Hijackthis log file


#1 Paperweight (Member, 17 posts)
I once had a computer, now I have a paperweight...

Logfile of HijackThis v1.99.1
Scan saved at 3:27:50 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\Smlt\command.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\nglzbex.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\windows\system32\logon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\webHancer\Programs\whsurvey.exe
C:\WINDOWS\nglzbexA.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Uvlwiv\Amwo.exe
C:\windows\system32\rodsregk.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\mmxp2passion.exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\swinpsai.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINDOWS\system32\awvtt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteaam32.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [freexstyle] lockbr.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [0kg00xc4.dll] RUNDLL32.EXE 0kg00xc4.dll,b 30478734
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames9.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\waoqar.exe reg_run
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [nglzbexA] C:\WINDOWS\nglzbexA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [Bhytk] C:\Program Files\Uvlwiv\Amwo.exe
O4 - HKLM\..\Run: [{9B-B9-93-3E-ZN}] C:\windows\system32\rodsregk.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinpsai.exe CORN001
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [RegiFast] C:\Program Files\RegiFast\RFManager.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunServices: [freexstyle] lockbr.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\swinpsai.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\s2pu0c79ef.dll
O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O21 - SSODL: bqTiUoNky - {40E9B93F-EA43-1395-9516-73AE6A0ADF71} - C:\WINDOWS\system32\ewr.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nglzbex.exe

Edited by Paperweight, 20 February 2006 - 03:37 PM.

#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

You've got a variety of issues showing up in your log. This will take a few steps, but we should have your paperweight turned back into a computer in short order. :)

I need to see a different type of log from Hijackthis.
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.


#3 Paperweight (Topic Starter, Member, 17 posts)
Hey Sam, thanks for responding, I really appreciate any help you could give me.

First, let me give you some background so you're not flying blind.

1) I'm not a big PC type person so it might take me a while to catch on.
(Most of my expertise is in the Oracle arena on Sun servers)

2) The computer in question is mostly used by my wife and kids, so I'm not sure what they've
done to it.

3) When we log into an account I notice (through the Task Manager) that iexplorer.exe
is running. However, there is no button on the Taskbar, and it was never invoked (intentionally).
This seems to chew up a lot of memory. When I kill it, the system speeds up dramatically.
Unfortunately, this is sometimes short lived as the process seems to occasionally restart itself.

4) There's this new menu bar on internet explorer (when we actually do invoke it).
It has all these stupid options like online dating, people search, online casinos, etc.
(Stuff I HOPE my wife and kids aren't doing)

5) When I ran StartupList I noticed a few suspicious processes. When I showed their properties
many of them did not have a company name (or were from WebHancer Inc), or their internal
file name was "test". I thought this was a sign that they weren't legitimate. Some of them are:
amwo.exe, actalert.exe, pokapoka79.exe, rodsregk.exe, swinpsai.exe, whagent.exe,
whsurvey.exe, winsyban10.exe. I'm sure you'll find a dozen more.

6) In the uninstall manager list the items that jump right out at me are: Active Alert,
Enhanced Ads by Zeno removal, InterActual Player, My Web Search (Smiley Central)
Toolbar888, UCmore - The Search Accelerator, webHancer Customer Companion,
WONswap, WSEM Update, Zeno Search Assistant removal. I'm sure you'll say something
like, "Hey dummy, don't remove that one or your monitor won't work".

7) I tend to be a bit long winded (but I'm sure you've figured that out by now).

Below are the results of the uninstall manager option and once again, thanks for your help.

Active Alert
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
America Online
AOL Instant Messenger
BugOff 1.10
CatDog
ClueFinders® 3rd Grade Adventures
Command
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Dell Digital Jukebox Driver
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
DH
Easy CD Creator 5 Basic
Enhanced Ads by Zeno removal
FoneSync
Harry Potter
Harry Potter II
HijackThis 1.99.1
Hoyle Board Games 5
Hoyle Card Games 5
hp instant support
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
InterActual Player
Internet Optimizer
Lexmark X73
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
MasterCook 6: Deluxe Edition
Media-motor
MGI PhotoSuite 8.1 (Remove Only)
Microsoft Encarta Encyclopedia Standard 2001
Microsoft Money 2001
Microsoft Picture It! Publishing 2001
Microsoft Streets and Trips 2001
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Musicmatch® Jukebox
My Web Search (Smiley Central)
Nancy Drew: The Haunted Carousel
Nancy Drew: Treasure in the Royal Tower
Network Monitor
Network Play System (Patching)
Norton AntiVirus 2002
NVIDIA Windows 2000/XP Display Drivers
PhoneTools
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
PowerDVD
Quicklinks
QuickTime
RealPlayer Basic
RegiFast Software
RollerCoaster Tycoon 3 Demo
Ryan Cabrera Screen Saver
Scholastic's The Magic School Bus Volcano
Shockwave
SimCoaster
Slam Dunk Typing
Sound Blaster Live! Value
SpongeBob SquarePants - The Movie
SPY KIDS Mega Mission Zone
SSH Tectia Client 4.3.0
The ClueFinders' 4th Grade Adventures
The Sims House Party
Toolbar888
TSA
Typing Tutor Junior
UCmore - The Search Accelerator
UnSpyPC
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
Web Nexus Network
webHancer Customer Companion
Windows Media Format Runtime
Windows Overlay Components
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WONswap
WSEM Update
Zeno Search Assistant removal

#4 Buckeye_Sam (Malware Expert, 10,019 posts)
You're on the right track. Let's see what we can get rid of the easy way first and then we'll go from there.

Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

Active Alert
DH
Enhanced Ads by Zeno removal
Internet Optimizer
Media-motor
My Web Search (Smiley Central)
Toolbar888
UCmore - The Search Accelerator
UnSpyPC
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
Web Nexus Network
webHancer Customer Companion
WSEM Update
Zeno Search Assistant removal



Some of these uninstallations may fail or return errors. Don't be concerned about that. We will manually remove anything that doesn't go away the right way.


===============


Please download miekiemoes' LQfix batch here:
http://www.downloads...m.org/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please run LQfix.bat. When finished, restart your computer in normal mode and please post a new HijackThis log.

#5 Paperweight (Topic Starter, Member, 17 posts)
OK Sam, so far so good. The uninstall seems to have removed all the programs you suggested.
(I've attached a new uninstall file) For one of them (DH) I had to go to the task manager and
end the process before it could be removed. I hope I didn't screw it up. The Internet Optimizer
also seems to still be running (according to the Hijackthis log)

Here are some of the problems I'm still facing when I log into an account:

1) a rundll error, C:\windows\image.new not found
2) system tries to run C:\windows\system32\lockbr.exe but it has an
"unknown publisher". (I always close this box instead of pressing the "run" or "cancel" button)
3) a "web page unavailable" message. The buttons are "connect" and "stay offline".
(I always close this box, too, instead of pressing one of the buttons)
This message comes up about 3 or 4 times.
4) iexplorer.exe still shows up (uninvoked by me) in Task Manager. This is what seems to
slow down the computer the most. When I kill the process, the system is MUCH quicker,
until iexplorer.exe mysteriously reappears.

The good news is that I've already noticed a difference in the speed of the computer.
I really appreciate what you've done for me so far.

*** Hijackthis log file ***

Logfile of HijackThis v1.99.1
Scan saved at 7:16:25 AM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\Smlt\command.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Network Monitor\netmon.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\windows\system32\logon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\nglzbex.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\winsysban10.exe
C:\WINDOWS\system32\hpsw.exe
C:\WINDOWS\nglzbexA.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Uvlwiv\Amwo.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\mmxp2passion.exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINDOWS\system32\awvtt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [freexstyle] lockbr.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [0kg00xc4.dll] RUNDLL32.EXE 0kg00xc4.dll,b 30478734
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [nglzbexA] C:\WINDOWS\nglzbexA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [Bhytk] C:\Program Files\Uvlwiv\Amwo.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\swinpsai.exe CORN001
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [RegiFast] C:\Program Files\RegiFast\RFManager.exe
O4 - HKLM\..\RunServices: [freexstyle] lockbr.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\swinpsai.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8815F567-DB74-4423-8D49-86764FFE9A05}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B479546-A78E-40D6-A7A3-B7E8B0D89199}: NameServer = 85.255.116.91,85.255.112.234
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\q0nula591d.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\wsdmtpus.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O21 - SSODL: bqTiUoNky - {40E9B93F-EA43-1395-9516-73AE6A0ADF71} - C:\WINDOWS\system32\ewr.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nglzbex.exe

*** Uninstall log file ***

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
America Online
AOL Instant Messenger
BugOff 1.10
CatDog
ClueFinders® 3rd Grade Adventures
Command
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Dell Digital Jukebox Driver
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
Easy CD Creator 5 Basic
FoneSync
Harry Potter
Harry Potter II
HijackThis 1.99.1
Hoyle Board Games 5
Hoyle Card Games 5
hp instant support
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
InterActual Player
Lexmark X73
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
MasterCook 6: Deluxe Edition
MGI PhotoSuite 8.1 (Remove Only)
Microsoft Encarta Encyclopedia Standard 2001
Microsoft Money 2001
Microsoft Picture It! Publishing 2001
Microsoft Streets and Trips 2001
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Musicmatch® Jukebox
Nancy Drew: The Haunted Carousel
Nancy Drew: Treasure in the Royal Tower
Network Monitor
Network Play System (Patching)
Norton AntiVirus 2002
NVIDIA Windows 2000/XP Display Drivers
PhoneTools
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
PowerDVD
Quicklinks
QuickTime
RealPlayer Basic
RegiFast Software
RollerCoaster Tycoon 3 Demo
Ryan Cabrera Screen Saver
Scholastic's The Magic School Bus Volcano
Shockwave
SimCoaster
Slam Dunk Typing
Sound Blaster Live! Value
SpongeBob SquarePants - The Movie
SPY KIDS Mega Mission Zone
SSH Tectia Client 4.3.0
The ClueFinders' 4th Grade Adventures
The Sims House Party
TSA
Typing Tutor Junior
Windows Media Format Runtime
Windows Overlay Components
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WONswap

Edited by Paperweight, 23 February 2006 - 07:15 AM.

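The helper reads these logs by eye, section by section. As an added example (not code from this thread or from HijackThis), here is a small Python script that parses HijackThis 1.99-style lines and flags the sections a log reader looks at first: everything in O10/O18/O20/O21 (code loaded into Winsock, every HTML page, winlogon.exe or Explorer), O17 entries that set a static public DNS resolver per interface, O4 Run entries whose executable or rundll32 DLL is a bare name found by PATH search, and O23 services with no vendor string. The sample input is constructed from lines copied out of the second log above plus two benign entries; the severity labels and every heuristic are this script's own assumptions, not HijackThis output.

```python
"""Triage a HijackThis 1.99 log (added example; heuristics and severities are assumptions)."""
import ipaddress
import re

# Constructed sample: lines copied from the second log in this thread, plus
# two benign entries (NAV Agent, NVSvc) that the heuristics should let pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [freexstyle] lockbr.exe
O4 - HKLM\..\Run: [0kg00xc4.dll] RUNDLL32.EXE 0kg00xc4.dll,b 30478734
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\swinpsai.exe CORN001
O10 - Hijacked Internet access by WebHancer
O17 - HKLM\System\CCS\Services\Tcpip\..\{8815F567-DB74-4423-8D49-86764FFE9A05}: NameServer = 85.255.116.91,85.255.112.234
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\q0nula591d.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d., ]+)")

# Sections that load a DLL into winlogon, Explorer, the Winsock stack or every
# HTML page: a helper reviews every entry here, so they are flagged outright.
ALWAYS_REVIEW = {
    "O10": "Winsock LSP chain hijacked; all TCP/IP traffic passes through it",
    "O18": "MIME filter: every page of that type is rewritten by the DLL",
    "O20": "Winlogon Notify DLL runs inside winlogon.exe before any user logs on",
    "O21": "ShellServiceObjectDelayLoad DLL starts with Explorer, even in Safe Mode",
}

def split_command(cmd):
    """Split a Run-key command into (executable, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        end = len(cmd) if end < 0 else end
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()

def check_o4(rest):
    # A bare name (or a bare DLL name given to rundll32) is found by PATH search,
    # so the log alone cannot tell which file actually runs.
    _, sep, cmd = rest.partition("] ")
    if not sep:
        return None
    exe, args = split_command(cmd)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        if "\\" not in args.split(",")[0].strip():
            return "MEDIUM", "rundll32 loads a DLL by bare name; confirm which file that is"
        return None
    if "\\" not in exe:
        return "MEDIUM", "bare filename, located by PATH search (common for droppers)"
    return None

def check_o17(rest):
    # Assumption: a home XP box gets DNS from DHCP or its router, so a static
    # public resolver written per interface is treated as a DNS-changer sign.
    m = NAMESERVER_RE.search(rest)
    if not m:
        return None
    public = []
    for text in m.group(1).replace(" ", "").split(","):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback):
            public.append(text)
    if public:
        return "HIGH", "static public resolver(s) %s; compare with the ISP's" % ",".join(public)
    return None

def check_o23(rest):
    if " - Unknown owner - " in rest:
        return "MEDIUM", "service without a vendor string; check the binary's signature and date"
    return None

CHECKS = {"O4": check_o4, "O17": check_o17, "O23": check_o23}

def triage(log_text):
    """Return one finding dict per flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section in ALWAYS_REVIEW:
            verdict = ("HIGH", ALWAYS_REVIEW[section])
        else:
            verdict = CHECKS.get(section, lambda r: None)(rest)
        if verdict:
            findings.append({"section": section, "severity": verdict[0],
                             "reason": verdict[1], "line": line.strip()})
    return findings

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f["severity"]):
        print(f"{f['severity']:6} {f['section']:4} {f['line'][:72]}")
        print(f"       {f['reason']}")
```

Run as-is it reports ten findings for the sample (six HIGH, four MEDIUM). Note what it does not catch: swinpsai.exe sits at a plausible-looking path and is not flagged, and the bare-name rundll32 rule also hits NVIDIA's legitimate NvQTwk entry, so MEDIUM means "look at this", not "fix it". That gap is exactly where a helper's knowledge of vendor file names still has to do the work.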

#6 Buckeye_Sam (Malware Expert, 10,019 posts)
You've still got a lot going on in that log, but we're getting there.

Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • Make sure "Hide extensions for known file types" is unchecked
    • Make sure "Hide protected operating system files (recommended)" is unchecked
    • For more info on how to show hidden files click here.


  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
    O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINDOWS\system32\awvtt.dll
    O4 - HKLM\..\Run: [logon.exe] c:\windows\system32\logon.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [freexstyle] lockbr.exe
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
    O4 - HKLM\..\Run: [0kg00xc4.dll] RUNDLL32.EXE 0kg00xc4.dll,b 30478734
    O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
    O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10.exe
    O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
    O4 - HKLM\..\Run: [nglzbexA] C:\WINDOWS\nglzbexA.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [Bhytk] C:\Program Files\Uvlwiv\Amwo.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\swinpsai.exe CORN001
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
    O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
    O4 - HKLM\..\Run: [RegiFast] C:\Program Files\RegiFast\RFManager.exe
    O4 - HKLM\..\RunServices: [freexstyle] lockbr.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\swinpsai.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
    O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
    O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll
    O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\q0nula591d.dll (file missing)
    O20 - Winlogon Notify: URL - C:\WINDOWS\system32\wsdmtpus.dll
    O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
    O21 - SSODL: bqTiUoNky - {40E9B93F-EA43-1395-9516-73AE6A0ADF71} - C:\WINDOWS\system32\ewr.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\nglzbex.exe



  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:/html/start/start.html
    C:\PROGRAM FILES\Jalmp <-- delete this folder
    C:\WINDOWS\system32\awvtt.dll
    c:\windows\system32\logon.exe
    C:\WINDOWS\wdskctl.exe
    c:\windows\system32\lockbr.exe
    C:\windows\winsysupd10.exe
    C:\windows\winsysban10.exe
    C:\windows\gimmygames10.exe
    C:\WINDOWS\system32\hpsw.exe
    C:\WINDOWS\nglzbexA.exe
    C:\Program Files\Internet Optimizer <-- delete this folder
    C:\WINDOWS\SYSC00.exe
    C:\Program Files\Uvlwiv <-- delete this folder
    C:\WINDOWS\SYSTEM32\swinpsai.exe
    C:\WINDOWS\system32\wintask.exe
    C:\WINDOWS\system32\mmxp2passion.exe
    C:\WINDOWS\system32\loadadv64
    C:\WINDOWS\SYSTEM32\swinpsai.exe
    C:\WINDOWS\system32\wsdmtpus.dll
    C:\WINDOWS\system32\dcom_14.dll
    C:\WINDOWS\system32\ewr.dll
    C:\WINDOWS\Smlt\command.exe
    C:\WINDOWS\nglzbex.exe

Reboot your computer to go back to normal mode.



Please download Look2Me-Remover.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Remover.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX
  • 0

#7
Paperweight

    Member

  • Topic Starter
  • Member
  • 17 posts
Man, what a mess... after I ran Hijackthis, selected the items and clicked the "fix checked"
button I rebooted. I got "keyboard error" message (on the black bootup screen) and it
would not work. (I've been getting that message for a LONG time, whenever I reboot)
I switched the keyboard to another port and was able to use the F8 button to get into safe mode.
But when I tried to log in as the Administrator I was returned to the black screen (with
the words Safe Mode on the bottom). So I then got into Safe Mode with Command Prompt
to delete the files/directories.

I couldn't download the Look2Me Remover from the link site but I found it on another.
(http://www.simplytech.it/L2MRemover) I guess this one was a little different because
it didn't create a log file. It did say that it found L2M and removed it. Then it rebooted the
system for me.

I've got a small problem with the printers now but I'll worry about that later
(a "new hardware found" message displays and wants me to install the hardware)

Oh, and the file C:/html/start/start.html is my web home page. It's just a small HTML
file I wrote. It really is nothing more than a bunch of <A HREF> commands inside
a <TABLE> structure. So basically, it's a bunch of web links on the screen.

Logfile of HijackThis v1.99.1
Scan saved at 11:07:09 AM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\Smlt\command.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - (no file)
O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINDOWS\system32\awvtt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8815F567-DB74-4423-8D49-86764FFE9A05}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B479546-A78E-40D6-A7A3-B7E8B0D89199}: NameServer = 85.255.116.91,85.255.112.234
O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\enpol1731.dll
O21 - SSODL: bqTiUoNky - {40E9B93F-EA43-1395-9516-73AE6A0ADF71} - C:\WINDOWS\system32\ewr.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Edited by Paperweight, 23 February 2006 - 10:40 AM.

  • 0

#8
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
We are making progress. There are still two separate issues that need to be addressed separately.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

  • 0

#9
Paperweight

    Member

  • Topic Starter
  • Member
  • 17 posts
Wow, there's a big difference already in my computer. Thanks.

*** VundoFix log ***

VundoFix V4.2.26
Scan started at 1:44:12 PM 2/23/2006

Listing files found while scanning....

C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.bak2
C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\ttvwa.tmp

C:\WINDOWS\SYSTEM32\ttvwa.bak1
C:\WINDOWS\SYSTEM32\ttvwa.bak2
C:\WINDOWS\SYSTEM32\ttvwa.tmp
C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini2
C:\WINDOWS\SYSTEM32\awvtt.dll
C:\WINDOWS\SYSTEM32\ttvwa.ini2
C:\WINDOWS\SYSTEM32\ttvwa.bak2
C:\WINDOWS\SYSTEM32\ttvwa.tmp
C:\WINDOWS\SYSTEM32\ttvwa.ini
C:\WINDOWS\SYSTEM32\ttvwa.ini2
C:\WINDOWS\SYSTEM32\awvtt.dll
Attempting to delete C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\awvtt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttvwa.bak2
C:\WINDOWS\system32\ttvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\ttvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttvwa.tmp
C:\WINDOWS\system32\ttvwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!

*** Hijackthis log ***

Logfile of HijackThis v1.99.1
Scan saved at 1:48:28 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\Smlt\command.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - (no file)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8815F567-DB74-4423-8D49-86764FFE9A05}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B479546-A78E-40D6-A7A3-B7E8B0D89199}: NameServer = 85.255.116.91,85.255.112.234
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\aza0l95m1.dll
O21 - SSODL: bqTiUoNky - {40E9B93F-EA43-1395-9516-73AE6A0ADF71} - C:\WINDOWS\system32\ewr.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
  • 0

#10
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch.


Fix these lines with Hijackthis.

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8815F567-DB74-4423-8D49-86764FFE9A05}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B479546-A78E-40D6-A7A3-B7E8B0D89199}: NameServer = 85.255.116.91,85.255.112.234
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\aza0l95m1.dll
O21 - SSODL: bqTiUoNky - {40E9B93F-EA43-1395-9516-73AE6A0ADF71} - C:\WINDOWS\system32\ewr.dll (file missing)




Now let's check some settings on your system.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter. Type exit and hit Enter.
(That space between g and / is needed.)


Reboot your computer.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
  • 0
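A log-triage script, as an added example that is not code from this thread, from HijackThis or from FixWareout: it parses HijackThis entries and flags the classes singled out in the post above (an O17 NameServer override, the reversed O1 hosts line, Winlogon Notify DLLs with random names, entries whose file is gone, and services with no vendor). The function names, the heuristics and the `trusted_dns` parameter are this example's own assumptions; the sample entries are copied from the logs posted in this thread.

```python
"""Triage a HijackThis v1.99 log for the entry classes this thread turns on.

Added example, not HijackThis or forum code. The heuristics and function
names are this example's own assumptions; the sample lines below are
copied from the logs posted in the thread.
"""
import ipaddress
import re

# Constructed sample: a handful of entries copied from the logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - (no file)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8815F567-DB74-4423-8D49-86764FFE9A05}: NameServer = 85.255.116.91,85.255.112.234
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\aza0l95m1.dll
O21 - SSODL: bqTiUoNky - {40E9B93F-EA43-1395-9516-73AE6A0ADF71} - C:\WINDOWS\system32\ewr.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section tag (R0, O4, O17, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")


def parse_entries(log_text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return False
    return True


def unexpected_resolvers(body, trusted_dns):
    """Resolver addresses in an O17 NameServer entry that are public and not trusted."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    bad = []
    for addr in (a.strip() for a in m.group(1).split(",")):
        if not addr or not _is_ip(addr):
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_loopback or addr in trusted_dns:
            continue
        bad.append(addr)
    return bad


def triage(log_text, trusted_dns=frozenset()):
    """Return (section, reason, body) findings that deserve a second look."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O17":
            # The DNS-changer in this thread rewrote NameServer to two public addresses.
            bad = unexpected_resolvers(body, trusted_dns)
            if bad:
                findings.append((section, "DNS resolvers overridden: " + ", ".join(bad), body))
        elif section == "O1":
            # A hosts-file line must begin with an address; "localhost 127.0.0.1" is reversed.
            rest = body.split(":", 1)[1].split() if ":" in body else []
            if not rest or not _is_ip(rest[0]):
                findings.append((section, "hosts entry does not start with an address", body))
        elif section == "O20":
            # Heuristic only: the notify DLLs in this thread carry random alphanumeric names.
            stem = body.rsplit("\\", 1)[-1].split(".", 1)[0]
            if any(ch.isdigit() for ch in stem):
                findings.append((section, "Winlogon Notify DLL with random-looking name", body))
        if "(file missing)" in body or "(no file)" in body:
            findings.append((section, "registry entry points at a file that no longer exists", body))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no vendor information", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```

Pass the resolvers your ISP actually assigns in `trusted_dns` so a legitimately configured static DNS entry is not reported; the O17 comparison is the same check the steps above do by hand against the addresses shown by `ipconfig /all`. The O20 name heuristic is deliberately narrow and will miss a notify DLL with a plain name such as awvtt.dll, so treat it as a prompt for review, not a verdict.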



#11
Paperweight

    Member

  • Topic Starter
  • Member
  • 17 posts
Done... but some things didn't go according to plan. I searched my entire C drive
(not just c:\fixwareout) and couldn't find the report.txt file. And even though you
said the computer might take longer to reboot, it didn't. The last message it told
me was that uninstaller was going to run on the next reboot. If it did it was very fast.

Plus, I'm still surfing in the stone ages (dialup modem). I'm getting DSL on Monday
and will attempt to be going wireless... at least from my "virus free" laptop. I'll
hook up the paperweight (which is actually running real well, now, thanks to you)
once we're done. Anyways, I set the modem to "Obtain DNS Servers Automatically"
(as well as the Local Area connection).

Logfile of HijackThis v1.99.1
Scan saved at 3:01:38 PM, on 2/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [dmasa.exe] C:\WINDOWS\system32\dmasa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\h04mlah11d4.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
  • 0

#12
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Don't worry about the log. We just need to double check and make sure nothing was left behind.

Download and save backlight to your desktop. Double-click blbeta.exe, accept the agreement, leave [X]scan through Windows Explorer checked, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.



==========


It looks as if you still have one active infection left that we need yet another tool for.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
  • 0

#13
Paperweight

    Member

  • Topic Starter
  • Member
  • 17 posts
Done... I had zero problems this time. Everything ran very fast.

I found the image.new problem I mentioned before, it was a registry
entry buried down in explorer->policies->run. I deleted the key
(after exporting it first, just in case I had to restore it) and have not
had the rundll error since.

Plus, I noticed in the task manager a process called " wowexec.exe"
popping up occasionally. (There actually is a space before it)
With my limited (but just enough to be dangerous) knowledge I thought
this couldn't be good.


*** fsbl log ***

02/25/06 06:57:21 [Info]: BlackLight Engine 1.0.32 initialized
02/25/06 06:57:21 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/25/06 06:57:22 [Note]: 7019 4
02/25/06 06:57:22 [Note]: 7005 0
02/25/06 06:57:38 [Note]: 7006 0
02/25/06 06:57:38 [Note]: 7011 2924
02/25/06 06:57:38 [Note]: 7024 1
02/25/06 06:57:38 [Note]: 7015 212
02/25/06 06:57:38 [Note]: 7015 5
02/25/06 06:57:38 [Info]: Hidden process: Unknown process (pid: 212)
02/25/06 06:57:38 [Note]: 7024 1
02/25/06 06:57:38 [Note]: 7015 404
02/25/06 06:57:38 [Note]: 7015 5
02/25/06 06:57:38 [Info]: Hidden process: Unknown process (pid: 404)
02/25/06 06:57:38 [Note]: 7024 1
02/25/06 06:57:38 [Note]: 7015 416
02/25/06 06:57:38 [Note]: 7015 5
02/25/06 06:57:38 [Info]: Hidden process: Unknown process (pid: 416)
02/25/06 06:57:38 [Note]: 7015 432
02/25/06 06:57:38 [Note]: 7015 5
02/25/06 06:57:38 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 568
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 568)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 576
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 576)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 592
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 592)
02/25/06 06:57:39 [Note]: 7015 720
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Note]: 7015 1036
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1112
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1112)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1152
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1152)
02/25/06 06:57:39 [Note]: 7015 1264
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Note]: 7015 1312
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1532
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1532)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1552
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1552)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1688
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1688)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1772
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1772)
02/25/06 06:57:39 [Note]: 7015 1796
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1828
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1828)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1896
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1896)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 1936
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 1936)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2080
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2080)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2212
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2212)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2240
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2240)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2268
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2268)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2300
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2300)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2308
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2308)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2388
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2388)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2400
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2400)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2532
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2532)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2564
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2564)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2568
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2568)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2580
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2580)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2676
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2676)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2700
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2700)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2740
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2740)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2744
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2744)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2752
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2752)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2764
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2764)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 2804
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 2804)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3028
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3028)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3052
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3052)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3076
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3076)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3212
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3212)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3268
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3268)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3320
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3320)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3344
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3344)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3400
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3400)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3432
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3432)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3484
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3484)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3552
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3552)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3624
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3624)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3656
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3656)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3680
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3680)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3776
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3776)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3788
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3788)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3836
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3836)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3888
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3888)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3892
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3892)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 3960
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 3960)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 4004
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 4004)
02/25/06 06:57:39 [Note]: 7024 1
02/25/06 06:57:39 [Note]: 7015 4076
02/25/06 06:57:39 [Note]: 7015 5
02/25/06 06:57:39 [Info]: Hidden process: Unknown process (pid: 4076)
02/25/06 06:57:39 [Note]: FSRAW library version 1.7.1015
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:09 [Note]: 7002 0
02/25/06 06:59:09 [Note]: 7003 1
02/25/06 06:59:53 [Note]: 7007 0


*** L2M log ***

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr0405dqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{48574F65-7C48-E5E1-7690-0CBD48E8452F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{8EE1745C-A2FC-4C95-BE42-43DF5F721FFE}"=""
"{8B75F303-1AC8-4345-9384-C9B0B52B28F7}"=""
"{AEF81F1D-BBC2-4595-A911-CB04A7FB01B1}"=""
"{38947153-078D-4F45-80D6-F0389504CA23}"=""
"{F65A8386-DB84-41BC-A9FD-7B318A0D7F87}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8EE1745C-A2FC-4C95-BE42-43DF5F721FFE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8EE1745C-A2FC-4C95-BE42-43DF5F721FFE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8EE1745C-A2FC-4C95-BE42-43DF5F721FFE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8EE1745C-A2FC-4C95-BE42-43DF5F721FFE}\InprocServer32]
@="C:\\WINDOWS\\system32\\fzdrclnr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8B75F303-1AC8-4345-9384-C9B0B52B28F7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B75F303-1AC8-4345-9384-C9B0B52B28F7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B75F303-1AC8-4345-9384-C9B0B52B28F7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B75F303-1AC8-4345-9384-C9B0B52B28F7}\InprocServer32]
@="C:\\WINDOWS\\system32\\NJTAPI.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AEF81F1D-BBC2-4595-A911-CB04A7FB01B1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AEF81F1D-BBC2-4595-A911-CB04A7FB01B1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AEF81F1D-BBC2-4595-A911-CB04A7FB01B1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AEF81F1D-BBC2-4595-A911-CB04A7FB01B1}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{38947153-078D-4F45-80D6-F0389504CA23}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{38947153-078D-4F45-80D6-F0389504CA23}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{38947153-078D-4F45-80D6-F0389504CA23}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{38947153-078D-4F45-80D6-F0389504CA23}\InprocServer32]
@="C:\\WINDOWS\\system32\\azivtmxx.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F65A8386-DB84-41BC-A9FD-7B318A0D7F87}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F65A8386-DB84-41BC-A9FD-7B318A0D7F87}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F65A8386-DB84-41BC-A9FD-7B318A0D7F87}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F65A8386-DB84-41BC-A9FD-7B318A0D7F87}\InprocServer32]
@="C:\\WINDOWS\\system32\\lytif11n.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
0kg00xc4.dll Mon Feb 6 2006 4:14:46p A.... 22,016 21.50 K
0kg0an0q.dll Wed Feb 22 2006 5:59:38a A.... 45,568 44.50 K
0sis001w.dll Sat Feb 18 2006 9:27:10p A.... 22,016 21.50 K
adserv~1.dll Thu Feb 9 2006 7:00:46a A.... 16,896 16.50 K
atmtd.dll Sat Feb 11 2006 9:42:12a A.... 687,592 671.48 K
awtqn.dll Sun Feb 12 2006 1:05:46a ..SH. 38,925 38.01 K
azaul9~1.dll Mon Feb 20 2006 3:36:36p ..S.R 234,919 229.41 K
azivtmxx.dll Sat Feb 11 2006 2:28:28p ..S.R 234,272 228.78 K
dcom_13.dll Sun Feb 12 2006 1:04:48a A.... 66,560 65.00 K
dn8801~1.dll Sun Feb 19 2006 8:44:58p ..S.R 235,800 230.27 K
dnl401~1.dll Wed Feb 15 2006 10:41:22p ..S.R 234,919 229.41 K
e002la~1.dll Sat Feb 11 2006 3:08:28p ..S.R 234,272 228.78 K
e8jm0i~1.dll Sun Feb 19 2006 8:16:36p ..S.R 235,037 229.53 K
enpql1~1.dll Wed Feb 15 2006 5:40:36p ..S.R 234,919 229.41 K
epuspps.dll Sat Feb 11 2006 9:34:20a A.... 67,072 65.50 K
f00o0a~1.dll Wed Feb 22 2006 6:51:48p ..S.R 235,219 229.70 K
f6j20g~1.dll Sat Feb 11 2006 3:26:42p ..S.R 234,488 228.99 K
fp2q03~1.dll Mon Feb 20 2006 2:39:14p ..S.R 234,919 229.41 K
fzdrclnr.dll Wed Feb 22 2006 11:11:10p ..S.R 234,919 229.41 K
gpjml3~1.dll Sun Feb 12 2006 11:54:36a ..S.R 234,272 228.78 K
hhpertrm.dll Wed Feb 22 2006 8:19:52a ..S.R 234,919 229.41 K
hr0405~1.dll Fri Feb 24 2006 3:58:26p ..S.R 236,089 230.55 K
hrps05~1.dll Tue Feb 14 2006 6:45:50p ..S.R 234,919 229.41 K
ia41_qcx.dll Wed Feb 15 2006 4:48:36p ..S.R 234,919 229.41 K
ir00l5~1.dll Thu Feb 23 2006 12:16:10a ..S.R 234,919 229.41 K
ir28l5~1.dll Wed Feb 22 2006 6:13:18a ..S.R 234,919 229.41 K
ir8ml5~1.dll Sun Feb 12 2006 7:07:36p ..S.R 236,104 230.57 K
j46m0e~1.dll Thu Feb 23 2006 11:14:48a ..S.R 233,933 228.45 K
jt6m07~1.dll Fri Feb 10 2006 3:14:56p ..S.R 234,272 228.78 K
jtr807~1.dll Tue Feb 21 2006 8:39:36a ..S.R 234,919 229.41 K
jysd400.dll Tue Feb 14 2006 2:37:22p ..S.R 234,919 229.41 K
kgdtuq.dll Sat Feb 11 2006 11:57:54a ..S.R 234,272 228.78 K
kt20l7~1.dll Sat Feb 11 2006 12:22:02p ..S.R 235,299 229.78 K
kt2ql7~1.dll Thu Feb 23 2006 10:54:14a ..S.R 236,085 230.55 K
kzdit.dll Fri Feb 24 2006 2:43:50p ..S.R 235,308 229.79 K
kzdmaori.dll Thu Feb 23 2006 10:36:14a ..S.R 236,085 230.55 K
l08m0a~1.dll Wed Feb 15 2006 12:30:34a ..S.R 234,919 229.41 K
l08mla~1.dll Wed Feb 22 2006 11:11:10p ..S.R 236,099 230.56 K
l42sle~1.dll Mon Feb 20 2006 7:05:10a ..S.R 234,919 229.41 K
l8l60i~1.dll Sun Feb 12 2006 1:33:34a ..S.R 234,910 229.40 K
lcbmp70n.dll Sat Feb 11 2006 3:21:52p ..S.R 234,272 228.78 K
lhwnd10n.dll Thu Feb 23 2006 1:47:14p ..S.R 235,308 229.79 K
lv4409~1.dll Sat Feb 11 2006 7:54:52a ..S.R 234,272 228.78 K
lvj009~1.dll Thu Feb 16 2006 8:17:50p ..S.R 234,919 229.41 K
lyjnm.dll Tue Feb 21 2006 9:05:30p A.... 155,648 152.00 K
lytif11n.dll Thu Feb 23 2006 10:14:26a ..S.R 234,919 229.41 K
m6460g~1.dll Wed Feb 22 2006 5:52:16a ..S.R 235,565 230.04 K
m8rm0i~1.dll Sun Feb 12 2006 11:05:36p ..S.R 234,919 229.41 K
mmimg32.dll Thu Feb 23 2006 5:20:16p ..S.R 236,977 231.42 K
mpricons.dll Thu Feb 23 2006 1:32:28p ..S.R 235,308 229.79 K
mrdsrv32.dll Sun Feb 19 2006 12:34:52p ..S.R 234,919 229.41 K
mvjul9~1.dll Sun Feb 12 2006 1:02:26a ..S.R 236,191 230.65 K
mvl8l9~1.dll Tue Feb 14 2006 9:42:42a ..S.R 234,919 229.41 K
mvn0l9~1.dll Tue Feb 14 2006 2:58:22p ..S.R 234,919 229.41 K
n24s0c~1.dll Wed Feb 22 2006 8:50:54a ..S.R 234,919 229.41 K
n44sle~1.dll Mon Feb 13 2006 7:30:40p ..S.R 234,919 229.41 K
n48ole~1.dll Thu Feb 23 2006 7:02:42a ..S.R 234,919 229.41 K
njtapi.dll Tue Feb 21 2006 8:58:36p ..S.R 234,919 229.41 K
nsz8a3.dll Wed Jan 18 2006 4:19:02p A.... 84,480 82.50 K
nttrap.dll Fri Feb 24 2006 3:31:26p ..S.R 236,089 230.55 K
o2lu0c~1.dll Sun Feb 19 2006 2:46:54p ..S.R 234,919 229.41 K
otbc32gt.dll Sat Feb 11 2006 12:22:02p ..S.R 234,272 228.78 K
oxhlp30e.dll Fri Feb 24 2006 4:33:24p ..S.R 235,308 229.79 K
pbdx5032.dll Fri Feb 10 2006 6:46:52a ..S.R 234,272 228.78 K
q4860e~1.dll Sat Feb 11 2006 3:35:50p ..S.R 234,956 229.45 K
q8psli~1.dll Sun Feb 12 2006 1:57:34a ..S.R 234,272 228.78 K
qysf.dll Sun Feb 19 2006 8:06:42p ..S.R 234,919 229.41 K
r66ulg~1.dll Fri Feb 24 2006 4:44:24p ..S.R 235,308 229.79 K
r6r60g~1.dll Sat Feb 18 2006 8:02:30a ..S.R 234,919 229.41 K
roched20.dll Thu Feb 23 2006 6:49:36a ..S.R 234,919 229.41 K
suc.dll Thu Feb 23 2006 7:07:32a ..S.R 234,919 229.41 K
tbpiui.dll Thu Feb 23 2006 11:02:48a ..S.R 233,933 228.45 K
u8ruli~1.dll Fri Feb 10 2006 2:29:56p ..S.R 236,270 230.73 K
uorcoina.dll Wed Feb 22 2006 5:52:18a ..S.R 234,919 229.41 K
upeg.dll Sun Feb 19 2006 8:44:58p ..S.R 234,919 229.41 K
winubg32.dll Thu Feb 9 2006 7:00:46a A.... 16,896 16.50 K
wm2_32.dll Thu Feb 23 2006 10:56:02a ..S.R 233,933 228.45 K
wtw32.dll Thu Feb 23 2006 10:10:56a ..S.R 234,919 229.41 K

78 items found: 78 files (68 H/S), 0 directories.
Total of file sizes: 16,969,399 bytes 16.18 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Fri Feb 24 2006 5:47:42p ..S.R 236,089 230.55 K
lat2929.tmp Sat Feb 18 2006 7:21:06a A.... 0 0.00 K
latf52.tmp Sun Feb 12 2006 9:20:40p A.... 0 0.00 K
latf56.tmp Sun Feb 12 2006 10:20:52p A.... 0 0.00 K
ldacb7.tmp Fri Feb 17 2006 5:28:02p A.... 24,589 24.01 K
mcrh.tmp Mon Feb 20 2006 7:48:24p A.... 143 0.14 K

6 items found: 6 files (1 H/S), 0 directories.
Total of file sizes: 260,821 bytes 254.71 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 40E9-B93E

Directory of C:\WINDOWS\System32

02/24/2006 05:47 PM 236,089 guard.tmp
02/24/2006 04:44 PM 235,308 r66ulgj916o.dll
02/24/2006 04:33 PM 235,308 oxhlp30e.dll
02/24/2006 03:58 PM 236,089 hr0405dqe.dll
02/24/2006 03:31 PM 236,089 nttrap.dll
02/24/2006 02:43 PM 235,308 KZDIT.DLL
02/23/2006 05:20 PM 236,977 mmimg32.dll
02/23/2006 01:47 PM 235,308 LHWND10N.DLL
02/23/2006 01:32 PM 235,308 mpricons.dll
02/23/2006 11:14 AM 233,933 j46m0ej1eho.dll
02/23/2006 11:02 AM 233,933 TBPIUI.DLL
02/23/2006 10:56 AM 233,933 wm2_32.dll
02/23/2006 10:54 AM 236,085 kt2ql7f51.dll
02/23/2006 10:36 AM 236,085 kzdmaori.dll
02/23/2006 10:14 AM 234,919 lytif11n.dll
02/23/2006 10:10 AM 234,919 wtw32.dll
02/23/2006 07:07 AM 234,919 suc.dll
02/23/2006 07:02 AM 234,919 n48olel31hq.dll
02/23/2006 06:49 AM 234,919 roched20.dll
02/23/2006 12:16 AM 234,919 ir00l5dm1.dll
02/22/2006 11:11 PM 234,919 fzdrclnr.dll
02/22/2006 11:11 PM 236,099 l08mlal11dq.dll
02/22/2006 06:51 PM 235,219 f00o0ad3ed0.dll
02/22/2006 08:50 AM 234,919 n24s0ch7ef4.dll
02/22/2006 08:19 AM 234,919 hhpertrm.dll
02/22/2006 06:13 AM 234,919 ir28l5fu1.dll
02/22/2006 05:52 AM 234,919 UORCOINA.DLL
02/22/2006 05:52 AM 235,565 m6460ghse6460.dll
02/21/2006 08:58 PM 234,919 NJTAPI.DLL
02/21/2006 08:39 AM 234,919 jtr8079ue.dll
02/20/2006 03:36 PM 234,919 azaul9191.dll
02/20/2006 02:39 PM 234,919 fp2q03f5e.dll
02/20/2006 07:05 AM 234,919 l42slef71h2.dll
02/19/2006 08:44 PM 234,919 UPEG.DLL
02/19/2006 08:44 PM 235,800 dn8801lue.dll
02/19/2006 08:16 PM 235,037 e8jm0i11e8.dll
02/19/2006 08:06 PM 234,919 qYsf.dll
02/19/2006 02:46 PM 234,919 o2lu0c39ef.dll
02/19/2006 12:34 PM 234,919 MRDSRV32.DLL
02/18/2006 08:02 AM 234,919 r6r60g9se6.dll
02/16/2006 08:17 PM 234,919 lvj0091me.dll
02/15/2006 10:41 PM 234,919 dnl4013qe.dll
02/15/2006 05:40 PM 234,919 enpql1751.dll
02/15/2006 04:48 PM 234,919 ia41_qcx.dll
02/15/2006 12:30 AM 234,919 l08m0al1edq.dll
02/14/2006 06:45 PM 234,919 hrps0577e.dll
02/14/2006 02:58 PM 234,919 mvn0l95m1.dll
02/14/2006 02:37 PM 234,919 JYSD400.DLL
02/14/2006 09:42 AM 234,919 mvl8l93u1.dll
02/13/2006 07:30 PM 234,919 n44sleh71h4.dll
02/12/2006 11:05 PM 234,919 m8rm0i91e8.dll
02/12/2006 07:07 PM 236,104 ir8ml5l11.dll
02/12/2006 11:54 AM 234,272 gpjml3111.dll
02/12/2006 01:57 AM 234,272 q8psli7718.dll
02/12/2006 01:33 AM 234,910 l8l60i3se8.dll
02/12/2006 01:05 AM 38,925 awtqn.dll
02/12/2006 01:02 AM 236,191 mvjul9191.dll
02/11/2006 03:35 PM 234,956 q4860elsehq60.dll
02/11/2006 03:26 PM 234,488 f6j20g1oe6.dll
02/11/2006 03:21 PM 234,272 LCBMP70N.DLL
02/11/2006 03:08 PM 234,272 e002lado1d0c.dll
02/11/2006 02:28 PM 234,272 azivtmxx.dll
02/11/2006 12:22 PM 234,272 otbc32gt.dll
02/11/2006 12:22 PM 235,299 kt20l7fm1.dll
02/11/2006 11:57 AM 234,272 KGDTUQ.DLL
02/11/2006 07:54 AM 234,272 lv4409hqe.dll
02/10/2006 03:14 PM 234,272 jt6m07j1e.dll
02/10/2006 02:29 PM 236,270 u8ruli9918.dll
02/10/2006 06:46 AM 234,272 pbdx5032.dll
11/08/2005 03:43 PM <DIR> DLLCACHE
08/04/2004 12:56 AM 40,960 lockbr.exe
12/17/2001 07:24 PM <DIR> Microsoft
70 File(s) 16,061,704 bytes
2 Dir(s) 62,184,054,784 bytes free
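The listing above is the classic L2M (Look2Me) footprint: dozens of randomly named DLLs in System32, every one between roughly 233 KB and 237 KB, nearly all carrying the System and Read-only attributes, all written within the same two-week window, plus a guard.tmp whose byte count is identical to two of the DLLs. The Python script below is an added example (not part of this thread and not part of the l2mfix tool) that parses a `dir`-style listing like the one posted and flags that cluster by size band and date window, then reports exact size twins and DLL-sized .tmp files. The embedded listing is a constructed excerpt copied from a few of the posted lines, not the full 70-file listing; the size band, minimum count and window width are thresholds chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a short excerpt in the same "dir" format as the System32
# listing posted above (a few of its lines, not the full 70-file listing).
SAMPLE_LISTING = """\
 Volume in drive C has no label.

 Directory of C:\\WINDOWS\\System32

02/24/2006 05:47 PM 236,089 guard.tmp
02/24/2006 04:44 PM 235,308 r66ulgj916o.dll
02/24/2006 03:31 PM 236,089 nttrap.dll
02/23/2006 05:20 PM 236,977 mmimg32.dll
02/19/2006 08:06 PM 234,919 qYsf.dll
02/12/2006 01:05 AM 38,925 awtqn.dll
02/10/2006 06:46 AM 234,272 pbdx5032.dll
11/08/2005 03:43 PM <DIR> DLLCACHE
08/04/2004 12:56 AM 40,960 lockbr.exe
"""

# One "dir" file line: date, time, AM/PM, byte count with thousands separators,
# name. "<DIR>" entries have no byte count and therefore do not match.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2})\s+([AP]M)\s+([\d,]+)\s+(\S.*)$"
)


def parse_dir_listing(text):
    """Return a list of (mtime, size_bytes, filename) tuples from dir output."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, clock, ampm, size, name = m.groups()
        mtime = datetime.strptime(f"{date} {clock} {ampm}", "%m/%d/%Y %I:%M %p")
        entries.append((mtime, int(size.replace(",", "")), name))
    return entries


def find_size_cluster(entries, low=230_000, high=240_000, min_count=5, window_days=21):
    """Files whose size lies in [low, high], returned oldest first, but only when
    there are at least min_count of them and they all landed within window_days
    of each other. Thresholds are illustrative, tuned to the posted listing, where
    every L2M DLL is 233-237 KB and all were written between 02/10 and 02/24."""
    band = [e for e in entries if low <= e[1] <= high]
    if len(band) < min_count:
        return []
    span = max(e[0] for e in band) - min(e[0] for e in band)
    if span.days > window_days:
        return []
    return sorted(band)


def shared_sizes(cluster):
    """Map byte size -> filenames that share it exactly. Identical sizes across
    differently named files are a strong hint that they are copies of one payload."""
    by_size = defaultdict(list)
    for _, size, name in cluster:
        by_size[size].append(name)
    return {size: names for size, names in by_size.items() if len(names) > 1}


def dll_sized_tmp(cluster):
    """A .tmp file in System32 that is the same size as the DLL cluster (guard.tmp
    in the posted listing) is part of the infection, not a leftover temp file."""
    return [name for _, _, name in cluster if name.lower().endswith(".tmp")]


if __name__ == "__main__":
    entries = parse_dir_listing(SAMPLE_LISTING)
    cluster = find_size_cluster(entries)
    print(f"{len(cluster)} files in the suspicious size band:")
    for mtime, size, name in cluster:
        print(f"  {mtime:%Y-%m-%d %H:%M}  {size:>9,}  {name}")
    print("exact size twins:", shared_sizes(cluster))
    print("DLL-sized .tmp files:", dll_sized_tmp(cluster))
```

On the full posted listing the same thresholds would pull in all 69 of the 233-237 KB files and leave awtqn.dll, lockbr.exe and the two directories alone; run it against `dir /a C:\WINDOWS\System32 > listing.txt` captured from the infected machine rather than the embedded excerpt.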

#14
Buckeye_Sam (Malware Expert, Member, 10,019 posts)

Plus, I noticed in the task manager a process called " wowexec.exe"
popping up occasionally. (There actually is a space before it)
With my limited (but just enough to be dangerous) knowledge I thought
this couldn't be good.

You're right. That one's no good. We'll track it down after we get rid of your L2M infection.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.

#15
Paperweight (Topic Starter, Member, 17 posts)

The l2mfix.bat wanted a password (after I pressed 2). I just hit enter and it seemed to run.

Also, I noticed when I went into one of the other accounts on the computer that the
"lockbr.exe" box was popping up. Should I be doing any of these fixes in the other
accounts (like the Fix Checked using HJT) ?



*** L2M log ***

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 72%)

*** HJT log ***

Logfile of HijackThis v1.99.1
Scan saved at 6:14:39 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\f4j2le1o1h.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
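The one persistence entry left in this log, `O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\f4j2le1o1h.dll`, is how the DLLs get loaded: winlogon.exe loads every DLL registered under the Winlogon\Notify key at logon, so the infection comes back until that key is removed, not just the file. As an added example (not from this thread and not part of HijackThis), the script below audits the O20 lines of a HijackThis log against a small allowlist of Notify DLLs. The allowlist and the sample log lines are constructed for illustration: the WebCheck line is the one from the posted log, while the crypt32chain and WgaLogon lines are assumed-benign entries added for contrast and do not appear in the posted log. The mixed-letters-and-digits name check is a secondary signal only; the allowlist miss is the primary one.

```python
import re

# Constructed sample in HijackThis 1.99.1 format. The O20 WebCheck line is the one
# from the posted log; the crypt32chain and WgaLogon lines are assumed-benign
# entries added here for contrast and are not in the posted log.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\navapw32.exe
O20 - Winlogon Notify: WebCheck - C:\\WINDOWS\\system32\\f4j2le1o1h.dll
O20 - Winlogon Notify: crypt32chain - C:\\WINDOWS\\system32\\crypt32.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: Network Monitor - Unknown owner - C:\\Program Files\\Network Monitor\\netmon.exe
"""

# Illustrative allowlist (an assumption for this example, not a HijackThis list):
# DLLs that Windows XP itself registers under Winlogon\Notify.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wgalogon.dll",
}

O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)\s*$")


def parse_o20(log_text):
    """Yield (notify_key, dll_path) for every O20 Winlogon Notify line."""
    for line in log_text.splitlines():
        m = O20_LINE.match(line.strip())
        if m:
            yield m["key"], m["path"]


def looks_random(basename):
    """Secondary heuristic: an 8+ character stem that mixes letters and digits,
    the shape of the L2M DLL names in this thread (f4j2le1o1h, r66ulgj916o, ...).
    Weak on its own; the allowlist miss is the primary signal."""
    stem = basename.rsplit(".", 1)[0].lower()
    return (len(stem) >= 8
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def audit_winlogon_notify(log_text, allowlist=KNOWN_NOTIFY_DLLS):
    """Return one finding per O20 entry whose DLL is not on the allowlist or
    whose name looks machine-generated. Each finding lists its reasons."""
    findings = []
    for key, path in parse_o20(log_text):
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        if basename.lower() not in allowlist:
            reasons.append("DLL not in known-good Notify list")
        if looks_random(basename):
            reasons.append("machine-generated looking filename")
        if reasons:
            findings.append({"key": key, "dll": basename, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_winlogon_notify(SAMPLE_HJT_LOG):
        print(f"[{f['key']}] {f['path']}: " + "; ".join(f["reasons"]))
```

Because the DLL is loaded into winlogon.exe at every logon, the audit belongs in the same pass as the System32 size-cluster check: a Notify DLL whose name is absent from the earlier directory listing (f4j2le1o1h.dll is not in the 02/24 listing, while this HJT log is from 02/25) is the freshest copy of the payload and the first thing to remove.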