spyware [RESOLVED]


  • This topic is locked

#1
mark mccluskey

  • Member
  • 24 posts
I was recently notified that I had spyware, and after following the steps provided on the website I thought I was rid of all spyware, but it just keeps coming back after I delete it. Can you help?

Logfile of HijackThis v1.99.1
Scan saved at 17:35:31, on 16/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\paytime.exe
C:\windows\adtech2005.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\paytime.exe
C:\PROGRA~1\COMMON~1\immq\immqm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\MALCOM\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O1 - Hosts: .net
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [cnfgTav] "C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\E.tmp
O4 - HKCU\..\Run: [immq] C:\PROGRA~1\COMMON~1\immq\immqm.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118679888403
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci...6.1.7_en_dl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CC6B8A3-EA33-4D33-B6AD-E0609B671B45}: NameServer = 194.168.8.100,194.168.4.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\jt8407lqe.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\mnknnabj.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\feggbpho.dll (file missing)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\gpikkgmh.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\hceciqpk.dll
O21 - SSODL: DEJJGBIE - {042421F5-5501-6493-1129-393438A110DF} - C:\WINDOWS\system32\Bgjkog32.dll (file missing)
O21 - SSODL: mtkle - {0D941CB2-92ED-4397-8B90-6EA192C65589} - C:\WINDOWS\system32\dugx32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGVsbG8\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trustix AV Service (TAVM_Service) - Unknown owner - C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#2
Trevuren

  • Retired Staff
  • 18,699 posts
Hi mark mccluskey and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

I need to get you to move HijackThis to a folder of its own so that nothing gets deleted by mistake.

1. Right click in an empty space on your desktop.

2. From the Menu, click New, then Folder and a folder will appear on your desktop.

3. Name the folder HJT

4. Drag the current HijackThis icon from your desktop into the new Folder that was just created.

5. Now, run the program and post a fresh HJT log for review.

Regards,

Trevuren


#3
mark mccluskey

  • Topic Starter
  • Member
  • 24 posts
Hello Trevuren, thanks for getting back to me. Sorry it's been a while; my internet has been down for a while, but I've managed to get it back up. Here's my HijackThis list. Have a look, then get back to me whenever you can. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 21:50:39, on 23/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SGVsbG8\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\paytime.exe
C:\windows\adtech2005.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\paytime.exe
C:\PROGRA~1\COMMON~1\immq\immqm.exe
C:\Program Files\Trustix\Trustix AntiVirus\Tavaud.exe
C:\Program Files\WinFixer_2005\UWFX5.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\malcom\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O1 - Hosts: .net
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [cnfgTav] "C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\E.tmp
O4 - HKCU\..\Run: [immq] C:\PROGRA~1\COMMON~1\immq\immqm.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118679888403
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci...6.1.7_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\fpj8031ue.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\mnknnabj.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\feggbpho.dll (file missing)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\gpikkgmh.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\hceciqpk.dll
O21 - SSODL: mtkle - {0D941CB2-92ED-4397-8B90-6EA192C65589} - C:\WINDOWS\system32\dugx32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGVsbG8\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trustix AV Service (TAVM_Service) - Unknown owner - C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#4
Trevuren

  • Retired Staff
  • 18,699 posts
You have the latest version of Look2Me/VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts.
  • Then open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat
  • Select option #1 for Run Find Log by typing "1" and then pressing ENTER.
  • This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
  • Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to "C:\windows\system32\cmd.exe,
C:\windows\system32\autoexec.nt, the system file is not suitable for running ms-dos and microsoft windows applications",
  • choose close to terminate the application.
  • Then please use option 5 or the web page link in the l2mfix folder to solve this error condition.
Do not run the fix portion without fixing this first.

Regards,

Trevuren

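The entries Trevuren reads as Look2Me/VX2 (the O20 Winlogon Notify and O21 SSODL lines with random DLL names, the R0/R1 lines pointing at c:\secure32.html, the O4 autostarts in the Windows root) can be picked out mechanically. The script below is an added example, not part of the thread, HijackThis or L2MFix; its allowlists and heuristics are the editor's own assumptions, applied to lines copied from the log above.

```python
"""Triage HijackThis v1.99 log lines for the Look2Me/VX2 pattern seen above.

Added example (not from the thread, HijackThis or L2MFix). The allowlists and
heuristics are the editor's assumptions, kept deliberately small: a flag means
"a human should look at this", never "this is malware".
"""
import ntpath
import re

# Stock Windows XP Winlogon\Notify and SSODL DLLs (assumption: illustrative
# subset, not exhaustive). Look2Me drops randomly named DLLs in both places.
NOTIFY_ALLOW = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
SSODL_ALLOW = {"webcheck.dll", "shell32.dll", "stobject.dll"}
# Hosts an IE search/start page might legitimately point at (assumption).
SEARCH_HOST_ALLOW = {"www.msn.com", "www.microsoft.com", "go.microsoft.com"}

# Lines copied from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [klop] C:\WINDOWS\E.tmp",
    r"O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe",
    r"O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\jt8407lqe.dll",
    r"O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\mnknnabj.dll",
    r"O21 - SSODL: mtkle - {0D941CB2-92ED-4397-8B90-6EA192C65589} - C:\WINDOWS\system32\dugx32.dll (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGVsbG8\command.exe",
]


def first_path(cmd):
    """Executable path at the start of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage_line(line):
    """Return the reasons (possibly none) why one HJT line deserves review."""
    reasons = []
    kind, _, rest = line.partition(" - ")
    kind = kind.strip()
    if kind in ("R0", "R1"):
        value = rest.rsplit(" = ", 1)[-1].strip()
        if re.match(r"^[a-z]:\\", value, re.I):
            reasons.append("start/search page points at a local file")
        elif value.lower().startswith("http"):
            host = re.sub(r"^https?://", "", value, flags=re.I).split("/")[0].lower()
            if host not in SEARCH_HOST_ALLOW:
                reasons.append("search page redirected to unexpected host " + host)
    elif kind == "O4":
        folder, name = ntpath.split(first_path(rest.split("] ", 1)[-1]))
        if folder.lower() == r"c:\windows":
            reasons.append("autostart runs straight out of the Windows folder")
        if name.lower().endswith(".tmp"):
            reasons.append("autostart launches a .tmp file")
    elif kind == "O20":
        dll = ntpath.basename(rest.rsplit(" - ", 1)[-1]).lower()
        if dll not in NOTIFY_ALLOW:
            reasons.append("unknown Winlogon Notify DLL " + dll)
    elif kind == "O21":
        entry = rest.split(":", 1)[-1].split(" - ")[0].strip()
        tail = rest.rsplit(" - ", 1)[-1]
        dll = ntpath.basename(tail.replace("(file missing)", "").strip()).lower()
        if entry.lower().startswith("systray."):
            reasons.append("SSODL name mimics the legitimate SysTray entry")
        if "(file missing)" in tail:
            reasons.append("SSODL points at a DLL that is no longer on disk")
        if dll not in SSODL_ALLOW:
            reasons.append("unknown SSODL DLL " + dll)
    elif kind == "O23" and "Unknown owner" in rest:
        # HJT prints the service binary as the whole tail, so no first_path() here.
        folder = ntpath.dirname(rest.rsplit(" - ", 1)[-1].strip()).lower()
        if folder.startswith("c:\\windows\\") and ntpath.basename(folder) not in ("system32", "system"):
            reasons.append("service with no vendor runs from odd folder " + folder)
    return reasons


def triage_log(lines):
    """Return [(line, reasons)] for every line that raised at least one flag."""
    flagged = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Entries that pass the allowlist are still worth a second look; the NvCpl and NVSvc lines are left unflagged here only because they match the stock patterns, not because the script vouches for them.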

#5
mark mccluskey

  • Topic Starter
  • Member
  • 24 posts
OK, I followed your instructions and this is what I got.

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i4600ejmehoa0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E6648231-2252-C9C3-39EC-149065BD6836}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2478453B-BF5F-4784-8273-5111F5AFAE1A}"="Trustix Antivirus"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{6B1914F0-4D5D-4798-92E3-9E7A70C3900D}"="c2b"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{5E6BF15C-57FF-4B42-A672-8B9B13A773DD}"=""
"{459056BE-B699-47EF-A335-83F07D080FC0}"=""
"{D81EA6E8-643A-484C-8D7F-EE1586D73764}"=""
"{9DBC9B69-4F28-4CBB-9E6F-89E492268B3B}"=""
"{1C366D49-F25A-4549-AAA2-AA6D2D137AEC}"=""
"{37BC9363-A366-433B-8099-E85178CB5F91}"=""
"{472851EC-B648-4337-9D72-FDC7A896E050}"=""
"{18286857-C824-4B0C-B771-9A2D7D6D1000}"=""
"{270D6813-1959-4B0D-9135-7209654A8939}"=""
"{225741D7-1386-4B15-9051-58E473FDFB19}"=""
"{DDC91C81-2114-4C2E-85B7-67EB3906DB1E}"=""
"{D072F687-CCDF-445D-A71F-4ED43F8516D0}"=""
"{B9B0B2A5-05CD-4A6A-BE4B-B1343FA1DE10}"=""
"{B2850790-E8BB-4DC3-845C-EB27FEC3B28A}"=""
"{88ABB1AD-7D57-4950-877E-D9ECDA346D56}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5E6BF15C-57FF-4B42-A672-8B9B13A773DD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E6BF15C-57FF-4B42-A672-8B9B13A773DD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E6BF15C-57FF-4B42-A672-8B9B13A773DD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E6BF15C-57FF-4B42-A672-8B9B13A773DD}\InprocServer32]
@="C:\\WINDOWS\\system32\\mwrapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{459056BE-B699-47EF-A335-83F07D080FC0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{459056BE-B699-47EF-A335-83F07D080FC0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{459056BE-B699-47EF-A335-83F07D080FC0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{459056BE-B699-47EF-A335-83F07D080FC0}\InprocServer32]
@="C:\\WINDOWS\\system32\\ciedui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D81EA6E8-643A-484C-8D7F-EE1586D73764}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D81EA6E8-643A-484C-8D7F-EE1586D73764}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D81EA6E8-643A-484C-8D7F-EE1586D73764}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D81EA6E8-643A-484C-8D7F-EE1586D73764}\InprocServer32]
@="C:\\WINDOWS\\system32\\CIASIO.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9DBC9B69-4F28-4CBB-9E6F-89E492268B3B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9DBC9B69-4F28-4CBB-9E6F-89E492268B3B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9DBC9B69-4F28-4CBB-9E6F-89E492268B3B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9DBC9B69-4F28-4CBB-9E6F-89E492268B3B}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1C366D49-F25A-4549-AAA2-AA6D2D137AEC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1C366D49-F25A-4549-AAA2-AA6D2D137AEC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1C366D49-F25A-4549-AAA2-AA6D2D137AEC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1C366D49-F25A-4549-AAA2-AA6D2D137AEC}\InprocServer32]
@="C:\\WINDOWS\\system32\\crrpol.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{37BC9363-A366-433B-8099-E85178CB5F91}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37BC9363-A366-433B-8099-E85178CB5F91}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37BC9363-A366-433B-8099-E85178CB5F91}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37BC9363-A366-433B-8099-E85178CB5F91}\InprocServer32]
@="C:\\WINDOWS\\system32\\nprsfi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{472851EC-B648-4337-9D72-FDC7A896E050}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{472851EC-B648-4337-9D72-FDC7A896E050}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{472851EC-B648-4337-9D72-FDC7A896E050}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{472851EC-B648-4337-9D72-FDC7A896E050}\InprocServer32]
@="C:\\WINDOWS\\system32\\ome2disp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{18286857-C824-4B0C-B771-9A2D7D6D1000}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{18286857-C824-4B0C-B771-9A2D7D6D1000}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{18286857-C824-4B0C-B771-9A2D7D6D1000}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{18286857-C824-4B0C-B771-9A2D7D6D1000}\InprocServer32]
@="C:\\WINDOWS\\system32\\CBOSUSER.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{270D6813-1959-4B0D-9135-7209654A8939}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{270D6813-1959-4B0D-9135-7209654A8939}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{270D6813-1959-4B0D-9135-7209654A8939}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{270D6813-1959-4B0D-9135-7209654A8939}\InprocServer32]
@="C:\\WINDOWS\\system32\\tpd32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{225741D7-1386-4B15-9051-58E473FDFB19}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{225741D7-1386-4B15-9051-58E473FDFB19}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{225741D7-1386-4B15-9051-58E473FDFB19}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{225741D7-1386-4B15-9051-58E473FDFB19}\InprocServer32]
@="C:\\WINDOWS\\system32\\akferror.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DDC91C81-2114-4C2E-85B7-67EB3906DB1E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDC91C81-2114-4C2E-85B7-67EB3906DB1E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDC91C81-2114-4C2E-85B7-67EB3906DB1E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DDC91C81-2114-4C2E-85B7-67EB3906DB1E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dznwsock.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D072F687-CCDF-445D-A71F-4ED43F8516D0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D072F687-CCDF-445D-A71F-4ED43F8516D0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D072F687-CCDF-445D-A71F-4ED43F8516D0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D072F687-CCDF-445D-A71F-4ED43F8516D0}\InprocServer32]
@="C:\\WINDOWS\\system32\\iaxsap.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B9B0B2A5-05CD-4A6A-BE4B-B1343FA1DE10}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B9B0B2A5-05CD-4A6A-BE4B-B1343FA1DE10}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B9B0B2A5-05CD-4A6A-BE4B-B1343FA1DE10}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B9B0B2A5-05CD-4A6A-BE4B-B1343FA1DE10}\InprocServer32]
@="C:\\WINDOWS\\system32\\jkcript.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B2850790-E8BB-4DC3-845C-EB27FEC3B28A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2850790-E8BB-4DC3-845C-EB27FEC3B28A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2850790-E8BB-4DC3-845C-EB27FEC3B28A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2850790-E8BB-4DC3-845C-EB27FEC3B28A}\InprocServer32]
@="C:\\WINDOWS\\system32\\rcgwizc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{88ABB1AD-7D57-4950-877E-D9ECDA346D56}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88ABB1AD-7D57-4950-877E-D9ECDA346D56}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88ABB1AD-7D57-4950-877E-D9ECDA346D56}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88ABB1AD-7D57-4950-877E-D9ECDA346D56}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
akferror.dll Fri 18 Nov 2005 12:43:32 ..S.R 233,654 228.18 K
appwiz.dll Sun 13 Nov 2005 17:48:52 A.... 65,252 63.72 K
aqwav.dll Fri 18 Nov 2005 19:06:00 ..S.R 235,658 230.13 K
atmtd.dll Sun 13 Nov 2005 17:51:52 A.... 687,592 671.48 K
aui2dvaa.dll Sun 20 Nov 2005 21:02:50 ..S.R 235,658 230.13 K
azsldp.dll Sat 19 Nov 2005 10:38:00 ..S.R 234,231 228.74 K
browseui.dll Fri 2 Sep 2005 23:52:04 A.... 1,019,904 996.00 K
c2b.dll Tue 8 Nov 2005 19:05:54 A.... 86,367 84.34 K
cbosuser.dll Thu 17 Nov 2005 16:15:02 ..S.R 233,654 228.18 K
cdfview.dll Fri 2 Sep 2005 23:52:04 A.... 151,040 147.50 K
cdosys.dll Sat 10 Sep 2005 1:53:42 A.... 2,067,968 1.97 M
child.dll Sun 13 Nov 2005 17:48:50 A.... 14,336 14.00 K
ciedui.dll Wed 23 Nov 2005 18:44:40 ..S.R 234,812 229.31 K
crrpol.dll Wed 16 Nov 2005 15:29:26 ..S.R 237,182 231.62 K
czvfat.dll Sun 20 Nov 2005 21:10:12 ..S.R 236,178 230.64 K
danim.dll Fri 2 Sep 2005 23:52:04 A.... 1,053,696 1.00 M
dxraw.dll Sun 20 Nov 2005 21:17:32 ..S.R 234,259 228.77 K
dxtrans.dll Fri 2 Sep 2005 23:52:04 A.... 205,312 200.50 K
dzmasf.dll Mon 21 Nov 2005 11:41:50 ..S.R 234,325 228.83 K
dznwsock.dll Sun 20 Nov 2005 18:23:30 ..S.R 235,658 230.13 K
extmgr.dll Fri 2 Sep 2005 23:52:04 ..... 55,808 54.50 K
ezsvc.dll Fri 18 Nov 2005 18:19:20 ..S.R 237,182 231.62 K
fv20enu.dll Wed 16 Nov 2005 20:31:16 ..S.R 237,182 231.62 K
g6402g~1.dll Fri 18 Nov 2005 18:41:06 ..S.R 233,654 228.18 K
gdi32.dll Thu 6 Oct 2005 3:09:36 A.... 280,064 273.50 K
gpr6l3~1.dll Wed 16 Nov 2005 15:49:40 ..S.R 237,182 231.62 K
gqmf32.dll Sat 19 Nov 2005 18:27:18 ..S.R 235,658 230.13 K
hceciqpk.dll Sun 13 Nov 2005 17:48:50 A.... 40,960 40.00 K
hrjo05~1.dll Thu 24 Nov 2005 13:00:26 ..S.R 234,935 229.43 K
i4600e~1.dll Thu 24 Nov 2005 0:10:24 ..S.R 234,873 229.37 K
iaxsap.dll Mon 21 Nov 2005 18:26:20 ..S.R 234,931 229.42 K
iepeers.dll Fri 2 Sep 2005 23:52:04 A.... 251,392 245.50 K
inseng.dll Fri 2 Sep 2005 23:52:04 A.... 96,256 94.00 K
ir4ml5~1.dll Tue 15 Nov 2005 14:11:10 ..S.R 237,182 231.62 K
jkcript.dll Tue 22 Nov 2005 16:59:28 ..S.R 236,620 231.07 K
k0pm0a~1.dll Tue 15 Nov 2005 0:37:18 ..S.R 236,074 230.54 K
k4lqle~1.dll Wed 16 Nov 2005 20:27:46 ..S.R 234,178 228.69 K
linkinfo.dll Thu 1 Sep 2005 1:41:54 A.... 19,968 19.50 K
lvj209~1.dll Mon 14 Nov 2005 17:37:08 ..S.R 236,074 230.54 K
m2820c~1.dll Fri 18 Nov 2005 19:02:54 ..S.R 235,658 230.13 K
mdiavi32.dll Sun 20 Nov 2005 20:31:08 ..S.R 236,066 230.53 K
mmcertui.dll Thu 17 Nov 2005 17:56:38 ..S.R 237,182 231.62 K
mnknnabj.dll Sun 13 Nov 2005 17:48:12 A.... 40,960 40.00 K
mrise.dll Fri 18 Nov 2005 19:01:58 ..S.R 235,658 230.13 K
mshtml.dll Tue 4 Oct 2005 16:26:00 A.... 3,015,168 2.88 M
mshtmled.dll Fri 2 Sep 2005 23:52:06 A.... 448,512 438.00 K
msrating.dll Fri 2 Sep 2005 23:52:06 A.... 146,432 143.00 K
mstime.dll Fri 2 Sep 2005 23:52:06 A.... 530,432 518.00 K
mvl_mtf.dll Sun 13 Nov 2005 18:22:44 ..S.R 236,074 230.54 K
mwrapi.dll Thu 24 Nov 2005 15:55:00 ..S.R 234,873 229.37 K
nprsfi.dll Tue 15 Nov 2005 20:02:00 ..S.R 237,182 231.62 K
nzwrstr.dll Sun 20 Nov 2005 21:14:06 ..S.R 236,605 231.06 K
o2ro0c~1.dll Wed 16 Nov 2005 15:58:42 ..S.R 237,182 231.62 K
o8840i~1.dll Tue 22 Nov 2005 17:01:30 ..S.R 236,620 231.07 K
ome2disp.dll Wed 16 Nov 2005 20:34:26 ..S.R 237,182 231.62 K
pncrt.dll Wed 31 Aug 2005 16:53:54 A.... 278,528 272.00 K
pndx5016.dll Wed 31 Aug 2005 16:53:54 A.... 6,656 6.50 K
pndx5032.dll Wed 31 Aug 2005 16:53:54 A.... 5,632 5.50 K
pngfilt.dll Fri 2 Sep 2005 23:52:06 A.... 39,424 38.50 K
quartz.dll Tue 30 Aug 2005 3:54:26 A.... 1,287,168 1.23 M
rcgwizc.dll Tue 22 Nov 2005 17:02:22 ..S.R 234,812 229.31 K
rmoc3260.dll Wed 31 Aug 2005 16:53:58 A.... 176,167 172.04 K
rvsauto.dll Wed 16 Nov 2005 20:27:44 ..S.R 237,182 231.62 K
sflunirl.dll Mon 21 Nov 2005 20:21:52 ..S.R 234,812 229.31 K
shdocvw.dll Fri 2 Sep 2005 23:52:06 A.... 1,483,776 1.41 M
shell32.dll Fri 23 Sep 2005 3:05:30 A.... 8,450,560 8.06 M
shlwapi.dll Fri 2 Sep 2005 23:52:06 A.... 473,600 462.50 K
sirenacm.dll Mon 19 Sep 2005 0:00:34 A.... 119,856 117.05 K
sjrmfilt.dll Tue 22 Nov 2005 18:12:16 ..S.R 234,812 229.31 K
smcsccp.dll Sat 19 Nov 2005 12:15:10 ..S.R 235,658 230.13 K
smhannel.dll Wed 16 Nov 2005 12:53:24 ..S.R 237,182 231.62 K
sporder.dll Sun 23 Oct 2005 10:28:20 A.... 8,464 8.27 K
urerinfo.dll Wed 23 Nov 2005 18:50:16 A.... 45,056 44.00 K
urlmon.dll Fri 2 Sep 2005 23:52:06 A.... 608,768 594.50 K
wdspdmod.dll Sun 20 Nov 2005 13:35:30 ..S.R 236,066 230.53 K
wininet.dll Fri 2 Sep 2005 23:52:06 A.... 658,432 643.00 K
winsrv.dll Thu 1 Sep 2005 1:41:54 A.... 291,840 285.00 K
wlbclnt.dll Fri 18 Nov 2005 18:24:04 ..S.R 233,654 228.18 K
zjpfldr.dll Fri 18 Nov 2005 19:40:02 ..S.R 235,658 230.13 K

79 items found: 79 files (44 H/S), 0 directories.
Total of file sizes: 34,582,458 bytes 32.98 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 3499-6B8E

Directory of C:\WINDOWS\System32

24/11/2005 16:05 <DIR> ..
24/11/2005 16:05 <DIR> .
24/11/2005 15:54 234,873 mwrapi.dll
24/11/2005 13:00 234,935 hrjo0513e.dll
24/11/2005 00:10 234,873 i4600ejmehoa0.dll
23/11/2005 18:44 234,812 ciedui.dll
22/11/2005 18:12 234,812 sjrmfilt.dll
22/11/2005 17:02 234,812 rcgwizc.dll
22/11/2005 17:01 236,620 o8840ilqe8qe0.dll
22/11/2005 16:59 236,620 jkcript.dll
21/11/2005 20:21 234,812 sflunirl.dll
21/11/2005 18:26 234,931 iaxsap.dll
21/11/2005 11:41 234,325 dzmasf.dll
20/11/2005 21:17 234,259 dxraw.dll
20/11/2005 21:16 <DIR> dllcache
20/11/2005 21:14 236,605 nzwrstr.dll
20/11/2005 21:10 236,178 czvfat.dll
20/11/2005 21:02 235,658 aui2dvaa.dll
20/11/2005 20:31 236,066 mdiavi32.dll
20/11/2005 18:23 235,658 dznwsock.dll
20/11/2005 13:35 236,066 wdspdmod.dll
19/11/2005 18:27 235,658 gqmf32.dll
19/11/2005 12:15 235,658 smcsccp.dll
19/11/2005 10:37 234,231 azsldp.dll
18/11/2005 19:40 235,658 zjpfldr.dll
18/11/2005 19:05 235,658 aqwav.dll
18/11/2005 19:02 235,658 m2820cloefqc0.dll
18/11/2005 19:01 235,658 mrise.dll
18/11/2005 18:41 233,654 g6402ghmg64a2.dll
18/11/2005 18:24 233,654 wlbclnt.dll
18/11/2005 18:19 237,182 ezsvc.dll
18/11/2005 12:43 233,654 akferror.dll
17/11/2005 17:56 237,182 mmcertui.dll
17/11/2005 16:15 233,654 CBOSUSER.DLL
16/11/2005 20:34 237,182 ome2disp.dll
16/11/2005 20:31 237,182 FV20ENU.DLL
16/11/2005 20:27 234,178 k4lqle351h.dll
16/11/2005 20:27 237,182 rVsauto.dll
16/11/2005 15:58 237,182 o2ro0c93ef.dll
16/11/2005 15:49 237,182 gpr6l39s1.dll
16/11/2005 15:29 237,182 crrpol.dll
16/11/2005 12:53 237,182 smhannel.dll
15/11/2005 20:01 237,182 nprsfi.dll
15/11/2005 14:11 237,182 ir4ml5h11.dll
15/11/2005 00:37 236,074 k0pm0a71ed.dll
14/11/2005 17:37 236,074 lvj2091oe.dll
13/11/2005 18:22 236,074 mvl_mtf.dll
24/06/2005 12:34 <DIR> Microsoft
44 File(s) 10,371,112 bytes
4 Dir(s) 63,281,401,856 bytes free
  • 0

#6
Trevuren
    Old Dog
  • Retired Staff
  • 18,699 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop,
  • Double click l2mfix.bat and select option #2 for Run Fix by typing "2" and then pressing ENTER.
  • It will then ask for a password; enter the word bye (lowercase) and hit ENTER.
  • Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, it will be ready for a reboot.
  • Press any key to reboot.
  • After the reboot notepad will open with a log.
  • Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

NOTE: If the log does not open after the reboot, double click on it in the l2mfix folder.

Regards,

Trevuren

  • 0

#7
mark mccluskey
    Member
  • Topic Starter
  • Member
  • 24 posts
Hello again, this is what I got from the l2mfix:

Starting Beta Fix 112305
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Setting Directory
C:\Documents and Settings\malcom\Desktop\l2mfix
C:\Documents and Settings\malcom\Desktop\l2mfix

Running From:
C:\Documents and Settings\malcom\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 452 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 532 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1676 'explorer.exe'
Killing PID 1676 'explorer.exe'
Killing PID 1676 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2808 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\akferror.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aqwav.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aui2dvaa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azsldp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CBOSUSER.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ciedui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\crrpol.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\czvfat.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnj6011se.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnnq0155e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dxraw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dzmasf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dznwsock.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enl8l13u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ezsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\FV20ENU.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g6402ghmg64a2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpr6l39s1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gqmf32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iaxsap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir4ml5h11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iudkcs32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jkcript.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0pm0a71ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k4lqle351h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\klduzb.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvj2091oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m2820cloefqc0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdiavi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmcertui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrise.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvl_mtf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\newrsja.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nprsfi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nprspt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nzwrstr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o2ro0c93ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o8840ilqe8qe0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ome2disp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qlsname.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rcgwizc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rVsauto.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sflunirl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sinscfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sjrmfilt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smcsccp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smhannel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wdspdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfn87em.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlbclnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\zjpfldr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\akferror.dll
Successfully Deleted: C:\WINDOWS\system32\akferror.dll
deleting: C:\WINDOWS\system32\aqwav.dll
Successfully Deleted: C:\WINDOWS\system32\aqwav.dll
deleting: C:\WINDOWS\system32\aui2dvaa.dll
Successfully Deleted: C:\WINDOWS\system32\aui2dvaa.dll
deleting: C:\WINDOWS\system32\azsldp.dll
Successfully Deleted: C:\WINDOWS\system32\azsldp.dll
deleting: C:\WINDOWS\system32\CBOSUSER.DLL
Successfully Deleted: C:\WINDOWS\system32\CBOSUSER.DLL
deleting: C:\WINDOWS\system32\ciedui.dll
Successfully Deleted: C:\WINDOWS\system32\ciedui.dll
deleting: C:\WINDOWS\system32\crrpol.dll
Successfully Deleted: C:\WINDOWS\system32\crrpol.dll
deleting: C:\WINDOWS\system32\czvfat.dll
Successfully Deleted: C:\WINDOWS\system32\czvfat.dll
deleting: C:\WINDOWS\system32\dnj6011se.dll
Successfully Deleted: C:\WINDOWS\system32\dnj6011se.dll
deleting: C:\WINDOWS\system32\dnnq0155e.dll
Successfully Deleted: C:\WINDOWS\system32\dnnq0155e.dll
deleting: C:\WINDOWS\system32\dxraw.dll
Successfully Deleted: C:\WINDOWS\system32\dxraw.dll
deleting: C:\WINDOWS\system32\dzmasf.dll
Successfully Deleted: C:\WINDOWS\system32\dzmasf.dll
deleting: C:\WINDOWS\system32\dznwsock.dll
Successfully Deleted: C:\WINDOWS\system32\dznwsock.dll
deleting: C:\WINDOWS\system32\enl8l13u1.dll
Successfully Deleted: C:\WINDOWS\system32\enl8l13u1.dll
deleting: C:\WINDOWS\system32\ezsvc.dll
Successfully Deleted: C:\WINDOWS\system32\ezsvc.dll
deleting: C:\WINDOWS\system32\FV20ENU.DLL
Successfully Deleted: C:\WINDOWS\system32\FV20ENU.DLL
deleting: C:\WINDOWS\system32\g6402ghmg64a2.dll
Successfully Deleted: C:\WINDOWS\system32\g6402ghmg64a2.dll
deleting: C:\WINDOWS\system32\gpr6l39s1.dll
Successfully Deleted: C:\WINDOWS\system32\gpr6l39s1.dll
deleting: C:\WINDOWS\system32\gqmf32.dll
Successfully Deleted: C:\WINDOWS\system32\gqmf32.dll
deleting: C:\WINDOWS\system32\iaxsap.dll
Successfully Deleted: C:\WINDOWS\system32\iaxsap.dll
deleting: C:\WINDOWS\system32\ir4ml5h11.dll
Successfully Deleted: C:\WINDOWS\system32\ir4ml5h11.dll
deleting: C:\WINDOWS\system32\iudkcs32.dll
Successfully Deleted: C:\WINDOWS\system32\iudkcs32.dll
deleting: C:\WINDOWS\system32\jkcript.dll
Successfully Deleted: C:\WINDOWS\system32\jkcript.dll
deleting: C:\WINDOWS\system32\k0pm0a71ed.dll
Successfully Deleted: C:\WINDOWS\system32\k0pm0a71ed.dll
deleting: C:\WINDOWS\system32\k4lqle351h.dll
Successfully Deleted: C:\WINDOWS\system32\k4lqle351h.dll
deleting: C:\WINDOWS\system32\klduzb.dll
Successfully Deleted: C:\WINDOWS\system32\klduzb.dll
deleting: C:\WINDOWS\system32\lvj2091oe.dll
Successfully Deleted: C:\WINDOWS\system32\lvj2091oe.dll
deleting: C:\WINDOWS\system32\m2820cloefqc0.dll
Successfully Deleted: C:\WINDOWS\system32\m2820cloefqc0.dll
deleting: C:\WINDOWS\system32\mdiavi32.dll
Successfully Deleted: C:\WINDOWS\system32\mdiavi32.dll
deleting: C:\WINDOWS\system32\mmcertui.dll
Successfully Deleted: C:\WINDOWS\system32\mmcertui.dll
deleting: C:\WINDOWS\system32\mrise.dll
Successfully Deleted: C:\WINDOWS\system32\mrise.dll
deleting: C:\WINDOWS\system32\mvl_mtf.dll
Successfully Deleted: C:\WINDOWS\system32\mvl_mtf.dll
deleting: C:\WINDOWS\system32\newrsja.dll
Successfully Deleted: C:\WINDOWS\system32\newrsja.dll
deleting: C:\WINDOWS\system32\nprsfi.dll
Successfully Deleted: C:\WINDOWS\system32\nprsfi.dll
deleting: C:\WINDOWS\system32\nprspt.dll
Successfully Deleted: C:\WINDOWS\system32\nprspt.dll
deleting: C:\WINDOWS\system32\nzwrstr.dll
Successfully Deleted: C:\WINDOWS\system32\nzwrstr.dll
deleting: C:\WINDOWS\system32\o2ro0c93ef.dll
Successfully Deleted: C:\WINDOWS\system32\o2ro0c93ef.dll
deleting: C:\WINDOWS\system32\o8840ilqe8qe0.dll
Successfully Deleted: C:\WINDOWS\system32\o8840ilqe8qe0.dll
deleting: C:\WINDOWS\system32\ome2disp.dll
Successfully Deleted: C:\WINDOWS\system32\ome2disp.dll
deleting: C:\WINDOWS\system32\qlsname.dll
Successfully Deleted: C:\WINDOWS\system32\qlsname.dll
deleting: C:\WINDOWS\system32\rcgwizc.dll
Successfully Deleted: C:\WINDOWS\system32\rcgwizc.dll
deleting: C:\WINDOWS\system32\rVsauto.dll
Successfully Deleted: C:\WINDOWS\system32\rVsauto.dll
deleting: C:\WINDOWS\system32\sflunirl.dll
Successfully Deleted: C:\WINDOWS\system32\sflunirl.dll
deleting: C:\WINDOWS\system32\sinscfg.dll
Successfully Deleted: C:\WINDOWS\system32\sinscfg.dll
deleting: C:\WINDOWS\system32\sjrmfilt.dll
Successfully Deleted: C:\WINDOWS\system32\sjrmfilt.dll
deleting: C:\WINDOWS\system32\smcsccp.dll
Successfully Deleted: C:\WINDOWS\system32\smcsccp.dll
deleting: C:\WINDOWS\system32\smhannel.dll
Successfully Deleted: C:\WINDOWS\system32\smhannel.dll
deleting: C:\WINDOWS\system32\wdspdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wdspdmod.dll
deleting: C:\WINDOWS\system32\wfn87em.dll
Successfully Deleted: C:\WINDOWS\system32\wfn87em.dll
deleting: C:\WINDOWS\system32\wlbclnt.dll
Successfully Deleted: C:\WINDOWS\system32\wlbclnt.dll
deleting: C:\WINDOWS\system32\zjpfldr.dll
Successfully Deleted: C:\WINDOWS\system32\zjpfldr.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: akferror.dll (164 bytes security) (deflated 4%)
adding: aqwav.dll (164 bytes security) (deflated 5%)
adding: aui2dvaa.dll (164 bytes security) (deflated 5%)
adding: azsldp.dll (164 bytes security) (deflated 4%)
adding: CBOSUSER.DLL (164 bytes security) (deflated 4%)
adding: ciedui.dll (164 bytes security) (deflated 5%)
adding: crrpol.dll (164 bytes security) (deflated 5%)
adding: czvfat.dll (164 bytes security) (deflated 5%)
adding: dnj6011se.dll (164 bytes security) (deflated 5%)
adding: dnnq0155e.dll (164 bytes security) (deflated 5%)
adding: dxraw.dll (164 bytes security) (deflated 5%)
adding: dzmasf.dll (164 bytes security) (deflated 5%)
adding: dznwsock.dll (164 bytes security) (deflated 5%)
adding: enl8l13u1.dll (164 bytes security) (deflated 5%)
adding: ezsvc.dll (164 bytes security) (deflated 5%)
adding: FV20ENU.DLL (164 bytes security) (deflated 5%)
adding: g6402ghmg64a2.dll (164 bytes security) (deflated 4%)
adding: gpr6l39s1.dll (164 bytes security) (deflated 5%)
adding: gqmf32.dll (164 bytes security) (deflated 5%)
adding: iaxsap.dll (164 bytes security) (deflated 5%)
adding: ir4ml5h11.dll (164 bytes security) (deflated 5%)
adding: iudkcs32.dll (164 bytes security) (deflated 5%)
adding: jkcript.dll (164 bytes security) (deflated 5%)
adding: k0pm0a71ed.dll (164 bytes security) (deflated 5%)
adding: k4lqle351h.dll (164 bytes security) (deflated 4%)
adding: klduzb.dll (164 bytes security) (deflated 5%)
adding: lvj2091oe.dll (164 bytes security) (deflated 5%)
adding: m2820cloefqc0.dll (164 bytes security) (deflated 5%)
adding: mdiavi32.dll (164 bytes security) (deflated 5%)
adding: mmcertui.dll (164 bytes security) (deflated 5%)
adding: mrise.dll (164 bytes security) (deflated 5%)
adding: mvl_mtf.dll (164 bytes security) (deflated 5%)
adding: newrsja.dll (164 bytes security) (deflated 5%)
adding: nprsfi.dll (164 bytes security) (deflated 5%)
adding: nprspt.dll (164 bytes security) (deflated 5%)
adding: nzwrstr.dll (164 bytes security) (deflated 5%)
adding: o2ro0c93ef.dll (164 bytes security) (deflated 5%)
adding: o8840ilqe8qe0.dll (164 bytes security) (deflated 5%)
adding: ome2disp.dll (164 bytes security) (deflated 5%)
adding: qlsname.dll (164 bytes security) (deflated 5%)
adding: rcgwizc.dll (164 bytes security) (deflated 5%)
adding: rVsauto.dll (164 bytes security) (deflated 5%)
adding: sflunirl.dll (164 bytes security) (deflated 5%)
adding: sinscfg.dll (164 bytes security) (deflated 5%)
adding: sjrmfilt.dll (164 bytes security) (deflated 5%)
adding: smcsccp.dll (164 bytes security) (deflated 5%)
adding: smhannel.dll (164 bytes security) (deflated 5%)
adding: wdspdmod.dll (164 bytes security) (deflated 5%)
adding: wfn87em.dll (164 bytes security) (deflated 5%)
adding: wlbclnt.dll (164 bytes security) (deflated 4%)
adding: zjpfldr.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 70%)
adding: echo.reg (164 bytes security) (deflated 11%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: direct.txt (164 bytes security) (stored 0%)
adding: flag.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 87%)
adding: not.txt (164 bytes security) (stored 0%)
adding: readme.txt (164 bytes security) (deflated 52%)
adding: report.txt (164 bytes security) (deflated 71%)
adding: sec.txt (164 bytes security) (stored 0%)
adding: test.txt (164 bytes security) (deflated 82%)
adding: test2.txt (164 bytes security) (deflated 49%)
adding: test3.txt (164 bytes security) (deflated 49%)
adding: test5.txt (164 bytes security) (deflated 49%)
adding: xfind.txt (164 bytes security) (deflated 77%)
adding: backregs/18286857-C824-4B0C-B771-9A2D7D6D1000.reg (164 bytes security) (deflated 70%)
adding: backregs/1C366D49-F25A-4549-AAA2-AA6D2D137AEC.reg (164 bytes security) (deflated 70%)
adding: backregs/225741D7-1386-4B15-9051-58E473FDFB19.reg (164 bytes security) (deflated 70%)
adding: backregs/270D6813-1959-4B0D-9135-7209654A8939.reg (164 bytes security) (deflated 70%)
adding: backregs/37BC9363-A366-433B-8099-E85178CB5F91.reg (164 bytes security) (deflated 70%)
adding: backregs/459056BE-B699-47EF-A335-83F07D080FC0.reg (164 bytes security) (deflated 70%)
adding: backregs/472851EC-B648-4337-9D72-FDC7A896E050.reg (164 bytes security) (deflated 70%)
adding: backregs/4BD0BC84-2FDE-4BD4-ABA0-7AB5F43634AB.reg (164 bytes security) (deflated 70%)
adding: backregs/5E6BF15C-57FF-4B42-A672-8B9B13A773DD.reg (164 bytes security) (deflated 70%)
adding: backregs/684E37F4-BB5F-4933-A6E6-B9CB57AC770B.reg (164 bytes security) (deflated 70%)
adding: backregs/88ABB1AD-7D57-4950-877E-D9ECDA346D56.reg (164 bytes security) (deflated 70%)
adding: backregs/9DBC9B69-4F28-4CBB-9E6F-89E492268B3B.reg (164 bytes security) (deflated 70%)
adding: backregs/AC84673D-DC6E-46B5-B742-89FED617E14E.reg (164 bytes security) (deflated 70%)
adding: backregs/B2850790-E8BB-4DC3-845C-EB27FEC3B28A.reg (164 bytes security) (deflated 70%)
adding: backregs/B9B0B2A5-05CD-4A6A-BE4B-B1343FA1DE10.reg (164 bytes security) (deflated 70%)
adding: backregs/D072F687-CCDF-445D-A71F-4ED43F8516D0.reg (164 bytes security) (deflated 70%)
adding: backregs/D81EA6E8-643A-484C-8D7F-EE1586D73764.reg (164 bytes security) (deflated 70%)
adding: backregs/DDC91C81-2114-4C2E-85B7-67EB3906DB1E.reg (164 bytes security) (deflated 70%)
adding: backregs/DE723DA3-BF8A-4380-A162-6179A01197EF.reg (164 bytes security) (deflated 70%)
adding: backregs/F35EB24B-F9EE-43B1-B7F4-0B714CA3BB41.reg (164 bytes security) (deflated 70%)
adding: backregs/F542821F-FA07-4474-B0B3-7D7BF5C73687.reg (164 bytes security) (deflated 70%)
adding: backregs/F85D29BF-1DDD-4A46-BC5F-EEAD7DCD60EB.reg (164 bytes security) (deflated 70%)
adding: backregs/F8F173F2-714D-4533-BB22-717E67B48643.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: akferror.dll
deleting local copy: aqwav.dll
deleting local copy: aui2dvaa.dll
deleting local copy: azsldp.dll
deleting local copy: CBOSUSER.DLL
deleting local copy: ciedui.dll
deleting local copy: crrpol.dll
deleting local copy: czvfat.dll
deleting local copy: dnj6011se.dll
deleting local copy: dnnq0155e.dll
deleting local copy: dxraw.dll
deleting local copy: dzmasf.dll
deleting local copy: dznwsock.dll
deleting local copy: enl8l13u1.dll
deleting local copy: ezsvc.dll
deleting local copy: FV20ENU.DLL
deleting local copy: g6402ghmg64a2.dll
deleting local copy: gpr6l39s1.dll
deleting local copy: gqmf32.dll
deleting local copy: iaxsap.dll
deleting local copy: ir4ml5h11.dll
deleting local copy: iudkcs32.dll
deleting local copy: jkcript.dll
deleting local copy: k0pm0a71ed.dll
deleting local copy: k4lqle351h.dll
deleting local copy: klduzb.dll
deleting local copy: lvj2091oe.dll
deleting local copy: m2820cloefqc0.dll
deleting local copy: mdiavi32.dll
deleting local copy: mmcertui.dll
deleting local copy: mrise.dll
deleting local copy: mvl_mtf.dll
deleting local copy: newrsja.dll
deleting local copy: nprsfi.dll
deleting local copy: nprspt.dll
deleting local copy: nzwrstr.dll
deleting local copy: o2ro0c93ef.dll
deleting local copy: o8840ilqe8qe0.dll
deleting local copy: ome2disp.dll
deleting local copy: qlsname.dll
deleting local copy: rcgwizc.dll
deleting local copy: rVsauto.dll
deleting local copy: sflunirl.dll
deleting local copy: sinscfg.dll
deleting local copy: sjrmfilt.dll
deleting local copy: smcsccp.dll
deleting local copy: smhannel.dll
deleting local copy: wdspdmod.dll
deleting local copy: wfn87em.dll
deleting local copy: wlbclnt.dll
deleting local copy: zjpfldr.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnj6011se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\akferror.dll
C:\WINDOWS\system32\aqwav.dll
C:\WINDOWS\system32\aui2dvaa.dll
C:\WINDOWS\system32\azsldp.dll
C:\WINDOWS\system32\CBOSUSER.DLL
C:\WINDOWS\system32\ciedui.dll
C:\WINDOWS\system32\crrpol.dll
C:\WINDOWS\system32\czvfat.dll
C:\WINDOWS\system32\dnj6011se.dll
C:\WINDOWS\system32\dnnq0155e.dll
C:\WINDOWS\system32\dxraw.dll
C:\WINDOWS\system32\dzmasf.dll
C:\WINDOWS\system32\dznwsock.dll
C:\WINDOWS\system32\enl8l13u1.dll
C:\WINDOWS\system32\ezsvc.dll
C:\WINDOWS\system32\FV20ENU.DLL
C:\WINDOWS\system32\g6402ghmg64a2.dll
C:\WINDOWS\system32\gpr6l39s1.dll
C:\WINDOWS\system32\gqmf32.dll
C:\WINDOWS\system32\iaxsap.dll
C:\WINDOWS\system32\ir4ml5h11.dll
C:\WINDOWS\system32\iudkcs32.dll
C:\WINDOWS\system32\jkcript.dll
C:\WINDOWS\system32\k0pm0a71ed.dll
C:\WINDOWS\system32\k4lqle351h.dll
C:\WINDOWS\system32\klduzb.dll
C:\WINDOWS\system32\lvj2091oe.dll
C:\WINDOWS\system32\m2820cloefqc0.dll
C:\WINDOWS\system32\mdiavi32.dll
C:\WINDOWS\system32\mmcertui.dll
C:\WINDOWS\system32\mrise.dll
C:\WINDOWS\system32\mvl_mtf.dll
C:\WINDOWS\system32\newrsja.dll
C:\WINDOWS\system32\nprsfi.dll
C:\WINDOWS\system32\nprspt.dll
C:\WINDOWS\system32\nzwrstr.dll
C:\WINDOWS\system32\o2ro0c93ef.dll
C:\WINDOWS\system32\o8840ilqe8qe0.dll
C:\WINDOWS\system32\ome2disp.dll
C:\WINDOWS\system32\qlsname.dll
C:\WINDOWS\system32\rcgwizc.dll
C:\WINDOWS\system32\rVsauto.dll
C:\WINDOWS\system32\sflunirl.dll
C:\WINDOWS\system32\sinscfg.dll
C:\WINDOWS\system32\sjrmfilt.dll
C:\WINDOWS\system32\smcsccp.dll
C:\WINDOWS\system32\smhannel.dll
C:\WINDOWS\system32\wdspdmod.dll
C:\WINDOWS\system32\wfn87em.dll
C:\WINDOWS\system32\wlbclnt.dll
C:\WINDOWS\system32\zjpfldr.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5E6BF15C-57FF-4B42-A672-8B9B13A773DD}"=-
"{459056BE-B699-47EF-A335-83F07D080FC0}"=-
"{D81EA6E8-643A-484C-8D7F-EE1586D73764}"=-
"{9DBC9B69-4F28-4CBB-9E6F-89E492268B3B}"=-
"{1C366D49-F25A-4549-AAA2-AA6D2D137AEC}"=-
"{37BC9363-A366-433B-8099-E85178CB5F91}"=-
"{472851EC-B648-4337-9D72-FDC7A896E050}"=-
"{18286857-C824-4B0C-B771-9A2D7D6D1000}"=-
"{270D6813-1959-4B0D-9135-7209654A8939}"=-
"{225741D7-1386-4B15-9051-58E473FDFB19}"=-
"{DDC91C81-2114-4C2E-85B7-67EB3906DB1E}"=-
"{D072F687-CCDF-445D-A71F-4ED43F8516D0}"=-
"{B9B0B2A5-05CD-4A6A-BE4B-B1343FA1DE10}"=-
"{B2850790-E8BB-4DC3-845C-EB27FEC3B28A}"=-
"{88ABB1AD-7D57-4950-877E-D9ECDA346D56}"=-
"{4BD0BC84-2FDE-4BD4-ABA0-7AB5F43634AB}"=-
"{F85D29BF-1DDD-4A46-BC5F-EEAD7DCD60EB}"=-
"{DE723DA3-BF8A-4380-A162-6179A01197EF}"=-
"{F542821F-FA07-4474-B0B3-7D7BF5C73687}"=-
"{AC84673D-DC6E-46B5-B742-89FED617E14E}"=-
"{684E37F4-BB5F-4933-A6E6-B9CB57AC770B}"=-
"{F35EB24B-F9EE-43B1-B7F4-0B714CA3BB41}"=-
"{F8F173F2-714D-4533-BB22-717E67B48643}"=-
[-HKEY_CLASSES_ROOT\CLSID\{5E6BF15C-57FF-4B42-A672-8B9B13A773DD}]
[-HKEY_CLASSES_ROOT\CLSID\{459056BE-B699-47EF-A335-83F07D080FC0}]
[-HKEY_CLASSES_ROOT\CLSID\{D81EA6E8-643A-484C-8D7F-EE1586D73764}]
[-HKEY_CLASSES_ROOT\CLSID\{9DBC9B69-4F28-4CBB-9E6F-89E492268B3B}]
[-HKEY_CLASSES_ROOT\CLSID\{1C366D49-F25A-4549-AAA2-AA6D2D137AEC}]
[-HKEY_CLASSES_ROOT\CLSID\{37BC9363-A366-433B-8099-E85178CB5F91}]
[-HKEY_CLASSES_ROOT\CLSID\{472851EC-B648-4337-9D72-FDC7A896E050}]
[-HKEY_CLASSES_ROOT\CLSID\{18286857-C824-4B0C-B771-9A2D7D6D1000}]
[-HKEY_CLASSES_ROOT\CLSID\{270D6813-1959-4B0D-9135-7209654A8939}]
[-HKEY_CLASSES_ROOT\CLSID\{225741D7-1386-4B15-9051-58E473FDFB19}]
[-HKEY_CLASSES_ROOT\CLSID\{DDC91C81-2114-4C2E-85B7-67EB3906DB1E}]
[-HKEY_CLASSES_ROOT\CLSID\{D072F687-CCDF-445D-A71F-4ED43F8516D0}]
[-HKEY_CLASSES_ROOT\CLSID\{B9B0B2A5-05CD-4A6A-BE4B-B1343FA1DE10}]
[-HKEY_CLASSES_ROOT\CLSID\{B2850790-E8BB-4DC3-845C-EB27FEC3B28A}]
[-HKEY_CLASSES_ROOT\CLSID\{88ABB1AD-7D57-4950-877E-D9ECDA346D56}]
[-HKEY_CLASSES_ROOT\CLSID\{4BD0BC84-2FDE-4BD4-ABA0-7AB5F43634AB}]
[-HKEY_CLASSES_ROOT\CLSID\{F85D29BF-1DDD-4A46-BC5F-EEAD7DCD60EB}]
[-HKEY_CLASSES_ROOT\CLSID\{DE723DA3-BF8A-4380-A162-6179A01197EF}]
[-HKEY_CLASSES_ROOT\CLSID\{F542821F-FA07-4474-B0B3-7D7BF5C73687}]
[-HKEY_CLASSES_ROOT\CLSID\{AC84673D-DC6E-46B5-B742-89FED617E14E}]
[-HKEY_CLASSES_ROOT\CLSID\{684E37F4-BB5F-4933-A6E6-B9CB57AC770B}]
[-HKEY_CLASSES_ROOT\CLSID\{F35EB24B-F9EE-43B1-B7F4-0B714CA3BB41}]
[-HKEY_CLASSES_ROOT\CLSID\{F8F173F2-714D-4533-BB22-717E67B48643}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

AND THIS IS WHAT I GOT FROM MY HIJACKTHIS LOG FILE

Logfile of HijackThis v1.99.1
Scan saved at 18:47:27, on 26/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SGVsbG8\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\paytime.exe
C:\windows\adtech2005.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\paytime.exe
C:\PROGRA~1\COMMON~1\immq\immqm.exe
C:\Program Files\Trustix\Trustix AntiVirus\Tavaud.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\malcom\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O1 - Hosts: .net
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [cnfgTav] "C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\E.tmp
O4 - HKCU\..\Run: [immq] C:\PROGRA~1\COMMON~1\immq\immqm.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118679888403
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci...6.1.7_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\dnj6011se.dll (file missing)
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\mnknnabj.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\feggbpho.dll (file missing)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\gpikkgmh.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\hceciqpk.dll
O21 - SSODL: mtkle - {0D941CB2-92ED-4397-8B90-6EA192C65589} - C:\WINDOWS\system32\dugx32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGVsbG8\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trustix AV Service (TAVM_Service) - Unknown owner - C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
That appears to have been a worthwhile adventure. It is one of the biggest logs that I have seen in a long time.

A. We want to stop, disable and delete an added service (O23)

A1. To stop the service and set it to 'disabled':
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===> Command Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


A2. We will now delete the service:
  • Open HJT
  • Click on Config>>Misc Tools>>Delete an NT Service
  • Copy/Paste cmdService in the space provided and click OK
  • The program will ask you to REBOOT --- Accept
  • REBOOT into SAFE MODE
  • Using Windows Explorer, locate and DELETE the following file (if it still is present):

    C:\WINDOWS\SGVsbG8<===Folder

  • REBOOT back into Normal Mode


B. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
    O1 - Hosts: .net
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [klop] C:\WINDOWS\E.tmp
    O4 - HKCU\..\Run: [immq] C:\PROGRA~1\COMMON~1\immq\immqm.exe
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
    O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\dnj6011se.dll (file missing)
    O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\mnknnabj.dll
    O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\feggbpho.dll (file missing)
    O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\gpikkgmh.dll (file missing)
    O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\hceciqpk.dll
    O21 - SSODL: mtkle - {0D941CB2-92ED-4397-8B90-6EA192C65589} - C:\WINDOWS\system32\dugx32.dll (file missing)



  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):


    C:\WINDOWS\system32\paytime.exe
    C:\windows\adtech2005.exe
    C:\PROGRA~1\COMMON~1\immq<==Folder
    C:\Program Files\winupdates<==Folder
    C:\WINDOWS\E.tmp
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe
    C:\WINDOWS\system32\mnknnabj.dll
    C:\WINDOWS\system32\feggbpho.dll
    C:\WINDOWS\system32\gpikkgmh.dll
    C:\WINDOWS\system32\hceciqpk.dll
    C:\WINDOWS\system32\dugx32.dll

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0
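The entries picked out above follow recognisable patterns: a start page pointing at a local HTML file, an extra program appended to the system.ini Shell= line, Run entries launching .tmp files or executables dropped straight into C:\WINDOWS, an orphaned Winlogon Notify package, a non-default SSODL entry, and a service of unknown owner running from an oddly named folder (SGVsbG8 is base64 for "Hello"). As an added example that is not part of this thread and not HijackThis code, the Python below encodes those rules and runs them over lines constructed from the logs in this thread (plus two benign lines for contrast); the default SSODL name set is an assumption about XP SP2.

```python
r"""Triage HijackThis 1.99 log lines for the patterns the helper singled out in
this thread.  Added example, not part of the thread and not HijackThis code;
the rules are the editor's own heuristics."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample: entries quoted in the thread plus two benign lines
# (Google start page, WgaLogon notify) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O1 - Hosts: .net
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\E.tmp
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\dnj6011se.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\mnknnabj.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGVsbG8\command.exe
O23 - Service: Trustix AV Service (TAVM_Service) - Unknown owner - C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
"""

# O4 program names the helper told the poster to fix in this thread.
THREAD_FLAGGED = {"paytime.exe", "adtech2005.exe", "immqm.exe",
                  "winupdates.exe", "ibm00005.exe"}
# Default ShellServiceObjectDelayLoad names (assumption: XP SP2 defaults).
DEFAULT_SSODL = {"WebCheck", "PostBootReminder", "CDBurn", "SysTray"}
# First drive-letter path on the line, up to a known extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|tmp|html?))\b', re.I)


def looks_base64_word(name: str) -> bool:
    """True when a folder name is valid base64 for printable ASCII, e.g.
    'SGVsbG8' -> 'Hello', the naming trick the service in this log uses."""
    if len(name) < 4 or len(name) % 4 == 1:
        return False
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def triage_line(line: str) -> Optional[str]:
    """Return why the line deserves a look, or None if no rule fires."""
    parts = line.split(" - ")
    kind = parts[0].strip()
    m = PATH_RE.search(line)
    target = m.group(1) if m else ""
    folder, _, name = target.rpartition("\\")
    lfolder, lname = folder.lower(), name.lower()
    missing = "(file missing)" in line

    if kind in ("R0", "R1"):
        # Start/Default page set to a local file.  XP's legitimate Local Page
        # default is system32\blank.htm, so that one is left alone.
        local = re.search(r"=\s*([a-z]:\\\S+)", line, re.I)
        if local and not local.group(1).lower().endswith("\\blank.htm"):
            return "IE start page redirected to a local file"
    elif kind == "F2" and "Shell=" in line:
        if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return "system.ini Shell= launches something besides explorer.exe"
    elif kind == "O1":
        return "hosts file entry added"
    elif kind == "O4":
        if lname.endswith(".tmp"):
            return "Run entry launches a .tmp file"
        if lfolder == "c:\\windows":
            return "Run entry launches an executable dropped in the Windows root"
        if lname in THREAD_FLAGGED:
            return "Run entry launches a program the helper flagged in this thread"
    elif kind == "O20" and missing:
        return "orphaned Winlogon Notify package (DLL already removed)"
    elif kind == "O21" and len(parts) > 1:
        ssodl = parts[1].split(":", 1)[-1].strip()
        if ssodl not in DEFAULT_SSODL or missing:
            return "non-default ShellServiceObjectDelayLoad entry"
    elif kind == "O23" and len(parts) > 3 and parts[2].strip() == "Unknown owner":
        leaf = folder.rpartition("\\")[2]
        if looks_base64_word(leaf):
            return "unowned service in base64-named folder %r" % leaf
        if lfolder.startswith("c:\\windows\\") and "system32" not in lfolder:
            return "unowned service running outside system32"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every log line that trips a rule."""
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        reason = triage_line(line) if line else None
        if reason:
            hits.append((line, reason))
    return hits
```

Note that "Unknown owner" alone is not a verdict: the Trustix service carries it too and is left alone because it runs from Program Files.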

#9
mark mccluskey

mark mccluskey

    Member

  • Topic Starter
  • Member
  • 24 posts
Once again, thank you for doing this for me. I followed your instructions, and some of the files I could not locate, so I take it they are deleted then? And paytime.exe will not delete; it says "cannot delete, access denied". What will I do???

Here is my hijack log anyway:

Logfile of HijackThis v1.99.1
Scan saved at 20:15:59, on 27/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\adtech2005.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Trustix\Trustix AntiVirus\SoftAct.exe
C:\Program Files\Trustix\Trustix AntiVirus\Tavaud.exe
C:\Documents and Settings\malcom\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [cnfgTav] "C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [adtech2005] C:\WINDOWS\adtech2005.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118679888403
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci...6.1.7_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trustix AV Service (TAVM_Service) - Unknown owner - C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. In Safe Mode, right-click on paytime.exe; this will bring up a box where I want you to choose Properties.

2. Look for "attributes" and if any are checked off then uncheck them and then try to delete the file.

3. Once deleted, post a fresh HJT log so we can continue

Regards,

Trevuren

  • 0


#11
mark mccluskey

mark mccluskey

    Member

  • Topic Starter
  • Member
  • 24 posts
OK, that is deleted. Just a question: if I am trying to delete other things and the same thing comes up with adtech (access denied), is that how I would go around deleting it?


Here's the HJT:
Logfile of HijackThis v1.99.1
Scan saved at 14:42:44, on 28/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\malcom\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [cnfgTav] "C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [adtech2005] C:\WINDOWS\adtech2005.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118679888403
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci...6.1.7_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trustix AV Service (TAVM_Service) - Unknown owner - C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
  • 0

#12
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
That is the way to delete these files, most of the time.

Please provide a list of uninstallable programs.

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.

Trevuren
  • 0

#13
mark mccluskey

    Member

  • Topic Starter
  • Member
  • 24 posts
Here's the list:

Adobe Acrobat 5.0
Adobe Acrobat Reader 3.02
AOpen Multimedia Utilities
Azureus
Command
Delta Force - Black Hawk Down
DSA Car & ADI Theory Test
EPSON Printer Software
F5D5050 Driver Uninstall
Football Manager 2005
Google Earth
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 5
Ladbrokes Poker
LimeWire 4.8.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Max Payne
Microsoft Office Professional Edition 2003
MSN Messenger 7.5
Music Visualizer Library 1.4.00
Nero 6 Enterprise Edition
Network Play System (Patching)
NVIDIA Drivers
OpenMG Limited Patch 3.2-03-02-21-08
OpenMG Limited Patch 3.2-03-04-14-02
OpenMG Limited Patch 3.2-03-04-17-02
OpenMG Secure Module 3.2
PartyPoker
QuickTime
RealPlayer
RollerCoaster Tycoon 2
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
SonicStage 1.5.53
The Sims On Holiday
Trustix AntiVirus 2005
Unreal Tournament 2003
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinFixer2005 1.1.37.4
WinRAR archiver
  • 0

#14
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please follow the instructions provided; you may want to print out these instructions and use them as a reference.
  • Please download ewido security suite; it is a trial version of the program.
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido; there should be an icon on your desktop, double-click it.
    • The program will prompt you to update; click the OK button.
    • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files; click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log file you saved, using Add Reply.
Regards,

Trevuren

  • 0

#15
mark mccluskey

    Member

  • Topic Starter
  • Member
  • 24 posts
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 23:41:42, 28/11/2005
+ Report-Checksum: EBBC75FA

+ Scan result:

HKU\S-1-5-21-329068152-412668190-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44BE0690-5429-47F0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKU\S-1-5-21-329068152-412668190-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-329068152-412668190-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-329068152-412668190-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9896231A-C487-43A5-8369-6EC9B0A96CC0} -> Spyware.Hijacker.Generic : Cleaned with backup
[736] C:\WINDOWS\system32\child.dll -> TrojanDownloader.Small.bug : Cleaned with backup
:mozilla.19:C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\qpsiarac.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temp\Cookies\home@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temp\Cookies\home@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temp\Cookies\home@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temp\Cookies\home@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temp\Cookies\home@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temp\Cookies\home@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\ERB6ES27\AppWrap[1].exe -> Spyware.Zestyfind : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\IBK7UH8H\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\Y3CPU74X\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
:mozilla.18:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.27:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.28:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.31:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.46:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.47:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.48:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.49:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.51:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.52:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.65:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.74:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.76:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.77:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.78:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.79:C:\Documents and Settings\malcom\Application Data\Mozilla\Firefox\Profiles\3gdugmze.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\malcom\Cookies\malcom@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\malcom\Cookies\malcom@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\malcom\Cookies\malcom@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\malcom\Cookies\malcom@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\malcom\Cookies\malcom@sel.as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\malcom\Cookies\malcom@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\backups\backup-20051118-184005-475.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/akferror.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/aqwav.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/aui2dvaa.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/azsldp.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/CBOSUSER.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/ciedui.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/crrpol.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/czvfat.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/dnj6011se.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/dnnq0155e.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/dxraw.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/dzmasf.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/dznwsock.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/enl8l13u1.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/ezsvc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/FV20ENU.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/g6402ghmg64a2.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/gpr6l39s1.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/gqmf32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/iaxsap.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/ir4ml5h11.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/iudkcs32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/jkcript.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/k0pm0a71ed.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/k4lqle351h.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/klduzb.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/lvj2091oe.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/m2820cloefqc0.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/mdiavi32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/mmcertui.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/mrise.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/mvl_mtf.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/newrsja.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/nprsfi.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/nprspt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/nzwrstr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/o2ro0c93ef.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/o8840ilqe8qe0.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/ome2disp.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/qlsname.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/rcgwizc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/rVsauto.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/sflunirl.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/sinscfg.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/sjrmfilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/smcsccp.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/smhannel.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/wdspdmod.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/wfn87em.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/wlbclnt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/zjpfldr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Desktop\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\malcom\Local Settings\Temp\Cookies\malcom@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\malcom\Local Settings\Temp\Cookies\malcom@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\malcom\Local Settings\Temp\Cookies\malcom@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\malcom\Local Settings\Temp\Cookies\malcom@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\malcom\Local Settings\Temp\Temporary Internet Files\Content.IE5\HGF07HM7\mte3ndi6odoxng[1].exe -> TrojanDownloader.Small.buy : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\6ux8xdia.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\6ux8xdia.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\6ux8xdia.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\6ux8xdia.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\6ux8xdia.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Ryan\Cookies\ryan@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Cookies\ryan@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temp\Temporary Internet Files\Content.IE5\JDVG1LZ7\mm[2].js -> Spyware.Chitika : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\81jkoz7e.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\81jkoz7e.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\81jkoz7e.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\81jkoz7e.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\81jkoz7e.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@ehg-ladbrokes.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sean\Cookies\sean@sel.as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@banner.goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@ehg-ladbrokes.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@ehg-osiris.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@sel.as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\mte3ndi6odoxng.exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll -> TrojanSpy.Small.dg : Cleaned with backup
C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\iconu.exe -> Spyware.Zestyfind : Cleaned with backup
C:\WINDOWS\kl.exe -> TrojanSpy.Small.dg : Cleaned with backup
C:\WINDOWS\sstray.exe -> TrojanSpy.Goldun.dn : Cleaned with backup
C:\WINDOWS\system32\appwiz.dll -> TrojanSpy.Goldun.dn : Cleaned with backup
C:\WINDOWS\system32\child.dll -> TrojanDownloader.Small.bug : Cleaned with backup
C:\WINDOWS\system32\eeejmpja.exe -> TrojanDropper.Small.aib : Cleaned with backup
C:\WINDOWS\system32\elepclii.exe -> TrojanDropper.Small.afo : Cleaned with backup
C:\WINDOWS\system32\Lajogndm.exe -> TrojanSpy.Banker.akk : Cleaned with backup
C:\WINDOWS\system32\lpbdinge.exe -> TrojanProxy.Wopla.m : Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Temp\bw2.com -> Spyware.Zestyfind : Cleaned with backup
C:\WINDOWS\Temp\Cookies\home@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\home@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\home@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\home@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\home@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\WINDOWS\Temp\Cookies\home@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\malcom@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\malcom@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\ryan@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\ryan@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\ryan@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\ryan@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\ryan@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sean@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sean@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sean@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sean@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sean@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\sean@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\tool1.exe -> TrojanDownloader.Small.bnt : Cleaned with backup
C:\WINDOWS\tool3.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\WINDOWS\tool4.exe -> TrojanDownloader.Small.bwr : Cleaned with backup
C:\WINDOWS\tskmgr.exe -> TrojanDownloader.Small.bwk : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 23:46:49, on 28/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trustix\Trustix AntiVirus\Tavaud.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\malcom\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [cnfgTav] "C:\Program Files\Trustix\Trustix AntiVirus\Tav.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [adtech2005] C:\WINDOWS\adtech2005.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118679888403
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci...6.1.7_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trustix AV Service (TAVM_Service) - Unknown owner - C:\Program Files\Trustix\Trustix AntiVirus\TAVMS.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe