Slow computer and lots of popups, please help [RESOLVED]


  • This topic is locked

#16
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
After this BIG cleanup, there remains one more major infection to take care of.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll (file missing)
    O4 - HKLM\..\Run: [-
    ] C:\WINDOWS\jaibahw.exe
    O4 - HKLM\..\Run: [Mapipopoozetest] C:\Documents and Settings\All Users\Application Data\open meow mapi pop\FragWindow.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [System Volume Information Service] sysrv.exe
    O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pztptz.exe reg_run
    O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
    O4 - HKLM\..\Run: [svtcin] C:\WINDOWS\system32\n20050308.a.Stub.EXE
    O4 - HKLM\..\Run: [QLBBX5] C:\WINDOWS\fuftv.exe
    O4 - HKLM\..\Run: [xware] "C:\WINDOWS\cskware.exe"
    O4 - HKLM\..\Run: [YvLhkULiU] C:\WINDOWS\xinrnffi.exe
    O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [bO4gyw^ܜMC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\xinrnffi.exe
    O4 - HKLM\..\Run: [Qyojmo] C:\Program Files\Axbgrv\Aooiymd.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [System Volume Information Service] sysrv.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nesunel.mht!http://snipernet.us/...Bridge-c139.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\fsacsklc.mht!http://filesharingac...Bridge-c139.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nesunex.mht!http://snipernet.us/...ysb_regular.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - ms-its:mhtml:file://c:\nesunet.mht!http://snipernet.us/...m::/website.ocx
    O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\System32\qlink32.dll
    O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\rdvpmsg.dll (file missing)
    O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\nyprovau.dll (file missing)
    O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\wnasf.dll (file missing)
    O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\iSshlpr.dll (file missing)
    O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\tjext.dll (file missing)
    O20 - Winlogon Notify: SysDM - C:\WINDOWS\system32\iSshlpr.dll (file missing)
    O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\wnasf.dll (file missing)
    O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\wnasf.dll (file missing)
    O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\wnasf.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\wnasf.dll (file missing)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\Program Files\Viewpoint<==Folder
    C:\program files\tvs<===Folder
    C:\WINDOWS\cskware.exe
    C:\WINDOWS\xinrnffi.exe
    C:\WINDOWS\xload.exe
    C:\Program Files\Axbgrvxe<==Folder
    C:\Program Files\ISTsvc<==Folder
    c:\Program Files\Ftk<==Folder
    C:\Program Files\YourSiteBar<==Folder
    C:\WINDOWS\jaibahw.exe
    C:\Documents and Settings\All Users\Application Data\open meow mapi pop<==Folder
    C:\WINDOWS\System32\nsvsvc<==Folder
    sysrv.exe<==You will have to Search for this one
    C:\Program Files\Common Files\Java\ftkcpy.exe
    C:\WINDOWS\System32\pztptz.exe
    C:\WINDOWS\ttupt.exe
    C:\WINDOWS\system32\n20050308.a.Stub.EXE
    C:\WINDOWS\fuftv.exe
    C:\Program Files\SurfAccuracy
    C:\WINDOWS\web\related.htm
    C:\WINDOWS\System32\qlink32.dll
    C:\WINDOWS\system32\rdvpmsg.dll
    C:\WINDOWS\system32\nyprovau.dll
    C:\WINDOWS\system32\wnasf.dll
    C:\WINDOWS\system32\iSshlpr.dll
    C:\WINDOWS\system32\tjext.dll

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0



#17
western14


    Member

  • Topic Starter
  • Member
  • 51 posts
Hi,

Here is my HijackThis log. I also noticed that while I was erasing those items you told me to, my Norton AntiVirus told me that I have a virus called bloodhound.exploit.20. I don't know if I erased it in the process or what, but I thought that I would let you know if you could help me fix it. Another thing that happens is that my web page will suddenly change without me clicking on anything; it's weird. Well, thanks for the help, bye.

Eric


Logfile of HijackThis v1.99.1
Scan saved at 6:56:20 PM, on 9/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\explorer6s4.exe
C:\Program Files\AIM95\aim.exe
C:\winstall.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\sysvcs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R3 - URLSearchHook: (no name) - {D2488AAC-A140-6532-BD4B-A10A7353F5F7} - ftbar.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\sqxyo.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\sqxyo.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [ftbar] LOPTCON.exe
O4 - HKLM\..\Run: [WhatsNewBot] MNTP.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pztptz.exe reg_run
O4 - HKLM\..\Run: [dmnjn.exe] C:\WINDOWS\System32\dmnjn.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [bhoserv] barint.exe
O4 - HKCU\..\Run: [uio] typeconf.exe
O4 - HKCU\..\Run: [Uint32] defect08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECE0D35-D8F4-43CC-B718-8E40F10469C1}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\tjext.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Adobe Acrobat 5.0 - {BB02D600-86DF-6C80-2CE6-5654267939DA} - c:\program files\adobe\acrobat 5.0\reader\wcimt32.dll
O21 - SSODL: System - {D9461661-E663-4759-A6D6-FEC27A802A06} - ssmc.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
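
The fix list in post #16 and the follow-up log in post #17 can be compared mechanically to see which fixed targets are still referenced after the reboot. This is an added example, not part of the thread: the function names are hypothetical, and the two sample inputs are a small subset of lines copied from those two posts.

```python
import re

# HijackThis result lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r'^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$')
# First absolute Windows path in an entry, ending in an extension seen in these logs.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll|ocx|htm)\b', re.I)

# Subset of the items the helper asked to fix (post #16), assembled for this example.
FIXED = r"""
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pztptz.exe reg_run
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\tjext.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\wnasf.dll (file missing)
"""

# Subset of the follow-up log (post #17), assembled for this example.
FOLLOWUP = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pztptz.exe reg_run
O4 - HKLM\..\Run: [dmnjn.exe] C:\WINDOWS\System32\dmnjn.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\tjext.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def parse_hjt(text):
    """Return (section, detail) tuples for every HijackThis result line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def target_path(detail):
    """Lower-cased absolute path an entry points at, or None.

    Entries that name a bare file (for example 'sysrv.exe') have no
    absolute path and are skipped; they need a manual search.
    """
    m = PATH_RE.search(detail)
    return m.group(0).lower() if m else None


def index_by_target(entries):
    """Map each target path to the (section, lower-cased detail) entries using it."""
    idx = {}
    for section, detail in entries:
        path = target_path(detail)
        if path:
            idx.setdefault(path, []).append((section, detail.lower()))
    return idx


def surviving_targets(fixed_text, followup_text):
    """List (path, status) for fixed targets still referenced in the follow-up log.

    status is 'unchanged' when the identical entry is back, and
    're-registered' when the same file is referenced by a different entry.
    """
    fixed = index_by_target(parse_hjt(fixed_text))
    after = index_by_target(parse_hjt(followup_text))
    report = []
    for path, old_entries in fixed.items():
        if path not in after:
            continue
        same = any(entry in old_entries for entry in after[path])
        report.append((path, "unchanged" if same else "re-registered"))
    return report


if __name__ == "__main__":
    for path, status in surviving_targets(FIXED, FOLLOWUP):
        print(f"{status:14} {path}")
```

On the sample lines this reports pztptz.exe as unchanged and tjext.dll as re-registered, because the same DLL is now referenced under a different Winlogon Notify name.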

#18
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
You have the latest version of VX2.
  • Download L2mfix from one of these two locations:

    http://www.atribune....oads/l2mfix.exe
    http://www.downloads....org/l2mfix.exe

  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts, then OPEN the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #"1" for Run Find Log by typing 1 and then pressing Enter.
  • This will scan your computer and it may appear as if nothing is happening, then, after a minute or 2, Notepad will open with a log.
  • Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


Regards,

Trevuren

  • 0

#19
western14


    Member

  • Topic Starter
  • Member
  • 51 posts
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\tjext.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
birdihuy.dll Tue Sep 6 2005 6:30:08a A.... 62 0.06 K
birdih~1.dll Tue Sep 6 2005 6:30:08a A.... 28,672 28.00 K
ekmem.dll Tue Sep 6 2005 6:45:44p A.... 133,120 130.00 K
gpr2l3~1.dll Thu Jun 16 2005 3:44:24p ..S.R 0 0.00 K
jdsjsdf.dll Sun Sep 4 2005 10:35:40p A.... 46,080 45.00 K
nkana.dll Sun Sep 4 2005 10:35:40p A.... 10,240 10.00 K
px.dll Tue Jul 12 2005 5:10:26p ..... 360,448 352.00 K
pxdrv.dll Tue Jul 12 2005 5:10:26p ..... 397,312 388.00 K
pxmas.dll Tue Jul 12 2005 5:10:32p ..... 155,648 152.00 K
pxsfs.dll Tue Jul 12 2005 5:10:40p ..... 1,093,632 1.04 M
pxwave.dll Tue Jul 12 2005 5:10:34p ..... 339,968 332.00 K
rncrcnx.dll Tue Sep 6 2005 6:45:40p A.... 181,760 177.50 K
s32evnt1.dll Thu Jul 28 2005 2:52:18p A.... 91,856 89.70 K
sqxyo.dll Tue Sep 6 2005 8:08:00a A.... 155,648 152.00 K
vxblock.dll Tue Jul 12 2005 5:10:40p ..... 28,672 28.00 K
w95inf16.dll Sat Jun 18 2005 9:07:36p A.... 2,272 2.22 K
w95inf32.dll Sat Jun 18 2005 9:07:36p A.... 4,608 4.50 K
wuauclt.dll Sat Sep 3 2005 1:51:04p A.... 30,720 30.00 K
zlbw.dll Tue Sep 6 2005 6:31:36a A.... 46,592 45.50 K
zolker~1.dll Tue Sep 6 2005 6:28:58a A.... 85,000 83.01 K
ztoolb~1.dll Tue Sep 6 2005 6:29:00a A.... 55,000 53.71 K

21 items found: 21 files (1 H/S), 0 directories.
Total of file sizes: 3,247,310 bytes 3.09 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2891-44B6

Directory of C:\WINDOWS\System32

09/04/2005 02:09 PM <DIR> DLLCACHE
06/16/2005 03:44 PM 0 gpr2l39o1.dll
04/19/2005 06:02 PM 235,584 l84qlih5184.dll
04/18/2005 07:53 PM 0 lv4809hue.dll
07/30/2002 04:50 AM <DIR> Microsoft
07/14/2000 11:00 PM 41,013 MFCN42D.DLL
07/14/2000 11:00 PM 434,252 MSVCRTD.DLL
07/14/2000 11:00 PM 929,844 MFC42D.DLL
6 File(s) 1,640,693 bytes
2 Dir(s) 3,500,789,760 bytes free

#20
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing "2" and then pressing ENTER.
  • Then press any key to reboot your computer.
  • After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer.
  • When it's finished, Notepad will open with a log.
  • Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Regards,

Trevuren


#21
western14

    Member

  • Topic Starter
  • 51 posts
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1560 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1568 'rundll32.exe'
Killing PID 1616 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed


Zipping up files for submission:
updating: clear.reg (188 bytes security) (deflated 2%)
updating: desktop.ini (188 bytes security) (stored 0%)
updating: lo2.txt (188 bytes security) (deflated 52%)
updating: test.txt (188 bytes security) (stored 0%)
updating: test2.txt (188 bytes security) (stored 0%)
updating: test3.txt (188 bytes security) (stored 0%)
updating: test5.txt (188 bytes security) (stored 0%)
updating: tmp.txt (188 bytes security) (deflated 62%)
adding: log.txt (188 bytes security) (deflated 88%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\tjext.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


#22
western14

    Member

  • Topic Starter
  • 51 posts
And here is my HijackThis log.

Thanks,
Eric


Logfile of HijackThis v1.99.1
Scan saved at 10:25:27 PM, on 9/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {D2488AAC-A140-6532-BD4B-A10A7353F5F7} - ftbar.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\sqxyo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\sqxyo.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [ftbar] LOPTCON.exe
O4 - HKLM\..\Run: [WhatsNewBot] MNTP.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pztptz.exe reg_run
O4 - HKLM\..\Run: [dmnjn.exe] C:\WINDOWS\System32\dmnjn.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [bhoserv] barint.exe
O4 - HKCU\..\Run: [uio] typeconf.exe
O4 - HKCU\..\Run: [Uint32] defect08.exe
O4 - Global Startup: kcak.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECE0D35-D8F4-43CC-B718-8E40F10469C1}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\tjext.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Adobe Acrobat 5.0 - {BB02D600-86DF-6C80-2CE6-5654267939DA} - c:\program files\adobe\acrobat 5.0\reader\wcimt32.dll
O21 - SSODL: System - {D9461661-E663-4759-A6D6-FEC27A802A06} - ssmc.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#23
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please follow the instructions provided; you may want to print out these instructions and use them as a reference.
  • Please download ewido security suite; it is a trial version of the program.
    • Install ewido security suite.
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido: there should be an icon on your desktop; double-click it.
    • The program will prompt you to update; click the OK button.
    • The program will now go to the main screen.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
Regards,

Trevuren


#24
western14

    Member

  • Topic Starter
  • 51 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:17:44 PM, on 9/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {D2488AAC-A140-6532-BD4B-A10A7353F5F7} - ftbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ftbar] LOPTCON.exe
O4 - HKLM\..\Run: [WhatsNewBot] MNTP.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pztptz.exe reg_run
O4 - HKLM\..\Run: [dmeqr.exe] C:\WINDOWS\System32\dmeqr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [bhoserv] barint.exe
O4 - HKCU\..\Run: [uio] typeconf.exe
O4 - HKCU\..\Run: [Uint32] defect08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECE0D35-D8F4-43CC-B718-8E40F10469C1}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\tjext.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Adobe Acrobat 5.0 - {BB02D600-86DF-6C80-2CE6-5654267939DA} - c:\program files\adobe\acrobat 5.0\reader\wcimt32.dll
O21 - SSODL: System - {D9461661-E663-4759-A6D6-FEC27A802A06} - ssmc.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#25
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your system has been hijacked and is being rerouted via Kiev in the Ukraine. That is what we will be tackling in the next 4 posts.

Please RIGHT-CLICK HERE to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Regards,

Trevuren
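The log comparison behind this step, as an added example that is not part of the original thread: it diffs excerpts of the two HijackThis logs posted above, lists the static `NameServer` values (the O17 lines) that survived the cleanup, and flags Run values that reappeared under a new name. The function names and `EXPECTED_RESOLVERS` are assumptions; the resolver addresses are placeholders to replace with the ones the machine should be using.

```python
import ntpath
import re

# Lines copied from the HijackThis logs posted above (scans of 9/6/2005 and 9/7/2005).
LOG_SEP6 = r"""
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\sqxyo.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\sqxyo.dll
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pztptz.exe reg_run
O4 - HKLM\..\Run: [dmnjn.exe] C:\WINDOWS\System32\dmnjn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECE0D35-D8F4-43CC-B718-8E40F10469C1}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\tjext.dll (file missing)
"""
LOG_SEP7 = r"""
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pztptz.exe reg_run
O4 - HKLM\..\Run: [dmeqr.exe] C:\WINDOWS\System32\dmeqr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECE0D35-D8F4-43CC-B718-8E40F10469C1}: NameServer = 195.95.218.52,85.255.112.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D65FDA-8729-4BD0-A7B9-E3C8EAED5943}: NameServer = 195.95.218.52,85.255.112.16
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\tjext.dll (file missing)
"""

# Assumption: placeholder addresses (documentation range) standing in for the
# resolvers handed out by the ISP or router; they are not from the thread.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
DNS = re.compile(r"^(HKLM\\System\\\w+)\\.*\\(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$")


def parse(log):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff(before, after):
    """Entries removed, added and left untouched between two scans."""
    b, a = parse(before), parse(after)
    return {"removed": sorted(b - a), "added": sorted(a - b), "kept": sorted(a & b)}


def static_dns(entries, expected):
    """Map each NameServer address outside `expected` to the keys that carry it."""
    hits = {}
    for section, detail in entries:
        m = DNS.match(detail) if section == "O17" else None
        if m:
            root, guid, servers = m.groups()
            # The registry value may be comma- or space-separated.
            for ip in servers.replace(" ", ",").split(","):
                if ip and ip not in expected:
                    hits.setdefault(ip, []).append(f"{root} {guid}")
    return {ip: sorted(keys) for ip, keys in hits.items()}


def self_named(entries):
    """(hive, key, directory) -> Run values named after their own executable."""
    slots = {}
    for section, detail in entries:
        m = RUN.match(detail) if section == "O4" else None
        if m:
            hive, key, name, cmd = m.groups()
            if ntpath.basename(cmd).lower() == name.lower():
                slot = (hive, key, ntpath.dirname(cmd).lower())
                slots.setdefault(slot, set()).add(name)
    return slots


def respawn_candidates(before, after):
    """Heuristic: a self-named Run value is new where another one disappeared."""
    old, new = self_named(parse(before)), self_named(parse(after))
    found = []
    for slot, names in new.items():
        gone, fresh = old.get(slot, set()) - names, names - old.get(slot, set())
        if gone and fresh:
            found.append((slot, sorted(gone), sorted(fresh)))
    return found


if __name__ == "__main__":
    changes = diff(LOG_SEP6, LOG_SEP7)
    for label in ("removed", "added", "kept"):
        print(label.upper())
        for section, detail in changes[label]:
            print(f"  {section} - {detail}")
    print("Unexpected static DNS:", static_dns(parse(LOG_SEP7), EXPECTED_RESOLVERS))
    print("Respawn candidates:", respawn_candidates(LOG_SEP6, LOG_SEP7))
```

On these excerpts the O17 `NameServer` values appear under "kept" in both control sets, and `dmeqr.exe` shows up in the same Run key and directory that `dmnjn.exe` and `hclean32.exe` left, so neither was resolved by the scan.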



#26
western14

    Member

  • Topic Starter
  • 51 posts
I tried to paste the ewido log, but it didn't work. I think it's because it's too long. I looked over it and I noticed that some of the spyware didn't get cleaned, so I thought I would paste it here. I also decided to attach the report.

Thanks,
Eric


C:\backup.zip/aathz.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/absldp.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/affsipc.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/AHTAPI.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/ahvpack.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/akkctrs.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/akvpack.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/avthz.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/awvpack.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/axa8lg9u16.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/az12l39o1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/az18lg9u16.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/aza001jme.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/aza20gdoe60c0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/aza2l39o1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/aza607lse.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/aza6l9js1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/aza8lg9u16.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/azam0gd1e60.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/azamla911d.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/azaol5l31.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/azaq07l5e.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/azaqlih5184.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/azau09j9e.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/bmhci.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/bvhci.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/bxtsprx2.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/c000ladm1d0a.dll -> Spyware.Look2Me : Error during cleaning

#27
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
Please proceed with Post # 20

Trevuren

Edited by Trevuren, 07 September 2005 - 03:29 PM.


#28
western14


    Member

  • Topic Starter
  • Member
  • 51 posts
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM95\aim.exe -cnetwait.odl" ["America Online, Inc."]
"SNInstall" = "C:\winstall.exe" [file not found]
"WareOut" = ""C:\Program Files\WareOut\WareOut.exe"" [file not found]
"bhoserv" = "barint.exe" [file not found]
"uio" = "typeconf.exe" [file not found]
"Uint32" = "defect08.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"DadApp" = "C:\Program Files\DELL\AccessDirect\dadapp.exe" [null data]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"Dell|Alert" = "C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [empty string]
"LWBMOUSE" = "C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [empty string]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"eTrustPPAP" = ""C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"" ["Computer Associates"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"mmtask" = ""C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"" ["Musicmatch Inc."]
"ftbar" = "LOPTCON.exe" [file not found]
"WhatsNewBot" = "MNTP.exe" [file not found]
"winsync" = "C:\WINDOWS\System32\pztptz.exe reg_run" [null data]
"dmeqr.exe" = "C:\WINDOWS\System32\dmeqr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Adobe Acrobat 5.0" = "{BB02D600-86DF-6C80-2CE6-5654267939DA}"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\adobe\acrobat 5.0\reader\wcimt32.dll" [null data]
"System" = "{D9461661-E663-4759-A6D6-FEC27A802A06}"
-> {CLSID}\InProcServer32\(Default) = "ssmc.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csaeo.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! Explorer\DLLName = "C:\WINDOWS\system32\tjext.dll" [file not found]
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
nkynykst\(Default) = "{a080fc5e-62ac-4e1a-852e-2d1bf735e571}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ekmem.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]

HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]

HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"
[disables the Display Properties|Desktop (tab) (except the "Customize
Desktop..." button); selects wallpaper if Active Desktop is enabled]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop enabled via Group Policy.

Wallpaper selected via Group Policy.


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Eric Peppers" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft Corporation"]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 1" -> launches: "C:\WINDOWS\System32\OOBE\OOBEBALN.EXE /sys /i /n:1" [MS]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{9E248641-0E24-4DDB-9A1F-705087832AD6}\
"MenuText" = "Java"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{D2488AAC-A140-6532-BD4B-A10A7353F5F7}" = "defect08"
-> {CLSID}\InProcServer32\(Default) = "ftbar.dll" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 358 seconds, including 21 seconds for message boxes)

#29
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Copy everything in the code box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""


2. Double-click fixware.reg and when asked if you want to merge with the registry click YES.

3. After the "merged successfully" prompt, please reboot your computer.

4. After reboot, please download RKFiles from HERE
  • Unzip RKfiles.zip to the desktop
  • Double-click RKFiles.bat to run it. It may take a while.
  • When it is finished a window should appear with a log.
5. Please copy the contents of the log and paste them here
  • Note: the log will be saved at c:\log.txt
Regards,

Trevuren
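
The effect of merging fixware.reg from post #29 can be previewed offline. This is an added example, not part of the original thread: it parses the .reg text and applies the resulting operations, in file order, to an in-memory model of the registry. The names `parse_reg` and `apply_ops` are hypothetical.

```python
import re

# The fix from post #29, reproduced verbatim.
FIXWARE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
'''
KEY_RE = re.compile(r'^\[([^-].*)\]$')  # "[-Key]" whole-key deletion is not modelled
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def unquote(s):
    return re.sub(r'\\(.)', r'\1', s[1:-1])  # drop quotes, undo backslash escapes

def parse_reg(text):
    """Return, in file order, the operations a merge of this .reg text performs."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if m := KEY_RE.match(line):  # [Key] selects the key for the lines below
            key = m.group(1)
            continue
        if not (m := VAL_RE.match(line)) or key is None:
            raise ValueError("unparsed line: %r" % raw)
        name = "(Default)" if m.group(1) == "@" else unquote(m.group(1))
        data = m.group(2)
        if data == "-":  # "Name"=- deletes the value
            ops.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set_string", key, name, unquote(data)))
        elif data.lower().startswith("dword:"):
            ops.append(("set_dword", key, name, int(data[6:], 16)))
        else:  # hex: and other data types are not modelled
            raise ValueError("unsupported data: %r" % raw)
    return ops

def apply_ops(registry, ops):
    """Apply ops in order to a {key: {name: data}} model of the registry."""
    for op, key, name, data in ops:
        registry.setdefault(key, {}).pop(name, None)
        if op != "delete_value":
            registry[key][name] = data
    return registry
```

`parse_reg(FIXWARE_REG)` yields a `delete_value` followed by a `set_string` for Winlogon `System`, so whatever data the value held before the merge, it ends up present and empty.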


#30
western14

    Member

  • Topic Starter
  • 51 posts
This is all that showed up in the log.txt file. I waited a long time and this is all I got.


C:\unzipped\rkfiles