hijack this log (searc-h.com popups)

#1
explorthis
New Member, 7 posts
Greetings - wonderful help site!!!

I am getting (my kids computer) the non solicited popups from searc-h.com, as well as partypoker, and others.

Here is the listing from hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:58 PM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Documents and Settings\Mike\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119503616851
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AB1AB4F8-C30F-4FB4-A030-1C9F5513831F} (LREGameLoaderCtrl Class) - http://media.grab.co...gameloader6.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\lvlo0933e.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
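A HijackThis log is just a list of "code - body" lines, so the first pass an analyst does by eye can be scripted. The block below is an added example (not code from the thread, from HijackThis or from the helper's reply): it parses the item lines and applies two cheap checks, flagging any O20 Winlogon Notify entry whose DLL is not one of the stock XP notify packages, and any O4 autorun whose executable lives in a sub-folder of system32. The set of stock notify DLLs is an assumption taken from the names in the L2MFix export later in this thread; the six sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# Winlogon Notify packages that ship with Windows XP, as named in the
# L2MFix export later in this thread (assumption: treat these as stock).
# Anything else registered there is loaded into winlogon.exe as SYSTEM at
# every logon, so it deserves a close look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

# "R1 - ...", "O4 - ...", "O20 - ...": an HJT item code is a letter plus 1-2 digits.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# An autorun executable in its own sub-folder of system32 (system32\x\y.exe).
NESTED_SYSTEM32_EXE = re.compile(r'(?i)\\windows\\system32\\[^\\\s"]+\\[^\\\s"]+\.exe')


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_hjt(text):
    """Return (code, body, line) triples for every HJT item line in the log."""
    items = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            items.append((m.group("code"), m.group("body"), raw.strip()))
    return items


def triage(text):
    """Apply two cheap checks to a HJT log and return the lines worth a look."""
    findings = []
    for code, body, line in parse_hjt(text):
        if code == "O20" and body.startswith("Winlogon Notify:"):
            dll = body.rsplit(" - ", 1)[-1].strip()
            name = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(code, "Winlogon Notify DLL is not a stock XP package", line))
        elif code == "O4" and NESTED_SYSTEM32_EXE.search(body):
            findings.append(Finding(code, "autorun executable in a system32 sub-folder", line))
    return findings


# Sample input: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\lvlo0933e.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports the two O4 entries and the O20 entry; the Yahoo and CA lines pass both checks. Neither check proves anything is malicious on its own, which is why the helper asks for the L2MFix find log before any removal.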

#2
rstones12
Malware Expert (Retired Staff), 3,731 posts
explorthis,

Welcome to the GTG Forums, I will be reviewing your HJT log.
Please read "ALL" of the instructions before proceeding:

You will need to print out these instructions for a reference, or you can save them by copying and pasting them into Notepad and saving the text file to the desktop.

This process will take a few steps; please take your time and follow the directions in the order posted.
If you don't understand something, please ask before performing any task.


Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.
    • This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
  • Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Thanks,
rstones12

#3
explorthis
Topic Starter, New Member, 7 posts
Here it is: (I was ready)

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvlo0933e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{912A26B0-D26A-6790-596A-8FD11F42FBA9}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{0A082D00-EC93-11D0-B1E6-80580BC10627}"="Corel Media Folder Root Menu Handler"
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"="Folder To Corel Media Folder Menu Handler"
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}"="Corel Media Find Folder"
"{F8152501-455F-11D1-B1E6-444553540000}"="Corel Media Folder Copy Hook Handler"
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}"="IconFactTemp.NSIconHandlerFactory"
"{A2AC368A-F883-11D0-B745-00A0C90646A4}"="NSFiltManDll.FiltManCom"
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{D565D487-91D8-4AC7-B114-7A39D9DEAE5A}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{2A96C36D-3216-4E4C-B865-3AE9FC94806A}"=""
"{54A656EC-3955-4B81-B881-17A7C5F089B5}"=""
"{B2434690-9353-4429-8E84-B7B9BFDB5EF7}"=""
"{089A7EC7-D4F1-4011-A340-7886E1328073}"=""
"{A689189F-334B-4E16-85D7-52311C0DD8B4}"=""
"{D1BF3A6B-441A-4CF5-82E2-E8A05B2BC848}"=""
"{8BA86E30-0E71-4874-8B16-DA6A83230FDB}"=""
"{6919FA28-D4C8-48FC-9B3B-ABD342021AFF}"=""
"{5D559484-2415-4739-9526-81B730DB3630}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}\InprocServer32]
@="C:\\Corel\\Graphics8\\programs\\CMFFnd80.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8BA86E30-0E71-4874-8B16-DA6A83230FDB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BA86E30-0E71-4874-8B16-DA6A83230FDB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BA86E30-0E71-4874-8B16-DA6A83230FDB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BA86E30-0E71-4874-8B16-DA6A83230FDB}\InprocServer32]
@="C:\\WINDOWS\\system32\\mxcertui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6919FA28-D4C8-48FC-9B3B-ABD342021AFF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6919FA28-D4C8-48FC-9B3B-ABD342021AFF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6919FA28-D4C8-48FC-9B3B-ABD342021AFF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6919FA28-D4C8-48FC-9B3B-ABD342021AFF}\InprocServer32]
@="C:\\WINDOWS\\system32\\ikeshare.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5D559484-2415-4739-9526-81B730DB3630}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5D559484-2415-4739-9526-81B730DB3630}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5D559484-2415-4739-9526-81B730DB3630}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5D559484-2415-4739-9526-81B730DB3630}\InprocServer32]
@="C:\\WINDOWS\\system32\\Lekrn12n.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bkdispl.dll Mon Aug 1 2005 10:37:14a ..S.R 233,248 227.78 K
browseui.dll Sat Jul 2 2005 7:11:28p A.... 1,019,904 996.00 K
cbprops.dll Thu Aug 25 2005 6:58:50p ..S.R 234,713 229.21 K
cdfview.dll Sat Jul 2 2005 7:11:28p A.... 151,040 147.50 K
chvfat.dll Thu Aug 25 2005 11:14:00a ..S.R 234,713 229.21 K
cipesnpn.dll Tue Jul 26 2005 12:20:40p ..S.R 233,428 227.96 K
cjiconfg.dll Thu Aug 4 2005 3:50:24p ..S.R 233,248 227.78 K
cymocx.dll Thu Aug 4 2005 4:03:44p ..S.R 233,248 227.78 K
dgd9.dll Sat Aug 27 2005 12:26:24p ..S.R 235,047 229.54 K
dlcprop2.dll Sat Aug 27 2005 2:52:10p ..S.R 235,047 229.54 K
dsconfig.dll Thu Aug 4 2005 2:37:32p ..S.R 233,248 227.78 K
dugeng.dll Wed Aug 10 2005 10:07:56a ..S.R 233,248 227.78 K
dynet.dll Tue Aug 30 2005 8:18:52a ..S.R 235,047 229.54 K
ewentlog.dll Sat Aug 20 2005 11:16:14a ..S.R 233,248 227.78 K
f00o0a~1.dll Thu Aug 25 2005 11:21:24a ..S.R 234,713 229.21 K
g822li~1.dll Wed Aug 24 2005 11:01:32a ..S.R 233,248 227.78 K
gtkcsp.dll Thu Aug 4 2005 12:34:22p ..S.R 233,248 227.78 K
gwfspi~1.dll Tue Jul 12 2005 6:04:22p A.... 23,304 22.76 K
hrrs05~1.dll Thu Aug 4 2005 1:36:36p ..S.R 233,248 227.78 K
hvl.dll Sat Aug 20 2005 7:52:32p ..S.R 233,248 227.78 K
ibwphbk.dll Tue Aug 9 2005 7:05:58p ..S.R 233,248 227.78 K
icm32.dll Tue Jun 28 2005 6:46:00p A.... 254,976 249.00 K
idepro~1.dll Sun Jul 3 2005 8:57:32p ..... 139,264 136.00 K
iepeers.dll Sat Jul 2 2005 7:11:28p A.... 251,392 245.50 K
ifetppui.dll Wed Aug 24 2005 11:00:32a ..S.R 233,248 227.78 K
ikeshare.dll Sun Aug 21 2005 3:59:28p ..S.R 233,248 227.78 K
inseng.dll Sat Jul 2 2005 7:11:28p A.... 96,256 94.00 K
instfunc.dll Sun Jul 3 2005 9:01:30p A.... 5,632 5.50 K
ir44l5~1.dll Thu Aug 25 2005 11:49:16a ..S.R 234,713 229.21 K
irjml5~1.dll Mon Aug 29 2005 9:57:38a ..S.R 235,047 229.54 K
irp0l5~1.dll Thu Aug 4 2005 2:38:32p ..S.R 233,248 227.78 K
irpml5~1.dll Wed Aug 3 2005 8:23:40p ..S.R 233,428 227.96 K
j04ola~1.dll Sat Aug 27 2005 12:27:24p ..S.R 235,047 229.54 K
jtr207~1.dll Thu Aug 4 2005 6:25:54p ..S.R 233,248 227.78 K
k062la~1.dll Thu Jun 23 2005 3:25:38p ..S.R 234,784 229.28 K
k626lg~1.dll Mon Aug 8 2005 11:36:10a ..S.R 233,248 227.78 K
k644lg~1.dll Wed Jun 22 2005 10:11:18p ..S.R 235,809 230.28 K
kedfo.dll Thu Aug 4 2005 3:58:24p ..S.R 233,248 227.78 K
kerberos.dll Wed Jun 15 2005 10:49:30a A.... 295,936 289.00 K
kkdinmal.dll Fri Jun 24 2005 2:44:34p ..S.R 235,809 230.28 K
ktdru.dll Sun Aug 28 2005 4:49:54p ..S.R 235,047 229.54 K
kudmon.dll Mon Aug 1 2005 8:28:34p ..S.R 233,428 227.96 K
kxdru.dll Sun Aug 21 2005 12:51:20p ..S.R 233,248 227.78 K
l08m0a~1.dll Sun Jul 24 2005 5:00:16p ..... 233,428 227.96 K
l0j80a~1.dll Fri Aug 12 2005 11:32:48a ..S.R 233,248 227.78 K
l4p20e~1.dll Sat Aug 27 2005 12:00:12p ..S.R 235,321 229.80 K
l6j8lg~1.dll Thu Jun 23 2005 8:21:58p ..S.R 235,809 230.28 K
legitc~1.dll Tue Jul 12 2005 6:04:22p A.... 520,456 508.26 K
lekrn12n.dll Thu Aug 25 2005 8:00:18p ..S.R 234,713 229.21 K
lv0q09~1.dll Sun Jun 19 2005 1:20:26p ..S.R 235,293 229.78 K
lv2s09~1.dll Mon Jun 20 2005 7:41:50p ..... 235,809 230.28 K
lvlo09~1.dll Sun Aug 28 2005 4:50:54p ..S.R 235,047 229.54 K
lvpu09~1.dll Thu Aug 4 2005 12:35:22p ..S.R 233,248 227.78 K
mard2x40.dll Fri Aug 5 2005 9:21:04p ..S.R 233,248 227.78 K
mboeacct.dll Thu Aug 18 2005 2:10:22p ..S.R 233,248 227.78 K
mdsec.dll Fri Aug 5 2005 8:00:58a ..S.R 233,248 227.78 K
mkdemui.dll Tue Aug 2 2005 12:22:08p ..S.R 233,248 227.78 K
mliwave.dll Thu Aug 25 2005 3:09:10p ..S.R 234,713 229.21 K
mlmxsdk.dll Fri Jul 29 2005 11:24:42a ..S.R 233,248 227.78 K
mpidle.dll Tue Aug 9 2005 4:43:04p ..S.R 233,248 227.78 K
mpmefilt.dll Sun Aug 7 2005 1:40:32p ..S.R 233,248 227.78 K
mscms.dll Tue Jun 28 2005 6:46:00p A.... 74,240 72.50 K
mshtml.dll Tue Jul 19 2005 7:00:30p A.... 3,014,144 2.87 M
mshtmled.dll Sat Jul 2 2005 7:11:30p A.... 448,512 438.00 K
msrating.dll Sat Jul 2 2005 7:11:30p A.... 146,432 143.00 K
mwobjs.dll Mon Aug 29 2005 9:56:38a ..S.R 235,047 229.54 K
mwrdo20.dll Fri Aug 12 2005 11:29:48a ..S.R 233,248 227.78 K
mwsec.dll Wed Aug 3 2005 8:22:38p ..S.R 233,428 227.96 K
mxcertui.dll Sun Jul 24 2005 5:00:18p ..S.R 233,248 227.78 K
mxvcr70.dll Sat Aug 20 2005 12:02:08p ..S.R 233,248 227.78 K
myconf.dll Sat Aug 27 2005 12:00:12p ..S.R 235,047 229.54 K
ndiq.dll Mon Jun 20 2005 7:03:22a A.... 167,936 164.00 K
o6lulg~1.dll Thu Aug 4 2005 3:58:24p ..S.R 235,184 229.67 K
o6ns0g~1.dll Tue Aug 9 2005 11:34:14a ..S.R 233,248 227.78 K
obecli.dll Thu Jul 28 2005 10:42:46a ..S.R 233,428 227.96 K
okuninst.dll Tue Aug 9 2005 9:07:52p ..S.R 233,248 227.78 K
omfox32.dll Thu Aug 4 2005 1:35:36p ..S.R 233,248 227.78 K
pfrfproc.dll Fri Aug 19 2005 2:35:00p ..S.R 233,248 227.78 K
pngfilt.dll Sat Jul 2 2005 7:11:30p A.... 39,424 38.50 K
px.dll Sun Jul 3 2005 4:07:08p ..... 360,448 352.00 K
pxdrv.dll Sun Jul 3 2005 4:07:10p ..... 397,312 388.00 K
pxmas.dll Sun Jul 3 2005 4:07:10p ..... 155,648 152.00 K
pxwave.dll Sun Jul 3 2005 4:07:10p ..... 339,968 332.00 K
pxwma.dll Sun Jul 3 2005 4:07:10p ..... 151,552 148.00 K
r0p8la~1.dll Thu Aug 4 2005 4:03:44p ..S.R 235,118 229.61 K
rqpsnd.dll Sun Jul 24 2005 3:57:00p ..S.R 233,248 227.78 K
sbcsccp.dll Thu Aug 11 2005 11:10:44a ..S.R 233,248 227.78 K
sdns.dll Fri Aug 5 2005 5:07:00p ..S.R 233,248 227.78 K
setuplib.dll Sun Jul 3 2005 9:01:14p A.... 155,648 152.00 K
shdocvw.dll Sat Jul 2 2005 7:11:30p A.... 1,483,776 1.41 M
shlwapi.dll Sat Jul 2 2005 7:11:30p A.... 473,600 462.50 K
shrmdll.dll Sun Jul 31 2005 1:16:00p ..S.R 233,428 227.96 K
sisapcom.dll Sun Jul 3 2005 9:01:30p A.... 98,304 96.00 K
sisgl.dll Wed Jul 13 2005 3:46:42a A.... 1,570,489 1.50 M
sisgrv.dll Wed Jul 13 2005 3:15:14a A.... 904,192 883.00 K
sisinst.dll Sun Jul 3 2005 9:01:30p A.... 172,032 168.00 K
sisparse.dll Sun Jul 3 2005 9:01:30p A.... 221,184 216.00 K
sispinst.dll Wed Jul 13 2005 2:55:02a A.... 28,672 28.00 K
snbiop.dll Thu Aug 25 2005 11:48:16a ..S.R 234,713 229.21 K
somedia.dll Sat Aug 20 2005 7:28:04p ..S.R 233,248 227.78 K
tapisrv.dll Fri Jul 8 2005 9:27:56a A.... 249,344 243.50 K
tvmode~1.dll Sun Jul 3 2005 9:01:16p ..... 155,648 152.00 K
twembed.dll Wed Jul 27 2005 10:15:24a ..S.R 233,248 227.78 K
uirdpa.dll Tue Aug 9 2005 11:33:14a ..S.R 233,248 227.78 K
umpnpmgr.dll Wed Jun 29 2005 7:02:40p A.... 118,272 115.50 K
urlmon.dll Sat Jul 2 2005 7:11:30p A.... 607,744 593.50 K
vetredir.dll Sun Jul 10 2005 7:28:46p A.... 74,864 73.11 K
vsdata.dll Wed Jul 20 2005 2:45:14a A.... 83,728 81.77 K
vsinit.dll Wed Jul 20 2005 2:45:26a A.... 141,072 137.77 K
vsmonapi.dll Wed Jul 20 2005 2:45:34a A.... 104,208 101.77 K
vspubapi.dll Wed Jul 20 2005 2:45:38a A.... 227,088 221.77 K
vsutil.dll Wed Jul 20 2005 2:45:54a A.... 382,736 373.77 K
vsxml.dll Wed Jul 20 2005 2:46:02a A.... 100,112 97.77 K
vvdex.dll Sun Aug 14 2005 4:29:48p ..S.R 233,248 227.78 K
vxblock.dll Sun Jul 3 2005 4:07:10p ..... 28,672 28.00 K
wesdmoe2.dll Sun Aug 14 2005 9:35:04p ..S.R 233,248 227.78 K
wfsdmoe.dll Thu Aug 25 2005 11:20:24a ..S.R 234,713 229.21 K
wininet.dll Sat Jul 2 2005 7:11:30p A.... 658,432 643.00 K
wvauserv.dll Mon Aug 8 2005 11:35:10a ..S.R 233,248 227.78 K
zlcomm.dll Wed Jul 20 2005 2:46:22a A.... 79,632 77.77 K
zlcommdb.dll Wed Jul 20 2005 2:46:26a A.... 71,440 69.77 K

121 items found: 121 files (74 H/S), 0 directories.
Total of file sizes: 34,020,388 bytes 32.44 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue Aug 30 2005 8:19:52a ..S.R 235,047 229.54 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 235,047 bytes 229.54 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 30F8-72DF

Directory of C:\WINDOWS\System32

08/30/2005 08:19 AM 235,047 guard.tmp
08/30/2005 08:18 AM 235,047 dynet.dll
08/29/2005 09:57 AM 235,047 irjml5111.dll
08/29/2005 09:56 AM 235,047 mwobjs.dll
08/28/2005 04:50 PM 235,047 lvlo0933e.dll
08/28/2005 04:49 PM 235,047 ktdru.dll
08/27/2005 02:52 PM 235,047 dlcprop2.dll
08/27/2005 12:27 PM 235,047 j04olah31d4.dll
08/27/2005 12:26 PM 235,047 dGd9.dll
08/27/2005 12:00 PM 235,047 myconf.dll
08/27/2005 12:00 PM 235,321 l4p20e7oeh.dll
08/25/2005 08:00 PM 234,713 Lekrn12n.dll
08/25/2005 06:58 PM 234,713 cbprops.dll
08/25/2005 03:09 PM 234,713 mliwave.dll
08/25/2005 11:49 AM 234,713 ir44l5hq1.dll
08/25/2005 11:48 AM 234,713 snbiop.dll
08/25/2005 11:21 AM 234,713 f00o0ad3ed0.dll
08/25/2005 11:20 AM 234,713 wfsdmoe.dll
08/25/2005 11:13 AM 234,713 chvfat.dll
08/24/2005 11:01 AM 233,248 g822lifo182c.dll
08/24/2005 11:00 AM 233,248 ifetppui.dll
08/22/2005 07:37 PM <DIR> dllcache
08/21/2005 03:59 PM 233,248 ikeshare.dll
08/21/2005 12:51 PM 233,248 kxdru.dll
08/20/2005 07:52 PM 233,248 HVL.DLL
08/20/2005 07:28 PM 233,248 somedia.dll
08/20/2005 12:02 PM 233,248 mxvcr70.dll
08/20/2005 11:16 AM 233,248 ewentlog.dll
08/19/2005 02:34 PM 233,248 pfrfproc.dll
08/18/2005 02:10 PM 233,248 mboeacct.dll
08/14/2005 09:35 PM 233,248 wesdmoe2.dll
08/14/2005 04:29 PM 233,248 vvdex.dll
08/12/2005 11:32 AM 233,248 l0j80a1ued.dll
08/12/2005 11:29 AM 233,248 MWRDO20.DLL
08/11/2005 11:10 AM 233,248 sbcsccp.dll
08/10/2005 10:07 AM 233,248 dugeng.dll
08/09/2005 09:07 PM 233,248 okuninst.dll
08/09/2005 07:05 PM 233,248 ibwphbk.dll
08/09/2005 04:43 PM 233,248 mpidle.dll
08/09/2005 11:34 AM 233,248 o6ns0g57e6.dll
08/09/2005 11:33 AM 233,248 uirdpa.dll
08/08/2005 11:36 AM 233,248 k626lgfs1626.dll
08/08/2005 11:35 AM 233,248 wvauserv.dll
08/07/2005 01:40 PM 233,248 mpmefilt.dll
08/05/2005 09:21 PM 233,248 mard2x40.dll
08/05/2005 05:06 PM 233,248 sdns.dll
08/05/2005 08:00 AM 233,248 mdsec.dll
08/04/2005 06:25 PM 233,248 jtr2079oe.dll
08/04/2005 04:03 PM 233,248 cYmocx.dll
08/04/2005 04:03 PM 235,118 r0p8la7u1d.dll
08/04/2005 03:58 PM 233,248 kedfo.dll
08/04/2005 03:58 PM 235,184 o6lulg3916.dll
08/04/2005 03:50 PM 233,248 cjiconfg.dll
08/04/2005 02:38 PM 233,248 irp0l57m1.dll
08/04/2005 02:37 PM 233,248 dsconfig.dll
08/04/2005 01:36 PM 233,248 hrrs0597e.dll
08/04/2005 01:35 PM 233,248 omfox32.dll
08/04/2005 12:35 PM 233,248 lvpu0979e.dll
08/04/2005 12:34 PM 233,248 gtkcsp.dll
08/03/2005 08:23 PM 233,428 irpml5711.dll
08/03/2005 08:22 PM 233,428 mwsec.dll
08/02/2005 12:22 PM 233,248 mkdemui.dll
08/01/2005 08:28 PM 233,428 kudmon.dll
08/01/2005 10:37 AM 233,248 bkdispl.dll
07/31/2005 01:15 PM 233,428 shrmdll.dll
07/29/2005 11:24 AM 233,248 mlmxsdk.dll
07/28/2005 10:42 AM 233,428 obecli.dll
07/27/2005 10:15 AM 233,248 tWembed.dll
07/26/2005 12:20 PM 233,428 cIpesnpn.dll
07/24/2005 05:00 PM 233,248 mxcertui.dll
07/24/2005 03:56 PM 233,248 rqpsnd.dll
06/24/2005 02:44 PM 235,809 kkdinmal.dll
06/23/2005 08:21 PM 235,809 l6j8lg1u16.dll
06/23/2005 03:25 PM 234,784 k062lajo1doc.dll
06/22/2005 10:11 PM 235,809 k644lghq164e.dll
06/19/2005 01:20 PM 235,293 lv0q09d5e.dll
01/01/2005 12:33 PM <DIR> Microsoft
75 File(s) 17,541,533 bytes
2 Dir(s) 69,755,469,824 bytes free
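The two listings above are what the helper reads to pick out the adware's payload without knowing any file name in advance: dozens of randomly named DLLs in System32, all created within a few weeks, all roughly 233 to 236 KB, and almost all carrying the system and read-only attributes (the `..S.R` column, counted as "74 H/S" in the summary) that genuine Windows DLLs in that directory do not have. The script below is an added example, not part of this thread or of the L2mfix tool: it parses lines in that listing format and applies the same two signals, the attribute pattern and the size cluster. The sample lines are copied from the listing above; the 4 KB tolerance and the two-tier verdict are this example's own choices. It also covers the edge case the listing contains: l08m0a~1.dll shows no S or R bit but sits in the size cluster, and the fix log further down shows it was removed along with the rest.

```python
import re
import statistics

# Constructed sample: ten lines copied from the System32 listing posted above,
# trimmed for the example. Genuine Windows DLLs (icm32, kerberos, mshtml) carry
# only the A (archive) bit; the adware DLLs carry S (system) and R (read-only)
# and cluster tightly in size. l08m0a~1.dll is the edge case: no S/R bits, but
# its size sits in the cluster, and the fix log shows it was removed as well.
SAMPLE_LISTING = """\
icm32.dll Tue Jun 28 2005 6:46:00p A.... 254,976 249.00 K
ifetppui.dll Wed Aug 24 2005 11:00:32a ..S.R 233,248 227.78 K
ikeshare.dll Sun Aug 21 2005 3:59:28p ..S.R 233,248 227.78 K
ir44l5~1.dll Thu Aug 25 2005 11:49:16a ..S.R 234,713 229.21 K
kerberos.dll Wed Jun 15 2005 10:49:30a A.... 295,936 289.00 K
kkdinmal.dll Fri Jun 24 2005 2:44:34p ..S.R 235,809 230.28 K
l08m0a~1.dll Sun Jul 24 2005 5:00:16p ..... 233,428 227.96 K
mshtml.dll Tue Jul 19 2005 7:00:30p A.... 3,014,144 2.87 M
px.dll Sun Jul 3 2005 4:07:08p ..... 360,448 352.00 K
guard.tmp Tue Aug 30 2005 8:19:52a ..S.R 235,047 229.54 K
"""

# One listing line: name, weekday-month-day-year, 12h time, 5-character
# attribute column, byte size with thousands separators, human-readable size.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<date>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+"
    r"(?P<human>[\d.]+ [KM])$"
)


def parse_listing(text):
    """Return one dict per line that matches the listing format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "name": m["name"],
                "date": m["date"],
                "attrs": m["attrs"],
                "size": int(m["size"].replace(",", "")),
            })
    return entries


def has_hide_bits(entry):
    """System + read-only with no archive bit: the attribute pattern of the planted DLLs."""
    a = entry["attrs"]
    return "S" in a and "R" in a and "A" not in a


def suspicious_files(entries, tolerance=4096):
    """Classify entries as 'high' (S/R bits and inside the size cluster) or 'medium'
    (only one of the two signals). Files showing neither signal are not returned.
    The cluster is centred on the median size of the S/R files, so it adapts to
    whatever the current build of the adware happens to weigh."""
    marked = [e for e in entries if has_hide_bits(e)]
    if not marked:
        return {}
    centre = statistics.median(e["size"] for e in marked)
    lo, hi = centre - tolerance, centre + tolerance
    verdicts = {}
    for e in entries:
        in_band = lo <= e["size"] <= hi
        bits = has_hide_bits(e)
        if bits and in_band:
            verdicts[e["name"]] = "high"
        elif bits or in_band:
            verdicts[e["name"]] = "medium"
    return verdicts


if __name__ == "__main__":
    for name, level in sorted(suspicious_files(parse_listing(SAMPLE_LISTING)).items()):
        print(f"{level:6} {name}")
```

On the sample, the five `..S.R` files come out as high confidence, l08m0a~1.dll as medium, and the real Windows DLLs are not reported at all. The size signal is the one that matters in practice: a `~1` short name or a hidden attribute alone is not evidence, but 75 unrelated DLLs landing within 3 KB of each other is not how Microsoft ships a system directory.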

#4 rstones12 (Malware Expert, Retired Staff, 3,731 posts)
explorthis,

Please read "ALL" of the instructions before proceeding:


Now we need to do the next part of the fix.

Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.
  • After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
  • Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Thanks,
rstones12
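The fix has to run through a reboot, and L2mfix kills explorer.exe and rundll32.exe and then resets the ACL on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, because Look2Me registers its DLL as a Winlogon notification package: winlogon.exe loads it before any user shell exists, which keeps the file locked for the whole session. That is why the tool finishes its log with an export of the Notify key, so the helper can confirm that only Windows' own packages remain. As an added example, not from this thread and not part of L2mfix, the script below parses such a .reg export (including the backslash-continued `hex(2):` lines that .reg files use for REG_EXPAND_SZ) and flags every Notify subkey whose DllName is not one of the six DLLs the clean XP SP2 export in this thread shows. That baseline is this example's assumption for this Windows build, not a general list. The third subkey in the sample is constructed, reusing the name of one of the removed files, because the thread only shows the key after the fix.

```python
# Notify packages present in the post-fix export that L2mfix prints (Windows XP SP2).
# Assumption for this example: anything else loading into winlogon.exe deserves a look.
BASELINE_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample export. The first two subkeys are copied from the real export
# in the thread (one DllName stored as hex(2)/REG_EXPAND_SZ, one as a plain string).
# The third subkey is constructed for the example: it points at dGd9.dll, one of the
# files the fix removed; the thread does not show which subkey the adware used.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dGd9]
"DllName"="dGd9.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"""


def decode_reg_value(data):
    """Decode the right-hand side of a .reg v5 value line into a Python value."""
    if data.startswith(("hex(1):", "hex(2):")):      # REG_SZ / REG_EXPAND_SZ as UTF-16LE bytes
        raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data                                        # other types are left as text


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}, joining
    backslash-continued hex lines before decoding them."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                        # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(data)
    return keys


def audit_notify(keys, baseline=BASELINE_NOTIFY_DLLS):
    """Return {subkey: dll} for every Notify package whose DLL is not in the baseline
    (or that has no DllName at all). Matching is by file name only, so a baseline
    name pointing at a replaced file would still pass; pair this with a hash check."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = {}
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None or dll.lower() not in baseline:
            findings[path.rsplit("\\", 1)[1]] = dll
    return findings


if __name__ == "__main__":
    for sub, dll in audit_notify(parse_reg_export(SAMPLE_EXPORT)).items():
        print(f"unexpected Winlogon Notify package {sub!r} -> {dll}")
```

Two details matter for anyone adapting this. The value name is `DllName` in some subkeys and `DLLName` in others, exactly as in the export in this thread, so the lookup is case-insensitive. And an entry that passes the name check is not proven clean: the check confirms that no foreign package is registered, not that the six registered files are the ones Microsoft shipped.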

#5 explorthis (New Member, Topic Starter, 7 posts)
L2mfix log:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 252 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 488 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\bkdispl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cbprops.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\chvfat.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cIpesnpn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cjiconfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cYmocx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dGd9.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dlcprop2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dsconfig.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dugeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dynet.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ewentlog.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f00o0ad3ed0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g822lifo182c.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gtkcsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrrs0597e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\HVL.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ibwphbk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ifetppui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ikeshare.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir44l5hq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irjml5111.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irp0l57m1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irpml5711.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j04olah31d4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtr2079oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k062lajo1doc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k626lgfs1626.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k644lghq164e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kedfo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kkdinmal.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdru.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kudmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kxdru.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l08m0al1edq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l0j80a1ued.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l4p20e7oeh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l6j8lg1u16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Lekrn12n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv0q09d5e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv2s09f7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvpu0979e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mard2x40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mboeacct.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdsec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mkdemui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mliwave.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mlmxsdk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpidle.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpmefilt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mwobjs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MWRDO20.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mwsec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mxcertui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mxvcr70.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myconf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o6lulg3916.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o6ns0g57e6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\obecli.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\okuninst.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\omfox32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pfrfproc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r0p8la7u1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rqpsnd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sbcsccp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sdns.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\shrmdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\snbiop.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\somedia.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tWembed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uirdpa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vvdex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wesdmoe2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfsdmoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wvauserv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\bkdispl.dll
Successfully Deleted: C:\WINDOWS\system32\bkdispl.dll
deleting: C:\WINDOWS\system32\cbprops.dll
Successfully Deleted: C:\WINDOWS\system32\cbprops.dll
deleting: C:\WINDOWS\system32\chvfat.dll
Successfully Deleted: C:\WINDOWS\system32\chvfat.dll
deleting: C:\WINDOWS\system32\cIpesnpn.dll
Successfully Deleted: C:\WINDOWS\system32\cIpesnpn.dll
deleting: C:\WINDOWS\system32\cjiconfg.dll
Successfully Deleted: C:\WINDOWS\system32\cjiconfg.dll
deleting: C:\WINDOWS\system32\cYmocx.dll
Successfully Deleted: C:\WINDOWS\system32\cYmocx.dll
deleting: C:\WINDOWS\system32\dGd9.dll
Successfully Deleted: C:\WINDOWS\system32\dGd9.dll
deleting: C:\WINDOWS\system32\dlcprop2.dll
Successfully Deleted: C:\WINDOWS\system32\dlcprop2.dll
deleting: C:\WINDOWS\system32\dsconfig.dll
Successfully Deleted: C:\WINDOWS\system32\dsconfig.dll
deleting: C:\WINDOWS\system32\dugeng.dll
Successfully Deleted: C:\WINDOWS\system32\dugeng.dll
deleting: C:\WINDOWS\system32\dynet.dll
Successfully Deleted: C:\WINDOWS\system32\dynet.dll
deleting: C:\WINDOWS\system32\ewentlog.dll
Successfully Deleted: C:\WINDOWS\system32\ewentlog.dll
deleting: C:\WINDOWS\system32\f00o0ad3ed0.dll
Successfully Deleted: C:\WINDOWS\system32\f00o0ad3ed0.dll
deleting: C:\WINDOWS\system32\g822lifo182c.dll
Successfully Deleted: C:\WINDOWS\system32\g822lifo182c.dll
deleting: C:\WINDOWS\system32\gtkcsp.dll
Successfully Deleted: C:\WINDOWS\system32\gtkcsp.dll
deleting: C:\WINDOWS\system32\hrrs0597e.dll
Successfully Deleted: C:\WINDOWS\system32\hrrs0597e.dll
deleting: C:\WINDOWS\system32\HVL.DLL
Successfully Deleted: C:\WINDOWS\system32\HVL.DLL
deleting: C:\WINDOWS\system32\ibwphbk.dll
Successfully Deleted: C:\WINDOWS\system32\ibwphbk.dll
deleting: C:\WINDOWS\system32\ifetppui.dll
Successfully Deleted: C:\WINDOWS\system32\ifetppui.dll
deleting: C:\WINDOWS\system32\ikeshare.dll
Successfully Deleted: C:\WINDOWS\system32\ikeshare.dll
deleting: C:\WINDOWS\system32\ir44l5hq1.dll
Successfully Deleted: C:\WINDOWS\system32\ir44l5hq1.dll
deleting: C:\WINDOWS\system32\irjml5111.dll
Successfully Deleted: C:\WINDOWS\system32\irjml5111.dll
deleting: C:\WINDOWS\system32\irp0l57m1.dll
Successfully Deleted: C:\WINDOWS\system32\irp0l57m1.dll
deleting: C:\WINDOWS\system32\irpml5711.dll
Successfully Deleted: C:\WINDOWS\system32\irpml5711.dll
deleting: C:\WINDOWS\system32\j04olah31d4.dll
Successfully Deleted: C:\WINDOWS\system32\j04olah31d4.dll
deleting: C:\WINDOWS\system32\jtr2079oe.dll
Successfully Deleted: C:\WINDOWS\system32\jtr2079oe.dll
deleting: C:\WINDOWS\system32\k062lajo1doc.dll
Successfully Deleted: C:\WINDOWS\system32\k062lajo1doc.dll
deleting: C:\WINDOWS\system32\k626lgfs1626.dll
Successfully Deleted: C:\WINDOWS\system32\k626lgfs1626.dll
deleting: C:\WINDOWS\system32\k644lghq164e.dll
Successfully Deleted: C:\WINDOWS\system32\k644lghq164e.dll
deleting: C:\WINDOWS\system32\kedfo.dll
Successfully Deleted: C:\WINDOWS\system32\kedfo.dll
deleting: C:\WINDOWS\system32\kkdinmal.dll
Successfully Deleted: C:\WINDOWS\system32\kkdinmal.dll
deleting: C:\WINDOWS\system32\ktdru.dll
Successfully Deleted: C:\WINDOWS\system32\ktdru.dll
deleting: C:\WINDOWS\system32\kudmon.dll
Successfully Deleted: C:\WINDOWS\system32\kudmon.dll
deleting: C:\WINDOWS\system32\kxdru.dll
Successfully Deleted: C:\WINDOWS\system32\kxdru.dll
deleting: C:\WINDOWS\system32\l08m0al1edq.dll
Successfully Deleted: C:\WINDOWS\system32\l08m0al1edq.dll
deleting: C:\WINDOWS\system32\l0j80a1ued.dll
Successfully Deleted: C:\WINDOWS\system32\l0j80a1ued.dll
deleting: C:\WINDOWS\system32\l4p20e7oeh.dll
Successfully Deleted: C:\WINDOWS\system32\l4p20e7oeh.dll
deleting: C:\WINDOWS\system32\l6j8lg1u16.dll
Successfully Deleted: C:\WINDOWS\system32\l6j8lg1u16.dll
deleting: C:\WINDOWS\system32\Lekrn12n.dll
Successfully Deleted: C:\WINDOWS\system32\Lekrn12n.dll
deleting: C:\WINDOWS\system32\lv0q09d5e.dll
Successfully Deleted: C:\WINDOWS\system32\lv0q09d5e.dll
deleting: C:\WINDOWS\system32\lv2s09f7e.dll
Successfully Deleted: C:\WINDOWS\system32\lv2s09f7e.dll
deleting: C:\WINDOWS\system32\lvpu0979e.dll
Successfully Deleted: C:\WINDOWS\system32\lvpu0979e.dll
deleting: C:\WINDOWS\system32\mard2x40.dll
Successfully Deleted: C:\WINDOWS\system32\mard2x40.dll
deleting: C:\WINDOWS\system32\mboeacct.dll
Successfully Deleted: C:\WINDOWS\system32\mboeacct.dll
deleting: C:\WINDOWS\system32\mdsec.dll
Successfully Deleted: C:\WINDOWS\system32\mdsec.dll
deleting: C:\WINDOWS\system32\mkdemui.dll
Successfully Deleted: C:\WINDOWS\system32\mkdemui.dll
deleting: C:\WINDOWS\system32\mliwave.dll
Successfully Deleted: C:\WINDOWS\system32\mliwave.dll
deleting: C:\WINDOWS\system32\mlmxsdk.dll
Successfully Deleted: C:\WINDOWS\system32\mlmxsdk.dll
deleting: C:\WINDOWS\system32\mpidle.dll
Successfully Deleted: C:\WINDOWS\system32\mpidle.dll
deleting: C:\WINDOWS\system32\mpmefilt.dll
Successfully Deleted: C:\WINDOWS\system32\mpmefilt.dll
deleting: C:\WINDOWS\system32\mwobjs.dll
Successfully Deleted: C:\WINDOWS\system32\mwobjs.dll
deleting: C:\WINDOWS\system32\MWRDO20.DLL
Successfully Deleted: C:\WINDOWS\system32\MWRDO20.DLL
deleting: C:\WINDOWS\system32\mwsec.dll
Successfully Deleted: C:\WINDOWS\system32\mwsec.dll
deleting: C:\WINDOWS\system32\mxcertui.dll
Successfully Deleted: C:\WINDOWS\system32\mxcertui.dll
deleting: C:\WINDOWS\system32\mxvcr70.dll
Successfully Deleted: C:\WINDOWS\system32\mxvcr70.dll
deleting: C:\WINDOWS\system32\myconf.dll
Successfully Deleted: C:\WINDOWS\system32\myconf.dll
deleting: C:\WINDOWS\system32\o6lulg3916.dll
Successfully Deleted: C:\WINDOWS\system32\o6lulg3916.dll
deleting: C:\WINDOWS\system32\o6ns0g57e6.dll
Successfully Deleted: C:\WINDOWS\system32\o6ns0g57e6.dll
deleting: C:\WINDOWS\system32\obecli.dll
Successfully Deleted: C:\WINDOWS\system32\obecli.dll
deleting: C:\WINDOWS\system32\okuninst.dll
Successfully Deleted: C:\WINDOWS\system32\okuninst.dll
deleting: C:\WINDOWS\system32\omfox32.dll
Successfully Deleted: C:\WINDOWS\system32\omfox32.dll
deleting: C:\WINDOWS\system32\pfrfproc.dll
Successfully Deleted: C:\WINDOWS\system32\pfrfproc.dll
deleting: C:\WINDOWS\system32\r0p8la7u1d.dll
Successfully Deleted: C:\WINDOWS\system32\r0p8la7u1d.dll
deleting: C:\WINDOWS\system32\rqpsnd.dll
Successfully Deleted: C:\WINDOWS\system32\rqpsnd.dll
deleting: C:\WINDOWS\system32\sbcsccp.dll
Successfully Deleted: C:\WINDOWS\system32\sbcsccp.dll
deleting: C:\WINDOWS\system32\sdns.dll
Successfully Deleted: C:\WINDOWS\system32\sdns.dll
deleting: C:\WINDOWS\system32\shrmdll.dll
Successfully Deleted: C:\WINDOWS\system32\shrmdll.dll
deleting: C:\WINDOWS\system32\snbiop.dll
Successfully Deleted: C:\WINDOWS\system32\snbiop.dll
deleting: C:\WINDOWS\system32\somedia.dll
Successfully Deleted: C:\WINDOWS\system32\somedia.dll
deleting: C:\WINDOWS\system32\tWembed.dll
Successfully Deleted: C:\WINDOWS\system32\tWembed.dll
deleting: C:\WINDOWS\system32\uirdpa.dll
Successfully Deleted: C:\WINDOWS\system32\uirdpa.dll
deleting: C:\WINDOWS\system32\vvdex.dll
Successfully Deleted: C:\WINDOWS\system32\vvdex.dll
deleting: C:\WINDOWS\system32\wesdmoe2.dll
Successfully Deleted: C:\WINDOWS\system32\wesdmoe2.dll
deleting: C:\WINDOWS\system32\wfsdmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wfsdmoe.dll
deleting: C:\WINDOWS\system32\wvauserv.dll
Successfully Deleted: C:\WINDOWS\system32\wvauserv.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: bkdispl.dll (188 bytes security) (deflated 4%)
adding: cbprops.dll (188 bytes security) (deflated 5%)
adding: chvfat.dll (188 bytes security) (deflated 5%)
adding: cIpesnpn.dll (188 bytes security) (deflated 4%)
adding: cjiconfg.dll (188 bytes security) (deflated 4%)
adding: cYmocx.dll (188 bytes security) (deflated 4%)
adding: dGd9.dll (188 bytes security) (deflated 5%)
adding: dlcprop2.dll (188 bytes security) (deflated 5%)
adding: dsconfig.dll (188 bytes security) (deflated 4%)
adding: dugeng.dll (188 bytes security) (deflated 4%)
adding: dynet.dll (188 bytes security) (deflated 5%)
adding: ewentlog.dll (188 bytes security) (deflated 4%)
adding: f00o0ad3ed0.dll (188 bytes security) (deflated 5%)
adding: g822lifo182c.dll (188 bytes security) (deflated 4%)
adding: gtkcsp.dll (188 bytes security) (deflated 4%)
adding: hrrs0597e.dll (188 bytes security) (deflated 4%)
adding: HVL.DLL (188 bytes security) (deflated 4%)
adding: ibwphbk.dll (188 bytes security) (deflated 4%)
adding: ifetppui.dll (188 bytes security) (deflated 4%)
adding: ikeshare.dll (188 bytes security) (deflated 4%)
adding: ir44l5hq1.dll (188 bytes security) (deflated 5%)
adding: irjml5111.dll (188 bytes security) (deflated 5%)
adding: irp0l57m1.dll (188 bytes security) (deflated 4%)
adding: irpml5711.dll (188 bytes security) (deflated 4%)
adding: j04olah31d4.dll (188 bytes security) (deflated 5%)
adding: jtr2079oe.dll (188 bytes security) (deflated 4%)
adding: k062lajo1doc.dll (188 bytes security) (deflated 4%)
adding: k626lgfs1626.dll (188 bytes security) (deflated 4%)
adding: k644lghq164e.dll (188 bytes security) (deflated 5%)
adding: kedfo.dll (188 bytes security) (deflated 4%)
adding: kkdinmal.dll (188 bytes security) (deflated 5%)
adding: ktdru.dll (188 bytes security) (deflated 5%)
adding: kudmon.dll (188 bytes security) (deflated 4%)
adding: kxdru.dll (188 bytes security) (deflated 4%)
adding: l08m0al1edq.dll (188 bytes security) (deflated 4%)
adding: l0j80a1ued.dll (188 bytes security) (deflated 4%)
adding: l4p20e7oeh.dll (188 bytes security) (deflated 5%)
adding: l6j8lg1u16.dll (188 bytes security) (deflated 5%)
adding: Lekrn12n.dll (188 bytes security) (deflated 5%)
adding: lv0q09d5e.dll (188 bytes security) (deflated 5%)
adding: lv2s09f7e.dll (188 bytes security) (deflated 5%)
adding: lvpu0979e.dll (188 bytes security) (deflated 4%)
adding: mard2x40.dll (188 bytes security) (deflated 4%)
adding: mboeacct.dll (188 bytes security) (deflated 4%)
adding: mdsec.dll (188 bytes security) (deflated 4%)
adding: mkdemui.dll (188 bytes security) (deflated 4%)
adding: mliwave.dll (188 bytes security) (deflated 5%)
adding: mlmxsdk.dll (188 bytes security) (deflated 4%)
adding: mpidle.dll (188 bytes security) (deflated 4%)
adding: mpmefilt.dll (188 bytes security) (deflated 4%)
adding: mwobjs.dll (188 bytes security) (deflated 5%)
adding: MWRDO20.DLL (188 bytes security) (deflated 4%)
adding: mwsec.dll (188 bytes security) (deflated 4%)
adding: mxcertui.dll (188 bytes security) (deflated 4%)
adding: mxvcr70.dll (188 bytes security) (deflated 4%)
adding: myconf.dll (188 bytes security) (deflated 5%)
adding: o6lulg3916.dll (188 bytes security) (deflated 5%)
adding: o6ns0g57e6.dll (188 bytes security) (deflated 4%)
adding: obecli.dll (188 bytes security) (deflated 4%)
adding: okuninst.dll (188 bytes security) (deflated 4%)
adding: omfox32.dll (188 bytes security) (deflated 4%)
adding: pfrfproc.dll (188 bytes security) (deflated 4%)
adding: r0p8la7u1d.dll (188 bytes security) (deflated 5%)
adding: rqpsnd.dll (188 bytes security) (deflated 4%)
adding: sbcsccp.dll (188 bytes security) (deflated 4%)
adding: sdns.dll (188 bytes security) (deflated 4%)
adding: shrmdll.dll (188 bytes security) (deflated 4%)
adding: snbiop.dll (188 bytes security) (deflated 5%)
adding: somedia.dll (188 bytes security) (deflated 4%)
adding: tWembed.dll (188 bytes security) (deflated 4%)
adding: uirdpa.dll (188 bytes security) (deflated 4%)
adding: vvdex.dll (188 bytes security) (deflated 4%)
adding: wesdmoe2.dll (188 bytes security) (deflated 4%)
adding: wfsdmoe.dll (188 bytes security) (deflated 5%)
adding: wvauserv.dll (188 bytes security) (deflated 4%)
adding: guard.tmp (188 bytes security) (deflated 5%)
adding: clear.reg (188 bytes security) (deflated 65%)
adding: CLOInstallLog.txt (188 bytes security) (deflated 75%)
adding: lo2.txt (188 bytes security) (deflated 89%)
adding: OQUIRRH.TXT (188 bytes security) (deflated 32%)
adding: test.txt (188 bytes security) (deflated 84%)
adding: test2.txt (188 bytes security) (deflated 46%)
adding: test3.txt (188 bytes security) (deflated 46%)
adding: test5.txt (188 bytes security) (deflated 46%)
adding: xfind.txt (188 bytes security) (deflated 79%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: bkdispl.dll
deleting local copy: cbprops.dll
deleting local copy: chvfat.dll
deleting local copy: cIpesnpn.dll
deleting local copy: cjiconfg.dll
deleting local copy: cYmocx.dll
deleting local copy: dGd9.dll
deleting local copy: dlcprop2.dll
deleting local copy: dsconfig.dll
deleting local copy: dugeng.dll
deleting local copy: dynet.dll
deleting local copy: ewentlog.dll
deleting local copy: f00o0ad3ed0.dll
deleting local copy: g822lifo182c.dll
deleting local copy: gtkcsp.dll
deleting local copy: hrrs0597e.dll
deleting local copy: HVL.DLL
deleting local copy: ibwphbk.dll
deleting local copy: ifetppui.dll
deleting local copy: ikeshare.dll
deleting local copy: ir44l5hq1.dll
deleting local copy: irjml5111.dll
deleting local copy: irp0l57m1.dll
deleting local copy: irpml5711.dll
deleting local copy: j04olah31d4.dll
deleting local copy: jtr2079oe.dll
deleting local copy: k062lajo1doc.dll
deleting local copy: k626lgfs1626.dll
deleting local copy: k644lghq164e.dll
deleting local copy: kedfo.dll
deleting local copy: kkdinmal.dll
deleting local copy: ktdru.dll
deleting local copy: kudmon.dll
deleting local copy: kxdru.dll
deleting local copy: l08m0al1edq.dll
deleting local copy: l0j80a1ued.dll
deleting local copy: l4p20e7oeh.dll
deleting local copy: l6j8lg1u16.dll
deleting local copy: Lekrn12n.dll
deleting local copy: lv0q09d5e.dll
deleting local copy: lv2s09f7e.dll
deleting local copy: lvpu0979e.dll
deleting local copy: mard2x40.dll
deleting local copy: mboeacct.dll
deleting local copy: mdsec.dll
deleting local copy: mkdemui.dll
deleting local copy: mliwave.dll
deleting local copy: mlmxsdk.dll
deleting local copy: mpidle.dll
deleting local copy: mpmefilt.dll
deleting local copy: mwobjs.dll
deleting local copy: MWRDO20.DLL
deleting local copy: mwsec.dll
deleting local copy: mxcertui.dll
deleting local copy: mxvcr70.dll
deleting local copy: myconf.dll
deleting local copy: o6lulg3916.dll
deleting local copy: o6ns0g57e6.dll
deleting local copy: obecli.dll
deleting local copy: okuninst.dll
deleting local copy: omfox32.dll
deleting local copy: pfrfproc.dll
deleting local copy: r0p8la7u1d.dll
deleting local copy: rqpsnd.dll
deleting local copy: sbcsccp.dll
deleting local copy: sdns.dll
deleting local copy: shrmdll.dll
deleting local copy: snbiop.dll
deleting local copy: somedia.dll
deleting local copy: tWembed.dll
deleting local copy: uirdpa.dll
deleting local copy: vvdex.dll
deleting local copy: wesdmoe2.dll
deleting local copy: wfsdmoe.dll
deleting local copy: wvauserv.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


-----------

New hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 8:01:52 PM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mike\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119503616851
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AB1AB4F8-C30F-4FB4-A030-1C9F5513831F} (LREGameLoaderCtrl Class) - http://media.grab.co...gameloader6.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#6
rstones12
    Malware Expert
  • Retired Staff
  • 3,731 posts
explorthis,

Please read "ALL" of the instructions before proceeding:

You will need to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop.

This process will take a few steps, please take your time and follow the directions in the order posted.
If you don't understand something please ask before performing any task.

Download CleanUp
Install the program, don't run it yet, we will later.

Please do the following:

Open HJT and do a scan, place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe

O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe

Now close all browsers and open windows except HJT, then click the Fix Checked button. Close HJT.

Now using Windows Explorer find and remove the following folders/files if present.
If you can't find any folders or files please make a note of them and list them in your next post.

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe <-- File

C:\WINDOWS\system32\nsvsvc\ <-- Folder
C:\WINDOWS\system32\vidctrl\ <-- Folder

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional; if you leave the box checked it will remove all of your cookies. At this point, removing cookies is a good idea.
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Reboot your system and post back a new HJT log by using Add Reply

Thanks,
rstones12

#7
explorthis
    New Member
  • Topic Starter
  • Member
  • 7 posts
IPClient.exe is present; however, even after reboot, the system (as administrator) will not allow me to delete it. Message is "access denied ... write protected, or in use."

No listing of folder: windows\system32\nsvsc
No listing of folder: windows\system 32\vidctrl



New log (after running clean up)

Logfile of HijackThis v1.99.1
Scan saved at 9:13:59 PM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Documents and Settings\Mike\Desktop\hijack\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119503616851
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AB1AB4F8-C30F-4FB4-A030-1C9F5513831F} (LREGameLoaderCtrl Class) - http://media.grab.co...gameloader6.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
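An added example (not from this thread or from HijackThis itself): a small Python script that parses the result lines of two HijackThis 1.99 logs, reports which entries disappeared after "Fix checked" and a reboot, checks the helper's fix list against the new log, and flags O4 autorun entries whose executable sits in a subfolder of system32, as the Nsv and vidctrl entries above did. The log excerpts embedded in the script are constructed from the logs posted before and after the fix; the "subfolder of system32" heuristic is this example's own assumption, not a rule HijackThis applies.

```python
"""Diff two HijackThis 1.99 logs and flag autoruns living under system32.

Added example for this thread; the log excerpts below are constructed from
the logs posted above, and the 'subfolder of system32' heuristic is an
assumption of this script, not a rule HijackThis applies.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A result line: "<section> - <body>"; sections look like R0, R1, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 Run/RunOnce entry: "<hive>\..\Run: [<name>] <command>".
# (O4 "Global Startup:" entries have a different shape and are skipped.)
O4_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable in a command string, quoted or not, with arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


@dataclass(frozen=True, order=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after " - "


def parse_hjt(log_text: str) -> list[Entry]:
    """Return the result lines of a log; header and process list are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(removed, added) between two scans of the same machine."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(old - new), sorted(new - old)


def still_present(after: str, fix_lines: list[str]) -> list[str]:
    """Lines from the helper's fix list that survived Fix checked + reboot."""
    present = {f"{e.section} - {e.body}" for e in parse_hjt(after)}
    return [line for line in fix_lines if line.strip() in present]


def executable_path(cmd: str) -> str | None:
    """'"C:\\x\\a.exe" -l' -> 'C:\\x\\a.exe'; None if no .exe is named."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def suspicious_autoruns(log_text: str, system_dir: str = r"C:\WINDOWS\system32") -> list[Entry]:
    """O4 Run entries whose .exe sits in a subfolder of system32 (heuristic).

    Assumption of this example: legitimate Run entries rarely point into
    freshly created folders under system32, which is exactly where the
    nsvsvc and vidctrl folders sat in the log above.
    """
    prefix = system_dir.lower().rstrip("\\") + "\\"
    hits = []
    for e in parse_hjt(log_text):
        m = O4_RE.match(e.body) if e.section == "O4" else None
        path = executable_path(m.group("cmd")) if m else None
        if path and path.lower().startswith(prefix) and "\\" in path[len(prefix):]:
            hits.append(e)
    return hits


# Constructed excerpts of the logs posted before and after "Fix checked".
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\vidctrl\vidctrl.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
"""

AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
"""

# The entries the helper asked to fix in post #6 (subset used here).
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html",
    r'O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l',
    r"O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe",
    r"O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe",
    r"O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe",
]

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for e in removed:
        print("gone   :", e.section, "-", e.body)
    for e in added:
        print("new    :", e.section, "-", e.body)
    # IPClient.exe could not be deleted (post #7) and its Run entry is still listed.
    for line in still_present(AFTER, FIX_LIST):
        print("STILL  :", line)
    for e in suspicious_autoruns(BEFORE):
        print("suspect:", e.body)
```

Running the script against the two excerpts reports the four removed entries, the IPInSightLAN line as still present, and the Nsv and vidctrl autoruns as suspect.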

#8
rstones12
    Malware Expert
  • Retired Staff
  • 3,731 posts
explorthis,

Please read "ALL" of the instructions before proceeding:

OK, let's do this.

Enable show hidden files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Now go back to Windows Explorer and search for these folders and remove them.

C:\WINDOWS\system32\nsvsvc\ <-- Folder
C:\WINDOWS\system32\vidctrl\ <-- Folder

We will worry about IPClient.exe a little later.

Please do the following Online Scan - ActiveScan - it looks like you have already done it once before.
The scan will generate a report after it is finished; please post those results here along with a new HJT log by using Add Reply.

Thanks,
rstones12

#9
explorthis
    New Member
  • Topic Starter
  • Member
  • 7 posts
Sorry for the delay, and thanks again for the help thus far. Left it on all day, and not one Popup!

Deleted as requested:

C:\WINDOWS\system32\nsvsvc\ <-- Folder
C:\WINDOWS\system32\vidctrl\ <-- Folder

Panda Active scan results:

I noticed it has found XX "spyware" entries. I have run my DSL version of spyware finder, and an updated version of Spybot, as well as Ad-Aware SE, and they found none of the above...


Incident Status Location

Adware:Adware/FlashTrack No disinfected C:\Program Files\Common Files\Java\flacpy.cfg
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Adware:Adware/BroadcastPC No disinfected C:\Program Files\tvs\TVS_B.exe
Adware:Adware/BroadcastPC No disinfected C:\Program Files\tvs\tvs_clean.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050831172227.zip[RemoveDisplayUtility.exe]
Adware:Adware/DelFinMedia No disinfected C:\RECYCLER\S-1-5-21-299502267-1677128483-1957994488-1004\Dc1\nsv.ocx
Adware:Adware/DelFinMedia No disinfected C:\RECYCLER\S-1-5-21-299502267-1677128483-1957994488-1004\Dc1\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\RECYCLER\S-1-5-21-299502267-1677128483-1957994488-1004\Dc2\vidctrl(2).exe
Adware:Adware/DelFinMedia No disinfected C:\RECYCLER\S-1-5-21-299502267-1677128483-1957994488-1004\Dc2\vidctrl.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\F?nts\tracert.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\ndiq.dll

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:19:35 PM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mike\Desktop\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "midaddle" "2"
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119503616851
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AB1AB4F8-C30F-4FB4-A030-1C9F5513831F} (LREGameLoaderCtrl Class) - http://media.grab.co...gameloader6.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#10
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
explorthis,

OK, let's clean some things up.

Please read "ALL" of the instructions before proceeding:

You will need to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop.

Please download Pocket Killbox
Click Here to download Pocket Killbox by Option^Explicit.
Unzip the program and save it to your desktop.

Now let's run Killbox
  • Double-click on Killbox.exe to start the program.
  • In the killbox program, select the Delete on Reboot option.
  • In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\Program Files\Common Files\Java\flacpy.cfg
C:\Program Files\tvs\TVS_B.exe
C:\Program Files\tvs\tvs_clean.exe
C:\WINDOWS\system\UpdInst.exe
C:\WINDOWS\system32\F?nts\tracert.exe
C:\WINDOWS\system32\ndiq.dll
  • Press the button that looks like a red circle with a white X in it after each one.
  • When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button.
  • Do this after each one until you have entered the LAST file path I have listed above.
  • After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts.
  • If you receive a message and your computer does not restart automatically, please restart it manually.
Once you have rebooted back into Normal Mode please do the following:

Using Windows Explorer find and remove the following folders:

C:\Program Files\tvs\ <-- Folder

Empty your Recycle Bin, then run the CleanUp program.

Reboot your system then do the following.

Let's run one more scan to make sure that there are no lingering trojans hanging around.


Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Post those results here along with a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#11
explorthis

explorthis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
All done!

This file: C:\WINDOWS\system32\F?nts\tracert.exe

I noticed as I typed in each path, and file name, the killbox program recognized each file, as the color of the file (below where I was typing) turned blue. This was the only one that it did not recognize. I re-verified it 3 times, to no avail. I still told it to delete upon reboot. Unknown if it did.

On the ewido, it did not give the warning of "Database could not be found".

ewido scan report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:54:13 PM, 8/31/2005
+ Report-Checksum: CF138055

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
C:\backup.zip/bkdispl.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/cbprops.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/chvfat.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/cIpesnpn.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/cjiconfg.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/cYmocx.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/dGd9.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/dlcprop2.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/dsconfig.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/dugeng.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/dynet.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ewentlog.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/f00o0ad3ed0.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/g822lifo182c.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/gtkcsp.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/hrrs0597e.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/HVL.DLL -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ibwphbk.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ifetppui.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ikeshare.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ir44l5hq1.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/irjml5111.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/irp0l57m1.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/irpml5711.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/j04olah31d4.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/jtr2079oe.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/k062lajo1doc.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/k626lgfs1626.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/k644lghq164e.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/kedfo.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/kkdinmal.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ktdru.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/kudmon.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/kxdru.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/l08m0al1edq.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/l0j80a1ued.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/l4p20e7oeh.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/l6j8lg1u16.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/Lekrn12n.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/lv0q09d5e.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/lv2s09f7e.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/lvpu0979e.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mard2x40.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mboeacct.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mdsec.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mkdemui.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mliwave.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mlmxsdk.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mpidle.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mpmefilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mwobjs.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/MWRDO20.DLL -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mwsec.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mxcertui.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mxvcr70.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/myconf.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/o6lulg3916.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/o6ns0g57e6.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/obecli.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/okuninst.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/omfox32.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/pfrfproc.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/r0p8la7u1d.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/rqpsnd.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/sbcsccp.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/sdns.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/shrmdll.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/snbiop.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/somedia.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/tWembed.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/uirdpa.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/vvdex.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/wesdmoe2.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/wfsdmoe.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/wvauserv.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Alix A\Cookies\alix a@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Alix A\Cookies\alix a@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Alix A\Cookies\alix a@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Alix A\Cookies\alix a@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Alix A\Cookies\alix a@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20050831172227.zip/Program Files/common files/uninstall information/RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup


::Report End

HJT REPORT/scan:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:13 PM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119503616851
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AB1AB4F8-C30F-4FB4-A030-1C9F5513831F} (LREGameLoaderCtrl Class) - http://media.grab.co...gameloader6.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0
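The two HijackThis logs in this thread (the one in post #9 and the one above) were compared by eye to judge the clean-up. As an added example that is not part of the thread and not HijackThis's own code, the script below parses that log format into records, diffs a "before" and an "after" log, and flags path components that cannot be real Windows names (a `?` is not a legal filename character, so the `F?nts` folder Killbox was told to remove in post #10 is a rendered look-alike of `Fonts`). The sample logs are constructed from entries quoted in the thread, with one constructed O4 line for the tracert.exe path; the `Entry`, `parse_log`, `diff_logs` and `lookalike_components` names are this example's own.

```python
"""Parse HijackThis-style log lines and diff a before/after pair (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# An HJT entry is a section tag (R0, R1, O2, O4, O16, O23, ...) then " - " and a body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# A Windows path up to an executable/library extension. Non-greedy so that the
# arguments HJT prints after an O4 command ("-l", "/autostart") are not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|ocx|cpl)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # "PROC" for a line from the "Running processes:" list, else the HJT tag
    body: str

    def path(self) -> Optional[str]:
        """First filesystem path in the entry, or None (e.g. O16 entries that only carry a URL)."""
        m = PATH_RE.search(self.body)
        return m.group(0) if m else None


def parse_log(text: str) -> list[Entry]:
    """Turn an HJT log into Entry records; header lines are ignored."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["body"]))
        elif re.match(r"^[A-Za-z]:\\", line):  # bare path under "Running processes:"
            entries.append(Entry("PROC", line))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(entries new in `after`, entries gone from `before`), each sorted by section then body."""
    b, a = set(parse_log(before)), set(parse_log(after))
    key = lambda e: (e.section, e.body)  # noqa: E731
    return sorted(a - b, key=key), sorted(b - a, key=key)


def lookalike_components(path: str) -> list[str]:
    """Directory/file names that cannot be genuine: '?' is illegal in Windows
    filenames, so a component shown as 'F?nts' is a character that did not survive
    the copy into a text log, i.e. a look-alike of a real folder such as 'Fonts'.
    Non-ASCII letters are reported for the same reason (heuristic, not proof)."""
    return [part for part in path.split("\\")[1:]
            if "?" in part or any(ord(c) > 126 for c in part)]


def flag_lookalikes(text: str) -> list[Entry]:
    """Entries whose path has at least one suspicious component."""
    return [e for e in parse_log(text) if e.path() and lookalike_components(e.path())]


# Constructed sample logs built from lines quoted in this thread. The tracert.exe
# O4 entry is constructed for the example (the thread gives only the path).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [tracert] C:\WINDOWS\system32\F?nts\tracert.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "midaddle" "2"
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in added:
        print("+", e.section, e.body)
    for e in removed:
        print("-", e.section, e.body)
    for e in flag_lookalikes(BEFORE_LOG):
        print("look-alike path component:", lookalike_components(e.path()), "in", e.path())
```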

#12
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
explorthis,

Your log looks much better, how are things running?

Thanks,
rstones12
  • 0

#13
explorthis

explorthis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Outstanding! Nary a popup since the first HJT clean up. I even ran the ewido on my other system, and it only found 6 infections, as there were about 90 on the kids' system. My teen visits "myspace" (don't ask) VERY-VERY frequently, is this a cause, other than on AIM all day... ???? She is only a user, and not an administrator...

Donation on the way, 100% satisfied!!

Thanks again.

-Mike (aka explorthis)
  • 0

#14
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
explorthis,

Thanks,
We are not quite finished yet.... :tazz:

First we need to reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Please take some time and read through the following information..

Here are some items that you will want to add to your to-do list:

These are some tips to reduce the potential for Spyware/Adware/Virus infection in the future:
I would strongly recommend reviewing and installing the following applications if you don't currently have them running on your system:

Use Anti-Virus Software
It is very important that your computer has Anti-Virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online and stand-alone Anti-Virus programs:
Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software
It is imperative that you update your Anti-Virus software at least once a week (Even more if you wish). If you do not update your Anti-Virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall
I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewall's

Spyware/Adware Detection and Removal Programs:
Understanding Spyware, Browser Hijackers, and Dialers
  • Ad-Aware SE
    If you suspect that you have spyware installed on your computer, here are instructions on how to set up and use Ad-Aware SE:
    How to use Ad-Aware SE to remove Spyware
  • Spybot S&D
    If you suspect that you have spyware installed on your computer, here are instructions on how to set up and use Spybot S&D:
    How to use Spybot to remove Spyware
I strongly recommend using both of these programs to catch most spyware/adware.

Prevention Programs:
  • SpywareBlaster -- SpywareBlaster will prevent spyware from being installed.
  • SpywareGuard -- SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad -- IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts File -- The MVPS Hosts File replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar -- Get the free Google Toolbar to help stop pop up windows.
Other Necessary Programs:
  • A More Secure Browser
    Internet Explorer is not the most secure and best browser.
    There are safer and better alternatives available. I recommend using Firefox
Be sure to also keep up with Windows and IE updates.

Windows Security and Critical Updates
http://v4.windowsupdate.microsoft.com/en/default.asp

Internet Explorer Security and Critical Updates
http://www.microsoft.com/windows/ie/default.asp

And also see TonyKlein's good advice
So how did I get infected in the first place?

Update all these Programs Regularly:
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically.
Thanks,
rstones12
  • 0