"Generated Errors" problem [CLOSED]


  • This topic is locked

#1
dlines

    Member

Like others I have seen posting on this board, I have a Windows 2000 Professional machine that comes up and often when I try to start programs I will get the error message "xxxxx.exe has generated errors and will be closed by Windows...". I did download HJT and after a number of tries it did start up. I tried to attach the HJT log file to this message, but it said "Upload failed. You are not permitted to upload a file with that file extension.", so I just pasted the log file at the end of this message.

When I first start up the machine I get a number of the above errors as well as when I try to start MS Excel or MS Word, but I also get an error about a program that tries to open a MS-DOS command type window. The window has 'C:\WINNT\SYSTEM\KWMXCQ~1.EXE' as its title and then an error box opens in the middle of the screen with the title '16 bit MS-DOS Subsystem' and in the error window is the following:

C:\WINNT\system\KWMXCQ~1.EXE
C:\WINNT\SYSTEM32\AUTOEXEC.NT The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

It has 'Close' and 'Ignore' buttons and the X in the upper right corner is greyed out (inactive). I click the close button. I don't know if this helps, but is another strange behaviour on this machine.

Thanks so much for the help. I really appreciate it.

David


P.S. HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:09 PM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINNT\Explorer.exe
C:\WINNT\system32\ihcrowf.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\WINNT\etb\pokapoka63.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\AIM\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
c:\program files\novell\nwquota\nwquota.exe
C:\WINNT\system32\nsvsvc\nsvsvc.exe
H:\MyDocuments\download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prinweb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://prinweb/pxycfg.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 155.106.100.248:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O1 - Hosts: 155.106.100.225 sctdb1
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [saie] c:\winnt\system32\saie.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [svtcin] C:\WINNT\system32\n20050308.a.Stub.EXE
O4 - HKLM\..\Run: [hsuitb] C:\WINNT\system32\ihcrowf.exe r
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Sync Director.lnk = C:\Program Files\Motorola\PC Partner\SyncDirector.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://prinweb
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwia.ops.pl...quicksilver.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} - http://sctcc.prin.ed...iator/jinit.exe
O16 - DPF: {9BA46C28-F596-486B-A47A-E533EFA46276} (MAPS configuration client launch from the web) - http://155.106.115.1.../mapsconfig.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://sctss.prin.ed...iator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://sctss.prin.ed...iator/jinit.exe
O20 - Winlogon Notify: Reliability - C:\WINNT\system32\dnp8017ue.dll
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0
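
As an added example (not part of the original thread and not HijackThis's own code), the Python below parses the `code - body` entry lines of a HijackThis log like the one in post #1 and collects the autostart entries a helper would normally review first. The function names and finding labels are made up for illustration, the sample lines are excerpted from that log, and the findings are review hints, not verdicts.

```python
import re
from collections import defaultdict

# Lines excerpted from the HijackThis log in post #1 of this thread.
SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O20 - Winlogon Notify: Reliability - C:\WINNT\system32\dnp8017ue.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")            # "O4 - <body>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")
SERVICE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")
SHELL = re.compile(r"^REG:system\.ini: Shell=(.*)$", re.I)


def exe_of(command):
    """Return the executable part of a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):                 # "C:\path with spaces\x.exe" -arg
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)  # unquoted path, may hold spaces
    return m.group(1) if m else command.split()[0]


def parse(log_text):
    """Turn HijackThis entry lines into dicts; non-entry lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        entry = {"code": code, "body": body}
        if code == "O4" and (r := RUN.match(body)):
            hive, key, name, cmd = r.groups()
            entry.update(kind="run", hive=hive, key=key, name=name, exe=exe_of(cmd))
        elif code == "O20" and (r := NOTIFY.match(body)):
            entry.update(kind="notify", name=r.group(1), dll=r.group(2))
        elif code == "O23" and (r := SERVICE.match(body)):
            name, owner, path = r.groups()
            entry.update(kind="service", name=name, owner=owner, exe=path)
        elif code == "F2" and (r := SHELL.match(body)):
            entry.update(kind="shell", value=r.group(1))
        entries.append(entry)
    return entries


def triage(entries):
    """Return (label, target) pairs worth a manual look. Heuristics only."""
    findings = []
    run_names = defaultdict(set)
    for e in entries:
        kind = e.get("kind")
        if kind == "shell" and e["value"].strip().lower() != "explorer.exe":
            # Anything after Explorer.exe is started together with the shell.
            findings.append(("shell-extra-program", e["value"]))
        elif kind == "notify":
            # DLL loaded by winlogon.exe; confirm it belongs to known software.
            findings.append(("winlogon-notify-dll", e["dll"]))
        elif kind == "service" and e["owner"].lower() == "unknown owner":
            # No vendor name reported for the service binary.
            findings.append(("service-unknown-owner", e["exe"]))
        elif kind == "run":
            run_names[e["exe"].lower()].add(e["name"])
    for exe, names in sorted(run_names.items()):
        if len(names) > 1:
            # One binary registered under several Run value names.
            findings.append(("run-duplicate-target", exe))
    return findings


if __name__ == "__main__":
    for label, target in triage(parse(SAMPLE)):
        print(f"{label:24} {target}")
```
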



#2
Wizard

    Retired Staff

Hi dlines and Welcome to GeekstoGo!

There are a few infections running around in there, so this may take a few passes!

If Microsoft AntiSpyware's Real Time monitor is engaged, please disable it via the tray icon by the clock!

First let's get some files fixed that are causing some of these errors!

Go to the site below
http://www.tech-foru...opic/29806.html

Click on the link that applies to your Operating System and download the file to your desktop!

Double Click the file to run it-> When the small Window pops up-> Click Unzip and it will do the rest for you!

If prompted to overwrite any files-> Click Yes or just agree to it!

Restart and Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate this entry

System Startup Service

Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled!

Click Apply-> OK and Exit the Services Page!

Click Start-> Run-> Copy&Paste the bold text below into the Open Box and Click OK!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download LQfix
http://users.pandora...atchy/LQfix.exe

Double Click LQfix.exe-> Click Install-> Open and Double Click ClickThis.bat

Let it Run-> if a Window pops up prompting you to reboot-> Do So!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Once in Safe Mode-> Scan the entire System with Ewido-> Clean All it finds-> Be sure to click the tab to Save a report!

Restart back in Normal Mode and download the l2mfix from here
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread along with a fresh HijackThis log and the report from Ewido!

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.

Edited by Cretemonster, 23 August 2005 - 06:24 PM.

  • 0

#3
dlines

    Member

Cretemonster,

I followed your instructions so far:

- I disabled Microsoft AntiSpyware Real-Time Protection
- I downloaded and ran W2kFiles.exe and it unzipped 3 files (When I restarted the machine I no longer have the "16-bit MS-DOS Subsystem" error, but the KWMXCQ~1 error is still there.)
- I finally (after about 30+ tries) got the Services.msc to run and disabled the System Startup Service

Your next instruction says:

Click Start-> Run-> Copy&Paste the bold text below into the Open Box and Click OK!

I don't see the bold text that I am supposed to copy into the Open Box.

After that your next steps talk about downloading Ewido Security Suite and updating the definitions file. Is there any way I can download that onto a different computer (Windows XP not Windows 2000) and then update the definitions there? After that can I put the files on a floppy or CD and then run it on the problem machine? I am trying not to hook that computer up to the network and possibly infect other computers.


Also, I don't know if this matters, but I started to do the Malware treatment that is suggested. I cleaned up the temporary files and when I got to the AdAware program, I put it on the computer and then I have a hard time running it, but when it finally starts up I try to do a scan and then it shuts down the computer with a BSOD with an error of:

STOP: c000021a {Fatal System Error}

I probably should have waited to hear from you, but I started to do this because of the suggestion that I would probably have to do it anyway. I just wanted you to be aware of what I had done and what was happening.

Thanks for the wonderful help so far, I really appreciate it.

David
  • 0

#4
Wizard

    Retired Staff

Hey that's worth a try, I have never attempted it!

Try it, Download the Setup exe for Ewido to a CD (Not a Floppy)

Setup Ewido on the CD and try to Update it!

If all that works and the Updates are successful!

Take the CD to the Infected machine!

If you have already run LQFix once, don't repeat it!

If you haven't run it yet, Go to Safe Mode-> Click Start-> Run-> Copy&Paste the bold text below into the Open Box and Click OK!

sc delete SvcProc<- OopPs Sorry! :tazz:

Now run LQFix and let it run and Restart back in Safe Mode!

Once back in Safe Mode,try to run Ewido and Save the Report if it runs!

Try to run Ad Aware Again!

Restart, and Run the l2mfix just as I have described!

Post all the logs I have asked for!
  • 0

#5
dlines

    Member

Ok, Cretemonster,

I have been away from this for awhile because of time constraints and now am just getting back to it.

I guess I have been infected with more problems because the AUTOEXEC.NT problem that I was having is back again. I tried to run that program that copied the files over and that worked, but the error is still there.

I also have a new error on startup like the KW one, but it is JJLNUA~1.EXE.

Two new errors that I get on startup:
1. A window labeled 'RUNDLL' that says, "An exception occurred while trying to run ""C:\WINNT\system32\mwxclu.dll",DllGetVersion""
2. It is autostarting the Internet Connection Wizard.

I can't get to the Services.msc program. Every time I start it I get the "generated errors" error and then if I click on cancel, it still says that I have a "services" window open, but I can't get to the window and I can't stop and disable the 'System Startup Service'. If I keep starting it I get more and more 'Services' windows open, but none of them are active to let me do anything.

On Post #2 you said to stop and disable services and then click Start -> Run -> and Copy and Paste the line you left out, but gave me in Post #4. In Post #4 you say to do this from Safe Mode. Which should I do? Also, I have not run Ewido or LQfix, because in Post #2 it looks like they should be run after the 'sc delete SvcProc', but in Post #4 it looks like they should be run before that.

Sorry to be a pain and ask all of these questions, but I want to do it right and not mess it up anymore than it is already.

Thanks so much for your help and I will try to keep up with this now.
  • 0

#6
Wizard

    Retired Staff

OK, Run the l2mfix and this time, select option 4 and save the log!

Restart and run Option 1 and 2 no matter what errors you get!

Let's see the logs and go from there!
  • 0

#7
dlines

    Member

Just want to make sure.

We are skipping:
- the stop and disable of System Startup Service
- the run of sc delete SvcProc
- the Ewido security scan
- the LQfix
- rescan of Ewido scan

and then go straight to the l2mfix. Correct?

David
  • 0

#8
Wizard

    Retired Staff

Yeah, just run the l2mfix for now and let's see if we can deal with it!
  • 0

#9
dlines

    Member

Ok, I ran the l2mfix and ran HiJackThis again. The logs are listed below:

l2mfix log

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\i224lcfq1f2e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{25387631-FDE6-5B99-7271-8459F3D45755}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{AF8DE18D-9065-4102-BC40-EB294A95BB07}"="Novell Connections"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{6C47FB97-4B7B-11D3-A9BA-00C04FA3624C}"="Reflection FTP Neighborhood"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B4579AA5-E3A0-49A1-AC0B-5112AFBD215B}"="iSQL*Plus Servers"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{93DA6CC7-4CFE-4974-91AF-57081AE35655}"=""
"{E02BE2CC-A6D9-4344-9FF5-29D72D209917}"=""
"{91C765BD-0D13-4861-B5C2-88C91FA0E929}"=""
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{1BF441DB-AB3C-475C-802A-B7B27E01DE63}"=""
"{F1A7D9BD-F4A3-4F49-89DF-A75CB564F555}"=""
"{FE3C1EBC-E66B-4F84-99F9-9C451380B6E1}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{93DA6CC7-4CFE-4974-91AF-57081AE35655}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93DA6CC7-4CFE-4974-91AF-57081AE35655}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93DA6CC7-4CFE-4974-91AF-57081AE35655}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93DA6CC7-4CFE-4974-91AF-57081AE35655}\InprocServer32]
@="C:\\WINNT\\system32\\scbrsrc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E02BE2CC-A6D9-4344-9FF5-29D72D209917}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E02BE2CC-A6D9-4344-9FF5-29D72D209917}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E02BE2CC-A6D9-4344-9FF5-29D72D209917}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E02BE2CC-A6D9-4344-9FF5-29D72D209917}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{91C765BD-0D13-4861-B5C2-88C91FA0E929}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91C765BD-0D13-4861-B5C2-88C91FA0E929}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91C765BD-0D13-4861-B5C2-88C91FA0E929}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91C765BD-0D13-4861-B5C2-88C91FA0E929}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1BF441DB-AB3C-475C-802A-B7B27E01DE63}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BF441DB-AB3C-475C-802A-B7B27E01DE63}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BF441DB-AB3C-475C-802A-B7B27E01DE63}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1BF441DB-AB3C-475C-802A-B7B27E01DE63}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F1A7D9BD-F4A3-4F49-89DF-A75CB564F555}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1A7D9BD-F4A3-4F49-89DF-A75CB564F555}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1A7D9BD-F4A3-4F49-89DF-A75CB564F555}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1A7D9BD-F4A3-4F49-89DF-A75CB564F555}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FE3C1EBC-E66B-4F84-99F9-9C451380B6E1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FE3C1EBC-E66B-4F84-99F9-9C451380B6E1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FE3C1EBC-E66B-4F84-99F9-9C451380B6E1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FE3C1EBC-E66B-4F84-99F9-9C451380B6E1}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 3B45-11DC

Directory of C:\WINNT\System32

09/01/2005 12:27p 236,733 m2820cloefqc0.dll
09/01/2005 12:27p 236,451 scbrsrc.dll
08/31/2005 04:26p 236,451 enr8l19u1.dll
08/31/2005 04:18p 236,540 n2n60c5sef.dll
08/31/2005 01:56p 236,451 i224lcfq1f2e.dll
08/23/2005 01:41p 234,785 dXdrm.dll
08/23/2005 01:27p 234,785 mmhtmler.dll
08/23/2005 01:27p 235,776 dnru0199e.dll
08/23/2005 01:22p 234,785 NGTLOGON.DLL
08/22/2005 08:16p 234,785 k4jsle171h.dll
08/22/2005 07:32p 234,785 mtimg32.dll
08/22/2005 07:27p 234,785 fplu0339e.dll
08/22/2005 06:57p 235,816 enl0l13m1.dll
08/20/2005 02:50p 233,775 lvpq0975e.dll
08/18/2005 08:22a 236,140 h40q0ed5eh0.dll
08/18/2005 08:09a 234,289 mHlsla371d.dll
08/17/2005 09:03p 235,636 mcr2cenu.dll
08/17/2005 06:18p 234,289 pzrfdisk.dll
08/17/2005 12:22p 234,289 phfmgr.dll
08/17/2005 11:34a 233,560 m0lsla371d.dll
08/16/2005 06:26p 233,560 MODBG.DLL
08/16/2005 05:48p 233,560 AAVAPI32.DLL
08/16/2005 05:45p 233,560 kt0ql7d51.dll
08/16/2005 01:52p 233,560 m6rmlg9116.dll
08/13/2005 09:47a 235,158 e6jmlg1116.dll
08/11/2005 10:48a 235,622 lv2409fqe.dll
08/04/2005 08:38a 236,613 MJRDO20.DLL
08/04/2005 08:36a 234,999 k4620ejoehoc0.dll
08/01/2005 02:48p 236,613 j4j6le1s1h.dll
07/28/2005 08:24a 234,899 seclient.dll
07/25/2005 08:47a 234,999 jKvart.dll
07/21/2005 11:49a 234,899 mlrmsg.dll
07/20/2005 11:09a 235,158 NWTAPI32.DLL
07/18/2005 08:48a 235,492 djodbc7.dll
07/16/2005 12:07p 235,158 daskcopy.dll
07/14/2005 09:45a 234,572 KNRNEL32.DLL
07/12/2005 10:06a 235,288 lort.dll
07/12/2005 09:34a 234,572 aesnw.dll
07/10/2005 12:38p 233,465 xSctsrv.dll
07/08/2005 06:02p 233,349 nctid.dll
07/07/2005 10:50a 236,265 jibexec.dll
07/05/2005 12:42p 233,690 its.dll
07/01/2005 08:21p 236,265 wipdxm.dll
06/30/2005 01:24p 233,259 pYutoenr.dll
06/28/2005 07:31p 236,265 snclient.dll
06/27/2005 08:16a 234,272 demsrpcn.dll
06/24/2005 09:42a 234,582 demsvinn.dLL
06/21/2005 06:06p 234,272 mxls31.dll
06/20/2005 09:09a 234,582 rqfsaps.dll
06/18/2005 04:44p 234,272 fjsrch.dll
06/17/2005 09:55a 234,582 CEVFAT.DLL
06/15/2005 02:18p 234,272 ihxrtmgr.dll
06/15/2005 10:04a 234,272 idign32.dll
06/14/2005 04:31p 224,806 tirmmgr.dll
06/14/2005 04:31p 225,466 o0660ajsedo60.dll
06/13/2005 12:01p 224,806 ir64l5jq1.dll
06/13/2005 10:30a 224,806 dOtime.dll
06/11/2005 02:18p 224,806 ixxpromn.dll
06/11/2005 02:16p 222,993 hrn4055qe.dll
06/11/2005 11:58a 222,993 nudsatq.dll
06/10/2005 07:38a 224,806 iVspipe.dll
06/09/2005 03:11p 224,806 hncoin.dll
06/09/2005 03:11p 226,159 gpnol3531.dll
06/08/2005 06:19p 224,806 dYdrm.dll
06/08/2005 06:19p 225,109 fp0o03d3e.dll
06/27/2002 10:13a <DIR> dllcache
03/31/1999 08:00p 12,288 hlinkprx.dll
10/15/1996 05:53a 78,848 inloader.dll
67 File(s) 15,238,350 bytes
1 Dir(s) 6,091,784,192 bytes free



HiJackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 2:52:31 PM, on 9/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\TGluZXNE\command.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\hkivc\vvdbdn.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINNT\Explorer.exe
C:\WINNT\system32\wzvoik.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\WINNT\system32\btsmhkll\kfcb.exe
C:\WINNT\system32\afeiaeol\byrqav.exe
C:\WINNT\system32\nrftqa\mkjdvli.exe
C:\WINNT\system32\mfuex\eirnhy.exe
C:\WINNT\etb\pokapoka63.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ProSiteFinder\prositefinder.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\novell\nwquota\nwquota.exe
C:\Program Files\ProSiteFinder\prositefinderh.exe
C:\Program Files\ProSiteFinder\prositefinder.exe
C:\WINNT\system32\su8bf669.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINNT\system32\cmd.exe
H:\MyDocuments\download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prinweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://prinweb.prin.edu/pxycfg.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 155.106.100.248:8080
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O1 - Hosts: 155.106.100.225 sctdb1
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [svtcin] C:\WINNT\system32\n20050308.a.Stub.EXE
O4 - HKLM\..\Run: [kfcb] C:\WINNT\system32\btsmhkll\kfcb.exe
O4 - HKLM\..\Run: [vvdbdn] C:\WINNT\system32\hkivc\vvdbdn.exe
O4 - HKLM\..\Run: [byrqav] C:\WINNT\system32\afeiaeol\byrqav.exe
O4 - HKLM\..\Run: [mkjdvli] C:\WINNT\system32\nrftqa\mkjdvli.exe
O4 - HKLM\..\Run: [eirnhy] C:\WINNT\system32\mfuex\eirnhy.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [Microsoft Mapped PC] mappedpc.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [su8bf669] C:\WINNT\system32\su8bf669.exe
O4 - HKLM\..\Run: [lurscs] C:\WINNT\system32\wzvoik.exe r
O4 - HKLM\..\RunServices: [Microsoft Mapped PC] mappedpc.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\InetGet\stubinstaller6002.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Sync Director.lnk = C:\Program Files\Motorola\PC Partner\SyncDirector.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://prinweb
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwia.ops.pl...quicksilver.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} - http://sctcc.prin.ed...iator/jinit.exe
O16 - DPF: {9BA46C28-F596-486B-A47A-E533EFA46276} (MAPS configuration client launch from the web) - http://155.106.115.1.../mapsconfig.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://sctss.prin.ed...iator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://sctss.prin.ed...iator/jinit.exe
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\i224lcfq1f2e.dll
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TGluZXNE\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe
O23 - Service: vvdbdnhkivc - Unknown owner - C:\WINNT\system32\hkivc\vvdbdn.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

Let me know what I need to do next.

Thanks again.

David
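The registry section of the l2mfix log in the post above can be checked mechanically: take the Approved shell-extension entries that have an empty description and look up which file each of those CLSIDs loads through its InprocServer32 key. The Python below is an added example, not part of the original thread or of l2mfix; the function names `parse_log` and `triage` and the three flagging heuristics are assumptions made for illustration, and the sample is an excerpt copied from that log.

```python
import re
from collections import Counter

# Excerpt copied from the l2mfix log in the post above: five lines of the
# Approved shell-extension list and three of the six CLSID export blocks.
SAMPLE = r'''
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{93DA6CC7-4CFE-4974-91AF-57081AE35655}"=""
"{E02BE2CC-A6D9-4344-9FF5-29D72D209917}"=""
"{91C765BD-0D13-4861-B5C2-88C91FA0E929}"=""
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"

[HKEY_CLASSES_ROOT\CLSID\{93DA6CC7-4CFE-4974-91AF-57081AE35655}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93DA6CC7-4CFE-4974-91AF-57081AE35655}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93DA6CC7-4CFE-4974-91AF-57081AE35655}\InprocServer32]
@="C:\\WINNT\\system32\\scbrsrc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E02BE2CC-A6D9-4344-9FF5-29D72D209917}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{91C765BD-0D13-4861-B5C2-88C91FA0E929}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
'''

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# "{CLSID}"="description" line from the Approved shell-extension list
APPROVED_RE = re.compile(r'^"(%s)"="(.*)"$' % GUID)
# [HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32] key header
KEY_RE = re.compile(
    r'^\[HKEY_CLASSES_ROOT\\CLSID\\(%s)\\InprocServer32\]$' % GUID, re.I)
# @="value" (the key's default value)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_log(text):
    """Return (approved, servers): CLSID -> description, CLSID -> server path."""
    approved, servers = {}, {}
    current = None  # CLSID whose InprocServer32 key we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = APPROVED_RE.match(line)
        if m:
            approved[m.group(1).upper()] = m.group(2)
            continue
        if line.startswith("["):
            # Any other key header (CLSID root, Implemented Categories)
            # resets the state so its default value is not read as a server.
            k = KEY_RE.match(line)
            current = k.group(1).upper() if k else None
            continue
        d = DEFAULT_RE.match(line)
        if d and current:
            # .reg exports escape backslashes; undo that for the path
            servers[current] = d.group(1).replace("\\\\", "\\")
    return approved, servers


def triage(text):
    """List (clsid, server_path, reasons) for entries worth a closer look.

    Heuristics (assumptions of this example, not l2mfix's own logic):
      1. the Approved entry has an empty description
      2. the in-process server does not have a .dll extension
      3. the same server file is registered under more than one CLSID
    """
    approved, servers = parse_log(text)
    shared = Counter(p.lower() for p in servers.values())
    findings = []
    for clsid, name in approved.items():
        path = servers.get(clsid)
        reasons = []
        if not name:
            reasons.append("no description in Approved list")
        if path is not None:
            if not path.lower().endswith(".dll"):
                reasons.append("InprocServer32 is not a .dll")
            if shared[path.lower()] > 1:
                reasons.append(
                    "server shared by %d CLSIDs" % shared[path.lower()])
        if reasons:
            findings.append((clsid, path, reasons))
    return findings


if __name__ == "__main__":
    for clsid, path, reasons in triage(SAMPLE):
        print(clsid, path, "; ".join(reasons))
```

A flagged entry is only a lead for review: as the log itself notes for its file listing, not everything it reports is necessarily bad.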

#10
Wizard

  • Retired Staff
  • 5,661 posts
Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!



Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Don't use it yet!

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Run Cleanup, when prompted to log off >> Select No

Scan the PC with Ewido just as described in the link -> Clean everything it finds and make sure to Save the Report

Scan the System with Ad Aware, remove everything it finds and delete all quarantine files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates

Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK"!
Exit Program!


Post back with a fresh HijackThis log and the reports from Ewido and Panda!

Edited by Cretemonster, 01 September 2005 - 04:44 PM.

#11
dlines

  • Topic Starter
  • Member
  • 27 posts
Ok, I have some problems because I didn't follow instructions properly. Sorry in advance.

I ran l2mfix, but ran it signed on to the workstation only. I have the log, but because of the next problem (that I don't know how to fix) I can't bring up the machine enough to get the log file off to send to you.

The big problem I created is that I installed Ewido without unchecking the 'Install background guard' and the 'Install scan via context menu'. Because I did that, it immediately comes up with finding problems before I have updated it. What can I do to fix this problem?

David

#12
Wizard

  • Retired Staff
  • 5,661 posts
Go into Safe Mode and Uninstall Ewido from Add\Remove Programs!

Leave it uninstalled!

See if you can get to the l2mfix log after that!

#13
dlines

  • Topic Starter
  • Member
  • 27 posts
Ok, I think I followed these instructions properly.

I booted in SAFE MODE and removed Ewido and copied off the l2mfix log file. Here it is:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 224 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\AAVAPI32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\aesnw.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\CEVFAT.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\daskcopy.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\demsrpcn.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\demsvinn.dLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\djodbc7.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dnru0199e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dOtime.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dXdrm.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dYdrm.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\e6jmlg1116.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\en22l1fo1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\enl0l13m1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\enr8l19u1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fjsrch.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fJxtiff.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp0o03d3e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp2403fqe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fplu0339e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\gpnol3531.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\h40q0ed5eh0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hncoin.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hr8805lue.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hrn4055qe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\idign32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ihxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ir64l5jq1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\its.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iVspipe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ixxpromn.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\j4j6le1s1h.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jibexec.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\jKvart.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\k4620ejoehoc0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\k4jsle171h.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\KNRNEL32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\kt0ql7d51.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ktnul7591.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l0j80a1ued.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lort.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lv2409fqe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lvpq0975e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\m0lsla371d.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\m2820cloefqc0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\m4640ejqehoe0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\m6rmlg9116.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mcr2cenu.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mHlsla371d.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\MJRDO20.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\mlrmsg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mmhtmler.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\MODBG.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\mtimg32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mxls31.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\n2n60c5sef.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\nctid.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\NGTLOGON.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\nudsatq.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\NWTAPI32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\o0660ajsedo60.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\phfmgr.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\pYutoenr.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\pzrfdisk.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\q4rq0e95eh.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rqfsaps.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\seclient.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\snclient.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\tirmmgr.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\u8ruli9918.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wipdxm.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\xSctsrv.dll
1 file(s) copied.
deleting: C:\WINNT\system32\AAVAPI32.DLL
Successfully Deleted: C:\WINNT\system32\AAVAPI32.DLL
deleting: C:\WINNT\system32\aesnw.dll
Successfully Deleted: C:\WINNT\system32\aesnw.dll
deleting: C:\WINNT\system32\CEVFAT.DLL
Successfully Deleted: C:\WINNT\system32\CEVFAT.DLL
deleting: C:\WINNT\system32\daskcopy.dll
Successfully Deleted: C:\WINNT\system32\daskcopy.dll
deleting: C:\WINNT\system32\demsrpcn.dll
Successfully Deleted: C:\WINNT\system32\demsrpcn.dll
deleting: C:\WINNT\system32\demsvinn.dLL
Successfully Deleted: C:\WINNT\system32\demsvinn.dLL
deleting: C:\WINNT\system32\djodbc7.dll
Successfully Deleted: C:\WINNT\system32\djodbc7.dll
deleting: C:\WINNT\system32\dnru0199e.dll
Successfully Deleted: C:\WINNT\system32\dnru0199e.dll
deleting: C:\WINNT\system32\dOtime.dll
Successfully Deleted: C:\WINNT\system32\dOtime.dll
deleting: C:\WINNT\system32\dXdrm.dll
Successfully Deleted: C:\WINNT\system32\dXdrm.dll
deleting: C:\WINNT\system32\dYdrm.dll
Successfully Deleted: C:\WINNT\system32\dYdrm.dll
deleting: C:\WINNT\system32\e6jmlg1116.dll
Successfully Deleted: C:\WINNT\system32\e6jmlg1116.dll
deleting: C:\WINNT\system32\en22l1fo1.dll
Successfully Deleted: C:\WINNT\system32\en22l1fo1.dll
deleting: C:\WINNT\system32\enl0l13m1.dll
Successfully Deleted: C:\WINNT\system32\enl0l13m1.dll
deleting: C:\WINNT\system32\enr8l19u1.dll
Successfully Deleted: C:\WINNT\system32\enr8l19u1.dll
deleting: C:\WINNT\system32\fjsrch.dll
Successfully Deleted: C:\WINNT\system32\fjsrch.dll
deleting: C:\WINNT\system32\fJxtiff.dll
Successfully Deleted: C:\WINNT\system32\fJxtiff.dll
deleting: C:\WINNT\system32\fp0o03d3e.dll
Successfully Deleted: C:\WINNT\system32\fp0o03d3e.dll
deleting: C:\WINNT\system32\fp2403fqe.dll
Successfully Deleted: C:\WINNT\system32\fp2403fqe.dll
deleting: C:\WINNT\system32\fplu0339e.dll
Successfully Deleted: C:\WINNT\system32\fplu0339e.dll
deleting: C:\WINNT\system32\gpnol3531.dll
Successfully Deleted: C:\WINNT\system32\gpnol3531.dll
deleting: C:\WINNT\system32\h40q0ed5eh0.dll
Successfully Deleted: C:\WINNT\system32\h40q0ed5eh0.dll
deleting: C:\WINNT\system32\hncoin.dll
Successfully Deleted: C:\WINNT\system32\hncoin.dll
deleting: C:\WINNT\system32\hr8805lue.dll
Successfully Deleted: C:\WINNT\system32\hr8805lue.dll
deleting: C:\WINNT\system32\hrn4055qe.dll
Successfully Deleted: C:\WINNT\system32\hrn4055qe.dll
deleting: C:\WINNT\system32\idign32.dll
Successfully Deleted: C:\WINNT\system32\idign32.dll
deleting: C:\WINNT\system32\ihxrtmgr.dll
Successfully Deleted: C:\WINNT\system32\ihxrtmgr.dll
deleting: C:\WINNT\system32\ir64l5jq1.dll
Successfully Deleted: C:\WINNT\system32\ir64l5jq1.dll
deleting: C:\WINNT\system32\its.dll
Successfully Deleted: C:\WINNT\system32\its.dll
deleting: C:\WINNT\system32\iVspipe.dll
Successfully Deleted: C:\WINNT\system32\iVspipe.dll
deleting: C:\WINNT\system32\ixxpromn.dll
Successfully Deleted: C:\WINNT\system32\ixxpromn.dll
deleting: C:\WINNT\system32\j4j6le1s1h.dll
Successfully Deleted: C:\WINNT\system32\j4j6le1s1h.dll
deleting: C:\WINNT\system32\jibexec.dll
Successfully Deleted: C:\WINNT\system32\jibexec.dll
deleting: C:\WINNT\system32\jKvart.dll
Successfully Deleted: C:\WINNT\system32\jKvart.dll
deleting: C:\WINNT\system32\k4620ejoehoc0.dll
Successfully Deleted: C:\WINNT\system32\k4620ejoehoc0.dll
deleting: C:\WINNT\system32\k4jsle171h.dll
Successfully Deleted: C:\WINNT\system32\k4jsle171h.dll
deleting: C:\WINNT\system32\KNRNEL32.DLL
Successfully Deleted: C:\WINNT\system32\KNRNEL32.DLL
deleting: C:\WINNT\system32\kt0ql7d51.dll
Successfully Deleted: C:\WINNT\system32\kt0ql7d51.dll
deleting: C:\WINNT\system32\ktnul7591.dll
Successfully Deleted: C:\WINNT\system32\ktnul7591.dll
deleting: C:\WINNT\system32\l0j80a1ued.dll
Successfully Deleted: C:\WINNT\system32\l0j80a1ued.dll
deleting: C:\WINNT\system32\lort.dll
Successfully Deleted: C:\WINNT\system32\lort.dll
deleting: C:\WINNT\system32\lv2409fqe.dll
Successfully Deleted: C:\WINNT\system32\lv2409fqe.dll
deleting: C:\WINNT\system32\lvpq0975e.dll
Successfully Deleted: C:\WINNT\system32\lvpq0975e.dll
deleting: C:\WINNT\system32\m0lsla371d.dll
Successfully Deleted: C:\WINNT\system32\m0lsla371d.dll
deleting: C:\WINNT\system32\m2820cloefqc0.dll
Successfully Deleted: C:\WINNT\system32\m2820cloefqc0.dll
deleting: C:\WINNT\system32\m4640ejqehoe0.dll
Successfully Deleted: C:\WINNT\system32\m4640ejqehoe0.dll
deleting: C:\WINNT\system32\m6rmlg9116.dll
Successfully Deleted: C:\WINNT\system32\m6rmlg9116.dll
deleting: C:\WINNT\system32\mcr2cenu.dll
Successfully Deleted: C:\WINNT\system32\mcr2cenu.dll
deleting: C:\WINNT\system32\mHlsla371d.dll
Successfully Deleted: C:\WINNT\system32\mHlsla371d.dll
deleting: C:\WINNT\system32\MJRDO20.DLL
Successfully Deleted: C:\WINNT\system32\MJRDO20.DLL
deleting: C:\WINNT\system32\mlrmsg.dll
Successfully Deleted: C:\WINNT\system32\mlrmsg.dll
deleting: C:\WINNT\system32\mmhtmler.dll
Successfully Deleted: C:\WINNT\system32\mmhtmler.dll
deleting: C:\WINNT\system32\MODBG.DLL
Successfully Deleted: C:\WINNT\system32\MODBG.DLL
deleting: C:\WINNT\system32\mtimg32.dll
Successfully Deleted: C:\WINNT\system32\mtimg32.dll
deleting: C:\WINNT\system32\mxls31.dll
Successfully Deleted: C:\WINNT\system32\mxls31.dll
deleting: C:\WINNT\system32\n2n60c5sef.dll
Successfully Deleted: C:\WINNT\system32\n2n60c5sef.dll
deleting: C:\WINNT\system32\nctid.dll
Successfully Deleted: C:\WINNT\system32\nctid.dll
deleting: C:\WINNT\system32\NGTLOGON.DLL
Successfully Deleted: C:\WINNT\system32\NGTLOGON.DLL
deleting: C:\WINNT\system32\nudsatq.dll
Successfully Deleted: C:\WINNT\system32\nudsatq.dll
deleting: C:\WINNT\system32\NWTAPI32.DLL
Successfully Deleted: C:\WINNT\system32\NWTAPI32.DLL
deleting: C:\WINNT\system32\o0660ajsedo60.dll
Successfully Deleted: C:\WINNT\system32\o0660ajsedo60.dll
deleting: C:\WINNT\system32\phfmgr.dll
Successfully Deleted: C:\WINNT\system32\phfmgr.dll
deleting: C:\WINNT\system32\pYutoenr.dll
Successfully Deleted: C:\WINNT\system32\pYutoenr.dll
deleting: C:\WINNT\system32\pzrfdisk.dll
Successfully Deleted: C:\WINNT\system32\pzrfdisk.dll
deleting: C:\WINNT\system32\q4rq0e95eh.dll
Successfully Deleted: C:\WINNT\system32\q4rq0e95eh.dll
deleting: C:\WINNT\system32\rqfsaps.dll
Successfully Deleted: C:\WINNT\system32\rqfsaps.dll
deleting: C:\WINNT\system32\seclient.dll
Successfully Deleted: C:\WINNT\system32\seclient.dll
deleting: C:\WINNT\system32\snclient.dll
Successfully Deleted: C:\WINNT\system32\snclient.dll
deleting: C:\WINNT\system32\tirmmgr.dll
Successfully Deleted: C:\WINNT\system32\tirmmgr.dll
deleting: C:\WINNT\system32\u8ruli9918.dll
Successfully Deleted: C:\WINNT\system32\u8ruli9918.dll
deleting: C:\WINNT\system32\wipdxm.dll
Successfully Deleted: C:\WINNT\system32\wipdxm.dll
deleting: C:\WINNT\system32\xSctsrv.dll
Successfully Deleted: C:\WINNT\system32\xSctsrv.dll

Desktop.ini sucessfully removed


Zipping up files for submission:

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINNT\system32\AAVAPI32.DLL
C:\WINNT\system32\aesnw.dll
C:\WINNT\system32\CEVFAT.DLL
C:\WINNT\system32\daskcopy.dll
C:\WINNT\system32\demsrpcn.dll
C:\WINNT\system32\demsvinn.dLL
C:\WINNT\system32\djodbc7.dll
C:\WINNT\system32\dnru0199e.dll
C:\WINNT\system32\dOtime.dll
C:\WINNT\system32\dXdrm.dll
C:\WINNT\system32\dYdrm.dll
C:\WINNT\system32\e6jmlg1116.dll
C:\WINNT\system32\en22l1fo1.dll
C:\WINNT\system32\enl0l13m1.dll
C:\WINNT\system32\enr8l19u1.dll
C:\WINNT\system32\fjsrch.dll
C:\WINNT\system32\fJxtiff.dll
C:\WINNT\system32\fp0o03d3e.dll
C:\WINNT\system32\fp2403fqe.dll
C:\WINNT\system32\fplu0339e.dll
C:\WINNT\system32\gpnol3531.dll
C:\WINNT\system32\h40q0ed5eh0.dll
C:\WINNT\system32\hncoin.dll
C:\WINNT\system32\hr8805lue.dll
C:\WINNT\system32\hrn4055qe.dll
C:\WINNT\system32\idign32.dll
C:\WINNT\system32\ihxrtmgr.dll
C:\WINNT\system32\ir64l5jq1.dll
C:\WINNT\system32\its.dll
C:\WINNT\system32\iVspipe.dll
C:\WINNT\system32\ixxpromn.dll
C:\WINNT\system32\j4j6le1s1h.dll
C:\WINNT\system32\jibexec.dll
C:\WINNT\system32\jKvart.dll
C:\WINNT\system32\k4620ejoehoc0.dll
C:\WINNT\system32\k4jsle171h.dll
C:\WINNT\system32\KNRNEL32.DLL
C:\WINNT\system32\kt0ql7d51.dll
C:\WINNT\system32\ktnul7591.dll
C:\WINNT\system32\l0j80a1ued.dll
C:\WINNT\system32\lort.dll
C:\WINNT\system32\lv2409fqe.dll
C:\WINNT\system32\lvpq0975e.dll
C:\WINNT\system32\m0lsla371d.dll
C:\WINNT\system32\m2820cloefqc0.dll
C:\WINNT\system32\m4640ejqehoe0.dll
C:\WINNT\system32\m6rmlg9116.dll
C:\WINNT\system32\mcr2cenu.dll
C:\WINNT\system32\mHlsla371d.dll
C:\WINNT\system32\MJRDO20.DLL
C:\WINNT\system32\mlrmsg.dll
C:\WINNT\system32\mmhtmler.dll
C:\WINNT\system32\MODBG.DLL
C:\WINNT\system32\mtimg32.dll
C:\WINNT\system32\mxls31.dll
C:\WINNT\system32\n2n60c5sef.dll
C:\WINNT\system32\nctid.dll
C:\WINNT\system32\NGTLOGON.DLL
C:\WINNT\system32\nudsatq.dll
C:\WINNT\system32\NWTAPI32.DLL
C:\WINNT\system32\o0660ajsedo60.dll
C:\WINNT\system32\phfmgr.dll
C:\WINNT\system32\pYutoenr.dll
C:\WINNT\system32\pzrfdisk.dll
C:\WINNT\system32\q4rq0e95eh.dll
C:\WINNT\system32\rqfsaps.dll
C:\WINNT\system32\seclient.dll
C:\WINNT\system32\snclient.dll
C:\WINNT\system32\tirmmgr.dll
C:\WINNT\system32\u8ruli9918.dll
C:\WINNT\system32\wipdxm.dll
C:\WINNT\system32\xSctsrv.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{93DA6CC7-4CFE-4974-91AF-57081AE35655}"=-
"{E02BE2CC-A6D9-4344-9FF5-29D72D209917}"=-
"{91C765BD-0D13-4861-B5C2-88C91FA0E929}"=-
"{1BF441DB-AB3C-475C-802A-B7B27E01DE63}"=-
"{F1A7D9BD-F4A3-4F49-89DF-A75CB564F555}"=-
"{FE3C1EBC-E66B-4F84-99F9-9C451380B6E1}"=-
[-HKEY_CLASSES_ROOT\CLSID\{93DA6CC7-4CFE-4974-91AF-57081AE35655}]
[-HKEY_CLASSES_ROOT\CLSID\{E02BE2CC-A6D9-4344-9FF5-29D72D209917}]
[-HKEY_CLASSES_ROOT\CLSID\{91C765BD-0D13-4861-B5C2-88C91FA0E929}]
[-HKEY_CLASSES_ROOT\CLSID\{1BF441DB-AB3C-475C-802A-B7B27E01DE63}]
[-HKEY_CLASSES_ROOT\CLSID\{F1A7D9BD-F4A3-4F49-89DF-A75CB564F555}]
[-HKEY_CLASSES_ROOT\CLSID\{FE3C1EBC-E66B-4F84-99F9-9C451380B6E1}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************



Ok, so what does this tell us? What does l2mfix do? What are my next steps?

David

#14
Wizard

  • Retired Staff
  • 5,661 posts
Go ahead and follow the rest of the steps and run CleanUp-> Ewido and Adaware in Safe Mode!

Restart and Scan at panda!

Post Ewido and Panda logs along with a fresh hijackthis log!

#15
dlines

  • Topic Starter
  • Member
  • 27 posts
Ok, here is the latest.

I ran the CleanUp -- no problems

I ran the Ewido scan and have posted the log at the end -- no problems

I ran the AdAware scan, found a bunch of stuff, got rid of it -- no problems

I restarted the computer (much better, but still not all the way well) and connected to the scan at Panda. I started the scan and it ran for about 45 minutes and then as I was switching between screens, the two Panda screens just went away. It had found 5 viruses, 59 pieces of Spyware, and 1 suspicious file. I have now started the scan again, but do you have any idea what might have happened?

Was I not supposed to do the MSCONFIG piece?

I still have the two programs starting when I start up the computer that give the 16 bit MS-DOS errors. I also have many things starting up automatically through IE (Aurora, Surf Sidekick (even though I have removed this a couple of times), mmov (just a blank screen), Search Inqwire, and empnads).


Ewido log file:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:56:53 AM, 9/5/2005
+ Report-Checksum: 63177E4B

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\qEtu1IKlcKbJ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\qEtY1IKlcKbJ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl\Clsid -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA} -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\saap -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\saap -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\tsvcin -> Spyware.Look2Me : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\.DEFAULT\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1757981266-484763869-682003330-1000\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1757981266-484763869-682003330-1000\Software\LQ -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1757981266-484763869-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1757981266-484763869-682003330-1000\Software\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1757981266-484763869-682003330-1000\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1757981266-484763869-682003330-1000\Software\saap -> Spyware.180Solutions : Cleaned with backup
[156] C:\WINNT\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[212] C:\WINNT\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[224] C:\WINNT\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[364] C:\WINNT\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[288] VM_02260000 -> Adware.BetterInternet : Error during cleaning
C:\WINNT\system32\axlrwj.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINNT\system32\nsvsvc\nsvsvc.exe -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\saie321.dll -> Adware.eZula : Cleaned with backup
C:\WINNT\system32\mfuex\eirnhy.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\WINNT\system32\InstaFinder_inst.exe -> Spyware.InstaFinder.a : Cleaned with backup
C:\WINNT\system32\vidctrl\vidctrl.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\WINNT\system32\ds3pl.exe -> TrojanDownloader.Agent.ro : Cleaned with backup
C:\WINNT\system32\dskrsrc.exe -> Spyware.Apropos : Cleaned with backup
C:\WINNT\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\60001.exe -> TrojanDownloader.Small.bkr : Cleaned with backup
C:\WINNT\system32\btsmhkll\kfcb.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\WINNT\system32\eliteifp32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\elitemai32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\3ncerb8o.exe -> Adware.SAHA : Cleaned with backup
C:\WINNT\system32\elitetzn32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\8up5odkn.dll -> Adware.SAHA : Cleaned with backup
C:\WINNT\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINNT\system32\EDowST3.exe -> TrojanDownloader.QDown.z : Cleaned with backup
C:\WINNT\system32\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\WINNT\system32\mappedpc.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINNT\system32\elitezhk32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\elitefxk32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\elitekye32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\1bechnkt.exe -> Adware.SAHA : Cleaned with backup
C:\WINNT\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\iconu.exe -> Spyware.Zestyfind : Cleaned with backup
C:\WINNT\mm63.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINNT\vsbkv.exe -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\svcproc.exe -> Trojan.Stervis.f : Cleaned with backup
C:\WINNT\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINNT\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINNT\bundle_mediamotor1004.exe -> Adware.Saha : Cleaned with backup
C:\WINNT\etb\pokapoka62.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINNT\etb\nt_hide62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINNT\etb\xud_62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINNT\etb\pokapoka63.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINNT\etb\pokapoka65.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINNT\etb\nt_hide63.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINNT\etb\xud_63.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINNT\rzpnwnnnzgx.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\876029.exe -> Adware.SaveNow : Cleaned with backup
C:\WINNT\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\WINNT\mm15201518.a.Stub.exe -> TrojanDownloader.Delmed.a : Cleaned with backup
C:\Documents and Settings\LinesD\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Common Files\mc-110-12-0000079.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning
C:\Program Files\Windows Media Player\wmplayer.exe -> Spyware.Pacer : Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\71E3F554-DFFE-4B1A-801C-4AE4FF\8464CECA-4313-44A8-B850-FF1C83 -> Adware.eZula : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\83CFC59C-624B-431E-8663-15C8DB\98C5FBB8-17A6-4F65-B41E-45D8C7 -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\83CFC59C-624B-431E-8663-15C8DB\E8912512-78AA-480D-AAFC-74C9D4 -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\67A4E499-1DDA-44FB-BE41-9A5676\AEAC5BC7-0E58-42F3-AED0-21456C -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\67A4E499-1DDA-44FB-BE41-9A5676\52522F16-C3F6-4F7A-83AD-7002AF -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\67A4E499-1DDA-44FB-BE41-9A5676\3C10359D-1052-469F-8611-C3D93C -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9BE8A4AF-4B1D-44DB-B7F8-448519\C725F83A-3DD2-41A2-ADD4-8219DC -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9BE8A4AF-4B1D-44DB-B7F8-448519\87C19CF5-BC84-40A0-B44D-6580BC -> Spyware.VirtualBouncer.j : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9BE8A4AF-4B1D-44DB-B7F8-448519\28821C94-E627-434E-93EE-AFE0A5 -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F475B39F-9FCF-4029-BDCB-00B475\5E10A015-2E36-4C44-AEE4-9EAEC2 -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F475B39F-9FCF-4029-BDCB-00B475\D02E8F61-A83D-4B4E-B21E-9973A2 -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F475B39F-9FCF-4029-BDCB-00B475\A9E7A017-81D4-46A1-A630-0A547C -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\10A8EE23-FA63-443E-AA1E-5225D2\B8C6983C-AFAF-4802-AAB0-322872 -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CFEA02C6-3D51-4C34-8203-1F4626\103D81CE-1B0B-4E8F-9AC1-F90837 -> Spyware.HotSearchBar : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CC13789B-7390-46A6-8121-9202E9\6A54B89B-D203-48E7-A0B6-2D2C85 -> TrojanDropper.Agent.hl : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CC13789B-7390-46A6-8121-9202E9\00E66FF1-AAC3-4689-8010-CA27F0 -> TrojanDropper.Small.qn : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\42717DD0-829B-403A-9585-89B76B\C9BC331C-6687-43EA-86BC-71929E -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\42717DD0-829B-403A-9585-89B76B\803C367C-CDFD-411C-AF42-049DEB -> Spyware.VirtualBouncer.j : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\42717DD0-829B-403A-9585-89B76B\F49914BF-013C-4F0E-9D28-59F34E -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5940B485-848A-47FC-AC74-6BF1D0\92EF8F85-2A41-4D41-8561-F13BB4 -> TrojanDropper.Agent.hl : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5940B485-848A-47FC-AC74-6BF1D0\F17C3207-4003-4C9D-BBFA-BE621C -> TrojanDropper.Small.qn : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\983642C9-CF2E-42A2-83BB-44B490\0AA65293-9DEA-4A30-B784-5E4C7A -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\983642C9-CF2E-42A2-83BB-44B490\E1936DE8-F444-4F57-8D55-0974DF -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AD09E1F7-F05E-4F53-BB7B-EC3E92\ADC9FB4C-2DCB-422D-A290-568C55 -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\39ED41FC-E90D-4285-BF89-E95C7E\73AFDEE7-FBE4-4F33-BB86-DE6F73 -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9C1BEB01-F353-427D-BA9C-B500E9\07E0F34E-19B6-4C00-B34B-6943B2 -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9C1BEB01-F353-427D-BA9C-B500E9\3BAB73A1-5EC8-49F2-B045-766577 -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\95F94048-ABF0-432D-998F-308053\C08EE8B4-8F98-436C-81A7-C894A0 -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\15E47D67-2468-4AD9-BC15-28A231\913247E4-904D-4399-97F5-E1634B -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\15E47D67-2468-4AD9-BC15-28A231\8A04C181-E79B-4357-841B-F68B9C -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6F4BC2FD-9CEA-4BD7-A1AB-E544A2\F55C6D34-288B-4707-A9E2-751F6B -> TrojanDownloader.Small.abd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E6670585-9FA8-4290-A5A4-148C12\A30991A5-5F99-4FF5-91BD-630457 -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E6670585-9FA8-4290-A5A4-148C12\1DF960C6-D2D9-4693-ACA9-B52A9D -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E6670585-9FA8-4290-A5A4-148C12\B4394F68-3D36-4FBD-8F97-7232A8 -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E6670585-9FA8-4290-A5A4-148C12\452FCFFD-3344-4C72-BAF1-A6FE1A -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E6670585-9FA8-4290-A5A4-148C12\AAAEC297-7735-4211-B220-054131 -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\679E8C6C-FDA0-4AE1-BAD8-3317EC\05CAE5FB-2009-42AD-BB13-F3A033 -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\679E8C6C-FDA0-4AE1-BAD8-3317EC\D97633DA-9C0F-4950-BD4F-ACEA7F -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8A2A1857-9824-4E35-A4AC-E16723\8B82A609-E501-49E0-AC14-5B40D4 -> TrojanDropper.Agent.hl : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8A2A1857-9824-4E35-A4AC-E16723\B55DE7C8-BF9F-47B2-820C-25DE3A -> TrojanDropper.Small.qn : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\401DD4CC-CA2B-4133-98B0-E1BB45\42B93086-1F8B-43F0-92E1-E43696 -> Adware.SAHA : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\ProSiteFinder\prositefinder.exe -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder1\prositefinder1.dll -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder1\prositefinder1.exe -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder.dll -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\Media Gateway\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\180searchassistant\saap.exe -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\180searchassistant\saaphook.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Internet Optimizer\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\Recycled\Q330995.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\FOUND.000\FILE0000.CHK -> Adware.BetterInternet : Cleaned with backup
C:\mmxxxxmas2.exe -> TrojanDownloader.VB.jl : Cleaned with backup
C:\backup.zip/AAVAPI32.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/aesnw.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/CEVFAT.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/daskcopy.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/demsrpcn.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/demsvinn.dLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/djodbc7.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/dnru0199e.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/dXdrm.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/e6jmlg1116.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/en22l1fo1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/enl0l13m1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/enr8l19u1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/fjsrch.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/fJxtiff.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/fp2403fqe.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/fplu0339e.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/idign32.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/h40q0ed5eh0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/hr8805lue.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/ihxrtmgr.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/its.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/j4j6le1s1h.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/jibexec.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/jKvart.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/k4620ejoehoc0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/k4jsle171h.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/KNRNEL32.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/kt0ql7d51.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/ktnul7591.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/l0j80a1ued.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/lort.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/lv2409fqe.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/lvpq0975e.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/m0lsla371d.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/m2820cloefqc0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/m4640ejqehoe0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/m6rmlg9116.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mcr2cenu.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mHlsla371d.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/MJRDO20.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mlrmsg.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mmhtmler.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/MODBG.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mtimg32.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mxls31.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/n2n60c5sef.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/nctid.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/NGTLOGON.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/NWTAPI32.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/phfmgr.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/pYutoenr.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/pzrfdisk.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/q4rq0e95eh.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/rqfsaps.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/seclient.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/snclient.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/u8ruli9918.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/wipdxm.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/xSctsrv.dll -> Spyware.Look2Me : Error during cleaning


::Report End