0

:mad:
Please help, i like to play games, and needless to say,
being taken out once every two minutes is not fun.
i have been able to take care of things in the past,
and have even gone so far as to download hijack this and such, deleting most if not all of the keys, and i'm still getting popups, ad aware is always picking up something, so is Search and Destroy, but after i reboot in safe mode do all of the above, delete everything, oh, i reboot back and what do you know... yes, 1:59 minutes without a popup!, plz help, this is my hijack this reading, i'm running xp, and have looked through countless of articles with the same problem , albeit, i never have the exact case.

Logfile of HijackThis v1.99.1
Scan saved at 10:33:20 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\AIM\aim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\MSNGAM~1\zone.exe
D:\PROGRA~1\MSNGAM~1\zclient.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\Documents and Settings\Benincasa\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: Themes - D:\WINDOWS\system32\m646lghs1646.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DirectX Drivers - Unknown owner - D:\WINDOWS\D1rectX.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

once again, please help.

2
Contributors
30
Replies
31
Views
11 Years
Discussion Span
Last Post by IYIiKe
0

also, i've tried shutting programs off in task manager, and i'm getting an access denied message, even though i'm the administrator. i looked it up but every solution to that hasn't worked.

0

Hi,
Download and install Ewido Security Suite v3.5. After download, double click on the file to launch the install process. During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update - click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see "Update Successful" in the lower left corner.
If you are having problems with the updater, use this link to manually update.
Exit Ewido when done - DO NOT perform a scan yet.


Download CCleaner and install it. Do not run it now!


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named DirectX Drivers and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".


Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Reboot to Normal Mode.


Next, download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

If you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

Next, please download Rootkit Revealer (link is at the very bottom of the page)

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.

** NOTEBefore performing a scan it is recommended to do the following.
1. Physically unplug the cable from the PC to the internet connection.
2. Close down All Scheduling/Updating + Running Background tasks etc.
3. Launch and run the program.
4. While it is scanning DO NOT use your computer at ALL until the scan has been completed.
5. Save your Log File, and then Enable those things you closed down, or Reboot, and ONLY then Reconnect to the Internet.


Then, post both the L2MFix and Rootkit Reaveler logs.

0

ps: ty.
heres what came from l2me and rootkit

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\n44s0eh7eh4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{37272362-547D-3D33-7851-C01176D810B7}"=""


**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{8C4786B2-1C31-40F3-A998-2C82BDA648CF}"=""
"{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}"=""
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}"=""
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"


**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{8C4786B2-1C31-40F3-A998-2C82BDA648CF}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{8C4786B2-1C31-40F3-A998-2C82BDA648CF}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{8C4786B2-1C31-40F3-A998-2C82BDA648CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{8C4786B2-1C31-40F3-A998-2C82BDA648CF}\InprocServer32]
@="D:\\WINDOWS\\system32\\imakeng.dll"
"ThreadingModel"="Apartment"


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}\InprocServer32]
@="D:\\WINDOWS\\system32\\kmdca.dll"
"ThreadingModel"="Apartment"


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}\Implemented Categories]
@=""


[HKEY_CLASSES_ROOT\CLSID\{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""


[HKEY_CLASSES_ROOT\CLSID\{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}\InprocServer32]
@="D:\\WINDOWS\\system32\\MIC71ESP.DLL"
"ThreadingModel"="Apartment"


**********************************************************************************
Files Found are not all bad files:


D:\WINDOWS\SYSTEM32\
browseui.dll   Wed Nov 23 2005   8:06:34p  A....      1,022,464   998.50 K
danim.dll      Fri Nov  4 2005  10:16:24p  A....      1,054,208     1.00 M
gdi32.dll      Wed Dec 28 2005   9:54:36p  A....        280,064   273.50 K
kmdca.dll      Sun Jan 22 2006  12:39:08p  ..S.R        234,223   228.73 K
mshtml.dll     Wed Nov 23 2005   8:06:34p  A....      3,015,680     2.88 M
n44s0e~1.dll   Sun Jan 22 2006  11:18:46a  ..S.R        234,223   228.73 K
p68qlg~1.dll   Sun Jan 22 2006  12:37:36p  ..S.R        235,518   229.99 K
s32evnt1.dll   Tue Jan  3 2006   3:31:44p  A....         91,904    89.75 K
shdocvw.dll    Wed Nov 30 2005  10:59:30p  A....      1,492,480     1.42 M
urlmon.dll     Fri Nov  4 2005  10:16:28p  A....        609,280   595.00 K


