954,253 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
6 Years Ago
0

yyy65&XBDYUS.htm annoyance!!!!

:mad:
Please help, i like to play games, and needless to say,
being taken out once every two minutes is not fun.
i have been able to take care of things in the past,
and have even gone so far as to download hijack this and such, deleting most if not all of the keys, and i'm still getting popups, ad aware is always picking up something, so is Search and Destroy, but after i reboot in safe mode do all of the above, delete everything, oh, i reboot back and what do you know... yes, 1:59 minutes without a popup!, plz help, this is my hijack this reading, i'm running xp, and have looked through countless of articles with the same problem , albeit, i never have the exact case.

Logfile of HijackThis v1.99.1
Scan saved at 10:33:20 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\MSNGAM~1\zone.exe
D:\PROGRA~1\MSNGAM~1\zclient.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\Documents and Settings\Benincasa\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: Themes - D:\WINDOWS\system32\m646lghs1646.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DirectX Drivers - Unknown owner - D:\WINDOWS\D1rectX.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

once again, please help.

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

also, i've tried shutting programs off in task manager, and i'm getting an access denied message, even though i'm the administrator. i looked it up but every solution to that hasn't worked.

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Hi,
Download and install Ewido Security Suite v3.5 . After download, double click on the file to launch the install process. During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update - click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see "Update Successful" in the lower left corner.
If you are having problems with the updater, use this link to manually update.
Exit Ewido when done - DO NOT perform a scan yet.


Download CCleaner and install it. Do not run it now!


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named DirectX Drivers and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".


Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Reboot to Normal Mode.


Next, download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

If you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

Next, please download Rootkit Revealer (link is at the very bottom of the page)Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.
** NOTEBefore performing a scan it is recommended to do the following.
1. Physically unplug the cable from the PC to the internet connection.
2. Close down All Scheduling/Updating + Running Background tasks etc.
3. Launch and run the program.
4. While it is scanning DO NOT use your computer at ALL until the scan has been completed.
5. Save your Log File, and then Enable those things you closed down, or Reboot, and ONLY then Reconnect to the Internet.


Then, post both the L2MFix and Rootkit Reaveler logs.

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 
6 Years Ago
0

ps: ty.
heres what came from l2me and rootkit

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\n44s0eh7eh4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{37272362-547D-3D33-7851-C01176D810B7}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{8C4786B2-1C31-40F3-A998-2C82BDA648CF}"=""
"{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}"=""
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}"=""
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8C4786B2-1C31-40F3-A998-2C82BDA648CF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C4786B2-1C31-40F3-A998-2C82BDA648CF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C4786B2-1C31-40F3-A998-2C82BDA648CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C4786B2-1C31-40F3-A998-2C82BDA648CF}\InprocServer32]
@="D:\\WINDOWS\\system32\\imakeng.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}\InprocServer32]
@="D:\\WINDOWS\\system32\\kmdca.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}\InprocServer32]
@="D:\\WINDOWS\\system32\\MIC71ESP.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

D:\WINDOWS\SYSTEM32\
browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M
gdi32.dll Wed Dec 28 2005 9:54:36p A.... 280,064 273.50 K
kmdca.dll Sun Jan 22 2006 12:39:08p ..S.R 234,223 228.73 K
mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M
n44s0e~1.dll Sun Jan 22 2006 11:18:46a ..S.R 234,223 228.73 K
p68qlg~1.dll Sun Jan 22 2006 12:37:36p ..S.R 235,518 229.99 K
s32evnt1.dll Tue Jan 3 2006 3:31:44p A.... 91,904 89.75 K
shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M
urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K

10 items found: 10 files (3 H/S), 0 directories.
Total of file sizes: 8,270,044 bytes 7.89 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive D has no label.
Volume Serial Number is 94A5-4C6E

Directory of D:\WINDOWS\System32

01/22/2006 12:39 PM ..
01/22/2006 12:39 PM .
01/22/2006 12:39 PM 234,223 kmdca.dll
01/22/2006 12:37 PM 235,518 p68qlgl516q.dll
01/22/2006 11:18 AM 234,223 n44s0eh7eh4.dll
09/13/2005 07:22 PM Microsoft
3 File(s) 703,964 bytes
3 Dir(s) 5,632,966,656 bytes free
I'm posting these in halves, because when i added rootkit to the post it was extremely long, and i got a cannot find server error when posting together.

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

i have a problem with rootkits...
its 4.6 mb, .... from the looks of it it just copied everything from both drives.... eh, i tried posting, its big even in half of a drive... help?!!?!?!??

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Hi,
I didnt thought Rootkit Revealer would become that big! We will proceed without that one!

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter.
It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.


Also, perform an online virus scan at Kaspersky Online Scanner . Save the log it gives after the scan and please post it back.

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 
6 Years Ago
0

alright, i gotta go to work soon, ill be back in about 4-5 hours, and will post and probably go to bed thereafter, so it's best if you expect results tommorow, and then we can continue, but as i will be back tommorow around and hour from whatever time it is on here now, hopefully that is your time... ( i would be back around 3:10 eastern time is what i'm trying to say.)

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

i ran l2me fix, nothing happens, some wierd message comes up on the screen, something asks fora password, and then it does something else, when i restarted, no notepad came up, and ewido freaks out when i try to open up hijackthiss with look2me infections...ah!!!!

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Logfile of HijackThis v1.99.1
Scan saved at 6:48:07 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\Benincasa\My Documents\hijackthis.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: ThemeManager - D:\WINDOWS\system32\n44s0eh7eh4.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: OYJCYAD - Sysinternals - www.sysinternals.com - D:\DOCUME~1\BENINC~1\LOCALS~1\Temp\OYJCYAD.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


thats that... but ... wierd clicking noise is appearing now.

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Logfile of HijackThis v1.99.1
Scan saved at 6:48:07 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\Benincasa\My Documents\hijackthis.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: ThemeManager - D:\WINDOWS\system32\n44s0eh7eh4.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: OYJCYAD - Sysinternals - www.sysinternals.com - D:\DOCUME~1\BENINC~1\LOCALS~1\Temp\OYJCYAD.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Hi,
Look2Me is still there. I am sorry, i forgot to say about that password. When L2MFix asks for password, please type bye and press Enter.
Also, after the reboot, if the NotePad doesnt open automatically with the log, go to the folder where L2Mfix.bat file is present and you will find the log there.

Please re-run the L2MFix.bat with Option 2 (and password bye) and post back the log file of L2MFix and HijackThis.


PS: The clicking noise is due to this Look2Me infection!!

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 
6 Years Ago
0

i have a problem with the l2mefix
at the top it says password will be entered automatically
it says enter the password ofr l2mefix :
and then 1/20th of a second later it says
Attempting to start D:\WINDOWS\System32\second.bat
1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it
Processing cleanup.
. The system cannot find the file specified
The system cannot find the file specified
A duplicate file name exists, or the file cannot be found
Could Not Find D:\WINDOWS\System32\log.txt
then adds some files and says system is ready to reboot...
The log.txt will be in the l2mfix folder after the reboot if it does not open on its own Please fix the missing file 020 with hijackthis after the reboot

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Hi,
Can you post the contents of log.txt present in the L2MFix folder?

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 
6 Years Ago
0

L2mfix Beta 122705
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Hi,
Looks like its a new Look2Me, and hence L2MFix is not able to completely remove the files. We will remove them manually now.


Download Process Explorer for Windows Nt/2K/XP (Download link is at the bottom of the page). xtract the Zip file to a folder.

Download KillBox , extract it to your desktop.

Boot in SAFE Mode.


In the Process Explorer folder, run Procexp.exe. Now, in the main screen, click on the process Winlogon.exe to highlight it. Right-click on it and click "Properties". Now, in the Properties window, click the "Threads" tab. Here, under the "Start Address" field, look for the filename n44s0eh7eh4.dll. If you find it, select it and click Kill button and click "Yes" to kill it. There may be more than one n44s0eh7eh4.dll in this list, kill them all.


Now, click "OK" to exit from the "Properties" window. In the main window of Process Explorer, click on the process Explorer.exe. Right-click on it and select "Properties". Now, click the "Threads" tab. Similarly, here also look for n44s0eh7eh4.dll entry and kill it, if you find it. Click "OK" to exit from Properties window.


Similarly, look for these DLL files in Winlogon.exe and Explorer.exe properties in Process Explorer, as described above, and if they are found, kill them.
p68qlgl516q.dll
kmdca.dll


Next, open Killbox.exe. First click on Tools > Delete Temp Files. A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then, Check on the Button titled "Delete Selected Temp Files". Exit by clicking the Button titled "Exit(Save Settings)". Once back into the main Killbox program.

Check the following box:-

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.
D:\WINDOWS\SYSTEM32\kmdca.dll
D:\WINDOWS\SYSTEM32\n44s0eh7eh4.dll
D:\WINDOWS\SYSTEM32\p68qlgl516q.dll
D:\WINDOWS\SYSTEM32\guard.tmp
Then in Killbox click File > Paste from Clipboard.

At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click theRed X button and for the confirmation message that will appear, you will need to click "Yes".

A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.


After the reboot, Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with a new HijackThis log.

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 
6 Years Ago
0

ugh, did everything, i can tell you the first part, there where none of those files in the locations given. i ran killbox, and popups persist.

here is the hijackthis log, cftmon is still there.

Logfile of HijackThis v1.99.1
Scan saved at 4:46:23 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Benincasa\Local Settings\Temp\Temporary Internet Files\Content.IE5\01234567\WinPFind[1]\WinPFind\winpfind.exe
D:\Documents and Settings\Benincasa\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: CSCSettings - D:\WINDOWS\system32\n4l80e3ueh.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: OYJCYAD - Unknown owner - D:\DOCUME~1\BENINC~1\LOCALS~1\Temp\OYJCYAD.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


ill post the WinPFind when it gets done, as it is, it's a white screen that's not responding.

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings
= D:\WINDOWS\system32\n4l80e3ueh.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/24/2006 4:47:15 PM

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

disregard previous.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 4:19:58 PM 2337488 D:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/6/2004 7:15:42 PM 41397 D:\WINDOWS\SYSTEM32\dfrg.msc
WinShutDown 1/22/2006 6:37:04 PM R S 235348 D:\WINDOWS\SYSTEM32\ir2ml5f11.dll
ad-w-a-r-e.com 1/22/2006 6:37:04 PM R S 235348 D:\WINDOWS\SYSTEM32\ir2ml5f11.dll
WinShutDown 1/24/2006 4:01:46 PM R S 235353 D:\WINDOWS\SYSTEM32\IvagX7.dll
ad-w-a-r-e.com 1/24/2006 4:01:46 PM R S 235353 D:\WINDOWS\SYSTEM32\IvagX7.dll
PTech 7/12/2005 6:04:22 PM 520456 D:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/13/2005 9:41:48 PM 11254 D:\WINDOWS\SYSTEM32\locate.com
PECompact2 1/4/2006 7:46:40 PM 2827616 D:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 D:\WINDOWS\SYSTEM32\MRT.exe
WinShutDown 1/22/2006 6:41:54 PM R S 234223 D:\WINDOWS\SYSTEM32\myxml3.dll
ad-w-a-r-e.com 1/22/2006 6:41:54 PM R S 234223 D:\WINDOWS\SYSTEM32\myxml3.dll
aspack 8/3/2004 11:56:38 PM 708096 D:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 12/20/2003 6:44:34 PM 8704 D:\WINDOWS\SYSTEM32\ogg.dll
Umonitor 8/3/2004 11:56:46 PM 657920 D:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 1/20/2005 1:47:50 PM 175616 D:\WINDOWS\SYSTEM32\strings.exe
UPX! 10/30/2005 8:49:02 PM 42496 D:\WINDOWS\SYSTEM32\swreg.exe
UPX! 12/20/2003 6:45:26 PM 112128 D:\WINDOWS\SYSTEM32\vorbis.dll
winsync 8/6/2004 7:18:14 PM 1309184 D:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 8/3/2004 11:56:44 PM 3584 D:\WINDOWS\SYSTEM32\webctl.dll

Checking %System%\Drivers folder and sub-folders...

Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/24/2006 4:36:04 PM S 2048 D:\WINDOWS\bootstat.dat
1/24/2006 4:46:32 PM H 24 D:\WINDOWS\p1cxK
12/21/2005 4:06:04 PM RHS 227 D:\WINDOWS\assembly\Desktop.ini
1/8/2006 8:43:22 PM H 10820 D:\WINDOWS\Help\nocontnt.GID
12/25/2005 12:28:28 AM H 10820 D:\WINDOWS\Help\update.GID
1/24/2006 4:36:22 PM R S 236187 D:\WINDOWS\system32\dsserial.dll
1/24/2006 4:36:20 PM R S 234093 D:\WINDOWS\system32\enr6l19s1.dll
1/22/2006 6:37:04 PM R S 235348 D:\WINDOWS\system32\ir2ml5f11.dll
1/24/2006 4:01:46 PM R S 235353 D:\WINDOWS\system32\IvagX7.dll
1/22/2006 6:41:54 PM R S 234223 D:\WINDOWS\system32\myxml3.dll
1/24/2006 4:27:48 PM R S 236187 D:\WINDOWS\system32\n4l80e3ueh.dll
11/30/2005 11:17:10 PM S 21633 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM S 10925 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 6:09:36 PM S 11223 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/24/2006 4:38:00 PM H 1024 D:\WINDOWS\system32\config\default.LOG
1/24/2006 4:36:18 PM H 1024 D:\WINDOWS\system32\config\SAM.LOG
1/24/2006 4:38:06 PM H 1024 D:\WINDOWS\system32\config\SECURITY.LOG
1/24/2006 4:46:32 PM H 1024 D:\WINDOWS\system32\config\software.LOG
1/24/2006 4:38:38 PM H 1024 D:\WINDOWS\system32\config\system.LOG
1/16/2006 11:35:44 AM H 1024 D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
11/30/2005 8:23:56 PM H 40613 D:\WINDOWS\system32\spool\drivers\w32x86\3\lxbkma.GID
1/21/2006 4:20:26 PM H 6 D:\WINDOWS\Tasks\SA.DAT
1/24/2006 4:36:26 PM HS 113 D:\WINDOWS\Temp\History\History.IE5\desktop.ini
1/24/2006 4:36:26 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
1/24/2006 4:44:44 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2VYDIX8H\desktop.ini
1/24/2006 4:40:28 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C7KDBWED\desktop.ini
1/24/2006 4:44:50 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G1470R8J\desktop.ini
1/24/2006 4:44:44 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RQ1J653Y\desktop.ini
1/24/2006 4:44:46 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SPUNCD2F\desktop.ini
1/24/2006 4:44:44 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\UPKF4FGP\desktop.ini
1/24/2006 4:40:28 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WSWGVFBR\desktop.ini
1/24/2006 4:40:32 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6ZO9YF\desktop.ini
1/24/2006 4:44:36 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y3EMIGNN\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 D:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 D:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 D:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 D:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 D:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 D:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 D:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 D:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 D:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 D:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 D:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/6/2004 7:17:02 PM 187904 D:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 D:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/6/2004 7:17:26 PM 35840 D:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 D:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 D:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/6/2004 7:17:32 PM 36864 D:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 D:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 D:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 6/20/2001 3:34:36 PM 287232 D:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 D:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/6/2004 7:18:04 PM 28160 D:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 D:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 D:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 D:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/13/2005 7:16:08 PM HS 84 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/13/2005 2:45:46 PM HS 62 D:\Documents and Settings\All Users\Application Data\desktop.ini
12/21/2005 4:11:58 PM 2046 D:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/13/2005 7:16:08 PM HS 84 D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/13/2005 2:45:46 PM HS 62 D:\Documents and Settings\Benincasa\Application Data\desktop.ini
12/29/2005 5:53:22 PM 1850843 D:\Documents and Settings\Benincasa\Application Data\Install.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{8C4786B2-1C31-40F3-A998-2C82BDA648CF} = D:\WINDOWS\system32\imakeng.dll
{73C81572-87F7-48CA-A5A8-ADA82AF73D7C} = D:\WINDOWS\system32\myxml3.dll
{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD} = D:\WINDOWS\system32\MIC71ESP.DLL
{64EDC752-4460-48E6-8730-B9B18A740C9E} = D:\WINDOWS\system32\IvagX7.dll
{716662EE-0F72-4DF4-9789-72ADFE54FFEC} = D:\WINDOWS\system32\dsserial.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = D:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\M2WShlExMenu
{DC6FA7E0-6666-11D5-8CE2-444553540000} = D:\PROGRA~1\ACOUST~1\M2WShlEx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mygksnnt
{47b160de-c8f1-43ee-837b-3fb77a4093cc} = D:\WINDOWS\system32\kmgkq.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = D:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : D:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
&Discuss = shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
Flags

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe D:\WINDOWS\system32\ctfmon.exe
AIM D:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
STOPzilla Local Service 2
SysmonLog 3
Schedule 2
Browser 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup D:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
item HP Image Zone Fast Start
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup D:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
item HP Image Zone Fast Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l
item Microsoft Office
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^Benincasa^Start Menu^Programs^Startup^Sound Control.lnk
path D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\Sound Control.lnk
backup D:\WINDOWS\pss\Sound Control.lnkStartup
location Startup
command D:\PROGRA~1\SOUNDC~1\SC.EXE
item Sound Control
path D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\Sound Control.lnk
backup D:\WINDOWS\pss\Sound Control.lnkStartup
location Startup
command D:\PROGRA~1\SOUNDC~1\SC.EXE
item Sound Control

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winlog
hkey HKLM
command winlog.exe
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\adtech2006
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item adtech2006a
hkey HKLM
command C:\windows\adtech2006a.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item adtech2006a
hkey HKLM
command C:\windows\adtech2006a.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command D:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command D:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command D:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command D:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fimq
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item fimqm
hkey HKCU
command D:\PROGRA~1\COMMON~1\fimq\fimqm.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item fimqm
hkey HKCU
command D:\PROGRA~1\COMMON~1\fimq\fimqm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd2
hkey HKLM
command "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd2
hkey HKLM
command "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb11
hkey HKLM
command D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb11
hkey HKLM
command D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPHmon06
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hphmon06
hkey HKLM
command D:\WINDOWS\system32\hphmon06.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hphmon06
hkey HKLM
command D:\WINDOWS\system32\hphmon06.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPHUPD06
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hphupd06
hkey HKLM
command D:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hphupd06
hkey HKLM
command D:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lexmark X1100 Series
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lxbkbmgr
hkey HKLM
command "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lxbkbmgr
hkey HKLM
command "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lspins
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igps
hkey HKLM
command "D:\WINDOWS\system32\igps.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igps
hkey HKLM
command "D:\WINDOWS\system32\igps.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "D:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "D:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\services32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000140
hkey HKCU
command D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000140
hkey HKCU
command D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command D:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command D:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\timessquare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item timessquare
hkey HKLM
command C:\windows\timessquare.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item timessquare
hkey HKLM
command C:\windows\timessquare.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows installer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winstall
hkey HKCU
command C:\winstall.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winstall
hkey HKCU
command C:\winstall.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsupdater
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsupdater
hkey HKLM
command D:\Program Files\winsupdater\winsupdater.exe /auto
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsupdater
hkey HKLM
command D:\Program Files\winsupdater\winsupdater.exe /auto
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsysban
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsysban
hkey HKLM
command C:\windows\winsysban.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsysban
hkey HKLM
command C:\windows\winsysban.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsysupd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsysupd
hkey HKLM
command C:\windows\winsysupd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsysupd
hkey HKLM
command C:\windows\winsysupd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\[01]##############################################################################################################################
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rogue
hkey HKLM
command D:\Program Files\Internet Optimizer\update\rogue.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rogue
hkey HKLM
command D:\Program Files\Internet Optimizer\update\rogue.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = D:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = D:\WINDOWS\system32\webctl.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\System32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings
= D:\WINDOWS\system32\n4l80e3ueh.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/24/2006 4:47:15 PM

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Hi,
There are a lot of files to remove!


Please download Trojan Hunter (trial) and install it.

Boot in SAFE mode.


Now, run Trojan Hunter. Go to Tools Menu > Process Viewer. This opens up process viewer window, here click on the + symbol beside the process Winlogon.exe. Now, in this expanded list for process Winlogon.exe, look for the filename D:\WINDOWS\system32\n4l80e3ueh.dll, if you find it, right-click on it and select Unload module.

Similarly, expand the process Explorer.exe by clicking the + sign beside it, and look for the same D:\WINDOWS\system32\n4l80e3ueh.dll file and if its found, right-click on it and click Unload module.

Now, close Trojan Hunter.


Uninstall this Software from Add/Remove Programs in Control Panel:-
Internet Optimizer (if found)


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

O20 - Winlogon Notify: CSCSettings - D:\WINDOWS\system32\n4l80e3ueh.dll

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Delete these folders:-
D:\PROGRAM FILES\COMMON FILES\fimq
D:\Program Files\winsupdater
D:\Program Files\Internet Optimizer


Open Killbox.exe. Check the following box:-

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.
C:\winstall.exe
C:\windows\adtech2006a.exe
C:\windows\timessquare.exe
C:\windows\winsysban.exe
C:\windows\winsysupd.exe
D:\WINDOWS\p1cxK
D:\WINDOWS\system32\igps.exe
D:\WINDOWS\SYSTEM32\ir2ml5f11.dll
D:\WINDOWS\SYSTEM32\IvagX7.dll
D:\WINDOWS\SYSTEM32\myxml3.dll
D:\WINDOWS\SYSTEM32\webctl.dll
D:\WINDOWS\system32\dsserial.dll
D:\WINDOWS\system32\enr6l19s1.dll
D:\WINDOWS\system32\n4l80e3ueh.dll
D:\WINDOWS\system32\imakeng.dll
D:\WINDOWS\system32\MIC71ESP.DLL
D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\lxbkma.GID
Then in Killbox click File > Paste from Clipboard.

At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click theRed X button and for the confirmation message that will appear, you will need to click "Yes".

A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.


Once rebooted to Normal mode, please run WinPFind again and post a new log of it.

swatkat
Practically a Master Poster
645 posts since Jul 2005
Reputation Points: 25
Solved Threads: 51
 
6 Years Ago
0

did all of the following, the requested n4l180e3ueh.dll isn't found, nor was internet optimizer.

i did have to delete common files on both drives,
as i use both drives after my c was reformatted, and have been trying to switch more to c because it has about 40 gigs free compared to the 3 gigs on d left... so there may be files on one or the other. ewido has about 6 l2me files in quarentine, including guard.tmp yyy65 are still popping up, and a
heres the scan.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 4:19:58 PM 2337488 D:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/6/2004 7:15:42 PM 41397 D:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 6:04:22 PM 520456 D:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/13/2005 9:41:48 PM 11254 D:\WINDOWS\SYSTEM32\locate.com
PECompact2 1/4/2006 7:46:40 PM 2827616 D:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 D:\WINDOWS\SYSTEM32\MRT.exe
WinShutDown 1/25/2006 6:06:22 PM R S 236187 D:\WINDOWS\SYSTEM32\n46q0ej5eho.dll
ad-w-a-r-e.com 1/25/2006 6:06:22 PM R S 236187 D:\WINDOWS\SYSTEM32\n46q0ej5eho.dll
aspack 8/3/2004 11:56:38 PM 708096 D:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 12/20/2003 6:44:34 PM 8704 D:\WINDOWS\SYSTEM32\ogg.dll
Umonitor 8/3/2004 11:56:46 PM 657920 D:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 1/20/2005 1:47:50 PM 175616 D:\WINDOWS\SYSTEM32\strings.exe
UPX! 10/30/2005 8:49:02 PM 42496 D:\WINDOWS\SYSTEM32\swreg.exe
UPX! 12/20/2003 6:45:26 PM 112128 D:\WINDOWS\SYSTEM32\vorbis.dll
winsync 8/6/2004 7:18:14 PM 1309184 D:\WINDOWS\SYSTEM32\wbdbase.deu
WinShutDown 1/26/2006 3:34:08 PM 234093 D:\WINDOWS\SYSTEM32\__delete_on_reboot__rjpcfgex.dll
ad-w-a-r-e.com 1/26/2006 3:34:08 PM 234093 D:\WINDOWS\SYSTEM32\__delete_on_reboot__rjpcfgex.dll

Checking %System%\Drivers folder and sub-folders...

Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/26/2006 3:33:44 PM S 2048 D:\WINDOWS\bootstat.dat
1/26/2006 3:47:38 PM H 24 D:\WINDOWS\p1cxK
12/21/2005 4:06:04 PM RHS 227 D:\WINDOWS\assembly\Desktop.ini
1/8/2006 8:43:22 PM H 10820 D:\WINDOWS\Help\nocontnt.GID
12/25/2005 12:28:28 AM H 10820 D:\WINDOWS\Help\update.GID
1/26/2006 3:38:12 PM H 0 D:\WINDOWS\inf\oem12.inf
1/26/2006 3:38:12 PM H 0 D:\WINDOWS\LastGood\INF\oem12.inf
1/26/2006 3:38:12 PM H 0 D:\WINDOWS\LastGood\INF\oem12.PNF
1/26/2006 3:39:56 PM H 0 D:\WINDOWS\LastGood\INF\oem13.inf
1/26/2006 3:39:56 PM H 0 D:\WINDOWS\LastGood\INF\oem13.PNF
1/25/2006 6:06:22 PM R S 236187 D:\WINDOWS\system32\n46q0ej5eho.dll
1/26/2006 3:16:20 PM R S 234093 D:\WINDOWS\system32\wx2help.dll
11/30/2005 11:17:10 PM S 21633 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM S 10925 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 6:09:36 PM S 11223 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/26/2006 3:40:12 PM H 1024 D:\WINDOWS\system32\config\default.LOG
1/26/2006 3:33:56 PM H 1024 D:\WINDOWS\system32\config\SAM.LOG
1/26/2006 3:36:04 PM H 1024 D:\WINDOWS\system32\config\SECURITY.LOG
1/26/2006 3:47:10 PM H 1024 D:\WINDOWS\system32\config\software.LOG
1/26/2006 3:41:28 PM H 1024 D:\WINDOWS\system32\config\system.LOG
1/16/2006 11:35:44 AM H 1024 D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
1/21/2006 4:20:26 PM H 6 D:\WINDOWS\Tasks\SA.DAT
1/24/2006 4:36:26 PM HS 113 D:\WINDOWS\Temp\History\History.IE5\desktop.ini
1/24/2006 4:36:26 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
1/24/2006 4:44:44 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2VYDIX8H\desktop.ini
1/24/2006 4:48:42 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4PCLEN41\desktop.ini
1/24/2006 4:54:24 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6C4MQ38U\desktop.ini
1/24/2006 5:21:42 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\B2BANVIS\desktop.ini
1/24/2006 4:40:28 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C7KDBWED\desktop.ini
1/24/2006 4:52:46 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\E9WFA5AL\desktop.ini
1/24/2006 4:44:50 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G1470R8J\desktop.ini
1/24/2006 4:54:20 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\JLD0CZ67\desktop.ini
1/24/2006 4:44:44 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RQ1J653Y\desktop.ini
1/24/2006 4:44:46 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SPUNCD2F\desktop.ini
1/24/2006 4:44:44 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\UPKF4FGP\desktop.ini
1/24/2006 4:40:28 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WSWGVFBR\desktop.ini
1/24/2006 4:40:32 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6ZO9YF\desktop.ini
1/24/2006 4:44:36 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y3EMIGNN\desktop.ini
1/24/2006 4:48:56 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YFUP0VAV\desktop.ini
1/24/2006 4:48:56 PM HS 67 D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YVYV2DQB\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 D:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 D:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 D:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 D:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 D:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 D:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 D:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 D:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 D:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 D:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 D:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/6/2004 7:17:02 PM 187904 D:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 D:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/6/2004 7:17:26 PM 35840 D:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 D:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 D:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/6/2004 7:17:32 PM 36864 D:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 D:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 D:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 6/20/2001 3:34:36 PM 287232 D:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 D:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/6/2004 7:18:04 PM 28160 D:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 D:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 D:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 D:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/13/2005 7:16:08 PM HS 84 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/13/2005 2:45:46 PM HS 62 D:\Documents and Settings\All Users\Application Data\desktop.ini
12/21/2005 4:11:58 PM 2046 D:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/13/2005 7:16:08 PM HS 84 D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/13/2005 2:45:46 PM HS 62 D:\Documents and Settings\Benincasa\Application Data\desktop.ini
12/29/2005 5:53:22 PM 1850843 D:\Documents and Settings\Benincasa\Application Data\Install.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{8C4786B2-1C31-40F3-A998-2C82BDA648CF} = D:\WINDOWS\system32\imakeng.dll
{73C81572-87F7-48CA-A5A8-ADA82AF73D7C} = D:\WINDOWS\system32\myxml3.dll
{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD} = D:\WINDOWS\system32\MIC71ESP.DLL
{64EDC752-4460-48E6-8730-B9B18A740C9E} = D:\WINDOWS\system32\IvagX7.dll
{716662EE-0F72-4DF4-9789-72ADFE54FFEC} = D:\WINDOWS\system32\dsserial.dll
{25942B62-516E-4A7E-B195-A361C2139755} = D:\WINDOWS\system32\wx2help.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = D:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\M2WShlExMenu
{DC6FA7E0-6666-11D5-8CE2-444553540000} = D:\PROGRA~1\ACOUST~1\M2WShlEx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mygksnnt
{47b160de-c8f1-43ee-837b-3fb77a4093cc} = D:\WINDOWS\system32\kmgkq.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = D:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : D:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
&Discuss = shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "D:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard "D:\Program Files\TrojanHunter 4.2\THGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
Flags

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe D:\WINDOWS\system32\ctfmon.exe
AIM D:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
STOPzilla Local Service 2
SysmonLog 3
Schedule 2
Browser 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup D:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
item HP Image Zone Fast Start
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup D:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
item HP Image Zone Fast Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l
item Microsoft Office
path D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command D:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^Benincasa^Start Menu^Programs^Startup^Sound Control.lnk
path D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\Sound Control.lnk
backup D:\WINDOWS\pss\Sound Control.lnkStartup
location Startup
command D:\PROGRA~1\SOUNDC~1\SC.EXE
item Sound Control
path D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\Sound Control.lnk
backup D:\WINDOWS\pss\Sound Control.lnkStartup
location Startup
command D:\PROGRA~1\SOUNDC~1\SC.EXE
item Sound Control

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winlog
hkey HKLM
command winlog.exe
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\adtech2006
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item adtech2006a
hkey HKLM
command C:\windows\adtech2006a.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item adtech2006a
hkey HKLM
command C:\windows\adtech2006a.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command D:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command D:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command D:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command D:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fimq
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item fimqm
hkey HKCU
command D:\PROGRA~1\COMMON~1\fimq\fimqm.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item fimqm
hkey HKCU
command D:\PROGRA~1\COMMON~1\fimq\fimqm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd2
hkey HKLM
command "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd2
hkey HKLM
command "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb11
hkey HKLM
command D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb11
hkey HKLM
command D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPHmon06
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hphmon06
hkey HKLM
command D:\WINDOWS\system32\hphmon06.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hphmon06
hkey HKLM
command D:\WINDOWS\system32\hphmon06.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPHUPD06
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hphupd06
hkey HKLM
command D:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hphupd06
hkey HKLM
command D:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lexmark X1100 Series
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lxbkbmgr
hkey HKLM
command "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lxbkbmgr
hkey HKLM
command "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lspins
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igps
hkey HKLM
command "D:\WINDOWS\system32\igps.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igps
hkey HKLM
command "D:\WINDOWS\system32\igps.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "D:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "D:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\services32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000140
hkey HKCU
command D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000140
hkey HKCU
command D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command D:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command D:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\timessquare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item timessquare
hkey HKLM
command C:\windows\timessquare.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item timessquare
hkey HKLM
command C:\windows\timessquare.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows installer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winstall
hkey HKCU
command C:\winstall.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winstall
hkey HKCU
command C:\winstall.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsupdater
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsupdater
hkey HKLM
command D:\Program Files\winsupdater\winsupdater.exe /auto
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsupdater
hkey HKLM
command D:\Program Files\winsupdater\winsupdater.exe /auto
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsysban
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsysban
hkey HKLM
command C:\windows\winsysban.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsysban
hkey HKLM
command C:\windows\winsysban.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsysupd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsysupd
hkey HKLM
command C:\windows\winsysupd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winsysupd
hkey HKLM
command C:\windows\winsysupd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\[01]##############################################################################################################################
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rogue
hkey HKLM
command D:\Program Files\Internet Optimizer\update\rogue.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rogue
hkey HKLM
command D:\Program Files\Internet Optimizer\update\rogue.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = D:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = D:\WINDOWS\system32\webctl.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\System32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation
= D:\WINDOWS\system32\wx2help.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility
= D:\WINDOWS\system32\enr6l19s1.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/26/2006 3:48:42 PM

IYIiKe
Newbie Poster
21 posts since Jan 2006
Reputation Points: 10
Solved Threads: 0
 

This question has already been solved

Post: Markdown Syntax: Formatting Help
You
 
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed