Hijack This Log



#1
prufrock101

    New Member

  • Member
  • 4 posts
I've run Ad-Aware, Spybot, and Ewido... I tried CWShredder but it doesn't run. Every time I reboot ewido finds smss and wants to delete it. The same thing happens with Spybot... every time I reboot it finds the same problem.


Logfile of HijackThis v1.99.1
Scan saved at 12:09:11 AM, on 10/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Desktop\HijackThis.exe

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\nnllj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkklk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [M\U[XRKVR]_`MJaN[U\P] C:\WINDOWS\System32\gcxbi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128835902707
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128835870391
O17 - HKLM\System\CCS\Services\Tcpip\..\{875250DF-332B-4782-8DA3-DBCF21444947}: NameServer = 192.168.0.1
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: jkklk - C:\WINDOWS\System32\jkklk.dll
O20 - Winlogon Notify: nnllj - C:\WINDOWS\SYSTEM32\nnllj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
O23 - Service: SMSS - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
  • 0



#2
Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi prufrock101


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\jkklk.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\klkkj.*
    This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\nnllj.dll

    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkklk.dll

    O20 - Winlogon Notify: jkklk - C:\WINDOWS\System32\jkklk.dll

    O20 - Winlogon Notify: nnllj - C:\WINDOWS\SYSTEM32\nnllj.dll

  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0
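The fix above is driven by a handful of cues a helper reads off a HijackThis log: a BHO registered with no name, O2/O20 entries that load a five-letter DLL straight out of System32 (jkklk.dll, nnllj.dll), a Run value whose name is punctuation soup, and a service whose binary is missing. VundoFix then wants the DLL path and, as the second path, the same file stem reversed with a `.*` extension (jkklk becomes klkkj.*). The Python script below is an added example, not code from this thread, from HijackThis or from VundoFix: it applies those cues to log lines and derives the reversed-name path. The sample lines are copied from the first log posted above; the five-letter-name rule and the 20% punctuation threshold are assumptions of the example.

```python
from __future__ import annotations
import re

# Constructed sample input: nine lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\nnllj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkklk.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [M\U[XRKVR]_`MJaN[U\P] C:\WINDOWS\System32\gcxbi.exe
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: jkklk - C:\WINDOWS\System32\jkklk.dll
O20 - Winlogon Notify: nnllj - C:\WINDOWS\SYSTEM32\nnllj.dll
O23 - Service: SMSS - Unknown owner - C:\WINDOWS\smss.exe (file missing)
"""

# Assumed heuristic: a DLL directly under ...\System32 whose base name is five letters,
# the naming pattern of the Vundo files in this thread. Group 1 = full path, group 2 = stem.
RANDOM_SYS32_DLL = re.compile(r"(\S+\\system32\\([a-z]{5})\.dll)\b", re.IGNORECASE)


def vundofix_second_path(dll_path: str) -> str:
    """The second path VundoFix asks for: same folder, file stem reversed, any extension."""
    folder, _, filename = dll_path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return f"{folder}\\{stem[::-1]}.*"


# e.g. the [M\U[XRKVR]_`MJaN[U\P] Run value in the log above; the 20% cut-off is an assumption.
def looks_garbled(value_name: str, threshold: float = 0.2) -> bool:
    """True when a Run value name is mostly punctuation rather than a readable product name."""
    if not value_name:
        return False
    odd = sum(1 for ch in value_name if not (ch.isalnum() or ch in " ._-"))
    return odd / len(value_name) > threshold


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for log entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # "O2", "O4", "O20", "O23", ...
        dll = RANDOM_SYS32_DLL.search(line)
        if section == "O2" and "(no name)" in line:
            findings.append((line, "BHO registered without a name"))
        elif section in ("O2", "O20") and dll:
            findings.append((line, f"five-letter DLL {dll.group(2)}.dll loaded from System32"))
        elif section == "O4":
            name = re.search(r"\[(.*)\] ", line)
            if name and looks_garbled(name.group(1)):
                findings.append((line, "Run entry with a garbled value name"))
        elif section == "O23" and line.endswith("(file missing)"):
            findings.append((line, "service whose binary is missing"))
    return findings


def vundofix_paths(log_text: str) -> list[tuple[str, str]]:
    """Unique five-letter System32 DLLs in the log, each paired with its VundoFix second path."""
    seen: dict[str, tuple[str, str]] = {}
    for line in log_text.splitlines():
        dll = RANDOM_SYS32_DLL.search(line)
        if dll:
            path = dll.group(1)
            seen.setdefault(path.lower(), (path, vundofix_second_path(path)))
    return list(seen.values())


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:<48} {line}")
    for path, reversed_glob in vundofix_paths(SAMPLE_LOG):
        print(f"VundoFix paths: {path}  then  {reversed_glob}")
```

The five-letter rule is a triage hint, not a verdict: legitimate System32 files with five-letter names exist (cscui.dll shows up in the registry section of the WinPFind log in this thread), so each hit still needs its timestamp, attributes and publisher checked, which is what the later WinPFind step supplies.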

#3
prufrock101

    New Member

  • Topic Starter
  • Member
  • 4 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:29:51 PM, on 10/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [M\U[XRKVR]_`MJaN[U\P] C:\WINDOWS\System32\phdyi.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_208147] C:\WINDOWS\System32\ActiveScan\pavdr.exe 208147
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\cleanup.exe /WindowsRestart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128835902707
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128835870391
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{875250DF-332B-4782-8DA3-DBCF21444947}: NameServer = 192.168.0.1
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
O23 - Service: SMSS - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe



VUNDO

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 128 'smss.exe'
Threads [132][136][140]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 836 'explorer.exe'
Killing PID 836 'explorer.exe'
Killing PID 836 'explorer.exe'
Killing PID 836 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 200 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.





ACTIVESCAN

Incident Status Location

Virus:W32/Bobax.BN.worm Disinfected Operating system
Adware:adware/elitebar No disinfected C:\WINDOWS\etb
Adware:adware/startpage.aiw No disinfected Windows Registry
Possible Virus. No disinfected C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Desktop\backups\backup-20051009-145608-597.dll
Virus:W32/Bobax.BN.worm Disinfected C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Local Settings\Temp\kzfur.hkp
Virus:W32/Bobax.BN.worm Disinfected C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Local Settings\Temp\opccyot.mln
Virus:W32/Baxbo.A Disinfected C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Virus:W32/Baxbo.A Disinfected C:\Program Files\QuickTime\qttask.exe
Virus:W32/Baxbo.A Disinfected C:\Program Files\Spyware Doctor\swdoctor.exe
Virus:W32/Baxbo.A Disinfected C:\Program Files\Valve\Steam\SteamTmp.exe
Adware:Adware/IST.ISTBar No disinfected C:\RECYCLER\S-1-5-21-789336058-706699826-1343024091-1004\Dc38\xml_istbar.xml
Possible Virus. No disinfected C:\WINDOWS\system32\awttr.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\cbawt.dll
Possible Virus. No disinfected C:\WINDOWS\system32\ddcby.dll
Virus:Trj/Qhost.AD Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20051008-233915.backup
Possible Virus. No disinfected C:\WINDOWS\system32\fcyaw.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\hggff.dll
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Possible Virus. No disinfected C:\WINDOWS\system32\jkhff.dll
Possible Virus. No disinfected C:\WINDOWS\system32\jkkli.dll
Possible Virus. No disinfected C:\WINDOWS\system32\khfff.dll
Possible Virus. No disinfected C:\WINDOWS\system32\ljjgf.dll
Possible Virus. No disinfected C:\WINDOWS\system32\mllji.dll
Possible Virus. No disinfected C:\WINDOWS\system32\nnllj.dll
Possible Virus. No disinfected C:\WINDOWS\system32\oppom.dll
Possible Virus. No disinfected C:\WINDOWS\system32\qomjh.dll
Possible Virus. No disinfected C:\WINDOWS\system32\qomno.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\qopqn.dll
Possible Virus. No disinfected C:\WINDOWS\system32\rqrqo.dll
Possible Virus. No disinfected C:\WINDOWS\system32\sstqo.dll
Possible Virus. No disinfected C:\WINDOWS\system32\tuvvt.dll
Possible Virus. No disinfected C:\WINDOWS\system32\yayvt.dll
Possible Virus. No disinfected C:\WINDOWS\system32\yayxv.dll


I'm sort of surprised at how much stuff there is there still. This is on a Dell Inspiron 600m laptop. I reinstalled Windows using the Dell CD right before coming to this website, and it seemed to keep all my files. Reinstalling Windows is an option, but I'm not sure how to do it in such a way that it deletes all the files and gets rid of all the problems.
  • 0

#4
Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Reformat???

Whats That??? :tazz:


I'm as stubborn as they come out here, so Reformat does not compute!


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Post the log from WinPFind in the next reply!
  • 0

#5
prufrock101

    New Member

  • Topic Starter
  • Member
  • 4 posts
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 7/16/2003 1:26:44 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
Umonitor 7/16/2003 1:42:42 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 7/16/2003 1:50:38 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/10/2005 4:29:56 PM S 2048 C:\WINDOWS\bootstat.dat
10/4/2005 1:02:04 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
10/4/2005 1:02:16 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
10/4/2005 1:03:30 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
10/8/2005 10:32:26 PM H 0 C:\WINDOWS\inf\oem10.inf
10/4/2005 1:02:16 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
10/4/2005 1:03:00 PM RHS 727 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_1.cab
10/4/2005 1:03:00 PM RHS 19854 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_2.cab
10/4/2005 1:03:00 PM RHS 243124 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_3.cab
10/4/2005 1:11:08 PM H 229376 C:\WINDOWS\repair\ntuser.dat
10/8/2005 10:46:02 AM HS 28173 C:\WINDOWS\system32\awttr.dll
10/6/2005 10:31:20 PM HS 27149 C:\WINDOWS\system32\cbawt.dll
10/4/2005 1:02:04 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
10/7/2005 8:51:50 PM HS 28173 C:\WINDOWS\system32\ddcby.dll
10/8/2005 10:57:40 AM HS 28173 C:\WINDOWS\system32\fcyaw.dll
10/6/2005 8:44:38 PM HS 27149 C:\WINDOWS\system32\hggff.dll
10/8/2005 6:53:38 PM HS 28173 C:\WINDOWS\system32\jkhff.dll
10/8/2005 7:26:30 PM HS 28173 C:\WINDOWS\system32\jkkli.dll
10/8/2005 6:49:28 PM HS 28173 C:\WINDOWS\system32\khfff.dll
10/8/2005 11:17:36 AM HS 28173 C:\WINDOWS\system32\ljjgf.dll
10/4/2005 1:02:16 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
10/8/2005 9:37:52 AM HS 28173 C:\WINDOWS\system32\mllji.dll
10/4/2005 1:02:04 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
10/7/2005 8:51:40 PM HS 28173 C:\WINDOWS\system32\nnllj.dll
10/4/2005 1:02:04 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
10/8/2005 10:16:02 PM HS 28173 C:\WINDOWS\system32\oppom.dll
10/8/2005 7:23:32 PM HS 28173 C:\WINDOWS\system32\qomjh.dll
10/8/2005 7:13:06 PM HS 28173 C:\WINDOWS\system32\qomno.dll
10/6/2005 11:11:36 PM HS 27149 C:\WINDOWS\system32\qopqn.dll
10/8/2005 7:35:32 PM HS 28173 C:\WINDOWS\system32\rqrqo.dll
10/4/2005 1:02:04 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
10/8/2005 10:22:10 AM HS 28173 C:\WINDOWS\system32\sstqo.dll
10/8/2005 7:32:32 PM HS 28173 C:\WINDOWS\system32\tuvvt.dll
10/4/2005 1:02:16 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
10/4/2005 1:02:04 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
10/8/2005 7:29:32 PM HS 28173 C:\WINDOWS\system32\yayvt.dll
10/8/2005 6:57:30 PM HS 28173 C:\WINDOWS\system32\yayxv.dll
10/10/2005 4:29:46 PM H 8192 C:\WINDOWS\system32\config\default.LOG
10/10/2005 4:30:12 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/10/2005 4:29:58 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
10/10/2005 4:31:14 PM H 77824 C:\WINDOWS\system32\config\software.LOG
10/10/2005 4:30:02 PM H 778240 C:\WINDOWS\system32\config\system.LOG
10/4/2005 5:48:40 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
10/4/2005 5:48:44 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
10/4/2005 5:50:30 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
10/4/2005 5:50:30 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
10/4/2005 1:03:02 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
10/4/2005 1:03:02 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
10/4/2005 1:03:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
10/4/2005 1:03:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
10/4/2005 1:03:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A1SZ4TMD\desktop.ini
10/4/2005 1:03:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GJM7E7EZ\desktop.ini
10/4/2005 1:03:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GNEDMHCL\desktop.ini
10/4/2005 1:03:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IDCHQJKJ\desktop.ini
10/4/2005 1:02:20 PM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
10/4/2005 5:50:30 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
10/4/2005 1:04:28 PM HS 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
10/4/2005 1:04:26 PM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
10/4/2005 1:04:28 PM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
10/4/2005 1:04:28 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
10/4/2005 1:04:28 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
10/7/2005 1:22:36 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\07f7cc04-361a-4fb2-9aa6-8325c021eb06
10/7/2005 1:22:36 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
10/4/2005 6:10:10 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\657a7e5b-eecc-455f-aaf5-3f69dfd059f9
10/4/2005 6:10:10 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/8/2005 10:33:26 PM RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
10/10/2005 4:29:06 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 7/16/2003 1:23:44 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 7/16/2003 1:24:18 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 7/16/2003 1:26:40 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 7/16/2003 1:29:16 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 7/16/2003 1:30:22 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 7/16/2003 1:30:30 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 7/16/2003 1:31:04 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/5/2005 6:26:06 PM 49262 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 7/16/2003 1:32:24 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 7/16/2003 1:33:56 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/16/2003 1:37:20 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/16/2003 1:40:02 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 7/16/2003 1:40:18 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 7/16/2003 1:41:58 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
SigmaTel Inc. 7/20/2004 10:14:06 AM 102481 C:\WINDOWS\SYSTEM32\stac97.cpl
Microsoft Corporation 7/16/2003 1:47:12 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 7/16/2003 1:47:58 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 7/16/2003 1:48:08 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 7/16/2003 1:23:44 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 7/16/2003 1:24:18 PM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 7/16/2003 1:26:40 PM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 7/16/2003 1:29:16 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 7/16/2003 1:30:22 PM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 7/16/2003 1:30:30 PM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 7/16/2003 1:31:04 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 7/16/2003 1:32:24 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 7/16/2003 1:33:56 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 7/16/2003 1:37:20 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 7/16/2003 1:40:02 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 7/16/2003 1:40:18 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 7/16/2003 1:41:58 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 7/16/2003 1:43:50 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 7/16/2003 1:47:12 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 7/16/2003 1:47:58 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 7/16/2003 1:48:08 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/4/2005 10:49:48 PM 1757 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
10/4/2005 1:04:28 PM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/4/2005 5:50:30 AM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
10/4/2005 1:04:28 PM HS 84 C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
10/4/2005 5:50:30 AM HS 62 C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

IntelWireless C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe
M\U[XRKVR]_`MJaN[U\P C:\WINDOWS\System32\sdulkf.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless
= C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/10/2005 4:37:10 PM

#6
Wizard
Retired Staff, 5,661 posts
Copy the text below into a blank Notepad page and save it to the Desktop as rem.reg, but don't run it yet!


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M\U[XRKVR]_`MJaN[U\P"=-


Download Pocket KillBox from here:
http://www.atribune....ads/KillBox.exe

Highlight the list below and press Ctrl+C to Copy!



Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot and Unregister .dll before Deleting-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!


Restart in Safe Mode and run each of those entries through Killbox again to ensure all were deleted!

As you paste each entry into Killbox-> Place a tick by any of these selections available!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Click the Red Circle with the White X in the Middle to Delete!


Now, locate and double click rem.reg and allow it to merge into the registry!


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!


Post back with a fresh HijackThis log and let me know how the PC is running!
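The two checks a helper does by eye in the steps above, as an added example that is not part of the thread or of WinPFind or Killbox: parse the Run-key section of a WinPFind log, flag a value name that is not the plain word an installer would choose, and emit the REGEDIT4 "name"=- removal entry with the backslash escaping the .reg file format requires. The log layout, the whitespace separator and the plain-name heuristic are assumptions; the sample lines are constructed from the log above.

```python
import re

# Constructed sample in the layout WinPFind uses for a Run key listing
# (value name, whitespace, command line); the entries mirror the log above.
SAMPLE_RUN_SECTION = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

IntelWireless C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe
M\U[XRKVR]_`MJaN[U\P C:\WINDOWS\System32\sdulkf.exe
"""

# Installers pick plain, readable value names; a name built from punctuation
# and random case is the heuristic flagged here (an assumption, not a rule).
PLAIN_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.()-]*$")

def parse_run_section(text):
    """Return (key, [(value_name, command), ...]) from a WinPFind Run listing.
    Assumes the first run of whitespace ends the value name (true in this log)."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # key header such as [HKEY_LOCAL_MACHINE\...]
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return key, entries

def suspicious_entries(entries):
    """Keep only the entries whose value name fails the plain-name check."""
    return [(n, c) for n, c in entries if not PLAIN_NAME.match(n)]

def reg_escape(s):
    """Escape text for a quoted .reg field: the format needs a backslash
    before every backslash and double quote that appears inside the quotes."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def make_removal_reg(key, names):
    """Build REGEDIT4 text whose "name"=- lines delete the given values.
    CRLF line endings; save as ANSI text before merging with regedit."""
    lines = ["REGEDIT4", "", "[" + key + "]"]
    lines += ['"' + reg_escape(n) + '"=-' for n in names]
    return "\r\n".join(lines) + "\r\n"
```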

#7
prufrock101
New Member (Topic Starter), 4 posts
I'm a bit confused about the list I'm supposed to paste into KillBox... could you clarify?

#8
Wizard
Retired Staff, 5,661 posts
Sorry about that, apparently Copy & Paste didn't work too well that time

C:\WINDOWS\System32\sdulkf.exe
C:\WINDOWS\etb
C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Local Settings\Temp\kzfur.hkp
C:\Documents and Settings\Philip Jensen.HOME-60PKX4IAS3\Local Settings\Temp\opccyot.mln
C:\WINDOWS\system32\awttr.dll
C:\WINDOWS\system32\cbawt.dll
C:\WINDOWS\system32\ddcby.dll
C:\WINDOWS\system32\drivers\etc\hosts.20051008-233915.backup
C:\WINDOWS\system32\fcyaw.dll
C:\WINDOWS\system32\hggff.dll
C:\WINDOWS\system32\i
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\khfff.dll
C:\WINDOWS\system32\ljjgf.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\nnllj.dll
C:\WINDOWS\system32\oppom.dll
C:\WINDOWS\system32\qomjh.dll
C:\WINDOWS\system32\qomno.dll
C:\WINDOWS\system32\qopqn.dll
C:\WINDOWS\system32\rqrqo.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\tuvvt.dll
C:\WINDOWS\system32\yayvt.dll
C:\WINDOWS\system32\yayxv.dll