0

Hi everyone.

First of all, I must say thanks to this site, I have been able to take care of most of my problems, and I have learned a lot, and fixed a lot.

Now...my question is more a "general method" question, than a request for someone to read through my HJT log and lead me along.

Here's what I'm dealing with:

1. Two programs which are evident ONLY in the HJT startup log. It is not possible to delete with Killbox, and is not possible to locate with XP search, etc. All hidden folders are shown, all usual routes have been taken. Both are executables. Only one has a strange character (d?xplore.exe).

2. These programs (I believe), installs a .dll into a random registry folder it creates in the "notify" sub-sub folder. The DLLs always are a random string of letters and numbers. Upon looking in Windows-->system32--> I found MANY dlls with random number/letter strings in the 224-229k range. However, I'm reluctant to dump all of them.

So...my questions are: How do I delete something I can only find with HJT (and which can't be deleted with HJT on it's own)? And can I assume any group of DLLs in the 224-229k range that were modified at the same time and appear to be random number/letter strings can be safely deleted?

ALSO--just a note to others. MS Anti-Spyware Beta is already totally cracked and messed with by script kiddies and hackers. Two days after installation it stopped showing running processes, among other crucial errors.

3
Contributors
17
Replies
18
Views
12 Years
Discussion Span
Last Post by ethical
0

Run the PurityScan uninstaller.

You may have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

0

First off, Thanks for the help!

Secondly, I bolded the stuff I have been fighting with.

As I said, I have a bunch of weird dlls, all in the 220-230k range, and it looks like all of them popped up here.

I don't know enough about registry keys to know what to look for...other than those things that might be obvious to a person who's no security expert, but has gone this long without a real infection.

BTW--what in the world are all of those "impersonate" entries in the registry?

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000"DllName"="C:\\WINDOWS\\system32\\lvlm0931e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D6332836-CC20-F4EA-A6DE-4DEEDF69421B}"=""


**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Scripting Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Merge Shell Folder"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Microsoft SearchBand"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{B1E741E7-1E77-40D4-9FD8-51949B9CCBD0}"="Pa&nicware Pop-Up Stopper Pro"
"{2b232f20-fa0d-11d1-8a3e-00c0f64105cd}"="Shuttle Shell Extension for Drive"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{D585CA5A-B1EE-449A-8395-52D69A3EA82B}"=""
"{A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11}"=""
"{AEC4155D-24EF-4561-AB0D-6B96602319F6}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{DAC19394-0049-4CE5-B487-030256F0E199}"=""
"{20C0CEE6-581E-4073-BCCF-0F617B151F0D}"=""
"{075519DF-D850-4C3D-A7B0-823C27BBD417}"=""


**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{D585CA5A-B1EE-449A-8395-52D69A3EA82B}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{D585CA5A-B1EE-449A-8395-52D69A3EA82B}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{D585CA5A-B1EE-449A-8395-52D69A3EA82B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{D585CA5A-B1EE-449A-8395-52D69A3EA82B}\InprocServer32]
@="C:\\WINDOWS\\system32\\MpPMSNSv.dll"
"ThreadingModel"="Apartment"


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11}\InprocServer32]
@="C:\\WINDOWS\\system32\\gNjo0c13ef.dll"
"ThreadingModel"="Apartment"


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{AEC4155D-24EF-4561-AB0D-6B96602319F6}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{AEC4155D-24EF-4561-AB0D-6B96602319F6}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{AEC4155D-24EF-4561-AB0D-6B96602319F6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{AEC4155D-24EF-4561-AB0D-6B96602319F6}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{DAC19394-0049-4CE5-B487-030256F0E199}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{DAC19394-0049-4CE5-B487-030256F0E199}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{DAC19394-0049-4CE5-B487-030256F0E199}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{DAC19394-0049-4CE5-B487-030256F0E199}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{20C0CEE6-581E-4073-BCCF-0F617B151F0D}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{20C0CEE6-581E-4073-BCCF-0F617B151F0D}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{20C0CEE6-581E-4073-BCCF-0F617B151F0D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{20C0CEE6-581E-4073-BCCF-0F617B151F0D}\InprocServer32]
@="C:\\WINDOWS\\system32\\uenp.dll"
"ThreadingModel"="Apartment"


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{075519DF-D850-4C3D-A7B0-823C27BBD417}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{075519DF-D850-4C3D-A7B0-823C27BBD417}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{075519DF-D850-4C3D-A7B0-823C27BBD417}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{075519DF-D850-4C3D-A7B0-823C27BBD417}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"


**********************************************************************************Files Found are not all bad files:


C:\WINDOWS\SYSTEM32\
akcore.dll     Sun Feb 20 2005   2:53:20a  A....        188,416   184.00 K
bxotvid.dll    Fri Feb 25 2005  10:34:30p  ..S.R        228,647   223.29 K
cgvfat.dll     Sun Feb 20 2005  12:47:48p  ..S.R        230,991   225.57 K
cwmsnap.dll    Thu Feb 24 2005   9:36:52p  ..S.R        231,938   226.50 K
dacpmon.dll    Fri Feb 25 2005   2:04:56a  ..S.R        231,938   226.50 K
danmodem.dll   Sun Mar 13 2005   4:25:46p  ..S.R        235,656   230.13 K
dn0801~1.dll   Wed Feb 23 2005  10:45:22a  ..S.R        229,907   224.52 K
dn4001~1.dll   Wed Feb 23 2005   2:59:20p  ..S.R        230,380   224.98 K
docore.dll     Mon Feb 21 2005   6:03:12p  A....        151,552   148.00 K
dosync.dll     Thu Mar 10 2005  12:59:08a  A....        114,688   112.00 K
drct16.dll     Sun Mar 13 2005   4:25:40p  A....              0     0.00 K
dzvil.dll      Thu Feb 24 2005   5:38:56p  ..S.R        231,938   226.50 K
en24l1~1.dll   Mon Mar  7 2005   7:02:24a  ..S.R        228,728   223.37 K
en4sl1~1.dll   Sun Feb 20 2005   8:06:28p  ..S.R        229,070   223.70 K
en8ul1~1.dll   Tue Feb 22 2005   6:16:26p  ..S.R        231,087   225.67 K
enp4l1~1.dll   Mon Mar 14 2005   9:17:04p  ..S.R        235,677   230.15 K
enp8l1~1.dll   Tue Feb 22 2005   7:17:54a  ..S.R        230,977   225.56 K
fp0q03~1.dll   Fri Feb 25 2005  10:56:10p  ..S.R        229,932   224.54 K
fp8203~1.dll   Tue Feb 22 2005   8:35:16a  ..S.R        229,389   224.01 K
g2jo0c~1.dll   Sun Feb 20 2005  12:26:30p  ..S.R        230,048   224.66 K
g2lmlc~1.dll   Mon Feb 21 2005   3:43:40p  ..S.R        230,238   224.84 K
gccoll~1.dll   Thu Feb 10 2005  10:32:20p  A....        119,520   116.72 K
gcmd5q~1.dll   Wed Feb 23 2005   7:41:40p  A....         10,752    10.50 K
gcunco~1.dll   Thu Feb 10 2005  10:32:20p  A....        130,272   127.22 K
gnjo0c~1.dll   Wed Feb 23 2005   6:22:12p  A....        231,938   226.50 K
gpjml3~1.dll   Sat Mar  5 2005   4:40:26p  ..S.R        228,510   223.15 K
h2j4lc~1.dll   Thu Feb 24 2005   9:36:52p  ..S.R        228,906   223.54 K
hashlib.dll    Thu Feb 10 2005  10:32:18p  A....         81,120    79.22 K
hrl805~1.dll   Sun Mar 13 2005   4:34:48p  A....             56     0.05 K
ht23msp.dll    Tue Feb 22 2005   8:41:32a  ..S.R        229,106   223.73 K
iessvcs.dll    Sun Feb 20 2005   8:34:36p  ..S.R        232,219   226.77 K
inmontr.dll    Tue Mar  1 2005   9:00:32p  ..S.R        232,233   226.79 K
ir22l5~1.dll   Tue Mar  1 2005  10:45:10p  ..S.R        232,233   226.79 K
j2n2lc~1.dll   Sun Mar 13 2005   4:41:18p  A....             56     0.05 K
j64o0g~1.dll   Tue Feb 22 2005   6:24:32p  ..S.R        229,452   224.07 K
jt0q07~1.dll   Sun Mar 13 2005   4:50:36p  A....             56     0.05 K
jt0u07~1.dll   Tue Mar 15 2005  12:34:36a  ..S.R        235,113   229.60 K
jtl607~1.dll   Tue Feb 22 2005   8:41:32a  ..S.R        229,743   224.36 K
jtr607~1.dll   Wed Feb 23 2005   8:22:28p  ..S.R        229,199   223.82 K
k0js0a~1.dll   Sun Mar 13 2005   8:44:42p  A....             56     0.05 K
kfdus.dll      Tue Feb 22 2005   6:16:26p  ..S.R        229,106   223.73 K
klogini.dll    Sun Feb 20 2005  12:25:30p  A....              0     0.00 K
kt64l7~1.dll   Tue Mar  8 2005  10:17:20a  ..S.R        228,728   223.37 K
ljgif10n.dll   Fri Feb 25 2005  10:52:26p  ..S.R        228,647   223.29 K
ltpcd10n.dll   Fri Feb 25 2005   2:07:04a  ..S.R        232,058   226.62 K
lvj209~1.dll   Sat Feb 26 2005   3:36:36a  ..S.R        230,103   224.71 K
lvlm09~1.dll   Sun Mar 13 2005   9:40:42p  ..S.R        234,206   228.71 K
lvns09~1.dll   Mon Mar 14 2005   2:48:26p  ..S.R        234,965   229.46 K
maaatext.dll   Sun Feb 20 2005   8:06:28p  ..S.R        232,219   226.77 K
mbctf.dll      Fri Mar 11 2005  12:21:36a  ..S.R        232,736   227.28 K
mcrepl35.dll   Thu Mar 10 2005  12:10:00a  ..S.R        232,736   227.28 K
mnports.dll    Wed Feb 23 2005   7:43:28p  ..S.R        229,199   223.82 K
mnrclr40.dll   Fri Feb 25 2005  10:46:04p  ..S.R        228,647   223.29 K
moc42d.dll     Sun Feb 20 2005   9:20:16p  ..S.R        229,314   223.94 K
mppmsnsv.dll   Sun Feb 20 2005   9:43:12p  ..S.R        228,710   223.35 K
mqwmdmsp.dll   Mon Feb 21 2005   3:00:00p  ..S.R        231,788   226.36 K
msvcp71.dll    Mon Feb 21 2005   3:16:34p  .....        499,712   488.00 K
msvcr71.dll    Mon Feb 21 2005   3:16:38p  .....        348,160   340.00 K
mv66l9~1.dll   Mon Mar  7 2005   6:53:30a  ..S.R        228,728   223.37 K
mwcpx32r.dll   Tue Mar  8 2005   7:46:50p  ..S.R        228,728   223.37 K
mysip32.dll    Sat Mar 12 2005   8:35:06p  ..S.R        233,213   227.75 K
nxtui2.dll     Sun Mar 13 2005   4:44:12p  ..S.R        233,357   227.89 K
o466le~1.dll   Mon Feb 21 2005   2:58:20p  ..S.R        231,330   225.91 K
o8nsli~1.dll   Sun Feb 20 2005   2:27:22p  ..S.R        229,079   223.71 K
otbc32gt.dll   Fri Feb 25 2005  10:39:20p  ..S.R        229,292   223.92 K
p8r4li~1.dll   Wed Mar  2 2005   9:39:44a  ..S.R        228,510   223.15 K
puutoenr.dll   Sat Feb 26 2005   2:04:44a  ..S.R        228,647   223.29 K
pxfmgr.dll     Tue Feb 22 2005   6:24:32p  ..S.R        229,106   223.73 K
r86u0i~1.dll   Sun Feb 20 2005  12:37:42p  ..S.R        231,959   226.52 K
rysutils.dll   Sun Feb 20 2005  12:37:42p  ..S.R        230,991   225.57 K
s0pula~1.dll   Fri Feb 25 2005  10:46:04p  ..S.R        230,617   225.21 K
sanceng.dll    Sun Mar 13 2005   4:15:44p  ..S.R        234,821   229.32 K
sjfrslv.dll    Fri Feb 25 2005  10:55:10p  ..S.R        229,932   224.54 K
sporder.dll    Sun Feb 20 2005   2:53:20a  A....          8,464     8.27 K
uenp.dll       Tue Mar 15 2005  12:34:36a  ..S.R        234,206   228.71 K
wdvadvd.dll    Sat Mar  5 2005   1:47:16p  ..S.R        228,728   223.37 K
wgaservc.dll   Sun Feb 20 2005   2:27:24p  ..S.R        231,768   226.34 K
wpwin32.dll    Tue Mar  1 2005   8:10:28p  ..S.R        230,617   225.21 K
wussvc.dll     Fri Feb 25 2005  11:03:50p  ..S.R        228,647   223.29 K
79 items found:  79 files (62 H/S), 0 directories.
Total of file sizes:  16,193,511 bytes     15.44 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is JUSTELLA
Volume Serial Number is DC5A-B5E4


Directory of C:\WINDOWS\System32


03/15/2005  12:34 AM           234,206 uenp.dll
03/15/2005  12:34 AM           235,113 jt0u07d9e.dll
03/14/2005  09:17 PM           235,677 enp4l17q1.dll
03/14/2005  02:48 PM           234,965 lvns0957e.dll
03/13/2005  09:40 PM           234,206 lvlm0931e.dll
03/13/2005  04:44 PM           233,357 nxtui2.dll
03/13/2005  04:25 PM           235,656 danmodem.dll
03/13/2005  04:15 PM           234,821 sanceng.dll
03/12/2005  08:35 PM           233,213 mysip32.dll
03/11/2005  12:21 AM           232,736 MBCTF.dll
03/10/2005  12:09 AM           232,736 MCREPL35.DLL
03/08/2005  07:46 PM           228,728 mwcpx32r.dLL
03/08/2005  10:17 AM           228,728 kt64l7jq1.dll
03/07/2005  07:02 AM           228,728 en24l1fq1.dll
03/07/2005  06:53 AM           228,728 mv66l9js1.dll
03/05/2005  04:40 PM           228,510 gpjml3111.dll
03/05/2005  03:57 PM    <DIR>          dllcache
03/05/2005  01:47 PM           228,728 wdvadvd.dll
03/02/2005  09:39 AM           228,510 p8r4li9q18.dll
03/01/2005  10:45 PM           232,233 ir22l5fo1.dll
03/01/2005  09:00 PM           232,233 inmontr.dll
03/01/2005  08:10 PM           230,617 WpWin32.dll
02/26/2005  03:36 AM           230,103 lvj2091oe.dll
02/26/2005  02:04 AM           228,647 pUutoenr.dll
02/25/2005  11:03 PM           228,647 wussvc.dll
02/25/2005  10:56 PM           229,932 fp0q03d5e.dll
02/25/2005  10:55 PM           229,932 sJfrslv.dll
02/25/2005  10:52 PM           228,647 ljgif10N.dll
02/25/2005  10:46 PM           228,647 mnrclr40.dll
02/25/2005  10:46 PM           230,617 s0pula791d.dll
02/25/2005  10:39 PM           229,292 otbc32gt.dll
02/25/2005  10:34 PM           228,647 bxotvid.dll
02/25/2005  02:07 AM           232,058 ltpcd10N.dll
02/25/2005  02:04 AM           231,938 dacpmon.dll
02/24/2005  09:36 PM           231,938 cwmsnap.dll
02/24/2005  09:36 PM           228,906 h2j4lc1q1f.dll
02/24/2005  05:38 PM           231,938 dzvil.dll
02/23/2005  08:22 PM           229,199 jtr6079se.dll
02/23/2005  07:43 PM           229,199 mnports.dll
02/23/2005  02:59 PM           230,380 dn4001hme.dll
02/23/2005  10:45 AM           229,907 dn0801due.dll
02/22/2005  06:24 PM           229,106 pxfmgr.dll
02/22/2005  06:24 PM           229,452 j64o0gh3e64.dll
02/22/2005  06:16 PM           229,106 kfdus.dll
02/22/2005  06:16 PM           231,087 en8ul1l91.dll
02/22/2005  08:41 AM           229,106 hT23msp.dll
02/22/2005  08:41 AM           229,743 jtl6073se.dll
02/22/2005  08:35 AM           229,389 fp8203loe.dll
02/22/2005  07:17 AM           230,977 enp8l17u1.dll
02/21/2005  03:43 PM           230,238 g2lmlc311f.dll
02/21/2005  02:59 PM           231,788 mqwmdmsp.dll
02/21/2005  02:58 PM           231,330 o466lejs1ho6.dll
02/20/2005  09:43 PM           228,710 MpPMSNSv.dll
02/20/2005  09:20 PM           229,314 Moc42d.dll
02/20/2005  08:34 PM           232,219 iEssvcs.dll
02/20/2005  08:06 PM           232,219 maaatext.dll
02/20/2005  08:06 PM           229,070 en4sl1h71.dll
02/20/2005  02:27 PM           231,768 wgaservc.dll
02/20/2005  02:27 PM           229,079 o8nsli5718.dll
02/20/2005  12:47 PM           230,991 cgvfat.dll
02/20/2005  12:37 PM           230,991 rysutils.dll
02/20/2005  12:37 PM           231,959 r86u0ij9e8o.dll
02/20/2005  12:26 PM           230,048 g2jo0c13ef.dll02/08/2005  08:37 AM           417,792 d?xplore.exe
01/16/2005  10:32 AM             7,305 xaayl.log
01/01/2003  08:30 AM    <DIR>          Microsoft
64 File(s)     14,733,790 bytes
2 Dir(s)   3,084,471,296 bytes free

Edited by pritaeas: Fixed formatting

0

I also ran a SilentRunners scan. Here it is:

"Silent Runners.vbs", revision 32, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"lxamsp32.exe" = "lxamsp32.exe" ["Lexmark International"]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"PestPatrol Control Center" = "C:\Program Files\PestPatrol\PPControl.exe" [null data]
"PPMemCheck" = "C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data]
"CookiePatrol" = "C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [null data]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"EPSON Stylus Photo R200 Series (Copy 1)" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB003" /M "Stylus Photo R200"" ["SEIKO EPSON CORPORATION"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Nokia Tray Application" = "C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" ["Nokia"]
"AudioDSP24 External Links" = "EL.EXE" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"nsvcin" = "C:\n20050308.exe" [file not found]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{53C74826-AB99-4d33-ACA4-3117F51D3788}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{2b232f20-fa0d-11d1-8a3e-00c0f64105cd}" = "Shuttle Shell Extension for Drive"
-> {CLSID}\InProcServer32\(Default) = "stlhook.dll" ["SCM Microsystems Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{D585CA5A-B1EE-449A-8395-52D69A3EA82B}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\MpPMSNSv.dll" [null data]
"{A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\gNjo0c13ef.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{AEC4155D-24EF-4561-AB0D-6B96602319F6}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{DAC19394-0049-4CE5-B487-030256F0E199}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]
"{20C0CEE6-581E-4073-BCCF-0F617B151F0D}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\uenp.dll" [null data]
"{075519DF-D850-4C3D-A7B0-823C27BBD417}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! MCD\DLLName = "C:\WINDOWS\system32\lvlm0931e.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


Startup items in "James Stankus" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\James Stankus\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AcBtnMgr_X63.exe" -> shortcut to: "C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe" ["Jetsoft Development Company"]
"ACMonitor_X63.exe" -> shortcut to: "C:\Program Files\LexmarkX63\ACMonitor_X63.exe" [null data]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [file not found]
"Tune-up Application Start" -> launches: "walign" [file not found]
"Uninstall Expiration Reminder" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /u /n:1" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

0

It was the purityscan uninstaller that I needed you to run. It will rid you of the entries with the ? in them.

You definitely have the latest VX2 infection.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

0

Okay, here's the l2mfix log:

L2Mfix 1.02b


Running From:
C:\Documents and Settings\James Stankus\Desktop\l2mfix


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Read         BUILTIN\Power Users
(ID-IO) ALLOW  Read         BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Setting registry permissions:



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!



Denying C access for really "Everyone"
- adding new ACCESS DENY entry



Registry Permissions set too:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------       Everyone
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Read         BUILTIN\Power Users
(ID-IO) ALLOW  Read         BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Setting up for Reboot



Starting Reboot!


C:\Documents and Settings\James Stankus\Desktop\l2mfix
System Rebooted!


Running From:
C:\Documents and Settings\James Stankus\Desktop\l2mfix


killing explorer and rundll32.exe


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'
Killing PID 1956 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1760 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'
Killing PID 248 'rundll32.exe'


Scanning First Pass. Please Wait!


First Pass Completed


Second Pass Scanning


Second pass Completed!
Backing Up: C:\WINDOWS\system32\bxotvid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cgvfat.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cwmsnap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dacpmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn0801due.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn4001hme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dzvil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en24l1fq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en4sl1h71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en8ul1l91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enp8l17u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp0q03d5e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8203loe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g2jo0c13ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g2lmlc311f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gNjo0c13ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gpjml3111.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h2j4lc1q1f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hT23msp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iEssvcs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\inmontr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir22l5fo1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j64o0gh3e64.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtl6073se.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jtr6079se.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kfdus.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt64l7jq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ljgif10N.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ltpcd10N.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvj2091oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\maaatext.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnports.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnrclr40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Moc42d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MpPMSNSv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqwmdmsp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv66l9js1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mwcpx32r.dLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o466lejs1ho6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o8nsli5718.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\otbc32gt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p8r4li9q18.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pUutoenr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pxfmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r86u0ij9e8o.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rysutils.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s0pula791d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sJfrslv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wdvadvd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wgaservc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WpWin32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wussvc.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\bxotvid.dll
Successfully Deleted: C:\WINDOWS\system32\bxotvid.dll
deleting: C:\WINDOWS\system32\cgvfat.dll
Successfully Deleted: C:\WINDOWS\system32\cgvfat.dll
deleting: C:\WINDOWS\system32\cwmsnap.dll
Successfully Deleted: C:\WINDOWS\system32\cwmsnap.dll
deleting: C:\WINDOWS\system32\dacpmon.dll
Successfully Deleted: C:\WINDOWS\system32\dacpmon.dll
deleting: C:\WINDOWS\system32\dn0801due.dll
Successfully Deleted: C:\WINDOWS\system32\dn0801due.dll
deleting: C:\WINDOWS\system32\dn4001hme.dll
Successfully Deleted: C:\WINDOWS\system32\dn4001hme.dll
deleting: C:\WINDOWS\system32\dzvil.dll
Successfully Deleted: C:\WINDOWS\system32\dzvil.dll
deleting: C:\WINDOWS\system32\en24l1fq1.dll
Successfully Deleted: C:\WINDOWS\system32\en24l1fq1.dll
deleting: C:\WINDOWS\system32\en4sl1h71.dll
Successfully Deleted: C:\WINDOWS\system32\en4sl1h71.dll
deleting: C:\WINDOWS\system32\en8ul1l91.dll
Successfully Deleted: C:\WINDOWS\system32\en8ul1l91.dll
deleting: C:\WINDOWS\system32\enp8l17u1.dll
Successfully Deleted: C:\WINDOWS\system32\enp8l17u1.dll
deleting: C:\WINDOWS\system32\fp0q03d5e.dll
Successfully Deleted: C:\WINDOWS\system32\fp0q03d5e.dll
deleting: C:\WINDOWS\system32\fp8203loe.dll
Successfully Deleted: C:\WINDOWS\system32\fp8203loe.dll
deleting: C:\WINDOWS\system32\g2jo0c13ef.dll
Successfully Deleted: C:\WINDOWS\system32\g2jo0c13ef.dll
deleting: C:\WINDOWS\system32\g2lmlc311f.dll
Successfully Deleted: C:\WINDOWS\system32\g2lmlc311f.dll
deleting: C:\WINDOWS\system32\gNjo0c13ef.dll
Successfully Deleted: C:\WINDOWS\system32\gNjo0c13ef.dll
deleting: C:\WINDOWS\system32\gpjml3111.dll
Successfully Deleted: C:\WINDOWS\system32\gpjml3111.dll
deleting: C:\WINDOWS\system32\h2j4lc1q1f.dll
Successfully Deleted: C:\WINDOWS\system32\h2j4lc1q1f.dll
deleting: C:\WINDOWS\system32\hT23msp.dll
Successfully Deleted: C:\WINDOWS\system32\hT23msp.dll
deleting: C:\WINDOWS\system32\iEssvcs.dll
Successfully Deleted: C:\WINDOWS\system32\iEssvcs.dll
deleting: C:\WINDOWS\system32\inmontr.dll
Successfully Deleted: C:\WINDOWS\system32\inmontr.dll
deleting: C:\WINDOWS\system32\ir22l5fo1.dll
Successfully Deleted: C:\WINDOWS\system32\ir22l5fo1.dll
deleting: C:\WINDOWS\system32\j64o0gh3e64.dll
Successfully Deleted: C:\WINDOWS\system32\j64o0gh3e64.dll
deleting: C:\WINDOWS\system32\jtl6073se.dll
Successfully Deleted: C:\WINDOWS\system32\jtl6073se.dll
deleting: C:\WINDOWS\system32\jtr6079se.dll
Successfully Deleted: C:\WINDOWS\system32\jtr6079se.dll
deleting: C:\WINDOWS\system32\kfdus.dll
Successfully Deleted: C:\WINDOWS\system32\kfdus.dll
deleting: C:\WINDOWS\system32\kt64l7jq1.dll
Successfully Deleted: C:\WINDOWS\system32\kt64l7jq1.dll
deleting: C:\WINDOWS\system32\ljgif10N.dll
Successfully Deleted: C:\WINDOWS\system32\ljgif10N.dll
deleting: C:\WINDOWS\system32\ltpcd10N.dll
Successfully Deleted: C:\WINDOWS\system32\ltpcd10N.dll
deleting: C:\WINDOWS\system32\lvj2091oe.dll
Successfully Deleted: C:\WINDOWS\system32\lvj2091oe.dll
deleting: C:\WINDOWS\system32\maaatext.dll
Successfully Deleted: C:\WINDOWS\system32\maaatext.dll
deleting: C:\WINDOWS\system32\mnports.dll
Successfully Deleted: C:\WINDOWS\system32\mnports.dll
deleting: C:\WINDOWS\system32\mnrclr40.dll
Successfully Deleted: C:\WINDOWS\system32\mnrclr40.dll
deleting: C:\WINDOWS\system32\Moc42d.dll
Successfully Deleted: C:\WINDOWS\system32\Moc42d.dll
deleting: C:\WINDOWS\system32\MpPMSNSv.dll
Successfully Deleted: C:\WINDOWS\system32\MpPMSNSv.dll
deleting: C:\WINDOWS\system32\mqwmdmsp.dll
Successfully Deleted: C:\WINDOWS\system32\mqwmdmsp.dll
deleting: C:\WINDOWS\system32\mv66l9js1.dll
Successfully Deleted: C:\WINDOWS\system32\mv66l9js1.dll
deleting: C:\WINDOWS\system32\mwcpx32r.dLL
Successfully Deleted: C:\WINDOWS\system32\mwcpx32r.dLL
deleting: C:\WINDOWS\system32\o466lejs1ho6.dll
Successfully Deleted: C:\WINDOWS\system32\o466lejs1ho6.dll
deleting: C:\WINDOWS\system32\o8nsli5718.dll
Successfully Deleted: C:\WINDOWS\system32\o8nsli5718.dll
deleting: C:\WINDOWS\system32\otbc32gt.dll
Successfully Deleted: C:\WINDOWS\system32\otbc32gt.dll
deleting: C:\WINDOWS\system32\p8r4li9q18.dll
Successfully Deleted: C:\WINDOWS\system32\p8r4li9q18.dll
deleting: C:\WINDOWS\system32\pUutoenr.dll
Successfully Deleted: C:\WINDOWS\system32\pUutoenr.dll
deleting: C:\WINDOWS\system32\pxfmgr.dll
Successfully Deleted: C:\WINDOWS\system32\pxfmgr.dll
deleting: C:\WINDOWS\system32\r86u0ij9e8o.dll
Successfully Deleted: C:\WINDOWS\system32\r86u0ij9e8o.dll
deleting: C:\WINDOWS\system32\rysutils.dll
Successfully Deleted: C:\WINDOWS\system32\rysutils.dll
deleting: C:\WINDOWS\system32\s0pula791d.dll
Successfully Deleted: C:\WINDOWS\system32\s0pula791d.dll
deleting: C:\WINDOWS\system32\sJfrslv.dll
Successfully Deleted: C:\WINDOWS\system32\sJfrslv.dll
deleting: C:\WINDOWS\system32\wdvadvd.dll
Successfully Deleted: C:\WINDOWS\system32\wdvadvd.dll
deleting: C:\WINDOWS\system32\wgaservc.dll
Successfully Deleted: C:\WINDOWS\system32\wgaservc.dll
deleting: C:\WINDOWS\system32\WpWin32.dll
Successfully Deleted: C:\WINDOWS\system32\WpWin32.dll
deleting: C:\WINDOWS\system32\wussvc.dll
Successfully Deleted: C:\WINDOWS\system32\wussvc.dll


Desktop.ini sucessfully removed


Zipping up files for submission:
adding: bxotvid.dll (164 bytes security) (deflated 5%)
adding: cgvfat.dll (164 bytes security) (deflated 5%)
adding: cwmsnap.dll (164 bytes security) (deflated 6%)
adding: dacpmon.dll (164 bytes security) (deflated 6%)
adding: dn0801due.dll (164 bytes security) (deflated 5%)
adding: dn4001hme.dll (164 bytes security) (deflated 5%)
adding: dzvil.dll (164 bytes security) (deflated 6%)
adding: en24l1fq1.dll (164 bytes security) (deflated 5%)
adding: en4sl1h71.dll (164 bytes security) (deflated 4%)
adding: en8ul1l91.dll (164 bytes security) (deflated 5%)
adding: enp8l17u1.dll (164 bytes security) (deflated 5%)
adding: fp0q03d5e.dll (164 bytes security) (deflated 5%)
adding: fp8203loe.dll (164 bytes security) (deflated 5%)
adding: g2jo0c13ef.dll (164 bytes security) (deflated 5%)
adding: g2lmlc311f.dll (164 bytes security) (deflated 5%)
adding: gNjo0c13ef.dll (164 bytes security) (deflated 6%)
adding: gpjml3111.dll (164 bytes security) (deflated 4%)
adding: h2j4lc1q1f.dll (164 bytes security) (deflated 5%)
adding: hT23msp.dll (164 bytes security) (deflated 5%)
adding: iEssvcs.dll (164 bytes security) (deflated 6%)
adding: inmontr.dll (164 bytes security) (deflated 6%)
adding: ir22l5fo1.dll (164 bytes security) (deflated 6%)
adding: j64o0gh3e64.dll (164 bytes security) (deflated 5%)
adding: jtl6073se.dll (164 bytes security) (deflated 5%)
adding: jtr6079se.dll (164 bytes security) (deflated 5%)
adding: kfdus.dll (164 bytes security) (deflated 5%)
adding: kt64l7jq1.dll (164 bytes security) (deflated 5%)
adding: ljgif10N.dll (164 bytes security) (deflated 5%)
adding: ltpcd10N.dll (164 bytes security) (deflated 6%)
adding: lvj2091oe.dll (164 bytes security) (deflated 5%)
adding: maaatext.dll (164 bytes security) (deflated 6%)
adding: mnports.dll (164 bytes security) (deflated 5%)
adding: mnrclr40.dll (164 bytes security) (deflated 5%)
adding: Moc42d.dll (164 bytes security) (deflated 5%)
adding: MpPMSNSv.dll (164 bytes security) (deflated 5%)
adding: mqwmdmsp.dll (164 bytes security) (deflated 6%)
adding: mv66l9js1.dll (164 bytes security) (deflated 5%)
adding: mwcpx32r.dLL (164 bytes security) (deflated 5%)
adding: o466lejs1ho6.dll (164 bytes security) (deflated 6%)
adding: o8nsli5718.dll (164 bytes security) (deflated 4%)
adding: otbc32gt.dll (164 bytes security) (deflated 5%)
adding: p8r4li9q18.dll (164 bytes security) (deflated 4%)
adding: pUutoenr.dll (164 bytes security) (deflated 5%)
adding: pxfmgr.dll (164 bytes security) (deflated 5%)
adding: r86u0ij9e8o.dll (164 bytes security) (deflated 5%)
adding: rysutils.dll (164 bytes security) (deflated 5%)
adding: s0pula791d.dll (164 bytes security) (deflated 5%)
adding: sJfrslv.dll (164 bytes security) (deflated 5%)
adding: wdvadvd.dll (164 bytes security) (deflated 5%)
adding: wgaservc.dll (164 bytes security) (deflated 5%)
adding: WpWin32.dll (164 bytes security) (deflated 5%)
adding: wussvc.dll (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 58%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 91%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 69%)
adding: test.txt (164 bytes security) (deflated 83%)
adding: test2.txt (164 bytes security) (deflated 40%)
adding: test3.txt (164 bytes security) (deflated 39%)
adding: test5.txt (164 bytes security) (deflated 39%)
adding: xfind.txt (164 bytes security) (deflated 78%)
adding: backregs/075519DF-D850-4C3D-A7B0-823C27BBD417.reg (164 bytes security) (deflated 70%)
adding: backregs/20C0CEE6-581E-4073-BCCF-0F617B151F0D.reg (164 bytes security) (deflated 70%)
adding: backregs/A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11.reg (164 bytes security) (deflated 70%)
adding: backregs/AEC4155D-24EF-4561-AB0D-6B96602319F6.reg (164 bytes security) (deflated 70%)
adding: backregs/D585CA5A-B1EE-449A-8395-52D69A3EA82B.reg (164 bytes security) (deflated 70%)
adding: backregs/DAC19394-0049-4CE5-B487-030256F0E199.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)


Restoring Registry Permissions:



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!



Revoking access for really "Everyone"
Warning (option /rge) - There is no ACE to remove!



Registry permissions set too:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Read         BUILTIN\Power Users
(ID-IO) ALLOW  Read         BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER



Restoring Sedebugprivilege:


Granting SeDebugPrivilege to Administrators   ... successful


deleting local copy: bxotvid.dll
deleting local copy: cgvfat.dll
deleting local copy: cwmsnap.dll
deleting local copy: dacpmon.dll
deleting local copy: dn0801due.dll
deleting local copy: dn4001hme.dll
deleting local copy: dzvil.dll
deleting local copy: en24l1fq1.dll
deleting local copy: en4sl1h71.dll
deleting local copy: en8ul1l91.dll
deleting local copy: enp8l17u1.dll
deleting local copy: fp0q03d5e.dll
deleting local copy: fp8203loe.dll
deleting local copy: g2jo0c13ef.dll
deleting local copy: g2lmlc311f.dll
deleting local copy: gNjo0c13ef.dll
deleting local copy: gpjml3111.dll
deleting local copy: h2j4lc1q1f.dll
deleting local copy: hT23msp.dll
deleting local copy: iEssvcs.dll
deleting local copy: inmontr.dll
deleting local copy: ir22l5fo1.dll
deleting local copy: j64o0gh3e64.dll
deleting local copy: jtl6073se.dll
deleting local copy: jtr6079se.dll
deleting local copy: kfdus.dll
deleting local copy: kt64l7jq1.dll
deleting local copy: ljgif10N.dll
deleting local copy: ltpcd10N.dll
deleting local copy: lvj2091oe.dll
deleting local copy: maaatext.dll
deleting local copy: mnports.dll
deleting local copy: mnrclr40.dll
deleting local copy: Moc42d.dll
deleting local copy: MpPMSNSv.dll
deleting local copy: mqwmdmsp.dll
deleting local copy: mv66l9js1.dll
deleting local copy: mwcpx32r.dLL
deleting local copy: o466lejs1ho6.dll
deleting local copy: o8nsli5718.dll
deleting local copy: otbc32gt.dll
deleting local copy: p8r4li9q18.dll
deleting local copy: pUutoenr.dll
deleting local copy: pxfmgr.dll
deleting local copy: r86u0ij9e8o.dll
deleting local copy: rysutils.dll
deleting local copy: s0pula791d.dll
deleting local copy: sJfrslv.dll
deleting local copy: wdvadvd.dll
deleting local copy: wgaservc.dll
deleting local copy: WpWin32.dll
deleting local copy: wussvc.dll


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r88s0il7e8q.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



The following are the files found:
****************************************************************************
C:\WINDOWS\system32\bxotvid.dll
C:\WINDOWS\system32\cgvfat.dll
C:\WINDOWS\system32\cwmsnap.dll
C:\WINDOWS\system32\dacpmon.dll
C:\WINDOWS\system32\dn0801due.dll
C:\WINDOWS\system32\dn4001hme.dll
C:\WINDOWS\system32\dzvil.dll
C:\WINDOWS\system32\en24l1fq1.dll
C:\WINDOWS\system32\en4sl1h71.dll
C:\WINDOWS\system32\en8ul1l91.dll
C:\WINDOWS\system32\enp8l17u1.dll
C:\WINDOWS\system32\fp0q03d5e.dll
C:\WINDOWS\system32\fp8203loe.dll
C:\WINDOWS\system32\g2jo0c13ef.dll
C:\WINDOWS\system32\g2lmlc311f.dll
C:\WINDOWS\system32\gNjo0c13ef.dll
C:\WINDOWS\system32\gpjml3111.dll
C:\WINDOWS\system32\h2j4lc1q1f.dll
C:\WINDOWS\system32\hT23msp.dll
C:\WINDOWS\system32\iEssvcs.dll
C:\WINDOWS\system32\inmontr.dll
C:\WINDOWS\system32\ir22l5fo1.dll
C:\WINDOWS\system32\j64o0gh3e64.dll
C:\WINDOWS\system32\jtl6073se.dll
C:\WINDOWS\system32\jtr6079se.dll
C:\WINDOWS\system32\kfdus.dll
C:\WINDOWS\system32\kt64l7jq1.dll
C:\WINDOWS\system32\ljgif10N.dll
C:\WINDOWS\system32\ltpcd10N.dll
C:\WINDOWS\system32\lvj2091oe.dll
C:\WINDOWS\system32\maaatext.dll
C:\WINDOWS\system32\mnports.dll
C:\WINDOWS\system32\mnrclr40.dll
C:\WINDOWS\system32\Moc42d.dll
C:\WINDOWS\system32\MpPMSNSv.dll
C:\WINDOWS\system32\mqwmdmsp.dll
C:\WINDOWS\system32\mv66l9js1.dll
C:\WINDOWS\system32\mwcpx32r.dLL
C:\WINDOWS\system32\o466lejs1ho6.dll
C:\WINDOWS\system32\o8nsli5718.dll
C:\WINDOWS\system32\otbc32gt.dll
C:\WINDOWS\system32\p8r4li9q18.dll
C:\WINDOWS\system32\pUutoenr.dll
C:\WINDOWS\system32\pxfmgr.dll
C:\WINDOWS\system32\r86u0ij9e8o.dll
C:\WINDOWS\system32\rysutils.dll
C:\WINDOWS\system32\s0pula791d.dll
C:\WINDOWS\system32\sJfrslv.dll
C:\WINDOWS\system32\wdvadvd.dll
C:\WINDOWS\system32\wgaservc.dll
C:\WINDOWS\system32\WpWin32.dll
C:\WINDOWS\system32\wussvc.dll


Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D585CA5A-B1EE-449A-8395-52D69A3EA82B}"=-
"{A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11}"=-
"{AEC4155D-24EF-4561-AB0D-6B96602319F6}"=-
"{DAC19394-0049-4CE5-B487-030256F0E199}"=-
"{20C0CEE6-581E-4073-BCCF-0F617B151F0D}"=-
"{075519DF-D850-4C3D-A7B0-823C27BBD417}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D585CA5A-B1EE-449A-8395-52D69A3EA82B}]
[-HKEY_CLASSES_ROOT\CLSID\{A96DAEF5-5C19-4CDC-ABAA-FA69776F4B11}]
[-HKEY_CLASSES_ROOT\CLSID\{AEC4155D-24EF-4561-AB0D-6B96602319F6}]
[-HKEY_CLASSES_ROOT\CLSID\{DAC19394-0049-4CE5-B487-030256F0E199}]
[-HKEY_CLASSES_ROOT\CLSID\{20C0CEE6-581E-4073-BCCF-0F617B151F0D}]
[-HKEY_CLASSES_ROOT\CLSID\{075519DF-D850-4C3D-A7B0-823C27BBD417}]
REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8FC821DF-FFB7-4D68-AC09-9F041B013272}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{8FC821DF-FFB7-4D68-AC09-9F041B013272}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

Edited by pritaeas: Fixed formatting

0

And heres the HJT log right after l2mfix was run.

Note the new dll in the Winlogin Notify registry...ARGH!!!

(NOTE--I ran the purityscan remover before all of this, as instructed, and my ? files are now gone--thanks!)

Logfile of HijackThis v1.99.1
Scan saved at 7:03:07 AM, on 3/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James Stankus\My Documents\BitTorrent\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB003" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [AudioDSP24 External Links] EL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nsvcin] C:\n20050308.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: HushEncryptionEngine - https://mailserver3.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://web1.nugs.net/dev/dlControl.CAB
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\r88s0il7e8q.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe

0

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe

Now find and delete the lxamsp32.exe file.

Download the zip file and unzip fixme.reg. Close all browser windows. Double click to run it and when asked if you want to merge with your registry, answer yes.

Reboot when done and post another log please.

0

Okay, Did all of the above int he correct order with no browser windows open, rebooted, and here's the HJT log. I'm still having the persistent random .dll entry?!

Logfile of HijackThis v1.99.1
Scan saved at 2:23:31 PM, on 3/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James Stankus\My Documents\BitTorrent\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB003" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [AudioDSP24 External Links] EL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nsvcin] C:\n20050308.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: HushEncryptionEngine - https://mailserver3.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://web1.nugs.net/dev/dlControl.CAB
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\q0rqla951d.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe

0

Let's try the fix the old way.

Download and run VX2Finder(.exe).
http://www.downloads.subratam.org/VX2Finder.exe

Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2 related files and registry keys and when present display them in its logfile. To create a logfile, click the button named: 'Make Log'. This will open logfile using Notepad. Please post (copy/paste) the results and post them in this topic.

Download these two tools:

http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe

Run Dllcompare by clicking the "Run Locate.com" then click Compare button... when done post that log here.do not reboot once you have posted the logs because all the filenames will change otherwise.

0

Here is the vx2 finder log and the Hosts log:

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
StillImage
termsrv
Themes
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{8B5F264F-4D81-BE03-1504-26A10BF7C6E4}


HOSTS:


127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com

0

Dllcompare Log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\danmodem.dll Sun Mar 13 2005 4:25:46p ..S.R 235,656 230.13 K
C:\WINDOWS\SYSTEM32\dytrans.dll Thu Mar 17 2005 4:33:40p ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\enp4l1~1.dll Mon Mar 14 2005 9:17:04p ..S.R 235,677 230.15 K
C:\WINDOWS\SYSTEM32\jt0u07~1.dll Tue Mar 15 2005 12:34:36a ..S.R 235,113 229.60 K
C:\WINDOWS\SYSTEM32\kcdhept.dll Wed Mar 16 2005 6:54:54a ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\kjdaze.dll Thu Mar 17 2005 3:45:12a ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\l26o0c~1.dll Tue Mar 15 2005 7:11:16p ..S.R 235,475 229.95 K
C:\WINDOWS\SYSTEM32\lqxbm12n.dll Wed Mar 16 2005 4:31:20a ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\lvns09~1.dll Mon Mar 14 2005 2:48:26p ..S.R 234,965 229.46 K
C:\WINDOWS\SYSTEM32\mbctf.dll Fri Mar 11 2005 12:21:36a ..S.R 232,736 227.28 K
C:\WINDOWS\SYSTEM32\mcrepl35.dll Thu Mar 10 2005 12:10:00a ..S.R 232,736 227.28 K
C:\WINDOWS\SYSTEM32\mysip32.dll Sat Mar 12 2005 8:35:06p ..S.R 233,213 227.75 K
C:\WINDOWS\SYSTEM32\nxtui2.dll Sun Mar 13 2005 4:44:12p ..S.R 233,357 227.89 K
C:\WINDOWS\SYSTEM32\o8roli~1.dll Thu Mar 17 2005 3:43:20a ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\sanceng.dll Sun Mar 13 2005 4:15:44p ..S.R 234,821 229.32 K
C:\WINDOWS\SYSTEM32\sbrio600.dll Tue Mar 15 2005 7:11:16p ..S.R 235,113 229.60 K
________________________________________________

1,456 items found: 1,456 files (16 H/S), 0 directories.
Total of file sizes: 301,776,946 bytes 287.80 M

Administrator Account = True

--------------------End log---------------------

0

I already have Killbox--I'm assuming I run Killbox on all of the Dlls that Dll Compare found?

0

My biggest question, I guess, is where is the program that is creating these randomly named Dlls? Or are they drive-by installs dropped by websites that pop-up? If so, how do they know to change their name upon reboot without a program instructing them to do so?

0

Stay offline when doing the following fix.

Open killbox and paste in C:\WINDOWS\SYSTEM32\danmodem.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to Reboot now? you will need to click No (since you are not finished adding all related files in yet)

Repeat the above for each of these;

C:\WINDOWS\SYSTEM32\dytrans.dll
C:\WINDOWS\SYSTEM32\enp4l1~1.dll
C:\WINDOWS\SYSTEM32\jt0u07~1.dll
C:\WINDOWS\SYSTEM32\kcdhept.dll
C:\WINDOWS\SYSTEM32\kjdaze.dll
C:\WINDOWS\SYSTEM32\l26o0c~1.dll
C:\WINDOWS\SYSTEM32\lqxbm12n.dll
C:\WINDOWS\SYSTEM32\lvns09~1.dll
C:\WINDOWS\SYSTEM32\mbctf.dll
C:\WINDOWS\SYSTEM32\mcrepl35.dll
C:\WINDOWS\SYSTEM32\mysip32.dll
C:\WINDOWS\SYSTEM32\nxtui2.dll
C:\WINDOWS\SYSTEM32\o8roli~1.dll
C:\WINDOWS\SYSTEM32\sanceng.dll
C:\WINDOWS\SYSTEM32\sbrio600.dll
C:\Windows\System32\Guard.tmp

On that last file, close all programs and Reboot your computer.

Post another log from dllcompare please.

It is the guard file that does the damage in this case. If not fixed correctly, it reinstalls the infection with renamed dll's. This still may take a couple of attempts.
Your's is the first case where the automated fix has not worked.

Remember not to reboot after posting again.

0

Okay, I've followed your directions a couple times over to get the last stragglers, and now after two reboots, DLLCOMPARE is still coming up empty, so it looks like the bugs have been squashed. THANK YOU!

One question-->when I run HJT, the Windows-->Notify registries still appear, but then it says "file missing." I'm assuming we're all good?

Logfile of HijackThis v1.99.1
Scan saved at 5:31:35 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James Stankus\My Documents\BitTorrent\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB003" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [AudioDSP24 External Links] EL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nsvcin] C:\n20050308.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: HushEncryptionEngine - https://mailserver3.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://web1.nugs.net/dev/dlControl.CAB
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\f02m0af1ed2.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\dn2401fqe.dll (file missing)
O20 - Winlogon Notify: Welcome - C:\WINDOWS\system32\p6n8lg5u16.dll (file missing)

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe

0

SIR I found that this process iifghbss.dll
is the randomly generated process and it is having a malicious activity and can not be deleted sir help me to delete this. thank u

These are the registry keys present

Winlogon/notify:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\iifgHBsS]
"Asynchronous"=dword:00000001
"DllName"="iifgHBsS.dll"
"Impersonate"=dword:00000000
"Logon"="o"
"Logoff"="f"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\PFW]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\winwea32]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet


Settings\User Agent\Post Platform]
"SV1"=""
"digit_may2002"="IEAK"


**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell


Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows


Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script


Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete


List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List


Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler


(DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag


Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo


Target"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box


Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box


Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist


Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar


Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time


Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet


Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist


Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD


Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist


Context Menu Handler"
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}"="Multiscan"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{ABC70703-32AF-11d4-90C4-D483A70F4825}"="CMenuExtender"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon


Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon


Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}"="CorelDRAW Shell Extension


Component"
@="CorelDRAW Shell Extension Component"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application


References"
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}"="PhoneBrowser"
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}"="AutoCAD Digital Signatures Icon Overlay


Handler"
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}"="Autodesk Drawing Preview"
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"="TuneUp Shredder Shell Extension"
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
"{731E006D-0C55-4C6F-ABF0-C98F268FD077}"="APDFR Context Menu Shell Extension"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"


**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:


C:\WINDOWS\SYSTEM32\
winzwr32.dll   Wed Apr 23 2008  12:29:50a  A....         28,672    28.00 K
winjyp32.dll   Wed Apr 23 2008  12:29:56a  A....         28,672    28.00 K
bassmod.dll    Sun Jun 22 2008   2:38:32p  A....         34,308    33.50 K
isafeif.dll    Wed May 28 2008   2:06:14p  A....         99,592    97.26 K
vetredir.dll   Wed May 28 2008   2:06:14p  A....         83,256    81.30 K
sintf16.dll    Sat Jun 14 2008  10:46:02p  A....         12,067    11.78 K
sintf32.dll    Sat Jun 14 2008  10:46:02p  A....         17,212    16.81 K
sintfnt.dll    Sat Jun 14 2008  10:46:02p  A....         21,840    21.33 K
iifghbss.dll   Sun Jun 22 2008   7:11:40p  A....         57,344    56.00 K
isafprod.dll   Sat Jun 21 2008   5:32:44p  A....         91,376    89.23 K


10 items found:  10 files, 0 directories.
Total of file sizes:  474,339 bytes    463.22 K
Locate .tmp files:


No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C8D8-C8B6


Directory of C:\WINDOWS\System32


06/26/2008  05:58 AM           438,628 MUCKlnpo.ini
06/26/2008  05:58 AM           438,450 MUCKlnpo.ini2
06/25/2008  11:53 PM           437,580 QAaJlnpo.ini
06/25/2008  11:52 PM           442,279 QAaJlnpo.ini2
06/24/2008  10:34 PM           429,505 IQAbIRqr.ini
06/24/2008  10:34 PM           429,327 IQAbIRqr.ini2
06/23/2008  10:53 PM           426,689 WGihNXyb.ini
06/23/2008  10:52 PM           426,511 WGihNXyb.ini2
06/22/2008  07:37 PM             2,906 mnmpAcdd.ini
06/22/2008  07:36 PM             2,728 mnmpAcdd.ini2
01/22/2008  08:08 PM    <DIR>          Microsoft
01/22/2008  07:27 PM    <DIR>          dllcache
10 File(s)      3,474,603 bytes
2 Dir(s)   6,511,099,904 bytes free

Edited by happygeek: fixed formatting

0

SIR MY COMPUTER IS FACNIG THE PROBLEM THAT IT CONTINSLY RESTARTING THE THE PROCESS OF EXPLORER.EXE THEN I SCAN WITH L2MFIX AND FIND THIS RESULT PLS HELP ME TO RESOLVE THIS EXPLORER.EXE LOOP PROBLEM

SIR I FOUND THAT THIS iifgHBsS.DLL PROCESS IS HAVING A MALICIOUS ACTIVITY AND CAN NOT BE DELETED PLS HELP

THANK U

These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\iifgHBsS]
"Asynchronous"=dword:00000001
"DllName"="iifgHBsS.dll"
"Impersonate"=dword:00000000
"Logon"="o"
"Logoff"="f"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\PFW]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\winwea32]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows


NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet


Settings\User Agent\Post Platform]
"SV1"=""
"digit_may2002"="IEAK"


**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell


Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows


Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script


Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete


List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List


Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler


(DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag


Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo


Target"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box


Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box


Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist


Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar


Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time


Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet


Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist


Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD


Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist


Context Menu Handler"
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}"="Multiscan"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{ABC70703-32AF-11d4-90C4-D483A70F4825}"="CMenuExtender"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon


Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon


Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}"="CorelDRAW Shell Extension


Component"
@="CorelDRAW Shell Extension Component"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application


References"
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}"="PhoneBrowser"
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}"="AutoCAD Digital Signatures Icon Overlay


Handler"
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}"="Autodesk Drawing Preview"
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"="TuneUp Shredder Shell Extension"
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
"{731E006D-0C55-4C6F-ABF0-C98F268FD077}"="APDFR Context Menu Shell Extension"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"


**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:


C:\WINDOWS\SYSTEM32\
winzwr32.dll   Wed Apr 23 2008  12:29:50a  A....         28,672    28.00 K
winjyp32.dll   Wed Apr 23 2008  12:29:56a  A....         28,672    28.00 K
bassmod.dll    Sun Jun 22 2008   2:38:32p  A....         34,308    33.50 K
isafeif.dll    Wed May 28 2008   2:06:14p  A....         99,592    97.26 K
vetredir.dll   Wed May 28 2008   2:06:14p  A....         83,256    81.30 K
sintf16.dll    Sat Jun 14 2008  10:46:02p  A....         12,067    11.78 K
sintf32.dll    Sat Jun 14 2008  10:46:02p  A....         17,212    16.81 K
sintfnt.dll    Sat Jun 14 2008  10:46:02p  A....         21,840    21.33 K
iifghbss.dll   Sun Jun 22 2008   7:11:40p  A....         57,344    56.00 K
isafprod.dll   Sat Jun 21 2008   5:32:44p  A....         91,376    89.23 K


10 items found:  10 files, 0 directories.
Total of file sizes:  474,339 bytes    463.22 K
Locate .tmp files:


No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C8D8-C8B6


Directory of C:\WINDOWS\System32


06/26/2008  05:58 AM           438,628 MUCKlnpo.ini
06/26/2008  05:58 AM           438,450 MUCKlnpo.ini2
06/25/2008  11:53 PM           437,580 QAaJlnpo.ini
06/25/2008  11:52 PM           442,279 QAaJlnpo.ini2
06/24/2008  10:34 PM           429,505 IQAbIRqr.ini
06/24/2008  10:34 PM           429,327 IQAbIRqr.ini2
06/23/2008  10:53 PM           426,689 WGihNXyb.ini
06/23/2008  10:52 PM           426,511 WGihNXyb.ini2
06/22/2008  07:37 PM             2,906 mnmpAcdd.ini
06/22/2008  07:36 PM             2,728 mnmpAcdd.ini2
01/22/2008  08:08 PM    <DIR>          Microsoft
01/22/2008  07:27 PM    <DIR>          dllcache
10 File(s)      3,474,603 bytes
2 Dir(s)   6,511,099,904 bytes free

Edited by happygeek: fixed formatting

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.