-818E-05484514171A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {43FE2E1B-3221-4E2F-9F15-48F41BA9C455} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {837F5520-272E-419C-AA9D-89419AC21072} - http://www.comcast.net (file missing) (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...b.2004.5.24.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {980105AE-6031-4855-98F0-2CBF5A76F700} (PowerFTP Control) - http://rfonline.x2ga...om/PowerFTP.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Isolationary,



Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.

About Buster
CWShredder

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
O2 - BHO: XBTP04967 - {2587B037-ABF4-44b9-925D-3D797B26E5AB} - C:\PROGRA~1\GAMEFI~2\GF-TOO~1.DLL (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [mmfyfcfl] C:\WINDOWS\wgdyfhnn.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [VideoDriver] C:\WINDOWS\System32\gspotbot.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [PSSetup] "C:\Program Files\PowerStrip\PSSetup.exe"
O4 - HKLM\..\Run: [zumshlgv] c:\windows\system32\zumshlgv.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

3. Delete Rogue files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -


Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -


C:\PROGRA~1\GAMEFI~2 <--- Full Folder
C:\Program Files\PowerStrip <---- Full Folder

C:\WINDOWS\wgdyfhnn.exe
C:\WINDOWS\System32\a.exe
C:\WINDOWS\System32\gspotbot.exe
c:\WINDOWS\System32\zzb.exe
c:\windows\system32\zumshlgv.exe
c:\WINDOWS\System32\zzb.exe


4. Remove Infections

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report along with About Buster log.
  • 0

#5
isolationary

isolationary

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Thank you for your help. It's very much appreciated.

HEre is the new Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 4:29:08 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Desktop Architect\datray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\HijackThis.exe

F3 - REG:win.ini: load=??? ??? ??? ? ?
?
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\oaalnj.exe reg_run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Help - {128C8936-F457-4CCB-818E-05484514171A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {43FE2E1B-3221-4E2F-9F15-48F41BA9C455} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {837F5520-272E-419C-AA9D-89419AC21072} - http://www.comcast.net (file missing) (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...b.2004.5.24.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {980105AE-6031-4855-98F0-2CBF5A76F700} (PowerFTP Control) - http://rfonline.x2ga...om/PowerFTP.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

===================================

Attached Files


Edited by isolationary, 25 July 2005 - 02:36 PM.

  • 0

#6
isolationary

isolationary

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
And the last log: Buster

Started Scanning
Internet Cookies
Programs in Memory
Found 'DAP.exe' in 'C:\Program Files\DAP'
Windows Registry
Found '' in 'Software\SpeedBit\Download Accelerator'
Found '' in 'Software\SpeedBit\Download Accelerator\ADS'
Found '' in 'Software\SpeedBit\Download Accelerator\ADS\Default'
Found '' in 'Software\SpeedBit\Download Accelerator\NoTrigger'
Found '' in 'Software\SpeedBit\Download Accelerator\NoTrigger\Always'
Found '' in 'Software\SpeedBit\Download Accelerator\NoTrigger\WhenFound'
Found '' in 'Software\SpeedBit\Download Accelerator\NoTrigger\WhenNotFound'
Found '' in 'SOFTWARE\Classes\eAnthology.DWare'
Found '' in 'SOFTWARE\Classes\CLSID\{235D7A27-DE65-49F0-BFCF-D5C3BC3B2E67}'
Found '' in 'SOFTWARE\Classes\CLSID\{235D7A27-DE65-49F0-BFCF-D5C3BC3B2E67}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{235D7A27-DE65-49F0-BFCF-D5C3BC3B2E67}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{235D7A27-DE65-49F0-BFCF-D5C3BC3B2E67}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{235D7A27-DE65-49F0-BFCF-D5C3BC3B2E67}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}'
Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{62999427-33FC-4baf-9C9C-BCE6BD127F08}'
Found '' in 'SOFTWARE\Classes\CLSID\{62999427-33FC-4baf-9C9C-BCE6BD127F08}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{62999427-33FC-4baf-9C9C-BCE6BD127F08}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{62999427-33FC-4baf-9C9C-BCE6BD127F08}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{62999427-33FC-4baf-9C9C-BCE6BD127F08}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{8110AEA1-AD5B-4B90-883F-04A9A33B106E}'
Found '' in 'SOFTWARE\Classes\CLSID\{8110AEA1-AD5B-4B90-883F-04A9A33B106E}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{8110AEA1-AD5B-4B90-883F-04A9A33B106E}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{8110AEA1-AD5B-4B90-883F-04A9A33B106E}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{9738B9E6-8AFA-11D2-959E-444553540002}'
Found '' in 'SOFTWARE\Classes\CLSID\{9738B9E6-8AFA-11D2-959E-444553540002}\InProcServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{9738B9E6-8AFA-11D2-959E-444553540002}\ProgID'
Found '' in 'SOFTWARE\Classes\DAPIE.Catcher.1\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIE.Catcher\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE.1'
Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE.1\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE\CurVer'
Found '' in 'SOFTWARE\Classes\DAPIEBar.CBAREventer'
Found '' in 'SOFTWARE\Classes\DAPIEBar.CBAREventer.1'
Found '' in 'SOFTWARE\Classes\DAPIEBar.CBAREventer.1\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIEBar.CBAREventer\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIEBar.CBAREventer\CurVer'
Found '' in 'SOFTWARE\Classes\DAPIEBar.DAPIEBarBand'
Found '' in 'SOFTWARE\Classes\DAPIEBar.DAPIEBarBand.1'
Found '' in 'SOFTWARE\Classes\DAPIEBar.DAPIEBarBand.1\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIEBar.DAPIEBarBand\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIEBar.DAPIEBarBand\CurVer'
Found '' in 'SOFTWARE\Classes\DAPNS.Protocol.1'
Found '' in 'SOFTWARE\Classes\DAPNS.Protocol.1\CLSID'
Found '' in 'SOFTWARE\Classes\Interface\{03D365CB-878A-4495-9350-7C67743335D9}'
Found '' in 'SOFTWARE\Classes\Interface\{03D365CB-878A-4495-9350-7C67743335D9}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{03D365CB-878A-4495-9350-7C67743335D9}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{03D365CB-878A-4495-9350-7C67743335D9}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{5BFA1DAE-5EDC-11D2-959E-00C00C02DA5E}'
Found '' in 'SOFTWARE\Classes\Interface\{5BFA1DAE-5EDC-11D2-959E-00C00C02DA5E}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{5BFA1DAE-5EDC-11D2-959E-00C00C02DA5E}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{5BFA1DAE-5EDC-11D2-959E-00C00C02DA5E}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{7892BA33-7984-43A5-A8F5-27ED0AFE6143}'
Found '' in 'SOFTWARE\Classes\Interface\{7892BA33-7984-43A5-A8F5-27ED0AFE6143}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{7892BA33-7984-43A5-A8F5-27ED0AFE6143}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{7892BA33-7984-43A5-A8F5-27ED0AFE6143}\TypeLib'
Found '' in 'SOFTWARE\Classes\TypeLib\{5BFA1DA1-5EDC-11D2-959E-00C00C02DA5E}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{5BFA1DA1-5EDC-11D2-959E-00C00C02DA5E}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{5BFA1DA1-5EDC-11D2-959E-00C00C02DA5E}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{5BFA1DA1-5EDC-11D2-959E-00C00C02DA5E}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{79516451-3E3E-453A-8968-37942F7979F3}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{79516451-3E3E-453A-8968-37942F7979F3}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{79516451-3E3E-453A-8968-37942F7979F3}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{79516451-3E3E-453A-8968-37942F7979F3}\1.0\HELPDIR'
Found '' in 'SOFTWARE\SpeedBit\Download Accelerator\Updates'
Found '' in 'SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bridge'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\VERSION'
Found '' in 'SOFTWARE\Classes\AppID\{BAC984C9-78C8-4105-9E97-1675A4052686}'
Found '' in 'SOFTWARE\Classes\AppID\DMServer.EXE'
Found '' in 'SOFTWARE\Classes\SBITAX7.SBITAX7Ctrl.1'
Found '' in 'SOFTWARE\Classes\SBITAX7.SBITAX7Ctrl.1\CLSID'
Found '' in 'SOFTWARE\Classes\Interface\{EC99CBB3-6275-4923-BC54-8F27AC45F577}'
Found '' in 'SOFTWARE\Classes\Interface\{EC99CBB3-6275-4923-BC54-8F27AC45F577}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{EC99CBB3-6275-4923-BC54-8F27AC45F577}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{EC99CBB3-6275-4923-BC54-8F27AC45F577}\TypeLib'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\InprocServer32'
Found 'Location' in 'SOFTWARE\Magnet'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMVLite'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Recommended Hotfix - 421701D'
Found '' in 'SOFTWARE\MyWay'
Found '{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinMX'
Internet URL Shortcuts
Files and Directories
Found 'config.xml' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\Hyperbar\{1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257}'
Found 'iebgr.bmp' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\Hyperbar\{1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257}'
Found '400.dfn' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\Adverts'
Found 'delfinAF.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinBD.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinCO.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinDL.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinED.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinID.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinKY.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinLD.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinSI.edx' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinST.ebd' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found 'delfinTG.ebd' in 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs'
Found '' in 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX'
Found '' in 'C:\Program Files\Common Files\OE'
Found '' in 'C:\Program Files\Common Files\updater'
Found 'DAP.exe' in 'C:\Program Files\DAP'
Found 'dapupd.exe' in 'C:\Program Files\DAP'
Found 'nnez_388.exe' in 'C:\Program Files\FileSubmit\From Heaven Above'
Found '' in 'C:\Program Files\WinMX'
Found 'errcatch.exe' in 'C:\Program Files\WinMX'
Found 'uninstall.exe' in 'C:\Program Files\WinMX'
Found 'WinMX.exe' in 'C:\Program Files\WinMX'
Found 'Belt.inf' in 'C:\WINDOWS\inf'
Found 'biini.inf' in 'C:\WINDOWS\inf'
Found 'btgrab.inf' in 'C:\WINDOWS\inf'
Found 'dlmax.inf' in 'C:\WINDOWS\inf'
Found '' in 'C:\WINDOWS\inst'
Found '' in 'C:\WINDOWS\isrvs'
Found '' in 'C:\WINDOWS\isrvs\icons'
Found 'spywareavenger.ico' in 'C:\WINDOWS\isrvs\icons'
Found 'virushunter.ico' in 'C:\WINDOWS\isrvs\icons'
Found 'uninstall.html' in 'C:\WINDOWS\system32\wsxsvc'
Found 'xmlparse.dll' in 'C:\WINDOWS\system32'
Found 'xmltok.dll' in 'C:\WINDOWS\system32'
Found 'bdedata2.dll' in 'C:\WINNT\Temp\Altnet'
Found 'bdedownloader.dll' in 'C:\WINNT\Temp\Altnet'
Found 'dman25.dll' in 'C:\WINNT\Temp\Altnet'
Found 'dmanu4.cab' in 'C:\WINNT\Temp\Altnet'
Found 'dmfiles.cab' in 'C:\WINNT\Temp\Altnet'
Found 'DMinfo2.cab' in 'C:\WINNT\Temp\Altnet'
Found 'dminstall2.cab' in 'C:\WINNT\Temp\Altnet'
Found 'pmexe.cab' in 'C:\WINNT\Temp\Altnet'
Found 'pminstall.cab' in 'C:\WINNT\Temp\Altnet'
Found 'Setup.cab' in 'C:\WINNT\Temp\Altnet'
Found 'setup.exe' in 'C:\WINNT\Temp\Altnet'
Found 'bulldownload.exe' in 'C:\WINNT\Temp\BullGuard'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
Checking for 'C:\Program Files\DAP\DAP.exe' in shortcut areas.
Found 'Download Accelerator.lnk' in 'C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Download Accelerator\'
Found 'Download Accelerator Plus.lnk' in 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\'
Checking for 'C:\Program Files\DAP\DAP.exe' in startup areas.
Cleaning 'C:\Program Files\DAP\DAP.exe'
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'. Error=5.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\Hyperbar\{1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257}\config.xml' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\Hyperbar\{1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257}\config.xml' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\Hyperbar\{1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257}\config.xml'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\Hyperbar\{1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257}\iebgr.bmp' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\Hyperbar\{1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257}\iebgr.bmp' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\Hyperbar\{1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257}\iebgr.bmp'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\Adverts\400.dfn' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\Adverts\400.dfn' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\Adverts\400.dfn'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinAF.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinAF.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinAF.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinBD.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinBD.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinBD.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinCO.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinCO.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinCO.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinDL.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinDL.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinDL.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinED.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinED.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinED.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinID.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinID.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinID.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinKY.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinKY.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinKY.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinLD.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinLD.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinLD.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinSI.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinSI.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinSI.edx'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinST.ebd' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinST.ebd' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinST.ebd'
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinTG.ebd' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinTG.ebd' in startup areas.
Cleaning 'C:\Documents and Settings\All Users.WINDOWS\Application Data\wsxs\delfinTG.ebd'
Checking for 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX' in startup areas.
Cleaning 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX'
Checking for 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX\WinMX.lnk' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX\WinMX.lnk' in startup areas.
Cleaning 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX\WinMX.lnk'
Checking for 'C:\Program Files\Common Files\OE' in shortcut areas.
Checking for 'C:\Program Files\Common Files\OE' in startup areas.
Cleaning 'C:\Program Files\Common Files\OE'
Checking for 'C:\Program Files\Common Files\updater' in shortcut areas.
Checking for 'C:\Program Files\Common Files\updater' in startup areas.
Cleaning 'C:\Program Files\Common Files\updater'
Checking for 'C:\Program Files\DAP\DAP.exe' in shortcut areas.
Checking for 'C:\Program Files\DAP\DAP.exe' in startup areas.
Cleaning 'C:\Program Files\DAP\DAP.exe'
[SCANMODS] The file 'C:\Program Files\DAP\DAP.exe' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\DAP\dapupd.exe' in shortcut areas.
Found 'DAP Update.lnk' in 'C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Download Accelerator\'
Checking for 'C:\Program Files\DAP\dapupd.exe' in startup areas.
Cleaning 'C:\Program Files\DAP\dapupd.exe'
Checking for 'C:\Program Files\FileSubmit\From Heaven Above\nnez_388.exe' in shortcut areas.
Checking for 'C:\Program Files\FileSubmit\From Heaven Above\nnez_388.exe' in startup areas.
Cleaning 'C:\Program Files\FileSubmit\From Heaven Above\nnez_388.exe'
Checking for 'C:\Program Files\WinMX' in shortcut areas.
Checking for 'C:\Program Files\WinMX' in startup areas.
Cleaning 'C:\Program Files\WinMX'
Checking for 'C:\Program Files\WinMX\colors.dat' in shortcut areas.
Checking for 'C:\Program Files\WinMX\colors.dat' in startup areas.
Cleaning 'C:\Program Files\WinMX\colors.dat'
Checking for 'C:\Program Files\WinMX\errcatch.exe' in shortcut areas.
Checking for 'C:\Program Files\WinMX\errcatch.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\errcatch.exe'
Checking for 'C:\Program Files\WinMX\library.dat' in shortcut areas.
Checking for 'C:\Program Files\WinMX\library.dat' in startup areas.
Cleaning 'C:\Program Files\WinMX\library.dat'
Checking for 'C:\Program Files\WinMX\license.txt' in shortcut areas.
Checking for 'C:\Program Files\WinMX\license.txt' in startup areas.
Cleaning 'C:\Program Files\WinMX\license.txt'
Checking for 'C:\Program Files\WinMX\opennapconfig.dat' in shortcut areas.
Checking for 'C:\Program Files\WinMX\opennapconfig.dat' in startup areas.
Cleaning 'C:\Program Files\WinMX\opennapconfig.dat'
Checking for 'C:\Program Files\WinMX\settings.dat' in shortcut areas.
Checking for 'C:\Program Files\WinMX\settings.dat' in startup areas.
Cleaning 'C:\Program Files\WinMX\settings.dat'
Checking for 'C:\Program Files\WinMX\uninstall.exe' in shortcut areas.
Checking for 'C:\Program Files\WinMX\uninstall.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\uninstall.exe'
Checking for 'C:\Program Files\WinMX\WinMX.exe' in shortcut areas.
Found 'WinMX.lnk' in 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX\'
Found 'WinMX.lnk' in 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\Games\'
[SCANMODS] The file 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX\WinMX.lnk' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX\WinMX.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\WinMX.exe'
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in shortcut areas.
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in startup areas.
Cleaning 'C:\Program Files\WinMX\wpnpchannelcmds.txt'
Checking for 'C:\Program Files\WinMX\errcatch.exe' in shortcut areas.
Checking for 'C:\Program Files\WinMX\errcatch.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\errcatch.exe'
[SCANMODS] The file 'C:\Program Files\WinMX\errcatch.exe' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX\uninstall.exe' in shortcut areas.
Checking for 'C:\Program Files\WinMX\uninstall.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\uninstall.exe'
[SCANMODS] The file 'C:\Program Files\WinMX\uninstall.exe' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX\WinMX.exe' in shortcut areas.
Found 'WinMX.lnk' in 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX\'
Found 'WinMX.lnk' in 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\Games\'
[SCANMODS] The file 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Start Menu\Programs\WinMX\WinMX.lnk' was not found. Most likely already cleaned by another scanner module.
[SCANMODS] The file 'C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\Games\WinMX.lnk' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX\WinMX.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\WinMX.exe'
[SCANMODS] The file 'C:\Program Files\WinMX\WinMX.exe' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\WINDOWS\inf\Belt.inf' in shortcut areas.
Checking for 'C:\WINDOWS\inf\Belt.inf' in startup areas.
Cleaning 'C:\WINDOWS\inf\Belt.inf'
Checking for 'C:\WINDOWS\inf\biini.inf' in shortcut areas.
Checking for 'C:\WINDOWS\inf\biini.inf' in startup areas.
Cleaning 'C:\WINDOWS\inf\biini.inf'
Checking for 'C:\WINDOWS\inf\btgrab.inf' in shortcut areas.
Checking for 'C:\WINDOWS\inf\btgrab.inf' in startup areas.
Cleaning 'C:\WINDOWS\inf\btgrab.inf'
Checking for 'C:\WINDOWS\inf\dlmax.inf' in shortcut areas.
Checking for 'C:\WINDOWS\inf\dlmax.inf' in startup areas.
Cleaning 'C:\WINDOWS\inf\dlmax.inf'
Checking for 'C:\WINDOWS\inst' in shortcut areas.
Checking for 'C:\WINDOWS\inst' in startup areas.
Cleaning 'C:\WINDOWS\inst'
Checking for 'C:\WINDOWS\isrvs' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs' in startup areas.
Cleaning 'C:\WINDOWS\isrvs'
Checking for 'C:\WINDOWS\isrvs\icons\hushware.ico' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs\icons\hushware.ico' in startup areas.
Cleaning 'C:\WINDOWS\isrvs\icons\hushware.ico'
Checking for 'C:\WINDOWS\isrvs\icons\popupblocker.ico' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs\icons\popupblocker.ico' in startup areas.
Cleaning 'C:\WINDOWS\isrvs\icons\popupblocker.ico'
Checking for 'C:\WINDOWS\isrvs\icons\spywareavenger.ico' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs\icons\spywareavenger.ico' in startup areas.
Cleaning 'C:\WINDOWS\isrvs\icons\spywareavenger.ico'
Checking for 'C:\WINDOWS\isrvs\icons\usaplatinum.ico' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs\icons\usaplatinum.ico' in startup areas.
Cleaning 'C:\WINDOWS\isrvs\icons\usaplatinum.ico'
Checking for 'C:\WINDOWS\isrvs\icons\virushunter.ico' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs\icons\virushunter.ico' in startup areas.
Cleaning 'C:\WINDOWS\isrvs\icons\virushunter.ico'
Checking for 'C:\WINDOWS\isrvs\icons' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs\icons' in startup areas.
Cleaning 'C:\WINDOWS\isrvs\icons'
[SCANMODS] The file 'C:\WINDOWS\isrvs\icons' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\WINDOWS\isrvs\icons\spywareavenger.ico' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs\icons\spywareavenger.ico' in startup areas.
Cleaning 'C:\WINDOWS\isrvs\icons\spywareavenger.ico'
[SCANMODS] The file 'C:\WINDOWS\isrvs\icons\spywareavenger.ico' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\WINDOWS\isrvs\icons\virushunter.ico' in shortcut areas.
Checking for 'C:\WINDOWS\isrvs\icons\virushunter.ico' in startup areas.
Cleaning 'C:\WINDOWS\isrvs\icons\virushunter.ico'
[SCANMODS] The file 'C:\WINDOWS\isrvs\icons\virushunter.ico' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\WINDOWS\system32\wsxsvc\uninstall.html' in shortcut areas.
Checking for 'C:\WINDOWS\system32\wsxsvc\uninstall.html' in startup areas.
Cleaning 'C:\WINDOWS\system32\wsxsvc\uninstall.html'
Checking for 'C:\WINDOWS\system32\xmlparse.dll' in shortcut areas.
Checking for 'C:\WINDOWS\system32\xmlparse.dll' in startup areas.
Cleaning 'C:\WINDOWS\system32\xmlparse.dll'
Checking for 'C:\WINDOWS\system32\xmltok.dll' in shortcut areas.
Checking for 'C:\WINDOWS\system32\xmltok.dll' in startup areas.
Cleaning 'C:\WINDOWS\system32\xmltok.dll'
Checking for 'C:\WINNT\Temp\Altnet\bdedata2.dll' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\bdedata2.dll' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\bdedata2.dll'
Checking for 'C:\WINNT\Temp\Altnet\bdedownloader.dll' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\bdedownloader.dll' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\bdedownloader.dll'
Checking for 'C:\WINNT\Temp\Altnet\dman25.dll' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\dman25.dll' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\dman25.dll'
Checking for 'C:\WINNT\Temp\Altnet\dmanu4.cab' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\dmanu4.cab' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\dmanu4.cab'
Checking for 'C:\WINNT\Temp\Altnet\dmfiles.cab' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\dmfiles.cab' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\dmfiles.cab'
Checking for 'C:\WINNT\Temp\Altnet\DMinfo2.cab' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\DMinfo2.cab' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\DMinfo2.cab'
Checking for 'C:\WINNT\Temp\Altnet\dminstall2.cab' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\dminstall2.cab' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\dminstall2.cab'
Checking for 'C:\WINNT\Temp\Altnet\pmexe.cab' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\pmexe.cab' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\pmexe.cab'
Checking for 'C:\WINNT\Temp\Altnet\pminstall.cab' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\pminstall.cab' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\pminstall.cab'
Checking for 'C:\WINNT\Temp\Altnet\Setup.cab' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\Setup.cab' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\Setup.cab'
Checking for 'C:\WINNT\Temp\Altnet\setup.exe' in shortcut areas.
Checking for 'C:\WINNT\Temp\Altnet\setup.exe' in startup areas.
Cleaning 'C:\WINNT\Temp\Altnet\setup.exe'
Checking for 'C:\WINNT\Temp\BullGuard\bulldownload.exe' in shortcut areas.
Checking for 'C:\WINNT\Temp\BullGuard\bulldownload.exe' in startup areas.
Cleaning 'C:\WINNT\Temp\BullGuard\bulldownload.exe'
Finished Cleaning
  • 0

#7
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!
  • 0

#8
isolationary

isolationary

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I"m having trouble downoading Track qoo...the link you've given me is brokenish.

Edited by isolationary, 25 July 2005 - 02:53 PM.

  • 0

#9
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
The link works fine for me !!

Anyway please try this link - http://forums.subrat...e=post&id=39295
  • 0

#10
isolationary

isolationary

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 4/30/2005 6:44:02 PM 65536 C:\WINDOWS\IFinst27.exe
UPX! 5/13/2003 5:38:48 PM 429032 C:\WINDOWS\mgs_snakeeater.jpg

Checking %System% folder...
UPX! 9/17/2001 1:20:02 PM 9216 C:\WINDOWS\SYSTEM32\cpuinf32.dll
PEC2 9/3/2002 9:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 11/24/2001 7:31:48 PM 65536 C:\WINDOWS\SYSTEM32\DVDAudio.ax
UPX! 11/24/2001 7:28:14 PM 86528 C:\WINDOWS\SYSTEM32\DVDVideo.ax
WinShutDown 7/11/2005 2:04:36 PM 235467 C:\WINDOWS\SYSTEM32\f8j2li1o18.dll
ad-w-a-r-e.com 7/11/2005 2:04:36 PM 235467 C:\WINDOWS\SYSTEM32\f8j2li1o18.dll
WinShutDown 7/11/2005 1:57:04 PM 233760 C:\WINDOWS\SYSTEM32\g6402ghmg64a2.dll
ad-w-a-r-e.com 7/11/2005 1:57:04 PM 233760 C:\WINDOWS\SYSTEM32\g6402ghmg64a2.dll
WinShutDown 7/11/2005 1:56:04 PM 233760 C:\WINDOWS\SYSTEM32\icq.dll
ad-w-a-r-e.com 7/11/2005 1:56:04 PM 233760 C:\WINDOWS\SYSTEM32\icq.dll
UPX! 5/14/2001 1:11:52 PM 536064 C:\WINDOWS\SYSTEM32\ivivideo.ax
WinShutDown 7/11/2005 11:52:36 AM 233760 C:\WINDOWS\SYSTEM32\mlisam11.dll
ad-w-a-r-e.com 7/11/2005 11:52:36 AM 233760 C:\WINDOWS\SYSTEM32\mlisam11.dll
UPX! 11/8/2003 12:34:00 PM 36864 C:\WINDOWS\SYSTEM32\MPCDec.ax
UPX! 10/31/2001 11:14:40 AM 30720 C:\WINDOWS\SYSTEM32\mplaa6.dll
UPX! 10/31/2001 11:14:40 AM 30208 C:\WINDOWS\SYSTEM32\mplam6.dll
UPX! 10/31/2001 11:14:40 AM 29184 C:\WINDOWS\SYSTEM32\mplapx.dll
UPX! 10/31/2001 11:14:40 AM 30720 C:\WINDOWS\SYSTEM32\mplaw7.dll
UPX! 10/31/2001 11:14:40 AM 215040 C:\WINDOWS\SYSTEM32\mplva6.dll
UPX! 10/31/2001 11:14:40 AM 203264 C:\WINDOWS\SYSTEM32\mplvm6.dll
UPX! 10/31/2001 11:14:40 AM 245760 C:\WINDOWS\SYSTEM32\mplvpx.dll
UPX! 10/31/2001 11:14:40 AM 211456 C:\WINDOWS\SYSTEM32\mplvw7.dll
PEC2 2/11/2004 9:38:40 PM 283648 C:\WINDOWS\SYSTEM32\NPSCAN.DLL
PEC2 1/28/2004 8:28:14 PM 46080 C:\WINDOWS\SYSTEM32\npunzip.dll
PEC2 7/11/1997 1:00:00 AM 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP
Umonitor 9/3/2002 9:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 9/3/2002 9:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
qoologic 7/25/2005 5:17:08 PM 3116 C:\WINDOWS\SYSTEM32\drivers\etc\hosts
urllogic 7/25/2005 5:17:08 PM 3116 C:\WINDOWS\SYSTEM32\drivers\etc\hosts
urllogic 7/25/2005 5:17:08 PM 3116 C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder for system and hidden files within the last 60 days...
7/13/2005 10:56:12 PM 0 C:\WINDOWS\LastGood\INF\codecs10.inf
7/13/2005 10:56:12 PM 0 C:\WINDOWS\LastGood\INF\codecs10.PNF
7/13/2005 10:56:06 PM 0 C:\WINDOWS\LastGood\INF\DRM10.inf
7/13/2005 10:56:06 PM 0 C:\WINDOWS\LastGood\INF\DRM10.PNF
7/13/2005 10:56:58 PM 0 C:\WINDOWS\LastGood\INF\MPCD10.inf
7/13/2005 10:56:58 PM 0 C:\WINDOWS\LastGood\INF\MPCD10.PNF
7/13/2005 10:55:54 PM 0 C:\WINDOWS\LastGood\INF\MPPRE10.inf
7/13/2005 10:55:54 PM 0 C:\WINDOWS\LastGood\INF\MPPRE10.PNF
7/13/2005 10:57:06 PM 0 C:\WINDOWS\LastGood\INF\MPSTUB10.inf
7/13/2005 10:57:06 PM 0 C:\WINDOWS\LastGood\INF\MPSTUB10.PNF
7/13/2005 10:56:28 PM 0 C:\WINDOWS\LastGood\INF\WMDM10.inf
7/13/2005 10:56:28 PM 0 C:\WINDOWS\LastGood\INF\WMDM10.PNF
7/13/2005 10:56:22 PM 0 C:\WINDOWS\LastGood\INF\WMFSDK10.inf
7/13/2005 10:56:22 PM 0 C:\WINDOWS\LastGood\INF\WMFSDK10.PNF
7/13/2005 10:56:50 PM 0 C:\WINDOWS\LastGood\INF\WMP10.inf
7/13/2005 10:56:50 PM 0 C:\WINDOWS\LastGood\INF\WMP10.PNF
7/13/2005 10:57:12 PM 0 C:\WINDOWS\LastGood\INF\WMSET10.inf
7/13/2005 10:57:12 PM 0 C:\WINDOWS\LastGood\INF\WMSET10.PNF
7/13/2005 10:56:34 PM 0 C:\WINDOWS\LastGood\INF\WPD10.inf
7/13/2005 10:56:34 PM 0 C:\WINDOWS\LastGood\INF\WPD10.PNF
7/25/2005 5:30:22 PM 8192 C:\WINDOWS\system32\config\default.LOG
7/25/2005 5:31:18 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
7/25/2005 5:30:54 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
7/25/2005 5:31:18 PM 49152 C:\WINDOWS\system32\config\software.LOG
7/25/2005 5:31:20 PM 983040 C:\WINDOWS\system32\config\system.LOG
7/25/2005 4:29:16 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1ELVE4BC\desktop.ini
7/25/2005 4:29:16 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1U7G9QF\desktop.ini
7/25/2005 4:29:16 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q35E7IBZ\desktop.ini
7/25/2005 4:29:16 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WVSJ2JIZ\desktop.ini
7/7/2005 2:32:16 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\045c6f61-701a-4bfa-8a05-e8050105a2a8
6/2/2005 12:20:54 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\1974a97c-5fad-487f-98fa-c1f9f1485bd5
5/29/2005 2:14:24 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\1a36f8ff-93e2-48d5-b0bc-2bfcaecaffaa
7/25/2005 5:29:40 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\1bcbf949-0f30-491c-ab73-3acc892d082d
7/11/2005 11:44:58 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\27eabdff-c62c-43ef-9b0f-ada4e95db6d7
7/1/2005 3:04:38 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\27f3577a-f79e-444f-bd93-bc1e4f4372b0
7/24/2005 11:29:32 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2ed4891d-5081-427c-8745-e607832ea1fd
7/18/2005 9:28:28 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3194f6cf-c280-4ac7-a80a-159b28e6fb9c
5/31/2005 12:03:30 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\326f056d-7d4f-43ad-8f53-5f9a523b3483
7/19/2005 4:19:18 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\35443cb4-59b0-4677-b63e-c323e5f02c18
6/20/2005 9:15:16 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3932dfef-729d-456d-a441-147f7b2dc668
6/29/2005 10:43:28 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3a1af973-6d72-4f40-8b43-de63f13740fb
6/9/2005 3:21:46 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\41d8432b-04e9-4016-9985-e5ef2e63fd2f
6/7/2005 6:54:32 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\43b0e12f-ac28-42eb-84ba-7e87d5d16a93
6/18/2005 7:30:08 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\45711cef-e90b-40b6-9cc0-aad54121b724
6/4/2005 12:08:50 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\45d3d8eb-cebd-433f-ad76-7259e084d9e6
6/21/2005 3:33:32 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\49a66804-244b-40e4-a43e-08a2912ab9b2
6/25/2005 12:18:44 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4d32e643-dd2e-4710-b300-0eb6af2fc0ff
7/25/2005 2:48:12 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4e7d18e2-99db-4d54-af90-fd2fca7a58af
7/2/2005 2:44:46 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\551ea6e3-0958-4a2f-8c69-5c556a106523
6/8/2005 3:22:22 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\571b54e9-1e18-4eda-84a2-aa8b0daf1b8b
6/11/2005 12:17:40 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\5c7477f9-1813-4dd0-8bbb-a72c699ce56f
6/12/2005 1:15:46 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\5d899909-ec2b-4c4e-b112-a80d2d2f0435
5/28/2005 12:37:30 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\603ce9ad-f9b9-4165-bbab-ec0dfb106e0e
6/16/2005 3:34:22 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\64193344-44f6-4981-b4a4-aed6880863f9
7/5/2005 11:30:14 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\686c852f-5636-4c39-96c9-b638f8885340
5/27/2005 11:02:00 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\6fea7035-f563-4126-8a61-de7b34dbce52
7/8/2005 8:59:42 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\7be97d0d-a9b2-4dfb-879b-66fbe729b7d3
7/8/2005 8:54:24 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\878a6f71-71c3-4c8e-95fc-d1d24fd77661
6/5/2005 1:33:48 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\87d7669c-4670-4a29-b5b5-d43467fcbfa8
6/3/2005 8:10:40 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\938a55c7-03d8-49ee-99f0-dda7ee5f0198
6/14/2005 11:05:48 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\9f2c71aa-2e3d-4f78-8db9-18b8e631639c
7/23/2005 12:30:10 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a28ffbf3-3577-4caa-ba21-4f20f5eccb1e
6/13/2005 4:06:36 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b09228b7-0dc4-47fa-9066-6a9fc6f5579a
6/12/2005 11:19:02 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b14eab4c-eb53-4062-913b-d7b8f7124382
7/25/2005 5:15:18 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b3cc3f06-e16b-4ee8-84c3-661006f4920d
5/29/2005 9:51:02 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\baa2efa7-4250-4e56-ad01-48b5ff70f73a
6/8/2005 3:35:06 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bcf5e055-0d88-463a-931f-74db39677beb
6/21/2005 4:18:40 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c1069417-093e-4d28-befb-103843803d95
6/19/2005 4:01:28 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c3fb7b5e-fb2c-4460-b194-8f1bea46d324
6/10/2005 11:18:40 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c75fe916-f2b7-4cef-81bd-a99dfb8ea8d4
6/3/2005 1:49:20 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d8ec0dfd-ed7e-46ed-adfd-33a2f2f9b6db
7/12/2005 3:14:50 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e1f83d26-7a94-4d03-b82e-e67ff995f2bb
7/5/2005 7:12:16 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\ec86a5fd-d755-4c57-8882-4224ad9ebf37
6/5/2005 9:57:22 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\ee84d055-f454-4de6-90a3-23beeb7f9dbf
7/5/2005 2:22:18 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f361d987-ac75-45cc-94e2-0390056ece0c
6/5/2005 2:44:08 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f5475783-6e95-4c3d-9f43-fba80830a56d
6/17/2005 7:48:20 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f6eb366b-aa55-40fc-aab3-1151a115f61f
7/24/2005 10:42:58 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\fc3354b0-e76b-4480-9f1e-89b2b7760993
6/25/2005 10:16:36 PM 13698 C:\WINDOWS\system32\Restore\filelist.xml
7/25/2005 5:17:22 PM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\{A61279B8-8E91-1136-B7F3-F8ACAF6FDB47}
=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E982866-63B2-422D-AFB5-57F719CFD89B}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BD686519-BED7-4A9D-9CB8-934EDBAF4C11}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{188D6048-1C40-4563-B332-E9106968049E}
= C:\WINDOWS\system32\ngtapi32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{07DD914E-EB6C-4F46-A3C2-00E0F1526FA5}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E207C06A-0F56-438C-A08E-85735A17E080}
= C:\WINDOWS\system32\dbvvox.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6783E725-4038-46A2-AA88-987171642635}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7552632A-FA61-4164-BDC1-F99B3FE9AD6C}
= C:\WINDOWS\system32\iDlmdd5.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0171B4E-4AA8-4F1E-B9C4-FE237F654CE3}
= C:\WINDOWS\system32\dlrawex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5BC68AC2-8598-4F83-8BAA-B830B48A5A90}
= C:\WINDOWS\system32\rU6u0gj9e6o.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFE3DE92-EABB-443E-9410-5A0B2F561F37}
= C:\WINDOWS\system32\isfxdgps.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0812933A-F59B-4513-9D3A-721386429BA0}
= C:\WINDOWS\system32\ttemeui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EA866444-BFA2-43DD-869E-DCDA7F200A67}
= C:\WINDOWS\system32\kfdlv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D68E3E0B-0BF5-48DE-972E-FDD48F8F9E7A}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{89840745-8584-48BE-9C55-66726049B6D1}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2F76D314-2059-4744-8416-09C64E540CC0}
= C:\WINDOWS\system32\vrbsub.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{91686B17-DCCA-4636-A73B-4D83927A3BE7}
= C:\WINDOWS\system32\mmndex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E288C06D-2DCC-4966-A69E-550818538808}
= C:\WINDOWS\system32\icrtrmgr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7680F1F-2AAF-4A55-BB02-9438F7F0C44D}
= C:\WINDOWS\system32\mbpmspsv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3391D5B7-B3AA-4A33-9EA6-00C8075F1985}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7F94A65-FF42-45E1-9588-104635791009}
= C:\WINDOWS\system32\iaj0l51m1.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A5CCCB8F-1523-4E06-80F0-5A23438EB025}
= C:\WINDOWS\system32\coetcfg.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B272591-4516-481A-B1FE-73B54F211CEE}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F590B4E3-0658-4375-BA59-11CA1FE4B644}
= C:\WINDOWS\system32\kqdlt1.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57456DE7-4F90-48B7-8BDC-696C23165FAD}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B613A94E-68CC-427D-A455-7EFEB64027A4}
= C:\WINDOWS\system32\ewpsrv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0C9713A1-62B3-48EC-B4FE-76EC9C3B2C56}
= C:\WINDOWS\system32\guard.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26E7DD34-BE2B-4C20-90B1-1702BD3E2AC2}
= C:\WINDOWS\system32\icq.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qggkyf
{9eb5064e-7853-4e39-b3b6-e94c23ddb7bf} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qggkyfmk
{309fbc94-d6dc-49a5-995b-5e26e15308af} = C:\WINDOWS\System32\bddka.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
STOPzilla C:\Program Files\STOPzilla!\STOPzilla.exe /autostart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoViewContextMenu 0
NoActiveDesktopChanges 0
DisableLocalMachineRun 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
DisableLocalUserRun 0
NoActiveDesktopChanges 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0
DisableTaskMgr 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\System32\Userinit.exe
Shell = Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\STOPzilla
= IS3WLHandler.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.


As for the Track qoo, I'm getting a VBscript error "Can't find script engine". So the thing won't run...
  • 0

Advertisements


#11
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Isolationary,

I was looking signs of one infection but found two infections in the winpfind log !!!!!


Lets fix them one at a time. At the moment we need to put the winpfind log on the backburner.


Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#12
isolationary

isolationary

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
And here's the l2mfix log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\STOPzilla]
"Asyncronous"=dword:00000001
"DllName"="IS3WLHandler.dll"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A61279B8-8E91-1136-B7F3-F8ACAF6FDB47}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{08267B21-223F-11d3-ACD4-004F4902B913}"="Desktop Architect"
"{2E982866-63B2-422D-AFB5-57F719CFD89B}"=""
"{BD686519-BED7-4A9D-9CB8-934EDBAF4C11}"=""
"{188D6048-1C40-4563-B332-E9106968049E}"=""
"{07DD914E-EB6C-4F46-A3C2-00E0F1526FA5}"=""
"{E207C06A-0F56-438C-A08E-85735A17E080}"=""
"{6783E725-4038-46A2-AA88-987171642635}"=""
"{7552632A-FA61-4164-BDC1-F99B3FE9AD6C}"=""
"{E0171B4E-4AA8-4F1E-B9C4-FE237F654CE3}"=""
"{5BC68AC2-8598-4F83-8BAA-B830B48A5A90}"=""
"{AFE3DE92-EABB-443E-9410-5A0B2F561F37}"=""
"{0812933A-F59B-4513-9D3A-721386429BA0}"=""
"{EA866444-BFA2-43DD-869E-DCDA7F200A67}"=""
"{D68E3E0B-0BF5-48DE-972E-FDD48F8F9E7A}"=""
"{89840745-8584-48BE-9C55-66726049B6D1}"=""
"{2F76D314-2059-4744-8416-09C64E540CC0}"=""
"{91686B17-DCCA-4636-A73B-4D83927A3BE7}"=""
"{E288C06D-2DCC-4966-A69E-550818538808}"=""
"{A7680F1F-2AAF-4A55-BB02-9438F7F0C44D}"=""
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{3391D5B7-B3AA-4A33-9EA6-00C8075F1985}"=""
"{A7F94A65-FF42-45E1-9588-104635791009}"=""
"{A5CCCB8F-1523-4E06-80F0-5A23438EB025}"=""
"{6B272591-4516-481A-B1FE-73B54F211CEE}"=""
"{F590B4E3-0658-4375-BA59-11CA1FE4B644}"=""
"{57456DE7-4F90-48B7-8BDC-696C23165FAD}"=""
"{B613A94E-68CC-427D-A455-7EFEB64027A4}"=""
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{0C9713A1-62B3-48EC-B4FE-76EC9C3B2C56}"=""
"{26E7DD34-BE2B-4C20-90B1-1702BD3E2AC2}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD686519-BED7-4A9D-9CB8-934EDBAF4C11}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD686519-BED7-4A9D-9CB8-934EDBAF4C11}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD686519-BED7-4A9D-9CB8-934EDBAF4C11}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD686519-BED7-4A9D-9CB8-934EDBAF4C11}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{188D6048-1C40-4563-B332-E9106968049E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{188D6048-1C40-4563-B332-E9106968049E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{188D6048-1C40-4563-B332-E9106968049E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{188D6048-1C40-4563-B332-E9106968049E}\InprocServer32]
@="C:\\WINDOWS\\system32\\ngtapi32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{07DD914E-EB6C-4F46-A3C2-00E0F1526FA5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{07DD914E-EB6C-4F46-A3C2-00E0F1526FA5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{07DD914E-EB6C-4F46-A3C2-00E0F1526FA5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{07DD914E-EB6C-4F46-A3C2-00E0F1526FA5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E207C06A-0F56-438C-A08E-85735A17E080}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E207C06A-0F56-438C-A08E-85735A17E080}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E207C06A-0F56-438C-A08E-85735A17E080}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E207C06A-0F56-438C-A08E-85735A17E080}\InprocServer32]
@="C:\\WINDOWS\\system32\\dbvvox.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6783E725-4038-46A2-AA88-987171642635}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6783E725-4038-46A2-AA88-987171642635}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6783E725-4038-46A2-AA88-987171642635}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6783E725-4038-46A2-AA88-987171642635}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7552632A-FA61-4164-BDC1-F99B3FE9AD6C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7552632A-FA61-4164-BDC1-F99B3FE9AD6C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7552632A-FA61-4164-BDC1-F99B3FE9AD6C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7552632A-FA61-4164-BDC1-F99B3FE9AD6C}\InprocServer32]
@="C:\\WINDOWS\\system32\\iDlmdd5.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E0171B4E-4AA8-4F1E-B9C4-FE237F654CE3}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{E0171B4E-4AA8-4F1E-B9C4-FE237F654CE3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0171B4E-4AA8-4F1E-B9C4-FE237F654CE3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0171B4E-4AA8-4F1E-B9C4-FE237F654CE3}\InprocServer32]
@="C:\\WINDOWS\\system32\\dlrawex.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5BC68AC2-8598-4F83-8BAA-B830B48A5A90}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{5BC68AC2-8598-4F83-8BAA-B830B48A5A90}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5BC68AC2-8598-4F83-8BAA-B830B48A5A90}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5BC68AC2-8598-4F83-8BAA-B830B48A5A90}\InprocServer32]
@="C:\\WINDOWS\\system32\\rU6u0gj9e6o.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AFE3DE92-EABB-443E-9410-5A0B2F561F37}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AFE3DE92-EABB-443E-9410-5A0B2F561F37}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AFE3DE92-EABB-443E-9410-5A0B2F561F37}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AFE3DE92-EABB-443E-9410-5A0B2F561F37}\InprocServer32]
@="C:\\WINDOWS\\system32\\isfxdgps.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0812933A-F59B-4513-9D3A-721386429BA0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0812933A-F59B-4513-9D3A-721386429BA0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0812933A-F59B-4513-9D3A-721386429BA0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0812933A-F59B-4513-9D3A-721386429BA0}\InprocServer32]
@="C:\\WINDOWS\\system32\\ttemeui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EA866444-BFA2-43DD-869E-DCDA7F200A67}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA866444-BFA2-43DD-869E-DCDA7F200A67}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA866444-BFA2-43DD-869E-DCDA7F200A67}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA866444-BFA2-43DD-869E-DCDA7F200A67}\InprocServer32]
@="C:\\WINDOWS\\system32\\kfdlv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D68E3E0B-0BF5-48DE-972E-FDD48F8F9E7A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D68E3E0B-0BF5-48DE-972E-FDD48F8F9E7A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D68E3E0B-0BF5-48DE-972E-FDD48F8F9E7A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D68E3E0B-0BF5-48DE-972E-FDD48F8F9E7A}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{89840745-8584-48BE-9C55-66726049B6D1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{89840745-8584-48BE-9C55-66726049B6D1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{89840745-8584-48BE-9C55-66726049B6D1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{89840745-8584-48BE-9C55-66726049B6D1}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2F76D314-2059-4744-8416-09C64E540CC0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F76D314-2059-4744-8416-09C64E540CC0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F76D314-2059-4744-8416-09C64E540CC0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F76D314-2059-4744-8416-09C64E540CC0}\InprocServer32]
@="C:\\WINDOWS\\system32\\vrbsub.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{91686B17-DCCA-4636-A73B-4D83927A3BE7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91686B17-DCCA-4636-A73B-4D83927A3BE7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91686B17-DCCA-4636-A73B-4D83927A3BE7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91686B17-DCCA-4636-A73B-4D83927A3BE7}\InprocServer32]
@="C:\\WINDOWS\\system32\\mmndex.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E288C06D-2DCC-4966-A69E-550818538808}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E288C06D-2DCC-4966-A69E-550818538808}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E288C06D-2DCC-4966-A69E-550818538808}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E288C06D-2DCC-4966-A69E-550818538808}\InprocServer32]
@="C:\\WINDOWS\\system32\\icrtrmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A7680F1F-2AAF-4A55-BB02-9438F7F0C44D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7680F1F-2AAF-4A55-BB02-9438F7F0C44D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7680F1F-2AAF-4A55-BB02-9438F7F0C44D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7680F1F-2AAF-4A55-BB02-9438F7F0C44D}\InprocServer32]
@="C:\\WINDOWS\\system32\\mbpmspsv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3391D5B7-B3AA-4A33-9EA6-00C8075F1985}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3391D5B7-B3AA-4A33-9EA6-00C8075F1985}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3391D5B7-B3AA-4A33-9EA6-00C8075F1985}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3391D5B7-B3AA-4A33-9EA6-00C8075F1985}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A7F94A65-FF42-45E1-9588-104635791009}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7F94A65-FF42-45E1-9588-104635791009}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7F94A65-FF42-45E1-9588-104635791009}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7F94A65-FF42-45E1-9588-104635791009}\InprocServer32]
@="C:\\WINDOWS\\system32\\iaj0l51m1.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A5CCCB8F-1523-4E06-80F0-5A23438EB025}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5CCCB8F-1523-4E06-80F0-5A23438EB025}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5CCCB8F-1523-4E06-80F0-5A23438EB025}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5CCCB8F-1523-4E06-80F0-5A23438EB025}\InprocServer32]
@="C:\\WINDOWS\\system32\\coetcfg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6B272591-4516-481A-B1FE-73B54F211CEE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B272591-4516-481A-B1FE-73B54F211CEE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B272591-4516-481A-B1FE-73B54F211CEE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B272591-4516-481A-B1FE-73B54F211CEE}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F590B4E3-0658-4375-BA59-11CA1FE4B644}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{F590B4E3-0658-4375-BA59-11CA1FE4B644}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F590B4E3-0658-4375-BA59-11CA1FE4B644}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F590B4E3-0658-4375-BA59-11CA1FE4B644}\InprocServer32]
@="C:\\WINDOWS\\system32\\kqdlt1.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{57456DE7-4F90-48B7-8BDC-696C23165FAD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57456DE7-4F90-48B7-8BDC-696C23165FAD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57456DE7-4F90-48B7-8BDC-696C23165FAD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57456DE7-4F90-48B7-8BDC-696C23165FAD}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B613A94E-68CC-427D-A455-7EFEB64027A4}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{B613A94E-68CC-427D-A455-7EFEB64027A4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B613A94E-68CC-427D-A455-7EFEB64027A4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B613A94E-68CC-427D-A455-7EFEB64027A4}\InprocServer32]
@="C:\\WINDOWS\\system32\\ewpsrv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0C9713A1-62B3-48EC-B4FE-76EC9C3B2C56}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C9713A1-62B3-48EC-B4FE-76EC9C3B2C56}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C9713A1-62B3-48EC-B4FE-76EC9C3B2C56}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C9713A1-62B3-48EC-B4FE-76EC9C3B2C56}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{26E7DD34-BE2B-4C20-90B1-1702BD3E2AC2}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{26E7DD34-BE2B-4C20-90B1-1702BD3E2AC2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{26E7DD34-BE2B-4C20-90B1-1702BD3E2AC2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{26E7DD34-BE2B-4C20-90B1-1702BD3E2AC2}\InprocServer32]
@="C:\\WINDOWS\\system32\\icq.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aza6l9~1.dll Sat Jul 2 2005 2:50:40p ..S.R 0 0.00 K
e2200c~1.dll Mon Jul 11 2005 11:53:26a ..S.R 0 0.00 K
f8j2li~1.dll Mon Jul 11 2005 2:04:36p ..S.R 235,467 229.95 K
g6402g~1.dll Mon Jul 11 2005 1:57:04p ..S.R 233,760 228.28 K
icq.dll Mon Jul 11 2005 1:56:04p ..S.R 233,760 228.28 K
l2n40c~1.dll Mon May 16 2005 7:55:54a ..S.R 0 0.00 K
mlisam11.dll Mon Jul 11 2005 11:52:36a ..S.R 233,760 228.28 K
p66s0g~1.dll Fri Jul 8 2005 8:57:26p ..S.R 0 0.00 K
wbhelp2.dll Sun May 8 2005 12:52:52a A.... 50,688 49.50 K

9 items found: 9 files (8 H/S), 0 directories.
Total of file sizes: 987,435 bytes 964.29 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is FC02-5F2F

Directory of C:\WINDOWS\System32

07/11/2005 02:04 PM 235,467 f8j2li1o18.dll
07/11/2005 01:57 PM 233,760 g6402ghmg64a2.dll
07/11/2005 01:56 PM 233,760 icq.dll
07/11/2005 11:53 AM 0 e2200cfmef2a0.dll
07/11/2005 11:52 AM 233,760 mlisam11.dll
07/08/2005 08:57 PM 0 p66s0gj7e6o.dll
07/02/2005 02:50 PM 0 aza6l9ls1.dll
05/16/2005 07:55 AM 0 l2n40c5qef.dll
03/12/2005 09:56 AM 0 ktnul7591.dll
09/17/2004 10:34 PM <DIR> dllcache
09/14/2004 02:38 PM 56 7490327ECA.sys
02/16/2004 09:00 PM 7,168 Thumbs.db
01/02/2004 05:13 PM <DIR> Microsoft
11 File(s) 943,971 bytes
2 Dir(s) 12,055,134,208 bytes free
  • 0

#13
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#14
isolationary

isolationary

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Here's the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:45 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\oaalnj.exe reg_run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Owner.DEBORAH-ZLB4L6K\Desktop\Programs\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabino...b.2004.5.24.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {980105AE-6031-4855-98F0-2CBF5A76F700} (PowerFTP Control) - http://rfonline.x2ga...om/PowerFTP.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

=====================================

Attached the l2mfix log.

Attached Files

  • Attached File  log.txt   64.16KB   49 downloads

Edited by isolationary, 25 July 2005 - 09:01 PM.

  • 0

#15
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Lets try this now -

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP