Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

UMonitor, .dll problems


  • Please log in to reply

#16
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
OK this will take a while but it should be worth the trouble.

Download and install Agent Ransack: http://www.mythicsof...x?page=download

Then use the settings as in the example I wil attach.

It will take quite a while before it's done.

When it is click "Save results" (icon #4 from the left)
Choose save to clipboard and paste them into your next post.

Hopefully this will tell us which file(s) is reporting that ugly missing.

Regards,

Pieter

Attached Thumbnails

  • ransackexample.jpg

  • 0

Advertisements


#17
tdcook4

tdcook4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hmmm...I'm not so sure I did this right, but I'll send the results anyway. In order to use the settings in your example, I had to click on the Expr. Wizard...something about 'regular expressions'? I left everything blank on the options page...just let the expressions wizard do whatever it does. Let me know if I need to do something different.

I really hate to post this log...it seems awfully long. I do realize it's Christmas, so I'm not expecting to hear back soon ;)

C:\Program Files\TDS3\Logs\Dec\24-12-04 Fri.txt (4 KB, 12/24/2004 1:43:16 AM)
21 00:40:56 [File Scan] Scanning file C:\WINDOWS\SYSTEM32\guard.tmp

C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-14 00-56-04.txt (17 KB, 12/14/2004 12:56:04 AM)
159 Data : guard.tmp
165 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
185 Data : guard.tmp
191 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-24 00-32-13.txt (9 KB, 12/24/2004 12:32:13 AM)
146 Data : guard.tmp
152 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
172 Data : guard.tmp
178 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-24 02-38-35.txt (33 KB, 12/24/2004 2:38:35 AM)
667 Data : guard.tmp
673 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-24 03-05-09.txt (30 KB, 12/24/2004 3:05:09 AM)
642 Data : guard.tmp
648 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
668 Data : guard.tmp
674 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-24 15-47-58.txt (35 KB, 12/24/2004 3:47:58 PM)
662 Data : guard.tmp
668 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Desktop\Backup.bkf (385681 KB, 12/15/2004 11:34:05 PM)
194202 commandlh x a o Uprundll32.exe C:\PROGRA~1\AMERIC~1.0D\WEBCAL~1.DLL,WebCalHandler %1nk 'z 4 1 < Programmable96-4nk t (z 'a 1 6 VersionIndependentProgIDvk 82n ContactIaimu Tm m 1nk JE'z a 1 0c&{7DD95801-9882-11CF-9FA9-00AA006C42C4} nk JE'z 5 1 Impl Insertableries-1{00A987AE-587B-4343-B826-89F17AB41A03}peLiblh p ܤ0 B/ %~xN/ ~/ 9y]chali1.0Libhl Xn Xm ot Ds Qvk ,(#a PublisherModel Qnk 'z X/1 6 1 LLLImplemented CategoriesA9nk (z 1 1 rR ProgrammableC3-4vk&e{E2527B48-1C57-4187-A2B0-A96632D78975}BvkLu sDvk~Mk a nk JE'z 5 @` 1 +6 MiscStatusndank 'z X/1 1 pb6 Insertablenk Xl'z x4 1 Programmable32nk 1'z $a 1 &{7DD95801-9882-11CF-9FA9-00AA006C42C4}A91.0u Tnk 'z X/1 P a 1 pb6 MiscStatusndank Xl'z x4 1 0VersionIndependentProgIDlh @ea C x 1 u TXI1 ՗R Xk @1 s Qvka b12/15/2004՗R s Qnk V"(z +6 1 dllInprocServer32 T a 8 a vk `.a lCommentshbin a f U8g% wlA nk JE'z 5 1 L+6 Implemented Categories T0A `B 88 a nk y$U !a X!a h ,m AolCalSvr.ACMonthViewCtrl.56vk,(!a ACMonthViewCtrl Class !a nk y$U a 8"a hN߯N CLSIDSZlh `!a [ vkN!a ٨{0FE9096F-7F7A-4e40-857C-E48A53440DFE}ՒQ !a C:\Program Files\America Online 9.0d\MyCalendar.dllTvk a a lh %a dU a 2. ` C a } x a u T` ՗R 0ag Ug t+6 s Qusvk Microsoft Corporation a nk 'z a 1 pb6 1ypeLibQnk 'z X/1 81 NA0TypeLibnk 1'z 4 hi 1 LImplemented Categories-1vk X a Qitemadin` Hm m /a 1.0u Tnk 1'z 4 ɳ1 hLLInprocServer32 nk 1'z 4 Xp1 Nrver TypeLibe ` nk JE'z 5 1 +6 Controltlh ,a dU@ a 2.(` C a } a 5 u T` ՗R #a 6 tpb6 s QuspeLibnk (z 1 P 1 hLLInprocServer32 nk (z 1 pp1 6rver VersionIndependentProgIDC:\WINDOWS\system32\guard.tmp.dl a nk 'z @ a 1 &{7DD95802-9882-11CF-9FA9-00AA006C42C4}06nk (z xh 1 0.&{B6F041A2-48B9-4d3f-A91D-90E17C505FD3}C5nk t (z 'a 1 ProgrammablerammH a nk Xl'z x4 Hɳ1 hInprocServer32Senk 1'z $a 1 &{7DD95802-9882-11CF-9FA9-00AA006C42C4}06nk (z 1 1 Programmable32Senk (z 1 D1 hInprocServer32Senk (z 1 1 LLControl0` ` `c Hc c 0e vk Ma a FileName a nk -|$U ,a +a h ($K AolCalSvr.ACToolBarCtrl.5h; vk(p+a ACToolBarCtrl Class% X+a nk -|$U *a ,a hN^O CLSIDp lh +a [ vkN(,a ?{F4F30C01-A7B4-492e-943E-58A7CF2D9DD6}턏 H ,a nk 'z X/1 1 h/a Controlnk Xl'z x4 1 0bControlenk t (z 'a e1 hLLInprocServer32 nk (z غ1 41 <LLVersionIndependentProgIDnk ( (z h7a PE1 ntPr 1ogID` Your Commentsx` vk R/n a HelpLinkm 8m LibDvk,e C:\Program Files\America Online 9.0d\MyCalendar.dll06lh p 6Р q 3ةa a s Qnk 'z @ a 1 pb6 &{7DD95801-9882-11CF-9FA9-00AA006C42C4}sIHU V G Xa z4 `a hbin0a pDa (Ink Xl'z x4 x 1 L8 a Implemented CategoriesA9C:\Program Files\America Online 9.0d\MyCalendar.dll1C:\Program Files\America Online 9.0d\MyCalendar.dll1C:\Program Files\America Online 9.0d\MyCalendar.dll1nk (z 1 1 &a Insertablenda{3F8E02B4-6601-41A2-95E7-6BD102935C55}peLibnk N(z ( P1 N0cTypeLib s8 h8 ` c xT Ж D PDa ca vk 5VersionH da lh 8a 1vk : c URLInfoAboutLib nk (z 1 1 ndInsertablemap32enk t (z 'a 1 ndInsertablemap32nk (z غ1 1 hProgrammable32a nk C (z 1 Pv1 r.dToolboxBitmap32nk T+x(z 30 X!0 1 Nb9TypeLibvk R@p atHelpLinknk Z~$U 6a (6a h (^ AolCalSvr.ACMPickerCtrl.5_q8njvk(5a OcACMPickerCtrl Classx( 5a nk Z~$U p5a 7a hN> CLSIDQlh 06a [ vkN6a {DA3C177A-D1DA-47f2-BBF0-E9710CA7253F} 6a nk 'z Hbg p1 A
194203 h tnk ]` xq 0 h* unk "Ւ` xq hvisplayNnk "Ւ` xq h wnk "Ւ` xq hxnk "Ւ` xq hHyq nk "Ւ` xq hb z`q nk "Ւ` xq hq [vklh q Aq Bq C8q Dq Eq F@q Gq HPq Iq Jq KXq Lq M@q Nq Oq P@q Qq Rq Sȸq T q Uxq Vйq W(q Xq Yغq Z0q [vk:q @C:\WINDOWS\System32\msbe.dll`hq Xnk nk "Ւ` q hHELP alhnk "Ւ` q h2\bq nk "Ւ` q hcC6906A2nk "Ւ` q htcdnk "Ւ` q henk "Ւ` q hhf`K nk "Ւ` q hbCls gq nk "Ւ` q hhdnk |7` q hq mq J.jtmpl?hbinq nk ]` q @4 h,04rnk "Ւ` pb q h q gq Jnk "Ւ` xq hPq aq Uvk q 025 YZnk ]` q 5 h20tNnk r` q hBEuE15nk r` q hversionnk r` q hw8EEE58Dnk r` q hxnk r` q h yq nk "Ւ` q hznk "Ւ` q hc180 [ q lh q A0q Bq Cq Dq E@q Fq Ghq H q Ixq Jгq K(q Lq Mq Nhq Oq Pq Q q Rq SPq Tq Uq VXq Wq Xq Y`q Zq [q pvk @ q InstallDirHC:\Program Files\TopConvervk Hq q 026 pq q nk K pv{ xhTopConvertingvk q DisplayNamearkanoid GameXq vk Xq UninstallStringxC:\Program Files\TopConverting\arkanoid\arkanoid.exe /uninstalllh q Aq Bq Cpq DȒq E q Fxq GГq Hq Iq J8q Kq L(q Mxq NЖq O(q Pq Qؗq Rq Sq T`q Uq Vq Wq XHq Yq Zq [Xnk @K Xq NTypeLiblhnk n ` 0q hB-bB-2vk q }038vk q 039sion.py?nk H K q ضq h,&{01848FFF-ABF1-4609-A69E-2436F0B5FEDD}vknk H K q hq q hLImplemented Categories.jsp?vknk H K `q q h&{00021492-0000-0000-C000-000000000046}lh q -cvkxq nk s q / hDInprocServer32lh `q 2.q C vk<(q C:\WINDOWS\system32\guard.tmplvk q ThreadingModelApartmentvk&{01848FFF-ABF1-4609-A69E-2436F0B5FEDD}nk n ` Xq hxf1amic .php vk 1TPUSN_id(q q q Pq xq Xq q nk ` 0q h h8:grkanoidnk n ` 0q hpart ha4nk r` 0q hq mq JKnk n ` 0q hData ivk nk r` 0q he8j315nk r` 0q h6 kc |nk r` 0q h16l000nk ]` 0q 4 h *q sq Jvk q 032 N.phtml Qnk r` 0q hq nvk.php?hbinq nk r` 0q h ofO nk r` 0q htche pCBnk r` 0q h qPq nk ]` 0q ( h":-4r-88nk "Ւ` pb q h q fq Jnk r` q hXq aq Uvk q 027 YZnk ]` 0q h0tLSIDnk r` 0q h-4u-88.php3?3A3.phtml?q xC:\documents and settings\tammy\local settings\temp\grosVI.exeependexC:\documents and settings\tammy\local settings\temp\AZ7M2Ozhd.exenk n ` Xq homy Fivk q e037.process?.py gvk ~8q q grosVI.exeq nk n ` 0q h cnk ` 0q 萔 h&sidObjnk n ` 0q he\nk n ` 0q hfmivk q 035 lvk (q Z036Pq X{692B8041-F1C5-4881-82E9-4F94BBA34AC2}rVer` nk "Ւ` q hiersion nk |7` q hj4EB7BBEnk |7` q hknk |7` q h0l1.0nk |7` q hq sq Jvk q 033 N.pl?Qnk |7` q hnnk ]` q h&"onk |7` q hpC:nk |7` q h: qq nk |7` q hq rq nk ]` q H hq aq Jnk |7` q hq bq Uvk q 028 YZnk |7` q h tq nk |7` q hNunk |7` q h04vnk ]` q h""wnk |7` q h00x24-nk |7` q hH P yq nk |7` q hq zq Cnk |7` q
194282 ~1\Tammy\LOCALS~1\Temp\temp.fr0ECC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021906.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr3D99\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021907.vxd!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr05C6\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021909.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA848\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021923.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA317\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021924.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frB6AC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021945.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFBDE\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021958.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0416\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021964.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0968\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022110.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFA94\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022112.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frCFD0\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022114.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr7F96\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022115.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr5687\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022116.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frCDF2\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022117.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frE82E\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022119.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA8D5\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022120.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frD292P hbinp<0/\??\C:\WINDOWS\system32\h20q0cd5ef0.dll!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frDBA4\??\C:\WINDOWS\system32\guard.tmp!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frFAFC\??\C:\WINDOWS\system32\guard.tmp!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr0275\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024696.dll!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr006C\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024697.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr3F57\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024698.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr6DAF\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024699.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frF7C7\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024700.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr73FA\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024701.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr268F\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024702.vxd!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frE8BD\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024703.srg!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frDC99\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024704.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frB578\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024705.DLL!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr09C0331!F01-427C-A58A-7A2E4AABF84D}\RP222\A0021923.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA317\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021924.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frB6AC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021945.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFBDE\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021958.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0416\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021964.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0968\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022110.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFA94\??\C:\System Volume Information\_restore{

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (6858 KB, 12/24/2004 12:36:36 AM)
0 ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00f8f350 77f5c534 77e7a580 00000700 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00f8f3b8 77e7ab74 00000700 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc00f8f464 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000f8f354 34 c5 f5 77 80 a5 e7 77 - 00 07 00 00 00 00 00 00 4..w...w........0000000000f8f364 00 00 00 00 9a 22 dd 77 - 00 07 00 00 00 00 00 00 .....".w........0000000000f8f374 06 00 52 00 00 00 00 00 - c8 f1 f8 00 01 00 00 00 ..R.............0000000000f8f384 00 f0 fd 7f 00 60 fd 7f - 14 00 00 00 01 00 00 00 .....`..........0000000000f8f394 00 00 00 00 00 00 00 00 - 10 00 00 00 68 f3 f8 00 ............h...0000000000f8f3a4 e0 83 e3 77 74 ff f8 00 - e5 b2 e9 77 98 a5 e8 77 ...wt......w...w0000000000f8f3b4 00 00 00 00 64 f4 f8 00 - 74 ab e7 77 00 07 00 00 ....d...t..w....0000000000f8f3c4 ff ff ff ff 00 00 00 00 - 8e 14 01 10 00 07 00 00 ................0000000000f8f3d4 ff ff ff ff 30 f0 d7 00 - c0 52 f2 00 24 02 00 00 ....0....R..$...0000000000f8f3e4 3a 02 00 00 1e 00 00 00 - 36 02 00 00 43 3a 5c 57 :.......6...C:\W0000000000f8f3f4 49 4e 44 4f 57 53 5c 73 - 79 73 74 65 6d 33 32 5c INDOWS\system32\0000000000f8f404 67 75 61 72 64 2e 74 6d - 70 00 65 00 6d 00 33 00 guard.tmp.e.m.3.0000000000f8f414 32 00 5c 00 67 00 75 00 - 61 00 72 00 64 00 2e 00 2.\.g.u.a.r.d...0000000000f8f424 74 00 6d 00 70 00 00 00 - 00 00 00 00 00 00 00 00 t.m.p...........0000000000f8f434 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f444 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f454 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f464 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f474 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f484 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................*----> State Dump for Thread Id 0x91c <----*eax=100287a4 ebx=00000000 ecx=00d7ed50 edx=00000000 esi=00000224 edi=00000000eip=7ffe0304 esp=00fdfd60 ebp=00fdfdc4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00fdfd5c 77f5c534 77e7a580 00000224 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00fdfdc4 77e7ab74 00000224 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc80000002 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000fdfd60 34 c5 f5 77 80 a5 e7 77 - 24 02 00 00 00 00 00 00 4..w...w$.......0000000000fdfd70 00 00 00 00 a8 83 04 10 - 24 02 00
0 ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00f8f350 77f5c534 77e7a580 00000230 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00f8f3b8 77e7ab74 00000230 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc00f8f464 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000f8f354 34 c5 f5 77 80 a5 e7 77 - 30 02 00 00 00 00 00 00 4..w...w0.......0000000000f8f364 00 00 00 00 9a 22 dd 77 - 30 02 00 00 00 00 00 00 .....".w0.......0000000000f8f374 06 00 52 00 00 00 00 00 - c8 f1 f8 00 01 00 00 00 ..R.............0000000000f8f384 00 f0 fd 7f 00 60 fd 7f - 14 00 00 00 01 00 00 00 .....`..........0000000000f8f394 00 00 00 00 00 00 00 00 - 10 00 00 00 68 f3 f8 00 ............h...0000000000f8f3a4 e0 83 e3 77 74 ff f8 00 - e5 b2 e9 77 98 a5 e8 77 ...wt......w...w0000000000f8f3b4 00 00 00 00 64 f4 f8 00 - 74 ab e7 77 30 02 00 00 ....d...t..w0...0000000000f8f3c4 ff ff ff ff 00 00 00 00 - 8e 14 01 10 30 02 00 00 ............0...0000000000f8f3d4 ff ff ff ff 30 f0 d7 00 - c0 52 f2 00 1c 02 00 00 ....0....R......0000000000f8f3e4 0a 05 00 00 1e 00 00 00 - 82 05 00 00 43 3a 5c 57 ............C:\W0000000000f8f3f4 49 4e 44 4f 57 53 5c 73 - 79 73 74 65 6d 33 32 5c INDOWS\system32\0000000000f8f404 67 75 61 72 64 2e 74 6d - 70 00 65 00 6d 00 33 00 guard.tmp.e.m.3.0000000000f8f414 32 00 5c 00 67 00 75 00 - 61 00 72 00 64 00 2e 00 2.\.g.u.a.r.d...0000000000f8f424 74 00 6d 00 70 00 00 00 - 00 00 00 00 00 00 00 00 t.m.p...........0000000000f8f434 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f444 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f454 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f464 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f474 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f484 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................*----> State Dump for Thread Id 0x980 <----*eax=100287a4 ebx=00000000 ecx=00d7ed50 edx=00000000 esi=0000021c edi=00000000eip=7ffe0304 esp=00fdfd60 ebp=00fdfdc4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00fdfd5c 77f5c534 77e7a580 0000021c 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00fdfdc4 77e7ab74 0000021c ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc80000002 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000fdfd60 34 c5 f5 77 80 a5 e7 77 - 1c 02 00 00 00 00 00 00 4..w...w........0000000000fdfd70 00 00 00 00 a8 83 04 10 - 1c 02 00
0 ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00e3f350 77f5c534 77e7a580 000004a0 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00e3f3b8 77e7ab74 000004a0 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc00e3f464 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000e3f354 34 c5 f5 77 80 a5 e7 77 - a0 04 00 00 00 00 00 00 4..w...w........0000000000e3f364 00 00 00 00 9a 22 dd 77 - a0 04 00 00 00 00 00 00 .....".w........0000000000e3f374 06 00 52 00 00 00 00 00 - c8 f1 e3 00 01 00 00 00 ..R.............0000000000e3f384 00 f0 fd 7f 00 60 fd 7f - 14 00 00 00 01 00 00 00 .....`..........0000000000e3f394 00 00 00 00 00 00 00 00 - 10 00 00 00 68 f3 e3 00 ............h...0000000000e3f3a4 e0 83 e3 77 74 ff e3 00 - e5 b2 e9 77 98 a5 e8 77 ...wt......w...w0000000000e3f3b4 00 00 00 00 64 f4 e3 00 - 74 ab e7 77 a0 04 00 00 ....d...t..w....0000000000e3f3c4 ff ff ff ff 00 00 00 00 - 8e 14 01 10 a0 04 00 00 ................0000000000e3f3d4 ff ff ff ff 30 f0 ab 00 - d8 52 c4 00 20 02 00 00 ....0....R.. ...0000000000e3f3e4 36 02 00 00 1e 00 00 00 - 32 02 00 00 43 3a 5c 57 6.......2...C:\W0000000000e3f3f4 49 4e 44 4f 57 53 5c 73 - 79 73 74 65 6d 33 32 5c INDOWS\system32\0000000000e3f404 67 75 61 72 64 2e 74 6d - 70 00 65 00 6d 00 33 00 guard.tmp.e.m.3.0000000000e3f414 32 00 5c 00 67 00 75 00 - 61 00 72 00 64 00 2e 00 2.\.g.u.a.r.d...0000000000e3f424 74 00 6d 00 70 00 00 00 - 00 00 00 00 00 00 00 00 t.m.p...........0000000000e3f434 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000e3f444 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000e3f454 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000e3f464 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000e3f474 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 .....


C:\WINDOWS\Prefetch\EXPLORER.EXE-02121B1A.pf (92 KB, 12/24/2004 8:06:43 PM)
2 \ALL USERS\START MENU\PROGRAMS\ADOBE PHOTOSHOP ELEMENTS 2.0.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ADOBE READER 6.0.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\DESKTOP.INI\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL MEDIA EXPERIENCE.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL NETWORKING GUIDE.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MSN EXPLORER.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\REALONE PLAYER.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\SOLUTION CENTER.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\WINDOWS JOURNAL VIEWER.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\WINDOWS MESSENGER.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\WINDOWS MOVIE MAKER.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\ACCESSIBILITY\DESKTOP.INI\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\COMMUNICATIONS\DESKTOP.INI\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\ENTERTAINMENT\DESKTOP.INI\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\SYSTEM TOOLS\DESKTOP.INI\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\CALCULATOR.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\PAINT.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\SCANNER AND CAMERA WIZARD.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\WORDPAD.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\ACCESSIBILITY\ACCESSIBILITY WIZARD.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\COMMUNICATIONS\HYPERTERMINAL.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\COMMUNICATIONS\NETWORK CONNECTIONS.LNK\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\ACCESSORIES\COMMUNICATIONS\NETWORK SETUP WIZARD.LNK\DEVICE\HARDDISKVOLUME2\WINDOWS\FONTS\FRAMDIT.TTF\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GUARD.TMP\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMDLG32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEDLG.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PSAPI.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINSPOOL.DRV\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2HELP.DLL\DEVICE\HARDDISKVOLUME2\RECYCLER\DESKTOP.INI\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SETUPAPI.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MYDOCS.DLL\DEVICE\HARDDISKVOLUME2\PROGRA~1\NORTON~1\NISRES.DLL\DEVICE\HARDDISKVOLUME2\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.DLL\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\AIM\AIMRES.DLL\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TIVO\DESKTOP\TIVOSERVER.EXE\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\TAMMY\NETHOOD\BIRTHS ON GATEWAY (STEPHEN)\DESKTOP.INI\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE\DEVICE\HARDDISKVOLUME2\PROGRA~1\PURENE~1\PORTMA~1\LIBCFY.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETSHELL.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CREDUI.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IPHLPAPI.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MORICONS.DLL\DEVICE\HARDDISKVOLUME2\DELL\DELLCIRC.ICO\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSI.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WIN32K.SYS(< A4X P C\DEVICE\HARDDISKVOLUME2%H/I/11111111111111111111//:& H 00////////////////////////L _҅ol i* Y Y   C h h E E : p p @ @ 4A s s i i _ _ u u C 2A C q q j j i i S U @ m m e e C BZ3 u<A 11m1m1q1q1s1s1}1}11111111111111111^h 11 "^Jc>11M/N/y/z/x/y/t/u/e/f/k/l/i/j/j/k/f/g/g/h/]/^/d/e/b/c/R/S/S/T/V/W/X/Y/W/X/T/U/22 33x0022 33ilTpYYP P V V ZZ;A 49,:;;4>8>d>h>DFXJi$(,04ld׀|# , 1 1 1 \DEVICE\HARDDISKVOLUME2\/\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\9\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\J\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\N\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\R\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\ACS\V\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\ACS\1.0\T\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\j\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USER

C:\Documents and Settings\Tammy\Application Data\Iomega Automatic Backup\CacheFiles\IOM280.tmp (17 KB, 12/14/2004 12:56:04 AM)
159 Data : guard.tmp
165 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
185 Data : guard.tmp
191 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Local Settings\Temp\kb.log (2 KB, 12/23/2004 10:26:32 PM)
41 C:\WINDOWS\system32\guard.tmp

C:\WINDOWS\Prefetch\Layout.ini (347 KB, 12/24/2004 4:10:52 PM)
0 \SYSTEM32\BLACKBOX.DLLC:\WINDOWS\SYSTEM32\CAPICOM.DLLC:\WINDOWS\SYSTEM32\CONTROL.EXEC:\PROGRAM FILES\PESTPATROL\LOGS\C:\PROGRAM FILES\PESTPATROL\SPYWARE.DATC:\PROGRAM FILES\PESTPATROL\LOGS\TAMMY_COOKIEPATROL.LOGC:\WINDOWS\SYSTEM32\DEFRAG.EXEC:\WINDOWS\SYSTEM32\DFRGRES.DLLC:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AMERICA ONLINE 9.0C\C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VIEWPOINT\VIEWPOINT EXPERIENCE TECHNOLOGY\RESOURCES\C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VIEWPOINT\VIEWPOINT MEDIA PLAYER\C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VIEWPOINT\VIEWPOINT MEDIA PLAYER\RESOURCES\C:\PROGRAM FILES\COMMON FILES\NULLSOFT\C:\PROGRAM FILES\COMMON FILES\NULLSOFT\ACTIVEX\C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MEDIA PLAYER\C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\HISTORY\C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\C:\WINDOWS\SYSTEM32\MACROMED\C:\WINDOWS\SYSTEM32\DFRGNTFS.EXEC:\WINDOWS\PREFETCH\LAYOUT.INIC:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\DR WATSON\C:\PROGRAM FILES\AMERICA ONLINE 9.0D\TOOL\C:\PROGRAM FILES\WORDPERFECT OFFICE 11\PROGRAMS\C:\WINDOWS\MSAGENT\C:\WINDOWS\SRCHASST\C:\WINDOWS\SYSTEM32\DRWTSN32.EXEC:\WINDOWS\SYSTEM32\DBGENG.DLLC:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\DR WATSON\DRWTSN32.LOGC:\WINDOWS\SYSTEM32\EXTS.DLLC:\WINDOWS\SYSTEM32\NTSDEXTS.DLLC:\WINDOWS\SYSTEM32\BROWSELC.DLLC:\PROGRAM FILES\AMERICA ONLINE 9.0D\TOOL\HTMLVIEW.TOLC:\WINDOWS\SRCHASST\SRCHUI.DLLC:\WINDOWS\SYSTEM32\PRINTUI.DLLC:\WINDOWS\SYSTEM32\SHMEDIA.DLLC:\WINDOWS\SYSTEM32\AVIFIL32.DLLC:\WINDOWS\SYSTEM32\WMVCORE.DLLC:\WINDOWS\SYSTEM32\WMASF.DLLC:\PROGRAM FILES\NORTON INTERNET SECURITY\NORTON ANTIVIRUS\NAVSHEXT.DLLC:\WINDOWS\SYSTEM32\TDS3SHL.DLLC:\PROGRAM FILES\WORDPERFECT OFFICE 11\PROGRAMS\PFSE110.DLLC:\WINDOWS\SYSTEM32\JSCRIPT.DLLC:\WINDOWS\SRCHASST\SRCHCTLS.DLLC:\WINDOWS\MSAGENT\AGENTDP2.DLLC:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\MSOHEV.DLLC:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\DR WATSON\USER.DMPC:\WINDOWS\SYSTEM32\DUMPREP.EXEC:\WINDOWS\SYSTEM32\1033\C:\WINDOWS\SYSTEM32\DWWIN.EXEC:\WINDOWS\SYSTEM32\ZIPFLDR.DLLC:\DOCUME~1\TAMMY\LOCALS~1\TEMP\1576F4F.DMPC:\WINDOWS\SYSTEM32\1033\DWINTL.DLLC:\DOCUME~1\TAMMY\LOCALS~1\TEMP\31E4B4.DMPC:\DOCUME~1\TAMMY\LOCALS~1\TEMP\10C73A.DMPC:\DOCUME~1\TAMMY\LOCALS~1\TEMP\197035.DMPC:\WINDOWS\INSTALLER\C:\WINDOWS\SYSTEM32\GUARD.TMPC:\PROGRA~1\NORTON~1\NISRES.DLLC:\WINDOWS\SYSTEM32\ULIB.DLLC:\WINDOWS\PCHEALTH\HELPCTR\CONFIG\C:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\C:\WINDOWS\PCHEALTH\HELPCTR\PACKAGESTORE\C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPSVC.EXEC:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HCAPPRES.DLLC:\WINDOWS\PCHEALTH\HELPCTR\CONFIG\CNTSTORE.BINC:\WINDOWS\PCHEALTH\HELPCTR\PACKAGESTORE\SKUSTORE.BINC:\WINDOWS\PCHEALTH\HELPCTR\PACKAGESTORE\CRC_DISKC:\WINDOWS\PCHEALTH\HELPCTR\CONFIG\DATASPEC.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\HISTORY_DB.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5176.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_947.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_317.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5178.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5180.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5182.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5184.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5186.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5187.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5157.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5127.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5097.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5067.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5037.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_5007.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4977.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4947.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4917.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4887.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4857.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4827.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4797.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4767.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4737.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4707.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4677.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4647.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4617.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4587.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4557.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4527.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4497.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOLL\COLLECTEDDATA_4467.XMLC:\WINDOWS\PCHEALTH\HELPCTR\DATACOL

C:\WINDOWS\Prefetch\RUNDLL32.EXE-52B5E4C9.pf (33 KB, 12/24/2004 9:34:18 AM)
1 WS\SYSTEM32\MSASN1.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLE32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEAUT32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEDLG.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PSAPI.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\URLMON.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\VERSION.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USERENV.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WININET.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINSPOOL.DRV\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2HELP.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.1579_X-WW_7BBF8D08\COMCTL32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\WINDOWSSHELL.MANIFEST\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTKEY.NLS\DEVICE\HARDDISKVOLUME2\$MFT\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UXTHEME.DLL\DEVICE\HARDDISKVOLUME2\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\ASOEHOOK.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCR70.DLL\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\COMMON FILES\AOL\ACS\WLHOOK.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCSS.DLL\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SECUR32.DLL\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\TAMMY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\TAMMY\COOKIES\INDEX.DAT\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\TAMMY\LOCAL SETTINGS\HISTORY\HISTORY.IE5\INDEX.DAT\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASAPI32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASMAN.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETAPI32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\TAPI32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RTUTILS.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINMM.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SERWVDRV.DLL\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\CONNECTIONS\PBK\RASPHONE.PBK\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSWSOCK.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSHTCPIP.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNSAPI.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINRNR.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WLDAP32.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASADHLP.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CRCDLL.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\EACDEC.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GUARD.TMP\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\ACS\1.0\WHITELISTDLLREAD.INI\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DRIVERS\SWMIDI.SYS\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\AMERICA ONLINE 9.0D\IDLEPROC.DLL\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCR71.DLL(< A4X ( \DEVICE\HARDDISKVOLUME29L olY Y h h Z Z :tazz: p @ \ \ @ s s i i _ _ 2A C q q j j i i S U @ m m e e C B o o ( * <A 11m1m1q1q122 33x22 33ilYYZZ;A \DEVICE\HARDDISKVOLUME2\/\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\9\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\J\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\N\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\R\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\ACS\V\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\ACS\1.0\&\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\3\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\COMMON FILES\7\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\COMMON FILES\AOL\;\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\COMMON FILES\AOL\ACS\!\DEVICE\HARDDISKVOLUME2\PROGRA~1\*\DEVICE\HARDDISKVOLUME2\PROGRA~1\COMMON~1\3\DEVICE\HARDDISKVOLUME2\PROGRA~1\COMMON~1\SYMANT~1\<\DEVICE\HARDDISKVOLUME2\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\ \DEVICE\HARDDISKVOLUME2\WINDOWS\)\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\'\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\z\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.1579_X-WW_7BBF8D08\

C:\WINDOWS\REPAIR\SOFTWARE (27480 KB, 12/15/2004 11:30:46 PM)
1238 LImplemented Categories-1vk X a Qitemadin` Hm m /a 1.0u Tnk 1'z 4 ɳ1 hLLInprocServer32 nk 1'z 4 Xp1 Nrver TypeLibe ` nk JE'z 5 1 +6 Controltlh ,a dU@ a 2.(` C a } a 5 u T` ՗R #a 6 tpb6 s QuspeLibnk (z 1 P 1 hLLInprocServer32 nk (z 1 pp1 6rver VersionIndependentProgIDC:\WINDOWS\system32\guard.tmp.dl a nk 'z @ a 1 &{7DD95802-9882-11CF-9FA9-00AA006C42C4}06nk (z xh 1 0.&{B6F041A2-48B9-4d3f-A91D-90E17C505FD3}C5nk t (z 'a 1 ProgrammablerammH a nk Xl'z x4 Hɳ1 hInprocServer32Senk 1'z $a 1 &{7DD95802-9882-11CF-9FA9-00AA006C42C4}06nk (z 1 1 Programmable32Senk (z 1 D1 hInprocServer32Senk (z 1 1 LLControl0` ` `c Hc c 0e vk Ma a FileName a nk -|$U ,a +a h ($K AolCalSvr.ACToolBarCtrl.5h; vk(p+a ACToolBarCtrl Class% X+a nk -|$U *a ,a hN^O CLSIDp lh +a [ vkN(,a ?{F4F30C01-A7B4-492e-943E-58A7CF2D9DD6}턏 H ,a nk 'z X/1 1 h/a Controlnk Xl'z x4 1 0bControlenk t (z 'a e1 hLLInprocServer32 nk (z غ1 41 <LLVersionIndependentProgIDnk ( (z h7a PE1 ntPr 1ogID` Your Commentsx` vk R/n a HelpLinkm 8m LibDvk,e C:\Program Files\America Online 9.0d\MyCalendar.dll06lh p 6Р q 3ةa a s Qnk 'z @ a 1 pb6 &{7DD95801-9882-11CF-9FA9-00AA006C42C4}sIHU V G Xa z4 `a hbin0a pDa (Ink Xl'z x4 x 1 L8 a Implemented CategoriesA9C:\Program Files\America Online 9.0d\MyCalendar.dll1C:\Program Files\America Online 9.0d\MyCalendar.dll1C:\Program Files\America Online 9.0d\MyCalendar.dll1nk (z 1 1 &a Insertablenda{3F8E02B4-6601-41A2-95E7-6BD102935C55}peLibnk N(z ( P1 N0cTypeLib s8 h8 ` c xT Ж D PDa ca vk 5VersionH da lh 8a 1vk : c URLInfoAboutLib nk (z 1 1 ndInsertablemap32enk t (z 'a 1 ndInsertablemap32nk (z غ1 1 hProgrammable32a nk C (z 1 Pv1 r.dToolboxBitmap32nk T+x(z 30 X!0 1 Nb9TypeLibvk R@p atHelpLinknk Z~$U 6a (6a h (^ AolCalSvr.ACMPickerCtrl.5_q8njvk(5a OcACMPickerCtrl Classx( 5a nk Z~$U p5a 7a hN> CLSIDQlh 06a [ vkN6a {DA3C177A-D1DA-47f2-BBF0-E9710CA7253F} 6a nk 'z Hbg p1 A01ypeLibbnk ( (z غ1 >a D1 -a MiscStatus{0C:\Program Files\America Online 9.0d\MyCalendar.dll, 605vk =a o`jde{nlchd!bntqnor!".8Ga nk ( (z غ1 Z1 h@_ InprocServer322nk C (z >a 20 1 LL1ontrolnk bR(z E0 ( 1 v InprocServer32{229b78b8-38f5-11d5-9001-00c04f4c3b9f}DLL8Ga vk \ lwaol.exe8ga C:\Program Files\America Online 9.0d\MyCalendar.dllnk 0.:(z H/ 1 ChControl{3F8E02B4-6601-41A2-95E7-6BD102935C55}peLibnk F(z 1 1 osControlnk AM(z &1 81 ll InprocServer32{229b78b8-38f5-11d5-9001-00c04f4c3b9f}peLib{229b78b8-38f5-11d5-9001-00c04f4c3b9f}peLibnk |(z <0 1 vCOInprocServer32DvkNp @ACS.SENSReachability1bjPDa 3.0.61103145573vk1349fa vk X=a TInno Setup: Setup Versiona 1vk oLastKeywordTypeca lh .a 1HKCUIDpo xp p p @6n vk pk commandnnk ( (z غ1 1 -a Insertablemap32nk C (z 1 @3a . 1 &a MiscStatusndalh0] 0] 0] a s Q a s Qpq0975e.l vk `4n QDLLNameI vk EVersionH`ma vk*?a ACWebDlgHelper ClassX?a hbin@a nk $U @a ?a h *AolCalSvr.ACWebDlgHelper.5nk $U @a hAa hNCLSIDlh @a [ vkNAa {6AD3B5BD-9A96-4ca2-9455-2034D05EB134}@a C:\Program Files\America Online 9.0d\MyCalendar.dll, 544C:\Program Files\America Online 9.0d\MyCalendar.dll, 586C:\Program Files\America Online 9.0d\MyCalendar.dll, 605at{00A987AE-587B-4343-B826-89F17AB41A03}03}C:\Program Files\America Online 9.0d\MIMEHook.dllnk <(z H/ / 1 ToolboxBitmap32X{999E3352-CCAA-4DC6-BE6A-99EBBF91B523}DLLvk8ͨ (oa nk X (z 1 0b1 r.dToolboxBitmap32nk L|H(z wa 1 1 C51ontrolnk ( (z غ1 I1 N.dTypeLi
1239 h tnk ]` xq 0 h* unk "Ւ` xq hvisplayNnk "Ւ` xq h wnk "Ւ` xq hxnk "Ւ` xq hHyq nk "Ւ` xq hb z`q nk "Ւ` xq hq [vklh q Aq Bq C8q Dq Eq F@q Gq HPq Iq Jq KXq Lq M@q Nq Oq P@q Qq Rq Sȸq T q Uxq Vйq W(q Xq Yغq Z0q [vk:q @C:\WINDOWS\System32\msbe.dll`hq Xnk nk "Ւ` q hHELP alhnk "Ւ` q h2\bq nk "Ւ` q hcC6906A2nk "Ւ` q htcdnk "Ւ` q henk "Ւ` q hhf`K nk "Ւ` q hbCls gq nk "Ւ` q hhdnk |7` q hq mq J.jtmpl?hbinq nk ]` q @4 h,04rnk "Ւ` pb q h q gq Jnk "Ւ` xq hPq aq Uvk q 025 YZnk ]` q 5 h20tNnk r` q hBEuE15nk r` q hversionnk r` q hw8EEE58Dnk r` q hxnk r` q h yq nk "Ւ` q hznk "Ւ` q hc180 [ q lh q A0q Bq Cq Dq E@q Fq Ghq H q Ixq Jгq K(q Lq Mq Nhq Oq Pq Q q Rq SPq Tq Uq VXq Wq Xq Y`q Zq [q pvk @ q InstallDirHC:\Program Files\TopConvervk Hq q 026 pq q nk K pv{ xhTopConvertingvk q DisplayNamearkanoid GameXq vk Xq UninstallStringxC:\Program Files\TopConverting\arkanoid\arkanoid.exe /uninstalllh q Aq Bq Cpq DȒq E q Fxq GГq Hq Iq J8q Kq L(q Mxq NЖq O(q Pq Qؗq Rq Sq T`q Uq Vq Wq XHq Yq Zq [Xnk @K Xq NTypeLiblhnk n ` 0q hB-bB-2vk q }038vk q 039sion.py?nk H K q ضq h,&{01848FFF-ABF1-4609-A69E-2436F0B5FEDD}vknk H K q hq q hLImplemented Categories.jsp?vknk H K `q q h&{00021492-0000-0000-C000-000000000046}lh q -cvkxq nk s q / hDInprocServer32lh `q 2.q C vk<(q C:\WINDOWS\system32\guard.tmplvk q ThreadingModelApartmentvk&{01848FFF-ABF1-4609-A69E-2436F0B5FEDD}nk n ` Xq hxf1amic .php vk 1TPUSN_id(q q q Pq xq Xq q nk ` 0q h h8:grkanoidnk n ` 0q hpart ha4nk r` 0q hq mq JKnk n ` 0q hData ivk nk r` 0q he8j315nk r` 0q h6 kc |nk r` 0q h16l000nk ]` 0q 4 h *q sq Jvk q 032 N.phtml Qnk r` 0q hq nvk.php?hbinq nk r` 0q h ofO nk r` 0q htche pCBnk r` 0q h qPq nk ]` 0q (
  • 0

#18
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Looks promising actually. :tazz:

Just some logs, backups and XP tricks.

Fisrt flush your restore points:
Disable System restore, reboot and re-enable system restore.
Read how: http://service1.syma...src=sec_doc_nam

Clean out your prefetch folder:
http://www.tweakxp.com/tweak525.aspx

In safe mode use the DiskCleanup Tool to empty all your Temp folders.

Can you post another agent Ransack log after doing all that?

Regards,

Pieter
  • 0

#19
tdcook4

tdcook4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK...time to return to the fun...

My new Ransack log is below. System restore was already disabled, and has been since I started this process. One of the first problems I had noticed weeks ago was that Norton wasn't updating, so I followed their instructions to uninstall/reinstall....and that included disabling System Restore and creating a backup registry. I had never re-enabled System Restore. I think I was assuming I'd eventually end up wiping my drive anyway.

So...I re-enabled System Restore, cleaned out prefetch and used DiskCleanup on the temps. Here's agent Ransack. (When I noticed the entries referring to the AdAware logs, I deleted those logs.)

(By the way...do my logs look normal? I'm not sure I'm doing this exactly right.)


C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-14 00-56-04.txt (17 KB, 12/14/2004 12:56:04 AM)
159 Data : guard.tmp
165 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
185 Data : guard.tmp
191 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-24 00-32-13.txt (9 KB, 12/24/2004 12:32:13 AM)
146 Data : guard.tmp
152 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
172 Data : guard.tmp
178 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (6858 KB, 12/24/2004 12:36:36 AM)
0 ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00f8f350 77f5c534 77e7a580 00000700 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00f8f3b8 77e7ab74 00000700 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc00f8f464 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000f8f354 34 c5 f5 77 80 a5 e7 77 - 00 07 00 00 00 00 00 00 4..w...w........0000000000f8f364 00 00 00 00 9a 22 dd 77 - 00 07 00 00 00 00 00 00 .....".w........0000000000f8f374 06 00 52 00 00 00 00 00 - c8 f1 f8 00 01 00 00 00 ..R.............0000000000f8f384 00 f0 fd 7f 00 60 fd 7f - 14 00 00 00 01 00 00 00 .....`..........0000000000f8f394 00 00 00 00 00 00 00 00 - 10 00 00 00 68 f3 f8 00 ............h...0000000000f8f3a4 e0 83 e3 77 74 ff f8 00 - e5 b2 e9 77 98 a5 e8 77 ...wt......w...w0000000000f8f3b4 00 00 00 00 64 f4 f8 00 - 74 ab e7 77 00 07 00 00 ....d...t..w....0000000000f8f3c4 ff ff ff ff 00 00 00 00 - 8e 14 01 10 00 07 00 00 ................0000000000f8f3d4 ff ff ff ff 30 f0 d7 00 - c0 52 f2 00 24 02 00 00 ....0....R..$...0000000000f8f3e4 3a 02 00 00 1e 00 00 00 - 36 02 00 00 43 3a 5c 57 :.......6...C:\W0000000000f8f3f4 49 4e 44 4f 57 53 5c 73 - 79 73 74 65 6d 33 32 5c INDOWS\system32\0000000000f8f404 67 75 61 72 64 2e 74 6d - 70 00 65 00 6d 00 33 00 guard.tmp.e.m.3.0000000000f8f414 32 00 5c 00 67 00 75 00 - 61 00 72 00 64 00 2e 00 2.\.g.u.a.r.d...0000000000f8f424 74 00 6d 00 70 00 00 00 - 00 00 00 00 00 00 00 00 t.m.p...........0000000000f8f434 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f444 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f454 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f464 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f474 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f484 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................*----> State Dump for Thread Id 0x91c <----*eax=100287a4 ebx=00000000 ecx=00d7ed50 edx=00000000 esi=00000224 edi=00000000eip=7ffe0304 esp=00fdfd60 ebp=00fdfdc4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00fdfd5c 77f5c534 77e7a580 00000224 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00fdfdc4 77e7ab74 00000224 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc80000002 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000fdfd60 34 c5 f5 77 80 a5 e7 77 - 24 02 00 00 00 00 00 00 4..w...w$.......0000000000fdfd70 00 00 00 00 a8 83 04 10 - 24 02 00
0 ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00f8f350 77f5c534 77e7a580 00000230 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00f8f3b8 77e7ab74 00000230 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc00f8f464 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000f8f354 34 c5 f5 77 80 a5 e7 77 - 30 02 00 00 00 00 00 00 4..w...w0.......0000000000f8f364 00 00 00 00 9a 22 dd 77 - 30 02 00 00 00 00 00 00 .....".w0.......0000000000f8f374 06 00 52 00 00 00 00 00 - c8 f1 f8 00 01 00 00 00 ..R.............0000000000f8f384 00 f0 fd 7f 00 60 fd 7f - 14 00 00 00 01 00 00 00 .....`..........0000000000f8f394 00 00 00 00 00 00 00 00 - 10 00 00 00 68 f3 f8 00 ............h...0000000000f8f3a4 e0 83 e3 77 74 ff f8 00 - e5 b2 e9 77 98 a5 e8 77 ...wt......w...w0000000000f8f3b4 00 00 00 00 64 f4 f8 00 - 74 ab e7 77 30 02 00 00 ....d...t..w0...0000000000f8f3c4 ff ff ff ff 00 00 00 00 - 8e 14 01 10 30 02 00 00 ............0...0000000000f8f3d4 ff ff ff ff 30 f0 d7 00 - c0 52 f2 00 1c 02 00 00 ....0....R......0000000000f8f3e4 0a 05 00 00 1e 00 00 00 - 82 05 00 00 43 3a 5c 57 ............C:\W0000000000f8f3f4 49 4e 44 4f 57 53 5c 73 - 79 73 74 65 6d 33 32 5c INDOWS\system32\0000000000f8f404 67 75 61 72 64 2e 74 6d - 70 00 65 00 6d 00 33 00 guard.tmp.e.m.3.0000000000f8f414 32 00 5c 00 67 00 75 00 - 61 00 72 00 64 00 2e 00 2.\.g.u.a.r.d...0000000000f8f424 74 00 6d 00 70 00 00 00 - 00 00 00 00 00 00 00 00 t.m.p...........0000000000f8f434 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f444 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f454 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f464 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f474 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f484 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................*----> State Dump for Thread Id 0x980 <----*eax=100287a4 ebx=00000000 ecx=00d7ed50 edx=00000000 esi=0000021c edi=00000000eip=7ffe0304 esp=00fdfd60 ebp=00fdfdc4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00fdfd5c 77f5c534 77e7a580 0000021c 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00fdfdc4 77e7ab74 0000021c ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc80000002 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000fdfd60 34 c5 f5 77 80 a5 e7 77 - 1c 02 00 00 00 00 00 00 4..w...w........0000000000fdfd70 00 00 00 00 a8 83 04 10 - 1c 02 00
0 ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00e3f350 77f5c534 77e7a580 000004a0 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00e3f3b8 77e7ab74 000004a0 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc00e3f464 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000e3f354 34 c5 f5 77 80 a5 e7 77 - a0 04 00 00 00 00 00 00 4..w...w........0000000000e3f364 00 00 00 00 9a 22 dd 77 - a0 04 00 00 00 00 00 00 .....".w........0000000000e3f374 06 00 52 00 00 00 00 00 - c8 f1 e3 00 01 00 00 00 ..R.............0000000000e3f384 00 f0 fd 7f 00 60 fd 7f - 14 00 00 00 01 00 00 00 .....`..........0000000000e3f394 00 00 00 00 00 00 00 00 - 10 00 00 00 68 f3 e3 00 ............h...0000000000e3f3a4 e0 83 e3 77 74 ff e3 00 - e5 b2 e9 77 98 a5 e8 77 ...wt......w...w0000000000e3f3b4 00 00 00 00 64 f4 e3 00 - 74 ab e7 77 a0 04 00 00 ....d...t..w....0000000000e3f3c4 ff ff ff ff 00 00 00 00 - 8e 14 01 10 a0 04 00 00 ................0000000000e3f3d4 ff ff ff ff 30 f0 ab 00 - d8 52 c4 00 20 02 00 00 ....0....R.. ...0000000000e3f3e4 36 02 00 00 1e 00 00 00 - 32 02 00 00 43 3a 5c 57 6.......2...C:\W0000000000e3f3f4 49 4e 44 4f 57 53 5c 73 - 79 73 74 65 6d 33 32 5c INDOWS\system32\0000000000e3f404 67 75 61 72 64 2e 74 6d - 70 00 65 00 6d 00 33 00 guard.tmp.e.m.3.0000000000e3f414 32 00 5c 00 67 00 75 00 - 61 00 72 00 64 00 2e 00 2.\.g.u.a.r.d...0000000000e3f424 74 00 6d 00 70 00 00 00 - 00 00 00 00 00 00 00 00 t.m.p...........0000000000e3f434 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000e3f444 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000e3f454 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000e3f464 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000e3f474 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 .....


C:\Documents and Settings\Tammy\Application Data\Iomega Automatic Backup\CacheFiles\IOM280.tmp (17 KB, 12/14/2004 12:56:04 AM)
159 Data : guard.tmp
165 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
185 Data : guard.tmp
191 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-24 02-38-35.txt (33 KB, 12/24/2004 2:38:35 AM)
667 Data : guard.tmp
673 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-24 03-05-09.txt (30 KB, 12/24/2004 3:05:09 AM)
642 Data : guard.tmp
648 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
668 Data : guard.tmp
674 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-24 15-47-58.txt (35 KB, 12/24/2004 3:47:58 PM)
662 Data : guard.tmp
668 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-26 00-38-27.txt (44 KB, 12/26/2004 12:38:27 AM)
859 Data : guard.tmp
865 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-26 01-35-20.txt (40 KB, 12/26/2004 1:35:20 AM)
932 Data : guard.tmp
938 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-12-26 01-54-23.txt (19 KB, 12/26/2004 1:54:23 AM)
383 Data : guard.tmp
389 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
423 Data : guard.tmp
429 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)

C:\Documents and Settings\Tammy\Desktop\Backup.bkf (385681 KB, 12/15/2004 11:34:05 PM)
194202 commandlh x a o Uprundll32.exe C:\PROGRA~1\AMERIC~1.0D\WEBCAL~1.DLL,WebCalHandler %1nk 'z 4 1 < Programmable96-4nk t (z 'a 1 6 VersionIndependentProgIDvk 82n ContactIaimu Tm m 1nk JE'z a 1 0c&{7DD95801-9882-11CF-9FA9-00AA006C42C4} nk JE'z 5 1 Impl Insertableries-1{00A987AE-587B-4343-B826-89F17AB41A03}peLiblh p ܤ0 B/ %~xN/ ~/ 9y]chali1.0Libhl Xn Xm ot Ds Qvk ,(#a PublisherModel Qnk 'z X/1 6 1 LLLImplemented CategoriesA9nk (z 1 1 rR ProgrammableC3-4vk&e{E2527B48-1C57-4187-A2B0-A96632D78975}BvkLu sDvk~Mk a nk JE'z 5 @` 1 +6 MiscStatusndank 'z X/1 1 pb6 Insertablenk Xl'z x4 1 Programmable32nk 1'z $a 1 &{7DD95801-9882-11CF-9FA9-00AA006C42C4}A91.0u Tnk 'z X/1 P a 1 pb6 MiscStatusndank Xl'z x4 1 0VersionIndependentProgIDlh @ea C x 1 u TXI1 ՗R Xk @1 s Qvka b12/15/2004՗R s Qnk V"(z +6 1 dllInprocServer32 T a 8 a vk `.a lCommentshbin a f U8g% wlA nk JE'z 5 1 L+6 Implemented Categories T0A `B 88 a nk y$U !a X!a h ,m AolCalSvr.ACMonthViewCtrl.56vk,(!a ACMonthViewCtrl Class !a nk y$U a 8"a hN߯N CLSIDSZlh `!a [ vkN!a ٨{0FE9096F-7F7A-4e40-857C-E48A53440DFE}ՒQ !a C:\Program Files\America Online 9.0d\MyCalendar.dllTvk a a lh %a dU a 2. ` C a } x a u T` ՗R 0ag Ug t+6 s Qusvk Microsoft Corporation a nk 'z a 1 pb6 1ypeLibQnk 'z X/1 81 NA0TypeLibnk 1'z 4 hi 1 LImplemented Categories-1vk X a Qitemadin` Hm m /a 1.0u Tnk 1'z 4 ɳ1 hLLInprocServer32 nk 1'z 4 Xp1 Nrver TypeLibe ` nk JE'z 5 1 +6 Controltlh ,a dU@ a 2.(` C a } a 5 u T` ՗R #a 6 tpb6 s QuspeLibnk (z 1 P 1 hLLInprocServer32 nk (z 1 pp1 6rver VersionIndependentProgIDC:\WINDOWS\system32\guard.tmp.dl a nk 'z @ a 1 &{7DD95802-9882-11CF-9FA9-00AA006C42C4}06nk (z xh 1 0.&{B6F041A2-48B9-4d3f-A91D-90E17C505FD3}C5nk t (z 'a 1 ProgrammablerammH a nk Xl'z x4 Hɳ1 hInprocServer32Senk 1'z $a 1 &{7DD95802-9882-11CF-9FA9-00AA006C42C4}06nk (z 1 1 Programmable32Senk (z 1 D1 hInprocServer32Senk (z 1 1 LLControl0` ` `c Hc c 0e vk Ma a FileName a nk -|$U ,a +a h ($K AolCalSvr.ACToolBarCtrl.5h; vk(p+a ACToolBarCtrl Class% X+a nk -|$U *a ,a hN^O CLSIDp lh +a [ vkN(,a ?{F4F30C01-A7B4-492e-943E-58A7CF2D9DD6}턏 H ,a nk 'z X/1 1 h/a Controlnk Xl'z x4 1 0bControlenk t (z 'a e1 hLLInprocServer32 nk (z غ1 41 <LLVersionIndependentProgIDnk ( (z h7a PE1 ntPr 1ogID` Your Commentsx` vk R/n a HelpLinkm 8m LibDvk,e C:\Program Files\America Online 9.0d\MyCalendar.dll06lh p 6Р q 3ةa a s Qnk 'z @ a 1 pb6 &{7DD95801-9882-11CF-9FA9-00AA006C42C4}sIHU V G Xa z4 `a hbin0a pDa (Ink Xl'z x4 x 1 L8 a Implemented CategoriesA9C:\Program Files\America Online 9.0d\MyCalendar.dll1C:\Program Files\America Online 9.0d\MyCalendar.dll1C:\Program Files\America Online 9.0d\MyCalendar.dll1nk (z 1 1 &a Insertablenda{3F8E02B4-6601-41A2-95E7-6BD102935C55}peLibnk N(z ( P1 N0cTypeLib s8 h8 ` c xT Ж D PDa ca vk 5VersionH da lh 8a 1vk : c URLInfoAboutLib nk (z 1 1 ndInsertablemap32enk t (z 'a 1 ndInsertablemap32nk (z غ1 1 hProgrammable32a nk C (z 1 Pv1 r.dToolboxBitmap32nk T+x(z 30 X!0 1 Nb9TypeLibvk R@p atHelpLinknk Z~$U 6a (6a h (^ AolCalSvr.ACMPickerCtrl.5_q8njvk(5a OcACMPickerCtrl Classx( 5a nk Z~$U p5a 7a hN> CLSIDQlh 06a [ vkN6a {DA3C177A-D1DA-47f2-BBF0-E9710CA7253F} 6a nk 'z Hbg p1 A
194203 h tnk ]` xq 0 h* unk "Ւ` xq hvisplayNnk "Ւ` xq h wnk "Ւ` xq hxnk "Ւ` xq hHyq nk "Ւ` xq hb z`q nk "Ւ` xq hq [vklh q Aq Bq C8q Dq Eq F@q Gq HPq Iq Jq KXq Lq M@q Nq Oq P@q Qq Rq Sȸq T q Uxq Vйq W(q Xq Yغq Z0q [vk:q @C:\WINDOWS\System32\msbe.dll`hq Xnk nk "Ւ` q hHELP alhnk "Ւ` q h2\bq nk "Ւ` q hcC6906A2nk "Ւ` q htcdnk "Ւ` q henk "Ւ` q hhf`K nk "Ւ` q hbCls gq nk "Ւ` q hhdnk |7` q hq mq J.jtmpl?hbinq nk ]` q @4 h,04rnk "Ւ` pb q h q gq Jnk "Ւ` xq hPq aq Uvk q 025 YZnk ]` q 5 h20tNnk r` q hBEuE15nk r` q hversionnk r` q hw8EEE58Dnk r` q hxnk r` q h yq nk "Ւ` q hznk "Ւ` q hc180 [ q lh q A0q Bq Cq Dq E@q Fq Ghq H q Ixq Jгq K(q Lq Mq Nhq Oq Pq Q q Rq SPq Tq Uq VXq Wq Xq Y`q Zq [q pvk @ q InstallDirHC:\Program Files\TopConvervk Hq q 026 pq q nk K pv{ xhTopConvertingvk q DisplayNamearkanoid GameXq vk Xq UninstallStringxC:\Program Files\TopConverting\arkanoid\arkanoid.exe /uninstalllh q Aq Bq Cpq DȒq E q Fxq GГq Hq Iq J8q Kq L(q Mxq NЖq O(q Pq Qؗq Rq Sq T`q Uq Vq Wq XHq Yq Zq [Xnk @K Xq NTypeLiblhnk n ` 0q hB-bB-2vk q }038vk q 039sion.py?nk H K q ضq h,&{01848FFF-ABF1-4609-A69E-2436F0B5FEDD}vknk H K q hq q hLImplemented Categories.jsp?vknk H K `q q h&{00021492-0000-0000-C000-000000000046}lh q -cvkxq nk s q / hDInprocServer32lh `q 2.q C vk<(q C:\WINDOWS\system32\guard.tmplvk q ThreadingModelApartmentvk&{01848FFF-ABF1-4609-A69E-2436F0B5FEDD}nk n ` Xq hxf1amic .php vk 1TPUSN_id(q q q Pq xq Xq q nk ` 0q h h8:grkanoidnk n ` 0q hpart ha4nk r` 0q hq mq JKnk n ` 0q hData ivk nk r` 0q he8j315nk r` 0q h6 kc |nk r` 0q h16l000nk ]` 0q 4 h *q sq Jvk q 032 N.phtml Qnk r` 0q hq nvk.php?hbinq nk r` 0q h ofO nk r` 0q htche pCBnk r` 0q h qPq nk ]` 0q ( h":-4r-88nk "Ւ` pb q h q fq Jnk r` q hXq aq Uvk q 027 YZnk ]` 0q h0tLSIDnk r` 0q h-4u-88.php3?3A3.phtml?q xC:\documents and settings\tammy\local settings\temp\grosVI.exeependexC:\documents and settings\tammy\local settings\temp\AZ7M2Ozhd.exenk n ` Xq homy Fivk q e037.process?.py gvk ~8q q grosVI.exeq nk n ` 0q h cnk ` 0q 萔 h&sidObjnk n ` 0q he\nk n ` 0q hfmivk q 035 lvk (q Z036Pq X{692B8041-F1C5-4881-82E9-4F94BBA34AC2}rVer` nk "Ւ` q hiersion nk |7` q hj4EB7BBEnk |7` q hknk |7` q h0l1.0nk |7` q hq sq Jvk q 033 N.pl?Qnk |7` q hnnk ]` q h&"onk |7` q hpC:nk |7` q h: qq nk |7` q hq rq nk ]` q H hq aq Jnk |7` q hq bq Uvk q 028 YZnk |7` q h tq nk |7` q hNunk |7` q h04vnk ]` q h""wnk |7` q h00x24-nk |7` q hH P yq nk |7` q hq zq Cnk |7` q
194282 ~1\Tammy\LOCALS~1\Temp\temp.fr0ECC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021906.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr3D99\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021907.vxd!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr05C6\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021909.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA848\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021923.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA317\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021924.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frB6AC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021945.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFBDE\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021958.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0416\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021964.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0968\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022110.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFA94\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022112.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frCFD0\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022114.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr7F96\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022115.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr5687\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022116.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frCDF2\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022117.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frE82E\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022119.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA8D5\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022120.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frD292P hbinp<0/\??\C:\WINDOWS\system32\h20q0cd5ef0.dll!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frDBA4\??\C:\WINDOWS\system32\guard.tmp!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frFAFC\??\C:\WINDOWS\system32\guard.tmp!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr0275\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024696.dll!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr006C\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024697.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr3F57\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024698.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr6DAF\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024699.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frF7C7\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024700.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr73FA\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024701.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr268F\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024702.vxd!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frE8BD\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024703.srg!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frDC99\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024704.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frB578\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024705.DLL!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr09C0331!F01-427C-A58A-7A2E4AABF84D}\RP222\A0021923.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA317\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021924.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frB6AC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021945.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFBDE\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021958.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0416\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021964.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0968\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022110.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFA94\??\C:\System Volume Information\_restore{

C:\Documents and Settings\Tammy\Desktop\Contents.txt (59 KB, 12/24/2004 9:56:14 PM)
2 21 00:40:56 [File Scan] Scanning file C:\WINDOWS\SYSTEM32\guard.tmp
5 159 Data : guard.tmp
6 165 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
7 185 Data : guard.tmp
8 191 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
11 146 Data : guard.tmp
12 152 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
13 172 Data : guard.tmp
14 178 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
17 667 Data : guard.tmp
18 673 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
21 642 Data : guard.tmp
22 648 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
23 668 Data : guard.tmp
24 674 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
27 662 Data : guard.tmp
28 668 Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)
31 commandlh x a o Uprundll32.exe C:\PROGRA~1\AMERIC~1.0D\WEBCAL~1.DLL,WebCalHandler %1nk 'z 4 1 < Programmable96-4nk t (z 'a 1 6 VersionIndependentProgIDvk 82n ContactIaimu Tm m 1nk JE'z a 1 0c&{7DD95801-9882-11CF-9FA9-00AA006C42C4} nk JE'z 5 1 Impl Insertableries-1{00A987AE-587B-4343-B826-89F17AB41A03}peLiblh p ܤ0 B/ %~xN/ ~/ 9y]chali1.0Libhl Xn Xm ot Ds Qvk ,(#a PublisherModel Qnk 'z X/1 6 1 LLLImplemented CategoriesA9nk (z 1 1 rR ProgrammableC3-4vk&e{E2527B48-1C57-4187-A2B0-A96632D78975}BvkLu sDvk~Mk a nk JE'z 5 @` 1 +6 MiscStatusndank 'z X/1 1 pb6 Insertablenk Xl'z x4 1 Programmable32nk 1'z $a 1 &{7DD95801-9882-11CF-9FA9-00AA006C42C4}A91.0u Tnk 'z X/1 P a 1 pb6 MiscStatusndank Xl'z x4 1 0VersionIndependentProgIDlh @ea C x 1 u TXI1 ՗R Xk @1 s Qvka b12/15/2004՗R s Qnk V"(z +6 1 dllInprocServer32 T a 8 a vk `.a lCommentshbin a f U8g% wlA nk JE'z 5 1 L+6 Implemented Categories T0A `B 88 a nk y$U !a X!a h ,m AolCalSvr.ACMonthViewCtrl.56vk,(!a ACMonthViewCtrl Class !a nk y$U a 8"a hN߯N CLSIDSZlh `!a [ vkN!a ٨{0FE9096F-7F7A-4e40-857C-E48A53440DFE}ՒQ !a C:\Program Files\America Online 9.0d\MyCalendar.dllTvk a a lh %a dU a 2. ` C a } x a u T` ՗R 0ag Ug t+6 s Qusvk Microsoft Corporation a nk 'z a 1 pb6 1ypeLibQnk 'z X/1 81 NA0TypeLibnk 1'z 4 hi 1 LImplemented Categories-1vk X a Qitemadin` Hm m /a 1.0u Tnk 1'z 4 ɳ1 hLLInprocServer32 nk 1'z 4 Xp1 Nrver TypeLibe ` nk JE'z 5 1 +6 Controltlh ,a dU@ a 2.(` C a } a 5 u T` ՗R #a 6 tpb6 s QuspeLibnk (z 1 P 1 hLLInprocServer32 nk (z 1 pp1 6rver VersionIndependentProgIDC:\WINDOWS\system32\guard.tmp.dl a nk 'z @ a 1 &{7DD95802-9882-11CF-9FA9-00AA006C42C4}06nk (z xh 1 0.&{B6F041A2-48B9-4d3f-A91D-90E17C505FD3}C5nk t (z 'a 1 ProgrammablerammH a nk Xl'z x4 Hɳ1 hInprocServer32Senk 1'z $a 1 &{7DD95802-9882-11CF-9FA9-00AA006C42C4}06nk (z 1 1 Programmable32Senk (z 1 D1 hInprocServer32Senk (z 1 1 LLControl0` ` `c Hc c 0e vk Ma a FileName a nk -|$U ,a +a h ($K AolCalSvr.ACToolBarCtrl.5h; vk(p+a ACToolBarCtrl Class% X+a nk -|$U *a ,a hN^O CLSIDp lh +a [ vkN(,a ?{F4F30C01-A7B4-492e-943E-58A7CF2D9DD6}턏 H ,a nk 'z X/1 1 h/a Controlnk Xl'z x4 1 0bControlenk t (z 'a e1 hLLInprocServer32 nk (z غ1 41 <LLVersionIndependentProgIDnk ( (z h7a PE1 ntPr 1ogID` Your Commentsx` vk R/n a HelpLinkm 8m LibDvk,e C:\Program Files\America Online 9.0d\MyCalendar.dll06lh p 6Р q 3ةa a s Qnk 'z @ a 1 pb6 &{7DD95801-9882-11CF-9FA9-00AA006C42C4}sIHU V G Xa z4 `a hbin0a pDa (Ink Xl'z x4 x 1 L8 a Implemented CategoriesA9C:\Program Files\America Online 9.0d\MyCalendar.dll1C:\Program Files\America Online 9.0d\MyCalendar.dll1C:\Program Files\America Online 9.0d\MyCalendar.dll1nk (z 1 1 &a Insertablenda{3F8E02B4-6601-41A2-95E7-6BD102935C55}peLibnk N(z ( P1 N0cTypeLib s8 h8 ` c xT Ж D PDa ca vk 5VersionH da lh 8a 1vk : c URLInfoAboutLib nk (z 1 1 ndInsertablemap32enk t (z 'a 1 ndInsertablemap32nk (z غ1 1 hProgrammable32a nk C (z 1 Pv1 r.dToolboxBitmap32nk T+x(z 30 X!0 1 Nb9TypeLibvk R@p atHelpLinknk Z~$U 6a (6a h (^ AolCalSvr.ACMPickerCtrl.5_q8njvk(5a OcACMPickerCtrl Classx( 5a nk Z~$U p5a 7a hN> CLSIDQlh 06a [ vkN6a {DA3C177A-D1DA-47f2-BBF0-E9710CA7253F} 6a nk 'z Hbg p1 A
32 h tnk ]` xq 0 h* unk "Ւ` xq hvisplayNnk "Ւ` xq h wnk "Ւ` xq hxnk "Ւ` xq hHyq nk "Ւ` xq hb z`q nk "Ւ` xq hq [vklh q Aq Bq C8q Dq Eq F@q Gq HPq Iq Jq KXq Lq M@q Nq Oq P@q Qq Rq Sȸq T q Uxq Vйq W(q Xq Yغq Z0q [vk:q @C:\WINDOWS\System32\msbe.dll`hq Xnk nk "Ւ` q hHELP alhnk "Ւ` q h2\bq nk "Ւ` q hcC6906A2nk "Ւ` q htcdnk "Ւ` q henk "Ւ` q hhf`K nk "Ւ` q hbCls gq nk "Ւ` q hhdnk |7` q hq mq J.jtmpl?hbinq nk ]` q @4 h,04rnk "Ւ` pb q h q gq Jnk "Ւ` xq hPq aq Uvk q 025 YZnk ]` q 5 h20tNnk r` q hBEuE15nk r` q hversionnk r` q hw8EEE58Dnk r` q hxnk r` q h yq nk "Ւ` q hznk "Ւ` q hc180 [ q lh q A0q Bq Cq Dq E@q Fq Ghq H q Ixq Jгq K(q Lq Mq Nhq Oq Pq Q q Rq SPq Tq Uq VXq Wq Xq Y`q Zq [q pvk @ q InstallDirHC:\Program Files\TopConvervk Hq q 026 pq q nk K pv{ xhTopConvertingvk q DisplayNamearkanoid GameXq vk Xq UninstallStringxC:\Program Files\TopConverting\arkanoid\arkanoid.exe /uninstalllh q Aq Bq Cpq DȒq E q Fxq GГq Hq Iq J8q Kq L(q Mxq NЖq O(q Pq Qؗq Rq Sq T`q Uq Vq Wq XHq Yq Zq [Xnk @K Xq NTypeLiblhnk n ` 0q hB-bB-2vk q }038vk q 039sion.py?nk H K q ضq h,&{01848FFF-ABF1-4609-A69E-2436F0B5FEDD}vknk H K q hq q hLImplemented Categories.jsp?vknk H K `q q h&{00021492-0000-0000-C000-000000000046}lh q -cvkxq nk s q / hDInprocServer32lh `q 2.q C vk<(q C:\WINDOWS\system32\guard.tmplvk q ThreadingModelApartmentvk&{01848FFF-ABF1-4609-A69E-2436F0B5FEDD}nk n ` Xq hxf1amic .php vk 1TPUSN_id(q q q Pq xq Xq q nk ` 0q h h8:grkanoidnk n ` 0q hpart ha4nk r` 0q hq mq JKnk n ` 0q hData ivk nk r` 0q he8j315nk r` 0q h6 kc |nk r` 0q h16l000nk ]` 0q 4 h *q sq Jvk q 032 N.phtml Qnk r` 0q hq nvk.php?hbinq nk r` 0q h ofO nk r` 0q htche pCBnk r` 0q h qPq nk ]` 0q ( h":-4r-88nk "Ւ` pb q h q fq Jnk r` q hXq aq Uvk q 027 YZnk ]` 0q h0tLSIDnk r` 0q h-4u-88.php3?3A3.phtml?q xC:\documents and settings\tammy\local settings\temp\grosVI.exeependexC:\documents and settings\tammy\local settings\temp\AZ7M2Ozhd.exenk n ` Xq homy Fivk q e037.process?.py gvk ~8q q grosVI.exeq nk n ` 0q h cnk ` 0q 萔 h&sidObjnk n ` 0q he\nk n ` 0q hfmivk q 035 lvk (q Z036Pq X{692B8041-F1C5-4881-82E9-4F94BBA34AC2}rVer` nk "Ւ` q hiersion nk |7` q hj4EB7BBEnk |7` q hknk |7` q h0l1.0nk |7` q hq sq Jvk q 033 N.pl?Qnk |7` q hnnk ]` q h&"onk |7` q hpC:nk |7` q h: qq nk |7` q hq rq nk ]` q H hq aq Jnk |7` q hq bq Uvk q 028 YZnk |7` q h tq nk |7` q hNunk |7` q h04vnk ]` q h""wnk |7` q h00x24-nk |7` q hH P yq nk |7` q hq zq Cnk |7` q
33 ~1\Tammy\LOCALS~1\Temp\temp.fr0ECC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021906.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr3D99\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021907.vxd!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr05C6\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021909.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA848\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021923.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA317\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021924.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frB6AC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021945.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFBDE\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021958.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0416\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021964.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0968\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022110.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFA94\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022112.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frCFD0\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022114.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr7F96\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022115.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr5687\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022116.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frCDF2\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022117.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frE82E\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022119.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA8D5\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022120.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frD292P hbinp<0/\??\C:\WINDOWS\system32\h20q0cd5ef0.dll!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frDBA4\??\C:\WINDOWS\system32\guard.tmp!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frFAFC\??\C:\WINDOWS\system32\guard.tmp!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr0275\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024696.dll!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr006C\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024697.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr3F57\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024698.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr6DAF\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024699.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frF7C7\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024700.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr73FA\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024701.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr268F\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024702.vxd!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frE8BD\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024703.srg!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frDC99\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024704.exe!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.frB578\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP225\A0024705.DLL!\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp.fr09C0331!F01-427C-A58A-7A2E4AABF84D}\RP222\A0021923.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frA317\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021924.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frB6AC\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021945.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFBDE\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021958.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0416\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP222\A0021964.DLL!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.fr0968\??\C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP223\A0022110.exe!\??\C:\DOCUME~1\Tammy\LOCALS~1\Temp\temp.frFA94\??\C:\System Volume Information\_restore{
36 ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00f8f350 77f5c534 77e7a580 00000700 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00f8f3b8 77e7ab74 00000700 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc00f8f464 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000f8f354 34 c5 f5 77 80 a5 e7 77 - 00 07 00 00 00 00 00 00 4..w...w........0000000000f8f364 00 00 00 00 9a 22 dd 77 - 00 07 00 00 00 00 00 00 .....".w........0000000000f8f374 06 00 52 00 00 00 00 00 - c8 f1 f8 00 01 00 00 00 ..R.............0000000000f8f384 00 f0 fd 7f 00 60 fd 7f - 14 00 00 00 01 00 00 00 .....`..........0000000000f8f394 00 00 00 00 00 00 00 00 - 10 00 00 00 68 f3 f8 00 ............h...0000000000f8f3a4 e0 83 e3 77 74 ff f8 00 - e5 b2 e9 77 98 a5 e8 77 ...wt......w...w0000000000f8f3b4 00 00 00 00 64 f4 f8 00 - 74 ab e7 77 00 07 00 00 ....d...t..w....0000000000f8f3c4 ff ff ff ff 00 00 00 00 - 8e 14 01 10 00 07 00 00 ................0000000000f8f3d4 ff ff ff ff 30 f0 d7 00 - c0 52 f2 00 24 02 00 00 ....0....R..$...0000000000f8f3e4 3a 02 00 00 1e 00 00 00 - 36 02 00 00 43 3a 5c 57 :.......6...C:\W0000000000f8f3f4 49 4e 44 4f 57 53 5c 73 - 79 73 74 65 6d 33 32 5c INDOWS\system32\0000000000f8f404 67 75 61 72 64 2e 74 6d - 70 00 65 00 6d 00 33 00 guard.tmp.e.m.3.0000000000f8f414 32 00 5c 00 67 00 75 00 - 61 00 72 00 64 00 2e 00 2.\.g.u.a.r.d...0000000000f8f424 74 00 6d 00 70 00 00 00 - 00 00 00 00 00 00 00 00 t.m.p...........0000000000f8f434 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f444 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f454 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f464 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f474 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f484 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................*----> State Dump for Thread Id 0x91c <----*eax=100287a4 ebx=00000000 ecx=00d7ed50 edx=00000000 esi=00000224 edi=00000000eip=7ffe0304 esp=00fdfd60 ebp=00fdfdc4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00fdfd5c 77f5c534 77e7a580 00000224 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00fdfdc4 77e7ab74 00000224 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc80000002 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000fdfd60 34 c5 f5 77 80 a5 e7 77 - 24 02 00 00 00 00 00 00 4..w...w$.......0000000000fdfd70 00 00 00 00 a8 83 04 10 - 24 02 00
37 ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3 ret 7ffe0305 9c pushfd 7ffe0306 810c2400010000 or dword ptr [esp],0x100 7ffe030d 9d popfd 7ffe030e c3 ret 7ffe030f 8bd4 mov edx,esp 7ffe0311 0f05 syscall 7ffe0313 c3 ret 7ffe0314 9c pushfd 7ffe0315 810c2400010000 or dword ptr [esp],0x100 7ffe031c 9d popfd*----> Stack Back Trace <----*WARNING: Stack unwind information not available. Following frames may be wrong.ChildEBP RetAddr Args to Child 00f8f350 77f5c534 77e7a580 00000230 00000000 *SharedUserSystemCall+0xc (FPO: [0,0,0])00f8f3b8 77e7ab74 00000230 ffffffff 00000000 ntdll!NtWaitForSingleObject+0xc00f8f464 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject+0xf*----> Raw Stack Dump <----*0000000000f8f354 34 c5 f5 77 80 a5 e7 77 - 30 02 00 00 00 00 00 00 4..w...w0.......0000000000f8f364 00 00 00 00 9a 22 dd 77 - 30 02 00 00 00 00 00 00 .....".w0.......0000000000f8f374 06 00 52 00 00 00 00 00 - c8 f1 f8 00 01 00 00 00 ..R.............0000000000f8f384 00 f0 fd 7f 00 60 fd 7f - 14 00 00 00 01 00 00 00 .....`..........0000000000f8f394 00 00 00 00 00 00 00 00 - 10 00 00 00 68 f3 f8 00 ............h...0000000000f8f3a4 e0 83 e3 77 74 ff f8 00 - e5 b2 e9 77 98 a5 e8 77 ...wt......w...w0000000000f8f3b4 00 00 00 00 64 f4 f8 00 - 74 ab e7 77 30 02 00 00 ....d...t..w0...0000000000f8f3c4 ff ff ff ff 00 00 00 00 - 8e 14 01 10 30 02 00 00 ............0...0000000000f8f3d4 ff ff ff ff 30 f0 d7 00 - c0 52 f2 00 1c 02 00 00 ....0....R......0000000000f8f3e4 0a 05 00 00 1e 00 00 00 - 82 05 00 00 43 3a 5c 57 ............C:\W0000000000f8f3f4 49 4e 44 4f 57 53 5c 73 - 79 73 74 65 6d 33 32 5c INDOWS\system32\0000000000f8f404 67 75 61 72 64 2e 74 6d - 70 00 65 00 6d 00 33 00 guard.tmp.e.m.3.0000000000f8f414 32 00 5c 00 67 00 75 00 - 61 00 72 00 64 00 2e 00 2.\.g.u.a.r.d...0000000000f8f424 74 00 6d 00 70 00 00 00 - 00 00 00 00 00 00 00 00 t.m.p...........0000000000f8f434 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f444 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f454 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f464 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f474 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................0000000000f8f484 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................*----> State Dump for Thread Id 0x980 <----*eax=100287a4 ebx=00000000 ecx=00d7ed50 edx=00000000 esi=0000021c edi=00000000eip=7ffe0304 esp=00fdfd60 ebp=00fdfdc4 iopl=0 nv up ei pl nz na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202function: <nosymbols> 7ffe02f2 0000 add [eax],al 7ffe02f4 0000 add [eax],al 7ffe02f6 0000 add [eax],al *SharedUserSystemCall: 7ffe02f8 0000 add [eax],al 7ffe02fa 0000 add [eax],al 7ffe02fc 0000 add [eax],al 7ffe02fe 0000 add [eax],al 7ffe0300 8bd4 mov edx,esp 7ffe0302 0f34 sysenter 7ffe0304 c3
  • 0

#20
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Copy the part in bold below to notepad. Save the file as remisrch.reg, set type to "all files"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F2217E10-EE42-4C5E-871C-BD3C7B8B26FE}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]

Doubleclick the file you made and confirm you wannt to merge it with the registry.

Then reboot.

Regards,

Pieter
  • 0

#21
tdcook4

tdcook4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK...did that. Did you want another Ransack log?

Thanks :tazz:
  • 0

#22
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
No, all I need now is a HijackThis log and I need to know if it still asks for guard.tmp at boot.

Regards,

Pieter
  • 0

#23
tdcook4

tdcook4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK...here's my hijack log, and no...I don't think it's asking for guard.tmp. I'm still getting RUNDLL errors at boot, but it hasn't referred to that file but has referred to various others. (bxtsprx3.dll, for example.) I'm getting fewer pop ups, and it does seem to be running better.

Thanks so much! :tazz:


Logfile of HijackThis v1.99.0
Scan saved at 10:11:24 PM, on 12/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\110281~1\EE\AOLHOS~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\110281~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\ogigyo.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\America Online 9.0d\waol.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0d\shellmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tammy\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PJQ.exe] C:\documents and settings\tammy\local settings\temp\PJQ.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102811785\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /auto:TivoServer
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TiVo Beacon - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
O23 - Service: WANMiniportService - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#24
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
This is mighty frustrating. It is still active, so it would get progressively worse if we leave it alone now.

Please try this:
Download TDS-3 from http://tds.diamondcs...p?page=download
and update it following the instructions here:
http://tds.diamondcs...php?page=update
Then click System Testing > Full System scan.
Have it remove everything it gives you a positive identification of.

Then run the FindIt program and post a new log.

TDS should get rid of the old crap, so hopefully I'll get a better view of what is really happening.

Regards,

Pieter
  • 0

#25
tdcook4

tdcook4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
TDS didn't find anything, which I found surprising, and frustrating. Here's my new findit log. I thought I'd try running TDS again, but wanted to send this first. (And yes..I updated TDS :tazz:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Program Files\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/30/2004 01:10 PM 224,618 guard.tmp
12/30/2004 12:43 PM 225,246 gppul3791.dll
12/28/2004 04:41 AM 225,588 dn4u01h9e.dll
12/26/2004 09:04 AM 223,581 dinhupnp.dll
12/12/2004 12:40 PM <DIR> DLLCACHE
12/06/2004 06:53 AM 389,120 ??chost.exe
03/22/2004 09:13 PM <DIR> Microsoft
5 File(s) 1,288,153 bytes
2 Dir(s) 66,757,320,704 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/12/2004 12:40 PM <DIR> DLLCACHE
12/06/2004 06:53 AM 389,120 ??chost.exe
06/26/2004 10:32 PM <DIR> GroupPolicy
09/03/2002 01:33 PM 488 WindowsLogon.manifest
09/03/2002 01:33 PM 488 logonui.exe.manifest
09/03/2002 01:33 PM 749 sapi.cpl.manifest
09/03/2002 01:33 PM 749 nwc.cpl.manifest
09/03/2002 01:33 PM 749 ncpa.cpl.manifest
09/03/2002 01:33 PM 749 wuaucpl.cpl.manifest
09/03/2002 01:33 PM 749 cdplayer.exe.manifest
8 File(s) 393,841 bytes
2 Dir(s) 66,757,320,704 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/30/2004 01:10 PM 224,618 guard.tmp
1 File(s) 224,618 bytes
0 Dir(s) 66,757,316,608 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/30/2004 01:10 PM 224,618 guard.tmp
08/29/2002 05:00 AM 2,577 CONFIG.TMP
2 File(s) 227,195 bytes
0 Dir(s) 66,757,312,512 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F2217E10-EE42-4C5E-871C-BD3C7B8B26FE}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f4l00e3meh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
dinhupnp.dll Sun Dec 26 2004 9:04:04a ..S.R 223,581 218.34 K
dn4u01~1.dll Tue Dec 28 2004 4:41:38a ..S.R 225,588 220.30 K
gppul3~1.dll Thu Dec 30 2004 12:43:30p ..S.R 225,246 219.96 K
guard.tmp Thu Dec 30 2004 1:10:20p ..S.R 224,618 219.35 K
chost~1.exe Mon Dec 6 2004 6:53:08a ..SHR 389,120 380.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,288,153 bytes 1.23 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\mazapm.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\zqyqgz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ogigyo.exe: .aspack
C:\WINDOWS\SYSTEM32\ykakqy.dat: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"PPMemCheck"="c:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"PJQ.exe"="C:\\documents and settings\\tammy\\local settings\\temp\\PJQ.exe"
"PestPatrol Control Center"="c:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"Iomega Automatic Backup 1.0.1"="C:\\Program Files\\Iomega\\Iomega Automatic Backup\\ibackup.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1102811785\\EE\\AOLHostManager.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CookiePatrol"="c:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

Advertisements


#26
tdcook4

tdcook4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
TDS didn't find anything, which I found surprising, and frustrating. Here's my new findit log. I thought I'd try running TDS again, but wanted to send this first. (And yes..I updated TDS :tazz:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Program Files\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/30/2004 01:10 PM 224,618 guard.tmp
12/30/2004 12:43 PM 225,246 gppul3791.dll
12/28/2004 04:41 AM 225,588 dn4u01h9e.dll
12/26/2004 09:04 AM 223,581 dinhupnp.dll
12/12/2004 12:40 PM <DIR> DLLCACHE
12/06/2004 06:53 AM 389,120 ??chost.exe
03/22/2004 09:13 PM <DIR> Microsoft
5 File(s) 1,288,153 bytes
2 Dir(s) 66,757,320,704 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/12/2004 12:40 PM <DIR> DLLCACHE
12/06/2004 06:53 AM 389,120 ??chost.exe
06/26/2004 10:32 PM <DIR> GroupPolicy
09/03/2002 01:33 PM 488 WindowsLogon.manifest
09/03/2002 01:33 PM 488 logonui.exe.manifest
09/03/2002 01:33 PM 749 sapi.cpl.manifest
09/03/2002 01:33 PM 749 nwc.cpl.manifest
09/03/2002 01:33 PM 749 ncpa.cpl.manifest
09/03/2002 01:33 PM 749 wuaucpl.cpl.manifest
09/03/2002 01:33 PM 749 cdplayer.exe.manifest
8 File(s) 393,841 bytes
2 Dir(s) 66,757,320,704 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/30/2004 01:10 PM 224,618 guard.tmp
1 File(s) 224,618 bytes
0 Dir(s) 66,757,316,608 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/30/2004 01:10 PM 224,618 guard.tmp
08/29/2002 05:00 AM 2,577 CONFIG.TMP
2 File(s) 227,195 bytes
0 Dir(s) 66,757,312,512 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F2217E10-EE42-4C5E-871C-BD3C7B8B26FE}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f4l00e3meh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
dinhupnp.dll Sun Dec 26 2004 9:04:04a ..S.R 223,581 218.34 K
dn4u01~1.dll Tue Dec 28 2004 4:41:38a ..S.R 225,588 220.30 K
gppul3~1.dll Thu Dec 30 2004 12:43:30p ..S.R 225,246 219.96 K
guard.tmp Thu Dec 30 2004 1:10:20p ..S.R 224,618 219.35 K
chost~1.exe Mon Dec 6 2004 6:53:08a ..SHR 389,120 380.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,288,153 bytes 1.23 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\mazapm.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\zqyqgz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ogigyo.exe: .aspack
C:\WINDOWS\SYSTEM32\ykakqy.dat: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"PPMemCheck"="c:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"PJQ.exe"="C:\\documents and settings\\tammy\\local settings\\temp\\PJQ.exe"
"PestPatrol Control Center"="c:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"Iomega Automatic Backup 1.0.1"="C:\\Program Files\\Iomega\\Iomega Automatic Backup\\ibackup.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1102811785\\EE\\AOLHostManager.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CookiePatrol"="c:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#27
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\gppul3791.dll
C:\WINDOWS\System32\dn4u01h9e.dll
C:\WINDOWS\System32\dinhupnp.dll
C:\WINDOWS\SYSTEM32\mazapm.exe
C:\WINDOWS\SYSTEM32\zqyqgz.dll
C:\WINDOWS\SYSTEM32\ogigyo.exe
C:\WINDOWS\SYSTEM32\ykakqy.dat
C:\WINDOWS\SYSTEM32\chost~1.exe
C:\WINDOWS\system32\f4l00e3meh.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F2217E10-EE42-4C5E-871C-BD3C7B8B26FE}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PJQ.exe"=-


Then reboot once more and post a HijackThis log.

Regards,

Pieter
  • 0

#28
tdcook4

tdcook4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
All done....and you have the patience of a saint :tazz:

Here's my HijackThis log.....


Logfile of HijackThis v1.99.0
Scan saved at 10:56:44 PM, on 12/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ogigyo.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0d\waol.exe
C:\PROGRA~1\COMMON~1\AOL\110281~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110281~1\EE\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0d\shellmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tammy\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102811785\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /auto:TivoServer
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TiVo Beacon - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
O23 - Service: WANMiniportService - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#29
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - Global Startup: strings.exe

Then reboot.

Run HijackThis and check if the O1 entries stay away this time.

Regards,

Pieter
  • 0

#30
criticman

criticman

    Member

  • Member
  • PipPip
  • 37 posts

Major newbie here.  I apparently have the same problem as PyromanicElf (post 12/13) and neo fightr (post 12/18).  I've received numerous error messages, including "An exception occurred while trying to run "C:\Windows\system32\guard.tmp", UMonitor.  The same message occurs frequently with various .dll extensions. 

In addition, Norton appeared to be updating for several days as I was running  numerous virus scans, but the update date never changed. (My son eventually mentioned receiving an error message that Norton had been tampered with.)  I followed Norton's instructions to fix (disable System Restore, backup registry, uninstall, reinstall, etc.)  I repeatedly have 18 files Norton still can't remove and I suspect it's not updating again.

I've run Adaware repeatedly.  Some objects are removed, but it always ends with the message "Some objects could not be removed. Try closing all open browser windows prior to removal, etc."  As Adaware is removing objects, my desktop icons disappear, the screen flashes briefly and the My Documents window always opens.

I'm feeling way over my head, but I've read your instructions to others.....obtain logs only, no removal of anything...... and will post the logs here.

Please help! I apologize if I'm giving you way more than you need in terms of logs. Thanks in advance for anything you can do.

Here's the Find It NT-2K-XP  log....
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Program Files\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/19/2004  05:56 PM          225,787 OUE2.DLL
12/19/2004  05:56 PM          225,915 f82m0if1e82.dll
12/19/2004  05:42 PM          225,914 jt2m07f1e.dll
12/19/2004  02:03 PM          226,087 f00o0ad3ed0.dll
12/19/2004  01:54 PM          226,196 lv0409dqe.dll
12/19/2004  02:37 AM          223,924 e6020gdoe60c0.dll
12/18/2004  05:39 PM          225,787 gp68l3ju1.dll
12/18/2004  05:05 PM          224,177 fpn2035oe.dll
12/17/2004  02:04 PM          224,983 OKEACC.DLL
12/17/2004  01:48 PM          224,983 IHWPHBK.DLL
12/17/2004  01:46 PM          223,046 i660lgjm16oa.dll
12/17/2004  01:39 PM          223,046 witdecod.dll
12/17/2004  10:23 AM          224,983 mwwstr10.dll
12/17/2004  09:03 AM          224,635 p6p60g7se6.dll
12/17/2004  08:35 AM          224,635 MANSSPC.DLL
12/17/2004  08:10 AM          223,225 SNRMDLL.DLL
12/17/2004  12:48 AM          223,225 SLPRV.DLL
12/17/2004  12:48 AM          224,557 i2lolc331f.dll
12/16/2004  03:01 PM          224,424 WT2TOPL.DLL
12/16/2004  10:05 AM          225,098 SWSSETUP.DLL
12/16/2004  08:51 AM          224,424 MZRCLR40.DLL
12/16/2004  03:17 AM          225,285 dnro0193e.dll
12/16/2004  02:18 AM          224,424 dxwave.dll
12/16/2004  02:09 AM          225,285 IEAGEHLP.DLL
12/16/2004  02:06 AM          224,424 II32_32.DLL
12/16/2004  01:45 AM          225,881 ddcompos.dll
12/16/2004  01:20 AM          223,222 IUETPP.DLL
12/13/2004  01:59 AM          226,050 lvp0097me.dll
12/12/2004  12:40 PM    <DIR>          DLLCACHE
12/12/2004  07:55 AM          223,017 DBMASF.DLL
12/11/2004  10:43 PM          223,017 MPBSYNC.DLL
12/11/2004  10:07 PM          224,612 RGVPSP.DLL
12/11/2004  09:49 PM          223,017 wccdlg.dll
12/11/2004  08:18 PM          226,158 WHBHITS.DLL
12/11/2004  07:44 PM          226,158 NGMSMGR.DLL
12/11/2004  07:44 PM          222,833 enn2l15o1.dll
12/11/2004  12:16 PM          226,158 WZN87EM.DLL
12/11/2004  12:14 PM          224,359 j8l40i3qe8.dll
12/11/2004  12:44 AM          223,327 hrr0059me.dll
12/06/2004  06:53 AM          389,120 ??chost.exe
03/22/2004  09:13 PM    <DIR>          Microsoft
              39 File(s)      8,925,398 bytes
              2 Dir(s)  67,442,290,688 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

12/12/2004  12:40 PM    <DIR>          DLLCACHE
12/06/2004  06:53 AM          389,120 ??chost.exe
06/26/2004  10:32 PM    <DIR>          GroupPolicy
09/03/2002  01:33 PM              488 WindowsLogon.manifest
09/03/2002  01:33 PM              488 logonui.exe.manifest
09/03/2002  01:33 PM              749 sapi.cpl.manifest
09/03/2002  01:33 PM              749 nwc.cpl.manifest
09/03/2002  01:33 PM              749 ncpa.cpl.manifest
09/03/2002  01:33 PM              749 wuaucpl.cpl.manifest
09/03/2002  01:33 PM              749 cdplayer.exe.manifest
              8 File(s)        393,841 bytes
              2 Dir(s)  67,442,290,688 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 3441-CED9

Directory of C:\WINDOWS\System32

08/29/2002  05:00 AM            2,577 CONFIG.TMP
              1 File(s)          2,577 bytes
              0 Dir(s)  67,442,282,496 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F2217E10-EE42-4C5E-871C-BD3C7B8B26FE}"=""
------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp68l3ju1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
  dbmasf.dll    Sun Dec 12 2004  7:55:06a  ..S.R        223,017  217.79 K
  ddcompos.dll  Thu Dec 16 2004  1:45:42a  ..S.R        225,881  220.59 K
  dnro01~1.dll  Thu Dec 16 2004  3:17:30a  ..S.R        225,285  220.00 K
  dxwave.dll    Thu Dec 16 2004  2:18:46a  ..S.R        224,424  219.16 K
  e6020g~1.dll  Sun Dec 19 2004  2:37:38a  ..S.R        223,924  218.68 K
  enn2l1~1.dll  Sat Dec 11 2004  7:44:58p  ..S.R        222,833  217.61 K
  f00o0a~1.dll  Sun Dec 19 2004  2:04:00p  ..S.R        226,087  220.79 K
  f82m0i~1.dll  Sun Dec 19 2004  5:56:08p  ..S.R        225,915  220.62 K
  fpn203~1.dll  Sat Dec 18 2004  5:05:56p  ..S.R        224,177  218.92 K
  gp68l3~1.dll  Sat Dec 18 2004  5:39:36p  ..S.R        225,787  220.49 K
  hrr005~1.dll  Sat Dec 11 2004  12:44:36a  ..S.R        223,327  218.09 K
  i2lolc~1.dll  Fri Dec 17 2004  12:48:02a  ..S.R        224,557  219.29 K
  i660lg~1.dll  Fri Dec 17 2004  1:46:58p  ..S.R        223,046  217.82 K
  ieagehlp.dll  Thu Dec 16 2004  2:09:36a  ..S.R        225,285  220.00 K
  ihwphbk.dll    Fri Dec 17 2004  1:48:24p  ..S.R        224,983  219.71 K
  ii32_32.dll    Thu Dec 16 2004  2:06:18a  ..S.R        224,424  219.16 K
  iuetpp.dll    Thu Dec 16 2004  1:20:28a  ..S.R        223,222  217.99 K
  j8l40i~1.dll  Sat Dec 11 2004  12:14:52p  ..S.R        224,359  219.10 K
  jt2m07~1.dll  Sun Dec 19 2004  5:42:16p  ..S.R        225,914  220.62 K
  lv0409~1.dll  Sun Dec 19 2004  1:54:10p  ..S.R        226,196  220.89 K
  lvp009~1.dll  Mon Dec 13 2004  1:59:26a  ..S.R        226,050  220.75 K
  mansspc.dll    Fri Dec 17 2004  8:35:06a  ..S.R        224,635  219.37 K
  mpbsync.dll    Sat Dec 11 2004  10:43:06p  ..S.R        223,017  217.79 K
  mwwstr10.dll  Fri Dec 17 2004  10:23:38a  ..S.R        224,983  219.71 K
  mzrclr40.dll  Thu Dec 16 2004  8:51:50a  ..S.R        224,424  219.16 K
  ngmsmgr.dll    Sat Dec 11 2004  7:44:58p  ..S.R        226,158  220.86 K
  okeacc.dll    Fri Dec 17 2004  2:04:26p  ..S.R        224,983  219.71 K
  oue2.dll      Sun Dec 19 2004  5:56:10p  ..S.R        225,787  220.49 K
  p6p60g~1.dll  Fri Dec 17 2004  9:03:06a  ..S.R        224,635  219.37 K
  rgvpsp.dll    Sat Dec 11 2004  10:07:36p  ..S.R        224,612  219.35 K
  slprv.dll      Fri Dec 17 2004  12:48:02a  ..S.R        223,225  217.99 K
  snrmdll.dll    Fri Dec 17 2004  8:10:52a  ..S.R        223,225  217.99 K
  swssetup.dll  Thu Dec 16 2004  10:05:56a  ..S.R        225,098  219.82 K
  wccdlg.dll    Sat Dec 11 2004  9:49:30p  ..S.R        223,017  217.79 K
  whbhits.dll    Sat Dec 11 2004  8:18:18p  ..S.R        226,158  220.86 K
  witdecod.dll  Fri Dec 17 2004  1:39:58p  ..S.R        223,046  217.82 K
  wt2topl.dll    Thu Dec 16 2004  3:01:36p  ..S.R        224,424  219.16 K
  wzn87em.dll    Sat Dec 11 2004  12:16:02p  ..S.R        226,158  220.86 K
  chost~1.exe    Mon Dec  6 2004  6:53:08a  ..SHR        389,120  380.00 K

39 items found:  39 files, 0 directories.
  Total of file sizes:  8,925,398 bytes      8.51 M

------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"WildTangent CDA"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"ueUiaK.exe"="C:\\documents and settings\\tammy\\local settings\\temp\\ueUiaK.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"pvbDp.exe"="C:\\documents and settings\\tammy\\local settings\\temp\\pvbDp.exe"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"PJQ.exe"="C:\\documents and settings\\tammy\\local settings\\temp\\PJQ.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"javaba32.exe"="C:\\WINDOWS\\javaba32.exe"
"Iomega Automatic Backup 1.0.1"="C:\\Program Files\\Iomega\\Iomega Automatic Backup\\ibackup.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1102811785\\EE\\AOLHostManager.exe"
"grosVI.exe"="C:\\documents and settings\\tammy\\local settings\\temp\\grosVI.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"AZ7M2Ozhd.exe"="C:\\documents and settings\\tammy\\local settings\\temp\\AZ7M2Ozhd.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


And the log from VX2Finder......

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
App Management
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:

User Agent String---
{F2217E10-EE42-4C5E-871C-BD3C7B8B26FE}
And DllCompare...

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dbmasf.dll    Sun Dec 12 2004  7:55:06a  ..S.R        223,017  217.79 K
C:\WINDOWS\SYSTEM32\ddcompos.dll  Thu Dec 16 2004  1:45:42a  ..S.R        225,881  220.59 K
C:\WINDOWS\SYSTEM32\dnro01~1.dll  Thu Dec 16 2004  3:17:30a  ..S.R        225,285  220.00 K
C:\WINDOWS\SYSTEM32\dxwave.dll    Thu Dec 16 2004  2:18:46a  ..S.R        224,424  219.16 K
C:\WINDOWS\SYSTEM32\e6020g~1.dll  Sun Dec 19 2004  2:37:38a  ..S.R        223,924  218.68 K
C:\WINDOWS\SYSTEM32\enn2l1~1.dll  Sat Dec 11 2004  7:44:58p  ..S.R        222,833  217.61 K
C:\WINDOWS\SYSTEM32\f00o0a~1.dll  Sun Dec 19 2004  2:04:00p  ..S.R        226,087  220.79 K
C:\WINDOWS\SYSTEM32\f82m0i~1.dll  Sun Dec 19 2004  5:56:08p  ..S.R        225,915  220.62 K
C:\WINDOWS\SYSTEM32\fpn203~1.dll  Sat Dec 18 2004  5:05:56p  ..S.R        224,177  218.92 K
C:\WINDOWS\SYSTEM32\gp68l3~1.dll  Sat Dec 18 2004  5:39:36p  ..S.R        225,787  220.49 K
C:\WINDOWS\SYSTEM32\hrr005~1.dll  Sat Dec 11 2004  12:44:36a  ..S.R        223,327  218.09 K
C:\WINDOWS\SYSTEM32\i2lolc~1.dll  Fri Dec 17 2004  12:48:02a  ..S.R        224,557  219.29 K
C:\WINDOWS\SYSTEM32\i660lg~1.dll  Fri Dec 17 2004  1:46:58p  ..S.R        223,046  217.82 K
C:\WINDOWS\SYSTEM32\ieagehlp.dll  Thu Dec 16 2004  2:09:36a  ..S.R        225,285  220.00 K
C:\WINDOWS\SYSTEM32\ihwphbk.dll    Fri Dec 17 2004  1:48:24p  ..S.R        224,983  219.71 K
C:\WINDOWS\SYSTEM32\ii32_32.dll    Thu Dec 16 2004  2:06:18a  ..S.R        224,424  219.16 K
C:\WINDOWS\SYSTEM32\iuetpp.dll    Thu Dec 16 2004  1:20:28a  ..S.R        223,222  217.99 K
C:\WINDOWS\SYSTEM32\j8l40i~1.dll  Sat Dec 11 2004  12:14:52p  ..S.R        224,359  219.10 K
C:\WINDOWS\SYSTEM32\jt2m07~1.dll  Sun Dec 19 2004  5:42:16p  ..S.R        225,914  220.62 K
C:\WINDOWS\SYSTEM32\lv0409~1.dll  Sun Dec 19 2004  1:54:10p  ..S.R        226,196  220.89 K
C:\WINDOWS\SYSTEM32\lvp009~1.dll  Mon Dec 13 2004  1:59:26a  ..S.R        226,050  220.75 K
C:\WINDOWS\SYSTEM32\mansspc.dll    Fri Dec 17 2004  8:35:06a  ..S.R        224,635  219.37 K
C:\WINDOWS\SYSTEM32\mpbsync.dll    Sat Dec 11 2004  10:43:06p  ..S.R        223,017  217.79 K
C:\WINDOWS\SYSTEM32\mwwstr10.dll  Fri Dec 17 2004  10:23:38a  ..S.R        224,983  219.71 K
C:\WINDOWS\SYSTEM32\mzrclr40.dll  Thu Dec 16 2004  8:51:50a  ..S.R        224,424  219.16 K
C:\WINDOWS\SYSTEM32\ngmsmgr.dll    Sat Dec 11 2004  7:44:58p  ..S.R        226,158  220.86 K
C:\WINDOWS\SYSTEM32\okeacc.dll    Fri Dec 17 2004  2:04:26p  ..S.R        224,983  219.71 K
C:\WINDOWS\SYSTEM32\oue2.dll      Sun Dec 19 2004  5:56:10p  ..S.R        225,787  220.49 K
C:\WINDOWS\SYSTEM32\p6p60g~1.dll  Fri Dec 17 2004  9:03:06a  ..S.R        224,635  219.37 K
C:\WINDOWS\SYSTEM32\rgvpsp.dll    Sat Dec 11 2004  10:07:36p  ..S.R        224,612  219.35 K
C:\WINDOWS\SYSTEM32\slprv.dll      Fri Dec 17 2004  12:48:02a  ..S.R        223,225  217.99 K
C:\WINDOWS\SYSTEM32\snrmdll.dll    Fri Dec 17 2004  8:10:52a  ..S.R        223,225  217.99 K
C:\WINDOWS\SYSTEM32\swssetup.dll  Thu Dec 16 2004  10:05:56a  ..S.R        225,098  219.82 K
C:\WINDOWS\SYSTEM32\wccdlg.dll    Sat Dec 11 2004  9:49:30p  ..S.R        223,017  217.79 K
C:\WINDOWS\SYSTEM32\whbhits.dll    Sat Dec 11 2004  8:18:18p  ..S.R        226,158  220.86 K
C:\WINDOWS\SYSTEM32\witdecod.dll  Fri Dec 17 2004  1:39:58p  ..S.R        223,046  217.82 K
C:\WINDOWS\SYSTEM32\wt2topl.dll    Thu Dec 16 2004  3:01:36p  ..S.R        224,424  219.16 K
C:\WINDOWS\SYSTEM32\wzn87em.dll    Sat Dec 11 2004  12:16:02p  ..S.R        226,158  220.86 K
________________________________________________

1,301 items found:  1,301 files (38 H/S), 0 directories.
Total of file sizes:  268,170,595 bytes    255.75 M

Administrator Account =  True

--------------------End log---------------------
And finally....my hijack this log.  Incidentally, an error message appears when I open HijackThis, telling me it "appears to have been opened from a temporary folder, etc."....but it's not a temporary.  I tried pasting into another, but still get the same message.

Logfile of HijackThis v1.99.0
Scan saved at 2:40:54 AM, on 12/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\documents and settings\tammy\local settings\temp\AZ7M2Ozhd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\??chost.exe
C:\PROGRA~1\COMMON~1\AOL\110281~1\EE\AOLHOS~1.EXE
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\PROGRA~1\COMMON~1\AOL\110281~1\EE\AOLServiceHost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0d\waol.exe
C:\Program Files\America Online 9.0d\shellmon.exe
C:\Documents and Settings\Tammy\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zuyhd.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zuyhd.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Tammy\Local Settings\Temp\aHXn52s3U.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ueUiaK.exe] C:\documents and settings\tammy\local settings\temp\ueUiaK.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pvbDp.exe] C:\documents and settings\tammy\local settings\temp\pvbDp.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PJQ.exe] C:\documents and settings\tammy\local settings\temp\PJQ.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [javaba32.exe] C:\WINDOWS\javaba32.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102811785\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [grosVI.exe] C:\documents and settings\tammy\local settings\temp\grosVI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AZ7M2Ozhd.exe] C:\documents and settings\tammy\local settings\temp\AZ7M2Ozhd.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Yvaz] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /auto:TivoServer
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range:  (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45CA330F-30C2-47FC-B2FA-5527179FC356}: NameServer = 205.188.146.146
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TiVo Beacon - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
O23 - Service: WANMiniportService - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\winxq.exe (file missing)

View Post


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP