rundll32.exe [RESOLVED]


#1
raiderman

My computer has been running really slow. When I click a link it freezes the screen for a minute or so. Also I notice that ZoneAlarm says that rundll32.exe is trying to access the internet. I have been denying access because I don't know what it is. I notice when I have several windows of Internet Explorer open I cannot click on the task bar to go back and forth. I have to minimize one window in order to see the other. Yet another quirk is that when I hit control-alt-delete, I don't see the websites I have open under programs. McAfee anti-virus and Spybot do not find anything. When I run Firefox instead of Explorer the same delay occurs but I get a message saying a script is slowing down Firefox and it gives me the option of stopping the script. I suspect this script is some kind of malware related to rundll32.exe. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:27:37 PM, on 7/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O2 - BHO: (no name) - {2DB43E05-FDEF-DD61-C46A-D97835BD9FCF} - C:\WINDOWS\SYSTEM\IRT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {5D14CE3B-3A07-4FF8-B2E3-EAA44406CE83} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.ucs.att.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcaf...d/mcinstall.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by11fd.bay11....es/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com...y/PCPTracks.cab
O21 - SSODL: System - {2216907F-6694-4FEF-8426-1EDB77BAB8E7} - C:\WINDOWS\system32\system32.dll

Thanks for any help you can give me!


#2
greyknight17

Malware Expert

Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Right click on this link http://www.greyknigh...lO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc (obfuscated)
O2 - BHO: (no name) - {2DB43E05-FDEF-DD61-C46A-D97835BD9FCF} - C:\WINDOWS\SYSTEM\IRT.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O21 - SSODL: System - {2216907F-6694-4FEF-8426-1EDB77BAB8E7} - C:\WINDOWS\system32\system32.dll


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\IRT.DLL
C:\WINDOWS\system32\system32.dll


Restart and run a new HijackThis scan. Save the log file and post it here.

#3
raiderman

I followed all the steps except I could not find the file C:\WINDOWS\SYSTEM\IRT.DLL. The closest I found was C:\WINDOWS\SYSTEM\MSVCIRT.DLL which I left. I restored the default Internet Explorer page to mail.yahoo.com. I still have the same problem. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:42 PM, on 7/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {5D14CE3B-3A07-4FF8-B2E3-EAA44406CE83} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.ucs.att.net
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcaf...d/mcinstall.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by11fd.bay11....es/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com...y/PCPTracks.cab
  • 0
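
An added example, not part of the original thread: one way to check a follow-up HijackThis scan against a helper's fix list, run here on shortened excerpts of the logs and fix list posted above. The function names (`parse_entries`, `running_processes`, `compare`) are this example's own, not part of HijackThis.

```python
import re

# Matches HijackThis result lines such as "R1 - ..." or "O15 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Shortened excerpts of the logs and fix list posted in this thread.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {2DB43E05-FDEF-DD61-C46A-D97835BD9FCF} - C:\WINDOWS\SYSTEM\IRT.DLL
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O21 - SSODL: System - {2216907F-6694-4FEF-8426-1EDB77BAB8E7} - C:\WINDOWS\system32\system32.dll
"""

FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: (no name) - {2DB43E05-FDEF-DD61-C46A-D97835BD9FCF} - C:\WINDOWS\SYSTEM\IRT.DLL
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O21 - SSODL: System - {2216907F-6694-4FEF-8426-1EDB77BAB8E7} - C:\WINDOWS\system32\system32.dll
"""

AFTER_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
"""


def _norm(line):
    """Case- and whitespace-insensitive key for comparing log lines."""
    return " ".join(line.split()).lower()


def parse_entries(log_text):
    """Map normalized entry line -> (section code, original line)."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries[_norm(line)] = (match.group(1), line)
    return entries


def running_processes(log_text):
    """Return the upper-cased paths listed under 'Running processes:'."""
    procs, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line:  # a blank line ends the process list
                break
            procs.append(line.upper())
    return procs


def compare(before_log, fix_list, after_log):
    """Report fix-list items still present and unexpected changes between scans."""
    before = parse_entries(before_log)
    fixes = parse_entries(fix_list)
    after = parse_entries(after_log)
    return {
        # On the fix list but still in the new scan (restored, or fix failed).
        "still_present": [o for k, (_, o) in fixes.items() if k in after],
        # Gone from the new scan although nobody asked for their removal.
        "removed_unlisted": [o for k, (_, o) in before.items()
                             if k not in after and k not in fixes],
        # Not in the first scan at all: worth a second look.
        "new_entries": [o for k, (_, o) in after.items() if k not in before],
    }


if __name__ == "__main__":
    for name, lines in compare(BEFORE_LOG, FIX_LIST, AFTER_LOG).items():
        print(name, lines)
    target = r"C:\WINDOWS\RUNDLL32.EXE"
    print("rundll32 instances:",
          running_processes(BEFORE_LOG).count(target), "->",
          running_processes(AFTER_LOG).count(target))
```

On these excerpts the only fix-list entry still present is the Start Page line, and rundll32.exe is still listed among the running processes in the second scan.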

#4
greyknight17

Malware Expert

Tell me if you can find and delete any of these files:

C:\WINDOWS\System32\param32.dll
C:\WINDOWS\System32\systr.dll
C:\WINDOWS\System32\guninst.exe
C:\WINDOWS\System32\popup_bl.dll
C:\WINDOWS\System32\SEARCHDLL.DLL


Give me this log:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the lower pane --- Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

#5
raiderman

I don't have any of the C:\WINDOWS\System32 files you mentioned. Here is the log of the Mwav virus checker:

File C:\WINDOWS\SYSTEM\MGIHRNJP.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\TVUMBVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\napv2b9-6.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Desktop\backups\backup-20050723-221334-876.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "coolwebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\mcinstall.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MSNChat42.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\SYSTEM\okshook.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\SYSTEM\sporder.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ActiveX.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Web\ADOBEWEB.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Web\ADOBEB~1.AWE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Web\ADOBEB~1.GIF". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpf9xdr0.drv". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfftrc0.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfbxtr0.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfrelb0.hlp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfpegn0.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfjbui0.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfui9x0.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfprvw0.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpftbox0.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfeime0.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfhlpb0.hlp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfstsc0.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfpimg0.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfcfig0.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\hpfpcle0.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\mcinstall.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MSNChat42.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\okshook.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\sporder.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\JETERR40.CHM". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\VFPODBC.TXT". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\DRVVFP.HLP". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\DRVVFP.CNT". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ODBCJET.HLP". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ODBCJET.CNT". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ODBCINST.HLP". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ODBCINST.CNT". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\DUMSVINN.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WPBVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\orybxij.exe tagged as "not-a-virus:AdWare.PurityScan.au". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\lupcx10N.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\DIKAPI32.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UpdInst.exe tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mgihrnjp.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mfidntld.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\OWCACHE.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WLSDMOD.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\QGWMCI32.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MUC42.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\lhefx10N.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MKVCP60.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sqfup.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\SZIMGVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MUC40.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\hdinfo.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MzfApi.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\TVUMBVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\freepeers-298.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40HK.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AT&T\ATTKIT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\TEMP\freepeers-298.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\DUMSVINN.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WPBVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\orybxij.exe tagged as "not-a-virus:AdWare.PurityScan.au". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\lupcx10N.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\DIKAPI32.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UpdInst.exe tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mgihrnjp.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mfidntld.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\OWCACHE.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WLSDMOD.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\QGWMCI32.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MUC42.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\lhefx10N.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MKVCP60.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sqfup.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\SZIMGVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MUC40.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\hdinfo.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MzfApi.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\TVUMBVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\Application Data\oocs.exe tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\napv2b9-6.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Desktop\backups\backup-20050723-221334-876.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\MediaPassX.dll tagged as "not-a-virus:AdWare.WinAD.w". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0334989.CPY tagged as "not-a-virus:AdWare.Gator.3124". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0347549.CPY tagged as "not-a-virus:[bleep]-Dialer.Win32.Generic". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0347772.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0384161.CPY tagged as "not-a-virus:AdWare.Gator.3124". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0396066.0 tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0418285.0 tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0418290.0 tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0418293.0 tagged as "not-a-virus:AdWare.Gator.6051". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0418295.0 tagged as "not-a-virus:AdWare.Gator.4126". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\BANNER.1 tagged as "not-a-virus:AdWare.Banex.a". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0430675.CPY tagged as "not-a-virus:AdWare.SaveNow.ak". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0430676.CPY tagged as "not-a-virus:AdWare.SaveNow.aw". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\LAPSD11N.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0454671.CPY tagged as "not-a-virus:AdWare.OnFlow". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\MUG_HOOK.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0454779.CPY tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\IJ1X329X.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0455004.0 tagged as not-a-virus:Server-Proxy.Win32.MarketScore.o. No Action Taken.
File C:\_RESTORE\TEMP\A0455057.CPY tagged as "not-a-virus:AdWare.OnFlow". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0455104.0 tagged as "not-a-virus:AdWare.SaveNow.ay". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0455105.CPY tagged as "not-a-virus:AdWare.SaveNow.f". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0474236.CPY tagged as "not-a-virus:AdWare.WinFetcher.b". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0500709.CPY tagged as "not-a-virus:AdWare.ToolBar.MyWay.j". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0500710.CPY tagged as "not-a-virus:AdWare.ToolBar.MyWay.b". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0500827.CPY tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\BANNER.0 tagged as "not-a-virus:AdWare.Banex.a". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\SNOOLSS.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\MZIKBDNO.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\RBCHED.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\CM211_~1.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\QCGR.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\AZDENC32.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\ARCHIVE\FS236.CAB tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\My Documents\My Music\From Internet\BS226.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\Program Files\Online Services\Prodigy - English\PIeng.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Typing Quick & Easy\REGISTER.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\BearShare\Installer\BSINSTALL.exe tagged as "not-a-virus:AdWare.SaveNow.c". Action Taken: No Action Taken.
File C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5160.TMP tagged as "not-a-virus:AdWare.WinAD.ac". Action Taken: No Action Taken.
File C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5191.TMP tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\My Download Files\livecam.exe tagged as "not-a-virus:[bleep]-Dialer.Win32.Generic". Action Taken: No Action Taken.
File C:\My Download Files\lolita-server.mpg.zip tagged as "not-a-virus:[bleep]-Dialer.Win32.Generic". Action Taken: No Action Taken.
File C:\My Download Files\calendari.exe tagged as "not-a-virus:[bleep]-Dialer.Win32.Generic". Action Taken: No Action Taken.
File C:\My Download Files\BSINSTALL.exe tagged as "not-a-virus:AdWare.SaveNow.c". Action Taken: No Action Taken.
File C:\My Download Files\single-step_v105.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

#6
greyknight17
Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.c...bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknigh...LNUninstall.zip
ClearSearch Uninstaller http://www.greyknigh...chUninstall.zip
Kill2Me http://www.greyknigh...spy/Kill2Me.exe

Unzip those zip files that need unzipping. Now run each of those programs (one at a time...).

Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Enable System Restore again by following the same steps as above except you should uncheck 'Disable System Restore'.

Download CCleaner and install it. Run it and go to the Issues tab. Scan for issues. Once it's done, check all of those and hit Fix selected items. Close the program.

Once you are done:

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!


Also give me a new scan/log from mwav.

#7
raiderman
I followed the instructions up to the part where you say "Double click l2mfix.bat." When I do that I get the following message:

Directory already exists
Syntax error
No application is associated with the specified file. Create
an association by using the Explorer.

Please advise.

#8
greyknight17
Sorry about that. It doesn't work on Windows ME :tazz:

OK, run a new mwav scan and post the log here.

You ran those 4 uninstallers already, right? Just want to make sure ;)

#9
raiderman
I ran the 4 uninstallers. Here is the new mwav scan:

File C:\WINDOWS\Desktop\napv2b9-6.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Desktop\backups\backup-20050723-221334-876.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "coolwebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\DUMSVINN.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WPBVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\orybxij.exe tagged as "not-a-virus:AdWare.PurityScan.au". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\lupcx10N.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\DIKAPI32.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UpdInst.exe tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mfidntld.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\OWCACHE.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WLSDMOD.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\QGWMCI32.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MUC42.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\lhefx10N.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MKVCP60.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sqfup.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\SZIMGVW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MUC40.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\hdinfo.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MzfApi.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\DQRAW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\DRRAW.DLL tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\IC41_QCX.dll tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\freepeers-298.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E8UPF9OG\NLNUninstall[1].zip tagged as "not-a-virus:AdWare.IGetNet.c". Action Taken: No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40HK.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\OLS\AT&T\ATTKIT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM32\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\WINDOWS\Application Data\oocs.exe tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\napv2b9-6.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Desktop\backups\backup-20050723-221334-876.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\MediaPassX.dll tagged as "not-a-virus:AdWare.WinAD.w". Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\E8UPF9OG\NLNUninstall[1].zip tagged as "not-a-virus:AdWare.IGetNet.c". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0334989.CPY tagged as "not-a-virus:AdWare.Gator.3124". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0347549.CPY tagged as "not-a-virus:[bleep]-Dialer.Win32.Generic". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0347772.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0384161.CPY tagged as "not-a-virus:AdWare.Gator.3124". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0396066.0 tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0418285.0 tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0418290.0 tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0418293.0 tagged as "not-a-virus:AdWare.Gator.6051". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0418295.0 tagged as "not-a-virus:AdWare.Gator.4126". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\BANNER.1 tagged as "not-a-virus:AdWare.Banex.a". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0430675.CPY tagged as "not-a-virus:AdWare.SaveNow.ak". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0430676.CPY tagged as "not-a-virus:AdWare.SaveNow.aw". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\LAPSD11N.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0454671.CPY tagged as "not-a-virus:AdWare.OnFlow". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\MUG_HOOK.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0454779.CPY tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\IJ1X329X.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0455004.0 tagged as not-a-virus:Server-Proxy.Win32.MarketScore.o. No Action Taken.
File C:\_RESTORE\TEMP\A0455057.CPY tagged as "not-a-virus:AdWare.OnFlow". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0455104.0 tagged as "not-a-virus:AdWare.SaveNow.ay". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0455105.CPY tagged as "not-a-virus:AdWare.SaveNow.f". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0474236.CPY tagged as "not-a-virus:AdWare.WinFetcher.b". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0500709.CPY tagged as "not-a-virus:AdWare.ToolBar.MyWay.j". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0500710.CPY tagged as "not-a-virus:AdWare.ToolBar.MyWay.b". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0500827.CPY tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\BANNER.0 tagged as "not-a-virus:AdWare.Banex.a". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\SNOOLSS.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\MZIKBDNO.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\RBCHED.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\CM211_~1.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\QCGR.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\AZDENC32.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\TVUMBVW.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\MQCAT32.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\DYMASF.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\MGIHRNJP.0 tagged as "not-a-virus:AdWare.Look2Me.ag". Action Taken: No Action Taken.
File C:\_RESTORE\ARCHIVE\FS236.CAB tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\My Documents\My Music\From Internet\BS226.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\Program Files\Online Services\Prodigy - English\PIeng.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Typing Quick & Easy\REGISTER.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\BearShare\Installer\BSINSTALL.exe tagged as "not-a-virus:AdWare.SaveNow.c". Action Taken: No Action Taken.
File C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5160.TMP tagged as "not-a-virus:AdWare.WinAD.ac". Action Taken: No Action Taken.
File C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5191.TMP tagged as "not-a-virus:AdWare.WinAD.ab". Action Taken: No Action Taken.
File C:\Recycled\Dc159.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Recycled\Dc160\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\aolextras\Desktop\UnInstaller.exe tagged as "not-a-virus:AdWare.Zestyfind.b". Action Taken: No Action Taken.
File C:\My Download Files\livecam.exe tagged as "not-a-virus:[bleep]-Dialer.Win32.Generic". Action Taken: No Action Taken.
File C:\My Download Files\lolita-server.mpg.zip tagged as "not-a-virus:[bleep]-Dialer.Win32.Generic". Action Taken: No Action Taken.
File C:\My Download Files\calendari.exe tagged as "not-a-virus:[bleep]-Dialer.Win32.Generic". Action Taken: No Action Taken.
File C:\My Download Files\BSINSTALL.exe tagged as "not-a-virus:AdWare.SaveNow.c". Action Taken: No Action Taken.
File C:\My Download Files\single-step_v105.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Download Files\NLNUninstall.zip tagged as "not-a-virus:AdWare.IGetNet.c". Action Taken: No Action Taken.
File C:\unzipped\NLNUninstall\NLNuninstall.exe tagged as "not-a-virus:AdWare.IGetNet.c". Action Taken: No Action Taken.
  • 0

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, let's do this:

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknigh...spy/Kill2Me.exe
VX2Finder9x http://www.downloads...VX2Finder9x.exe
Hoster http://www.greyknigh.../spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknigh...spy/CleanUp.exe
KillBox http://www.greyknigh...spy/KillBox.exe
DllCompare http://www.greyknigh.../DllCompare.exe

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.c...bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknigh...LNUninstall.zip
ClearSearch Uninstaller http://www.greyknigh...chUninstall.zip

2. Run Kill2Me.

3. Run VX2Finder9x and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum.

4. Run DllCompare now and click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit ...), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare.

5. Go to C:\WINDOWS\SYSTEM\ and sort the files by date. Look for more recently created files and post them here. They are usually randomly named DLL files.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.
  • 0



#11
raiderman

raiderman

    Member

  • Topic Starter
  • Member
  • 13 posts
When I ran VX2Finder9x and clicked on the Find VX2.BetterInternet button, no files were found. Here is the log of DllCompare:

C:\WINDOWS\SYSTEM\dumsvinn.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\wpbvw.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\lupcx10n.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dikapi32.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\owcache.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\wlsdmod.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\qgwmci32.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\muc42.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\lhefx10n.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mkvcp60.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\sqfup.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\szimgvw.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\muc40.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\hdinfo.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mzfapi.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dqraw.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\drraw.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\ic41_qcx.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K

Here are the recent dll files in C:\WINDOWS\SYSTEM\

WPBW.DLL
WLSDMOD.DLL
SZLIMGVW.DLL
SQFUP.DLL
QGWMCI32.DLL
OWCACHE.DLL
MZFAPI.DLL
MUC42.DLL
MUC40.DLL
MKVCP60.DLL
MIDNTLD.DLL
LUPCX10N.DLL
IC41_QCX.DLL
HDINFO.DLL
DUMSVINN.DLL
DRRAW.DLL
DQRAW.DLL
DIKAPI32.DLL

Here are the files with numbers only in C:\WINDOWS\Downloaded Program Files

name: {41F17733-B041....]
type: ActiveX Control
code base: http://a1540.g.akamai.net...

name: {A326348B....}
type: ActiveX Control
code base: http://fdl.msn/publi...t/msnchat42.cab

The C:\Program Files\Internet Explorer directory does not have a download folder. No suspicious file found. I'm keeping my computer on until I get further instructions.
  • 0
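
The DllCompare listing in the post above shows many differently named DLLs that share one timestamp, one set of attribute flags and one byte size. As an added example (not part of the thread and not DllCompare's own code), the Python below groups listing lines on those three fields so such clusters stand out; the column layout is assumed from the posted lines, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Log lines in the format posted above; the last line is constructed
# to stand in for an unrelated system DLL.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM\dumsvinn.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\wpbvw.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\lupcx10n.dll Wed Jul 20 2005 2:38:46p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\example.dll Thu Jun 08 2000 5:00:00p A.... 65,536 64.00 K
"""

# Assumed columns: path, timestamp, five attribute flags, size in bytes.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<stamp>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{4} +\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[.A-Z]{5})\s+"
    r"(?P<size>[\d,]+)\s"
)

def parse_listing(text):
    """Yield (path, timestamp, attrs, size_bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["path"], m["stamp"], m["attrs"], int(m["size"].replace(",", "")))

def clone_clusters(text, min_files=2):
    """Group files sharing timestamp, attribute flags and byte size.

    Differently named files that agree on all three are likely copies of
    one binary, which is the pattern visible in the log above.
    """
    groups = defaultdict(list)
    for path, stamp, attrs, size in parse_listing(text):
        groups[(stamp, attrs, size)].append(path.rsplit("\\", 1)[-1].lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_files}

if __name__ == "__main__":
    for (stamp, attrs, size), names in clone_clusters(SAMPLE_LOG).items():
        print(f"{len(names)} files, {size} bytes, {attrs}, {stamp}: {', '.join(names)}")
```

Lowercasing the file names also makes the result easy to compare against a hand-typed directory listing, where casing and spelling can differ.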

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete all those files found by DllCompare since they are all related to Look2Me in this case.

*Download RegSeeker http://www.hoverdesk.net/freeware.htm and install it.
*Click on 'Clean The Registry' in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click 'Select All' on the bottom. Then right-click on any selected item in the window and select 'Delete Selected Items'.
*Click 'Quit RegSeeker'.

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run RegSeeker again. Do the same thing again if anything is found. You may have to run RegSeeker 5 - 6 times, but you want it showing none to very few items.

*Make sure to reboot between each use of the program.


Restart and run a new mwav log.
  • 0

#13
raiderman

raiderman

    Member

  • Topic Starter
  • Member
  • 13 posts
When I run RegSeeker it finds 488 items. But when I attempt to delete all items a box pops up with a red circle and a cross inside it. The message is:

Violation d'acces a la adresse 0046B768 dans le module 'RegSeeker.exe.' Lecture de l'adresse FFFFFFFF

Why is it in French?
  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try again and see if it still gives you that error. If anything, try deleting half of it and see if that error shows up again.
  • 0

#15
raiderman

raiderman

    Member

  • Topic Starter
  • Member
  • 13 posts
I get the error message when I try to delete the green items. It seems to work for the red items. There are still 129 items left. The problem of a long delay when I click a link remains.
  • 0





