[kittyatmu]

here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:27:59 AM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ornu\nslo.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM95\AIM95\aim.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLServiceHost.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Local Settings\Temp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mansfield.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124261639\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124072443234
O16 - DPF: {D6B2DD49-9184-4334-92E1-D2432EBD2C4E} (Ircchat Control) - http://www.eyechat.org/ircchat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\iWlmrnt5.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\450RGZO7\CWShredder[1].exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


I'm mostly getting popups and whatnot and LOTS, OMG LOTS of Trojans on my comp. When I DO get a popup from Winfixer2005, it will more often than not redirect me to their site, and make me click to get out of it a bunch. Last night I DL'd AVAST! antivirus, so thas what I have in THAT area, and well....it got "rid" of 30 something Trojans from Qoologic. Also, Winfixer seems to be a HUGE problem. I don't know what to do...please help.

[Advertisements]

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

You are currently using hijackthis from a temp directory. This can cause problems. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.


Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

[Buckeye_Sam]

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

You are currently using hijackthis from a temp directory. This can cause problems. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.


Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

[kittyatmu]

(PLEASE REASSURE ME THAT NO ONE WILL HACK ME HERE!!! I'm going out on a limb to trust people I don't even know... )
Here's the log:


L2MFIX find log 1.03c
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iWlmrnt5.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BAAB0EB5-A418-834A-F8E0-33CBDDD1CA24}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}"="SampleView"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{6A26D936-FC8D-4F28-8560-7C20D9EA4C82}"=""
"{C2ED7BDA-FC57-4F3D-96DB-A2095B7E116B}"=""
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6A26D936-FC8D-4F28-8560-7C20D9EA4C82}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A26D936-FC8D-4F28-8560-7C20D9EA4C82}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A26D936-FC8D-4F28-8560-7C20D9EA4C82}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6A26D936-FC8D-4F28-8560-7C20D9EA4C82}\InprocServer32]
@="C:\\WINDOWS\\system32\\sqsvcs.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C2ED7BDA-FC57-4F3D-96DB-A2095B7E116B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2ED7BDA-FC57-4F3D-96DB-A2095B7E116B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2ED7BDA-FC57-4F3D-96DB-A2095B7E116B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2ED7BDA-FC57-4F3D-96DB-A2095B7E116B}\InprocServer32]
@="C:\\WINDOWS\\system32\\dwghelp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Sat Jul 2 2005 7:11:28p A.... 1,019,904 996.00 K
cdfview.dll Sat Jul 2 2005 7:11:28p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
dkrawex.dll Mon Aug 15 2005 7:06:00p ..S.R 417,792 408.00 K
dwghelp.dll Tue Aug 16 2005 9:42:08p ..S.R 417,792 408.00 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
gwfspi~1.dll Tue Jul 12 2005 6:04:22p A.... 23,304 22.76 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
hhsetup.dll Thu May 26 2005 7:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 6:46:00p A.... 254,976 249.00 K
iepeers.dll Sat Jul 2 2005 7:11:28p A.... 251,392 245.50 K
inseng.dll Sat Jul 2 2005 7:11:28p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 7:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 7:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
iwlmrnt5.dll Mon Aug 15 2005 4:34:28a ..S.R 417,792 408.00 K
jbddr.dll Sat Aug 13 2005 9:17:28p A.... 0 0.00 K
kerberos.dll Wed Jun 15 2005 10:49:30a A.... 295,936 289.00 K
kndpo.dll Tue Aug 16 2005 9:37:28p ..S.R 417,792 408.00 K
kwdic.dll Mon Aug 15 2005 4:35:22a ..S.R 417,792 408.00 K
legitc~1.dll Tue Jul 12 2005 6:04:22p A.... 520,456 508.26 K
mscms.dll Tue Jun 28 2005 6:46:00p A.... 74,240 72.50 K
mshtml.dll Tue Jul 19 2005 7:00:30p A.... 3,014,144 2.87 M
mshtmled.dll Sat Jul 2 2005 7:11:30p A.... 448,512 438.00 K
msrating.dll Sat Jul 2 2005 7:11:30p A.... 146,432 143.00 K
myiole32.dll Tue Aug 16 2005 11:39:30p ..S.R 417,792 408.00 K
pncrt.dll Fri Jun 17 2005 10:20:00p A.... 278,528 272.00 K
pndx5016.dll Fri Jun 17 2005 10:20:04p A.... 6,656 6.50 K
pndx5032.dll Fri Jun 17 2005 10:20:04p A.... 5,632 5.50 K
pngfilt.dll Sat Jul 2 2005 7:11:30p A.... 39,424 38.50 K
rmoc3260.dll Fri Jun 17 2005 10:20:26p A.... 176,167 172.04 K
shdocvw.dll Sat Jul 2 2005 7:11:30p A.... 1,483,776 1.41 M
shlwapi.dll Sat Jul 2 2005 7:11:30p A.... 473,600 462.50 K
sqsvcs.dll Tue Aug 16 2005 11:48:18p ..S.R 417,792 408.00 K
supdate.dll Mon Aug 15 2005 6:54:14p A.... 29,184 28.50 K
tapisrv.dll Fri Jul 8 2005 9:27:56a A.... 249,344 243.50 K
umpnpmgr.dll Wed Jun 29 2005 7:02:40p A.... 118,272 115.50 K
urlmon.dll Sat Jul 2 2005 7:11:30p A.... 607,744 593.50 K
wininet.dll Sat Jul 2 2005 7:11:30p A.... 658,432 643.00 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:19:32a A.... 173,536 169.47 K

47 items found: 47 files (7 H/S), 0 directories.
Total of file sizes: 16,659,295 bytes 15.89 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Mon Aug 15 2005 6:40:12p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is HP_PAVILION
Volume Serial Number is 54CF-E6F8

Directory of C:\WINDOWS\System32

08/16/2005 11:48 PM 417,792 sqsvcs.dll
08/16/2005 11:39 PM 417,792 myiole32.dll
08/16/2005 09:42 PM 417,792 dwghelp.dll
08/16/2005 09:37 PM 417,792 kndpo.dll
08/15/2005 07:05 PM 417,792 dkrawex.dll
08/15/2005 06:41 PM <DIR> dllcache
08/15/2005 06:40 PM 417,792 guard.tmp
08/15/2005 04:35 AM 417,792 kwdic.dll
08/15/2005 04:34 AM 417,792 iWlmrnt5.dll
07/19/2005 01:24 AM 3,350 KGyGaAvL.sys
07/19/2005 01:23 AM 56 EC6E2F7A30.sys
08/11/2004 06:15 PM <DIR> Microsoft
10 File(s) 3,345,742 bytes
2 Dir(s) 14,279,688,192 bytes free

[Buckeye_Sam]

I assure you that no one here is interested in hacking you. We are here to help.
In fact, when we have you all cleaned up I will offer you some recommendations on what you can do to further secure your computer from attack.

Right now you have a LooktoMe(VX2) infection that we need to get rid of.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

[kittyatmu]

L2Mfix 1.03c

Running From:
C:\Documents and Settings\HP_Owner\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\HP_Owner\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\HP_Owner\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1328 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dkrawex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dkrawex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dwghelp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dwghelp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iWlmrnt5.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iWlmrnt5.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kndpo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kndpo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdic.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdic.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myiole32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myiole32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\dkrawex.dll
Successfully Deleted: C:\WINDOWS\system32\dkrawex.dll
deleting: C:\WINDOWS\system32\dkrawex.dll
Successfully Deleted: C:\WINDOWS\system32\dkrawex.dll
deleting: C:\WINDOWS\system32\dwghelp.dll
Successfully Deleted: C:\WINDOWS\system32\dwghelp.dll
deleting: C:\WINDOWS\system32\dwghelp.dll
Successfully Deleted: C:\WINDOWS\system32\dwghelp.dll
deleting: C:\WINDOWS\system32\iWlmrnt5.dll
Successfully Deleted: C:\WINDOWS\system32\iWlmrnt5.dll
deleting: C:\WINDOWS\system32\iWlmrnt5.dll
Successfully Deleted: C:\WINDOWS\system32\iWlmrnt5.dll
deleting: C:\WINDOWS\system32\kndpo.dll
Successfully Deleted: C:\WINDOWS\system32\kndpo.dll
deleting: C:\WINDOWS\system32\kndpo.dll
Successfully Deleted: C:\WINDOWS\system32\kndpo.dll
deleting: C:\WINDOWS\system32\kwdic.dll
Successfully Deleted: C:\WINDOWS\system32\kwdic.dll
deleting: C:\WINDOWS\system32\kwdic.dll
Successfully Deleted: C:\WINDOWS\system32\kwdic.dll
deleting: C:\WINDOWS\system32\myiole32.dll
Successfully Deleted: C:\WINDOWS\system32\myiole32.dll
deleting: C:\WINDOWS\system32\myiole32.dll
Successfully Deleted: C:\WINDOWS\system32\myiole32.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: dkrawex.dll (164 bytes security) (deflated 48%)
adding: dwghelp.dll (164 bytes security) (deflated 48%)
adding: iWlmrnt5.dll (164 bytes security) (deflated 48%)
adding: kndpo.dll (164 bytes security) (deflated 48%)
adding: kwdic.dll (164 bytes security) (deflated 48%)
adding: myiole32.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 82%)
adding: readme.txt (164 bytes security) (deflated 50%)
adding: report.txt (164 bytes security) (deflated 65%)
adding: test.txt (164 bytes security) (deflated 83%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/6A26D936-FC8D-4F28-8560-7C20D9EA4C82.reg (164 bytes security) (deflated 70%)
adding: backregs/C2ED7BDA-FC57-4F3D-96DB-A2095B7E116B.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: dkrawex.dll
deleting local copy: dkrawex.dll
deleting local copy: dwghelp.dll
deleting local copy: dwghelp.dll
deleting local copy: iWlmrnt5.dll
deleting local copy: iWlmrnt5.dll
deleting local copy: kndpo.dll
deleting local copy: kndpo.dll
deleting local copy: kwdic.dll
deleting local copy: kwdic.dll
deleting local copy: myiole32.dll
deleting local copy: myiole32.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dkrawex.dll
C:\WINDOWS\system32\dkrawex.dll
C:\WINDOWS\system32\dwghelp.dll
C:\WINDOWS\system32\dwghelp.dll
C:\WINDOWS\system32\iWlmrnt5.dll
C:\WINDOWS\system32\iWlmrnt5.dll
C:\WINDOWS\system32\kndpo.dll
C:\WINDOWS\system32\kndpo.dll
C:\WINDOWS\system32\kwdic.dll
C:\WINDOWS\system32\kwdic.dll
C:\WINDOWS\system32\myiole32.dll
C:\WINDOWS\system32\myiole32.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

[Buckeye_Sam]

Please post a new hijackthis log also.

[kittyatmu]

Here, because I have NO IDEA what I'm doing:


L2MFIX find log 1.03c
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}"="SampleView"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Sat Jul 2 2005 7:11:28p A.... 1,019,904 996.00 K
cdfview.dll Sat Jul 2 2005 7:11:28p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
gwfspi~1.dll Tue Jul 12 2005 6:04:22p A.... 23,304 22.76 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
hhsetup.dll Thu May 26 2005 7:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 6:46:00p A.... 254,976 249.00 K
iepeers.dll Sat Jul 2 2005 7:11:28p A.... 251,392 245.50 K
inseng.dll Sat Jul 2 2005 7:11:28p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 7:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 7:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
jbddr.dll Sat Aug 13 2005 9:17:28p A.... 0 0.00 K
kerberos.dll Wed Jun 15 2005 10:49:30a A.... 295,936 289.00 K
legitc~1.dll Tue Jul 12 2005 6:04:22p A.... 520,456 508.26 K
mscms.dll Tue Jun 28 2005 6:46:00p A.... 74,240 72.50 K
mshtml.dll Tue Jul 19 2005 7:00:30p A.... 3,014,144 2.87 M
mshtmled.dll Sat Jul 2 2005 7:11:30p A.... 448,512 438.00 K
msrating.dll Sat Jul 2 2005 7:11:30p A.... 146,432 143.00 K
pncrt.dll Fri Jun 17 2005 10:20:00p A.... 278,528 272.00 K
pndx5016.dll Fri Jun 17 2005 10:20:04p A.... 6,656 6.50 K
pndx5032.dll Fri Jun 17 2005 10:20:04p A.... 5,632 5.50 K
pngfilt.dll Sat Jul 2 2005 7:11:30p A.... 39,424 38.50 K
rmoc3260.dll Fri Jun 17 2005 10:20:26p A.... 176,167 172.04 K
shdocvw.dll Sat Jul 2 2005 7:11:30p A.... 1,483,776 1.41 M
shlwapi.dll Sat Jul 2 2005 7:11:30p A.... 473,600 462.50 K
supdate.dll Mon Aug 15 2005 6:54:14p A.... 29,184 28.50 K
tapisrv.dll Fri Jul 8 2005 9:27:56a A.... 249,344 243.50 K
umpnpmgr.dll Wed Jun 29 2005 7:02:40p A.... 118,272 115.50 K
urlmon.dll Sat Jul 2 2005 7:11:30p A.... 607,744 593.50 K
wininet.dll Sat Jul 2 2005 7:11:30p A.... 658,432 643.00 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:19:32a A.... 173,536 169.47 K

40 items found: 40 files, 0 directories.
Total of file sizes: 13,734,751 bytes 13.10 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is HP_PAVILION
Volume Serial Number is 54CF-E6F8

Directory of C:\WINDOWS\System32

08/15/2005 06:41 PM <DIR> dllcache
07/19/2005 01:24 AM 3,350 KGyGaAvL.sys
07/19/2005 01:23 AM 56 EC6E2F7A30.sys
08/11/2004 06:15 PM <DIR> Microsoft
2 File(s) 3,406 bytes
2 Dir(s) 14,575,677,440 bytes free


Logfile of HijackThis v1.99.1
Scan saved at 6:34:58 PM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM95\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLServiceHost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\HP_Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mansfield.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124261639\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124072443234
O16 - DPF: {D6B2DD49-9184-4334-92E1-D2432EBD2C4E} (Ircchat Control) - http://www.eyechat.org/ircchat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\450RGZO7\CWShredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

[Buckeye_Sam]

Good job! You are doing great!

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)


===========


Please run Panda Online Virus Scan

• Make sure it is set to clean automatically.
• There may be files that this scan will not remove.
• Please include that information in your next post.

Reboot and post a new hijackthis log and the info from your virus scan.

[kittyatmu]

MEEP! x_x An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...

I hit install for activeX, NOW what do I do? ^_^;;;*panicks*

Edited by kittyatmu, 17 August 2005 - 05:32 PM.

[Buckeye_Sam]

That's ok. We can run a different program that should show us the same info.

Please download Ewido Security Suite it is a trial version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net...wnload/updates/

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• While the scan is in progress you will be prompted to clean files, click OK
• When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop.

Now close ewido security suite.


Reboot your computer and post a new hijackthis log and the log from Ewido.

[kittyatmu]

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:10:26 PM, 8/17/2005
+ Report-Checksum: 8AD0182C

+ Scan result:

HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
:mozilla.30:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.32:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.36:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.37:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.38:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.39:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.40:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.41:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
-> : Error during cleaning
:mozilla.51:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.52:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.61:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.79:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.92:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.93:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
-> : Error during cleaning
:mozilla.108:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.109:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.111:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.112:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.113:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.114:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.115:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
-> : Error during cleaning
:mozilla.117:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.118:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.119:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.121:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.123:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.124:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.125:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
-> : Error during cleaning
:mozilla.128:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.129:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.130:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.131:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.132:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.133:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.134:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
-> : Error during cleaning
:mozilla.136:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.137:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.138:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.139:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.140:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.141:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.142:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.143:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.144:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.145:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.146:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.155:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.156:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.157:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.182:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.183:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.184:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.190:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.191:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.192:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.193:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.194:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.195:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.196:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.207:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.229:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.230:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.231:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.232:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.233:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.234:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.235:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.236:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.237:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.238:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.239:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.240:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.241:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.242:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.243:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.244:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.245:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.247:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.248:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.249:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.258:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.259:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.260:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.281:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.282:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.283:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.287:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.288:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.289:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.290:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.301:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.302:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.303:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.307:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.325:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.326:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.327:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.331:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\t3oje6pc.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\HP_Owner\Desktop\l2mfix\backup.zip/dkrawex.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Desktop\l2mfix\backup.zip/dwghelp.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Desktop\l2mfix\backup.zip/iWlmrnt5.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Desktop\l2mfix\backup.zip/kndpo.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Desktop\l2mfix\backup.zip/kwdic.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Desktop\l2mfix\backup.zip/myiole32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Desktop\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\installer_MARKETING58.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1307D198-517B-4648-A258-CFF685\35417C01-F885-472D-9CA2-00E260 -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\92DF9FE3-DBD9-4FC4-8C49-0271A7\B3568AE3-BD36-4F3B-9FD5-CE6E2A -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\npzango.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\installer_MARKETING58.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINDOWS\system32\modgxyz.exe -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\1K47HPKP\installer_VENDARE[1].cab/installer_VENDARE.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R6D4O3H0\installer_VENDARE4[1].cab/installer_VENDARE4.exe -> TrojanDownloader.Adload.a : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 9:23:27 PM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM95\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLServiceHost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mansfield.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124261639\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124072443234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6B2DD49-9184-4334-92E1-D2432EBD2C4E} (Ircchat Control) - http://www.eyechat.org/ircchat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\450RGZO7\CWShredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

[Buckeye_Sam]

Your log looks clean to me. Are you having any more problems?

[kittyatmu]

Yeah, i'm still getting popups in certain places. ^_^;;; and my internet is still slower than my dead gramma, and it still takes 20 minutes to startup.

Edited by kittyatmu, 18 August 2005 - 09:38 PM.

[Buckeye_Sam]

Let's take a closer look.

Download PFind.zip and unzip the contents to its own permanent folder.

Reboot your computer into Safe Mode

Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt along with a new hijackthis log.

[kittyatmu]

All of this was done from safemode with networking:



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
web-nex 8/15/2005 8:48:06 PM 4161 C:\WINDOWS\jkaar.dll
PECompact2 8/12/2005 10:50:26 AM 15628561 C:\WINDOWS\LPT$VPN.777
qoologic 8/12/2005 10:50:26 AM 15628561 C:\WINDOWS\LPT$VPN.777
SAHAgent 8/12/2005 10:50:26 AM 15628561 C:\WINDOWS\LPT$VPN.777
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 6/9/2005 2:17:54 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 8/12/2005 10:50:26 AM 15628561 C:\WINDOWS\VPTNFILE.777
qoologic 8/12/2005 10:50:26 AM 15628561 C:\WINDOWS\VPTNFILE.777
SAHAgent 8/12/2005 10:50:26 AM 15628561 C:\WINDOWS\VPTNFILE.777
UPX! 6/9/2005 2:23:00 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 6/9/2005 2:23:00 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 7/9/2005 2:03:06 AM 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/4/2004 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 8/20/2004 3:56:24 PM 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp
69.59.186.63 8/17/2005 1:37:08 PM 204800 C:\WINDOWS\SYSTEM32\installer.exe
209.66.67.134 8/17/2005 1:37:08 PM 204800 C:\WINDOWS\SYSTEM32\installer.exe
66.63.167.97 8/17/2005 1:37:08 PM 204800 C:\WINDOWS\SYSTEM32\installer.exe
66.63.167.77 8/17/2005 1:37:08 PM 204800 C:\WINDOWS\SYSTEM32\installer.exe
web-nex 8/17/2005 1:37:08 PM 204800 C:\WINDOWS\SYSTEM32\installer.exe
winsync 8/17/2005 1:37:08 PM 204800 C:\WINDOWS\SYSTEM32\installer.exe
rec2_run 8/17/2005 1:37:08 PM 204800 C:\WINDOWS\SYSTEM32\installer.exe
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
UPX! 5/15/2004 4:10:42 PM 75264 C:\WINDOWS\SYSTEM32\MACDec.dll
UPX! 6/19/2004 6:28:44 PM 177152 C:\WINDOWS\SYSTEM32\MonkeySource.ax
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 5:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/19/2005 9:22:50 PM 2048 C:\WINDOWS\bootstat.dat
H 7/7/2005 2:40:24 AM 69584 C:\WINDOWS\MEMORY.DMP
H 8/18/2005 12:37:44 AM 54156 C:\WINDOWS\QTFont.qfn
H 8/14/2005 7:23:22 PM 0 C:\WINDOWS\inf\oem31.inf
SH 7/19/2005 1:23:56 AM 56 C:\WINDOWS\system32\EC6E2F7A30.sys
SH 7/19/2005 1:24:02 AM 3350 C:\WINDOWS\system32\KGyGaAvL.sys
S 7/8/2005 4:23:18 PM 12143 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
S 6/30/2005 9:06:34 AM 11437 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
S 7/19/2005 7:18:10 PM 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
S 6/30/2005 1:42:18 PM 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
S 6/30/2005 2:21:10 PM 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
S 6/30/2005 8:46:18 AM 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
S 6/28/2005 7:12:56 PM 11845 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
H 8/19/2005 9:22:42 PM 8192 C:\WINDOWS\system32\config\default.LOG
H 8/10/2005 2:20:38 PM 0 C:\WINDOWS\system32\config\default_TU_80101.LOG
H 8/19/2005 9:23:04 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 8/10/2005 2:20:38 PM 0 C:\WINDOWS\system32\config\SAM_TU_11875.LOG
H 8/19/2005 9:22:54 PM 16384 C:\WINDOWS\system32\config\SECURITY.LOG
H 8/10/2005 2:20:36 PM 0 C:\WINDOWS\system32\config\SECURITY_TU_96859.LOG
H 8/19/2005 9:23:56 PM 311296 C:\WINDOWS\system32\config\software.LOG
H 8/10/2005 2:20:38 PM 0 C:\WINDOWS\system32\config\software_TU_64557.LOG
H 8/19/2005 9:22:00 PM 1024 C:\WINDOWS\system32\config\system.LOG
H 8/10/2005 2:20:38 PM 0 C:\WINDOWS\system32\config\system_TU_17292.LOG
H 8/15/2005 6:34:04 PM 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
S 7/2/2005 5:24:44 PM 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
S 7/2/2005 5:24:44 PM 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
H 7/2/2005 5:09:46 PM 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
H 7/2/2005 5:09:46 PM 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
SH 7/2/2005 5:30:18 PM 4152 C:\WINDOWS\system32\drivers\HP_PJ562AA-ABA a705w_YC_Pavi_QCNC442_E44NAheBLW1_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.15_T040805_WXH2_L409_M248_J40_7Intel_8Celeron_92.93_1_N10EC8139_P_Z11C1048C_K_A808624C5_U808624C2.MRK
SH 7/2/2005 5:15:58 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d42fa39c-b6f4-4e0a-9881-cc0d544bdf55
SH 7/2/2005 5:15:58 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\fc08b086-7f7f-4b5c-bf8d-f3d595810aa0
SH 7/2/2005 5:15:58 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
SH 8/18/2005 11:07:24 PM 192 C:\WINDOWS\Tasks\RUTASK.job
H 8/19/2005 9:21:40 PM 6 C:\WINDOWS\Tasks\SA.DAT
SH 8/14/2005 5:13:06 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0BDJMYZT\desktop.ini
SH 8/13/2005 5:57:34 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0TA78PQZ\desktop.ini
SH 8/14/2005 5:13:06 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\1K47HPKP\desktop.ini
SH 8/13/2005 10:39:14 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4DU3S1Y7\desktop.ini
SH 8/13/2005 10:39:14 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\93R9J5NC\desktop.ini
SH 8/13/2005 10:39:14 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9E3KLUJ\desktop.ini
SH 8/13/2005 5:57:34 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GPAR4T2B\desktop.ini
SH 8/13/2005 5:57:34 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GZY5CHGE\desktop.ini
SH 8/13/2005 5:57:34 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ISOPIODB\desktop.ini
SH 8/14/2005 5:13:06 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K9UF49UB\desktop.ini
SH 8/13/2005 10:39:14 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OLUJEJ0D\desktop.ini
SH 8/14/2005 5:13:06 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YLZ0P4ZY\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 5:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 8/11/2004 7:36:14 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 8/3/2004 6:45:16 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 12:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/13/2005 2:42:26 AM 5458 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
6/22/2005 1:20:52 PM 1556 C:\Documents and Settings\HP_Owner\Application Data\AdobeDLM.log
7/16/2005 9:53:02 PM 263 C:\Documents and Settings\HP_Owner\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqggsffg
{142e5d79-9fae-49c4-a20d-089e12471e56} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
second C:\Documents and Settings\HP_Owner\Desktop\l2mfix\second.bat

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
AIM C:\Program Files\AIM95\AIM95\aim.exe -cnetwait.odl
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
ares "C:\Program Files\Ares\Ares.exe" -h

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
NoDispAppearancePage 0
NoDispBackgroundPage 0
DisableTaskMgr 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/19/2005 9:31:43 PM



Logfile of HijackThis v1.99.1
Scan saved at 9:37:07 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\AIM95\aim.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLServiceHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1124261639\ee\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mansfield.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [second] C:\Documents and Settings\HP_Owner\Desktop\l2mfix\second.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124072443234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6B2DD49-9184-4334-92E1-D2432EBD2C4E} (Ircchat Control) - http://www.eyechat.org/ircchat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\450RGZO7\CWShredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


Okay...now what?


OH! When I came back into NORMAL windows, that lmfix or whatever popped up, and here's what IT said:

Setting Directory
C:\Documents and Settings\HP_Owner
Setting Directory
C:\Documents and Settings\HP_Owner
Setting Directory
C:\Documents and Settings\HP_Owner
System Rebooted!

Running From:
C:\Documents and Settings\HP_Owner

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1240 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 2%)
adding: install notes.txt (164 bytes security) (deflated 32%)
adding: lo2.txt (164 bytes security) (deflated 56%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Edited by kittyatmu, 19 August 2005 - 07:58 PM.