10 items found:  10 files (3 H/S), 0 directories.
Total of file sizes:  8,270,044 bytes      7.89 M
Locate .tmp files:


No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive D has no label.
Volume Serial Number is 94A5-4C6E


Directory of D:\WINDOWS\System32


01/22/2006  12:39 PM    <DIR>          ..
01/22/2006  12:39 PM    <DIR>          .
01/22/2006  12:39 PM           234,223 kmdca.dll
01/22/2006  12:37 PM           235,518 p68qlgl516q.dll
01/22/2006  11:18 AM           234,223 n44s0eh7eh4.dll
09/13/2005  07:22 PM    <DIR>          Microsoft
3 File(s)        703,964 bytes
3 Dir(s)   5,632,966,656 bytes free

I'm posting these in halves, because when i added rootkit to the post it was extremely long, and i got a cannot find server error when posting together.

Edited by happygeek: fixed formatting

0

i have a problem with rootkits...
its 4.6 mb, .... from the looks of it it just copied everything from both drives.... eh, i tried posting, its big even in half of a drive... help?!!?!?!??

0

Hi,
I didnt thought Rootkit Revealer would become that big! We will proceed without that one!

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter.
It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.


Also, perform an online virus scan at Kaspersky Online Scanner. Save the log it gives after the scan and please post it back.

0

alright, i gotta go to work soon, ill be back in about 4-5 hours, and will post and probably go to bed thereafter, so it's best if you expect results tommorow, and then we can continue, but as i will be back tommorow around and hour from whatever time it is on here now, hopefully that is your time... ( i would be back around 3:10 eastern time is what i'm trying to say.)

0

i ran l2me fix, nothing happens, some wierd message comes up on the screen, something asks fora password, and then it does something else, when i restarted, no notepad came up, and ewido freaks out when i try to open up hijackthiss with look2me infections...ah!!!!

0

Logfile of HijackThis v1.99.1
Scan saved at 6:48:07 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\Benincasa\My Documents\hijackthis.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: ThemeManager - D:\WINDOWS\system32\n44s0eh7eh4.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: OYJCYAD - Sysinternals - www.sysinternals.com - D:\DOCUME~1\BENINC~1\LOCALS~1\Temp\OYJCYAD.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


thats that... but ... wierd clicking noise is appearing now.

0

Logfile of HijackThis v1.99.1
Scan saved at 6:48:07 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\Benincasa\My Documents\hijackthis.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: ThemeManager - D:\WINDOWS\system32\n44s0eh7eh4.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: OYJCYAD - Sysinternals - www.sysinternals.com - D:\DOCUME~1\BENINC~1\LOCALS~1\Temp\OYJCYAD.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

0

Hi,
Look2Me is still there. I am sorry, i forgot to say about that password. When L2MFix asks for password, please type bye and press Enter.
Also, after the reboot, if the NotePad doesnt open automatically with the log, go to the folder where L2Mfix.bat file is present and you will find the log there.

Please re-run the L2MFix.bat with Option 2 (and password bye) and post back the log file of L2MFix and HijackThis.


PS: The clicking noise is due to this Look2Me infection!!

0

i have a problem with the l2mefix
at the top it says password will be entered automatically
it says enter the password ofr l2mefix :
and then 1/20th of a second later it says
Attempting to start D:\WINDOWS\System32\second.bat
1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it
Processing cleanup.
. The system cannot find the file specified
The system cannot find the file specified
A duplicate file name exists, or the file cannot be found
Could Not Find D:\WINDOWS\System32\log.txt
then adds some files and says system is ready to reboot...
The log.txt will be in the l2mfix folder after the reboot if it does not open on its own Please fix the missing file 020 with hijackthis after the reboot

0

L2mfix Beta 122705
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

0

Hi,
Looks like its a new Look2Me, and hence L2MFix is not able to completely remove the files. We will remove them manually now.


Download Process Explorer for Windows Nt/2K/XP (Download link is at the bottom of the page). xtract the Zip file to a folder.

Download KillBox, extract it to your desktop.


Boot in SAFE Mode.


In the Process Explorer folder, run Procexp.exe. Now, in the main screen, click on the process Winlogon.exe to highlight it. Right-click on it and click "Properties". Now, in the Properties window, click the "Threads" tab. Here, under the "Start Address" field, look for the filename n44s0eh7eh4.dll. If you find it, select it and click Kill button and click "Yes" to kill it. There may be more than one n44s0eh7eh4.dll in this list, kill them all.


Now, click "OK" to exit from the "Properties" window. In the main window of Process Explorer, click on the process Explorer.exe. Right-click on it and select "Properties". Now, click the "Threads" tab. Similarly, here also look for n44s0eh7eh4.dll entry and kill it, if you find it. Click "OK" to exit from Properties window.


Similarly, look for these DLL files in Winlogon.exe and Explorer.exe properties in Process Explorer, as described above, and if they are found, kill them.
p68qlgl516q.dll
kmdca.dll


Next, open Killbox.exe. First click on Tools > Delete Temp Files. A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then, Check on the Button titled "Delete Selected Temp Files". Exit by clicking the Button titled "Exit(Save Settings)". Once back into the main Killbox program.

Check the following box:-

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.

D:\WINDOWS\SYSTEM32\kmdca.dll
D:\WINDOWS\SYSTEM32\n44s0eh7eh4.dll
D:\WINDOWS\SYSTEM32\p68qlgl516q.dll
D:\WINDOWS\SYSTEM32\guard.tmp

Then in Killbox click File > Paste from Clipboard.

At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes".

A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.


After the reboot, Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with a new HijackThis log.

0

ugh, did everything, i can tell you the first part, there where none of those files in the locations given. i ran killbox, and popups persist.

here is the hijackthis log, cftmon is still there.

Logfile of HijackThis v1.99.1
Scan saved at 4:46:23 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Benincasa\Local Settings\Temp\Temporary Internet Files\Content.IE5\01234567\WinPFind[1]\WinPFind\winpfind.exe
D:\Documents and Settings\Benincasa\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: CSCSettings - D:\WINDOWS\system32\n4l80e3ueh.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: OYJCYAD - Unknown owner - D:\DOCUME~1\BENINC~1\LOCALS~1\Temp\OYJCYAD.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


ill post the WinPFind when it gets done, as it is, it's a white screen that's not responding.

0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings
= D:\WINDOWS\system32\n4l80e3ueh.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/24/2006 4:47:15 PM

0

disregard previous.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.


If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180


»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»


Checking %SystemDrive% folder...


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...


Checking %System% folder...
aspack               3/18/2005 4:19:58 PM        2337488    D:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2                 8/6/2004 7:15:42 PM         41397      D:\WINDOWS\SYSTEM32\dfrg.msc
WinShutDown          1/22/2006 6:37:04 PM    R S 235348     D:\WINDOWS\SYSTEM32\ir2ml5f11.dllad-w-a-r-e.com       1/22/2006 6:37:04 PM    R S 235348     D:\WINDOWS\SYSTEM32\ir2ml5f11.dll
WinShutDown          1/24/2006 4:01:46 PM    R S 235353     D:\WINDOWS\SYSTEM32\IvagX7.dllad-w-a-r-e.com       1/24/2006 4:01:46 PM    R S 235353     D:\WINDOWS\SYSTEM32\IvagX7.dll
PTech                7/12/2005 6:04:22 PM        520456     D:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX!                 1/13/2005 9:41:48 PM        11254      D:\WINDOWS\SYSTEM32\locate.com
PECompact2           1/4/2006 7:46:40 PM         2827616    D:\WINDOWS\SYSTEM32\MRT.exe
aspack               1/4/2006 7:46:40 PM         2827616    D:\WINDOWS\SYSTEM32\MRT.exe
WinShutDown          1/22/2006 6:41:54 PM    R S 234223     D:\WINDOWS\SYSTEM32\myxml3.dllad-w-a-r-e.com       1/22/2006 6:41:54 PM    R S 234223     D:\WINDOWS\SYSTEM32\myxml3.dll
aspack               8/3/2004 11:56:38 PM        708096     D:\WINDOWS\SYSTEM32\ntdll.dll
UPX!                 12/20/2003 6:44:34 PM       8704       D:\WINDOWS\SYSTEM32\ogg.dll
Umonitor             8/3/2004 11:56:46 PM        657920     D:\WINDOWS\SYSTEM32\rasdlg.dll
UPX!                 1/20/2005 1:47:50 PM        175616     D:\WINDOWS\SYSTEM32\strings.exe
UPX!                 10/30/2005 8:49:02 PM       42496      D:\WINDOWS\SYSTEM32\swreg.exe
UPX!                 12/20/2003 6:45:26 PM       112128     D:\WINDOWS\SYSTEM32\vorbis.dll
winsync              8/6/2004 7:18:14 PM         1309184    D:\WINDOWS\SYSTEM32\wbdbase.deu
UPX!                 8/3/2004 11:56:44 PM        3584       D:\WINDOWS\SYSTEM32\webctl.dll


Checking %System%\Drivers folder and sub-folders...


Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts127.0.0.1  www.qoologic.com127.0.0.1  www.urllogic.com



Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/24/2006 4:36:04 PM      S 2048       D:\WINDOWS\bootstat.dat
1/24/2006 4:46:32 PM     H  24         D:\WINDOWS\p1cxK
12/21/2005 4:06:04 PM   RHS 227        D:\WINDOWS\assembly\Desktop.ini
1/8/2006 8:43:22 PM      H  10820      D:\WINDOWS\Help\nocontnt.GID
12/25/2005 12:28:28 AM   H  10820      D:\WINDOWS\Help\update.GID
1/24/2006 4:36:22 PM    R S 236187     D:\WINDOWS\system32\dsserial.dll
1/24/2006 4:36:20 PM    R S 234093     D:\WINDOWS\system32\enr6l19s1.dll
1/22/2006 6:37:04 PM    R S 235348     D:\WINDOWS\system32\ir2ml5f11.dll
1/24/2006 4:01:46 PM    R S 235353     D:\WINDOWS\system32\IvagX7.dll
1/22/2006 6:41:54 PM    R S 234223     D:\WINDOWS\system32\myxml3.dll
1/24/2006 4:27:48 PM    R S 236187     D:\WINDOWS\system32\n4l80e3ueh.dll
11/30/2005 11:17:10 PM    S 21633      D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM      S 10925      D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 6:09:36 PM       S 11223      D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/24/2006 4:38:00 PM     H  1024       D:\WINDOWS\system32\config\default.LOG
1/24/2006 4:36:18 PM     H  1024       D:\WINDOWS\system32\config\SAM.LOG
1/24/2006 4:38:06 PM     H  1024       D:\WINDOWS\system32\config\SECURITY.LOG
1/24/2006 4:46:32 PM     H  1024       D:\WINDOWS\system32\config\software.LOG
1/24/2006 4:38:38 PM     H  1024       D:\WINDOWS\system32\config\system.LOG
1/16/2006 11:35:44 AM    H  1024       D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
11/30/2005 8:23:56 PM    H  40613      D:\WINDOWS\system32\spool\drivers\w32x86\3\lxbkma.GID
1/21/2006 4:20:26 PM     H  6          D:\WINDOWS\Tasks\SA.DAT
1/24/2006 4:36:26 PM     HS 113        D:\WINDOWS\Temp\History\History.IE5\desktop.ini
1/24/2006 4:36:26 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
1/24/2006 4:44:44 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2VYDIX8H\desktop.ini
1/24/2006 4:40:28 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C7KDBWED\desktop.ini
1/24/2006 4:44:50 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G1470R8J\desktop.ini
1/24/2006 4:44:44 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RQ1J653Y\desktop.ini
1/24/2006 4:44:46 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SPUNCD2F\desktop.ini
1/24/2006 4:44:44 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\UPKF4FGP\desktop.ini
1/24/2006 4:40:28 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WSWGVFBR\desktop.ini
1/24/2006 4:40:32 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6ZO9YF\desktop.ini
1/24/2006 4:44:36 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y3EMIGNN\desktop.ini


Checking for CPL files...
Microsoft Corporation          8/3/2004 11:56:58 PM        68608      D:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        549888     D:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        110592     D:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        135168     D:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        80384      D:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        155136     D:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        358400     D:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        129536     D:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        380416     D:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        68608      D:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         11/10/2005 1:03:50 PM       49265      D:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/6/2004 7:17:02 PM         187904     D:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        618496     D:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/6/2004 7:17:26 PM         35840      D:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        25600      D:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        257024     D:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/6/2004 7:17:32 PM         36864      D:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        32768      D:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        114688     D:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           6/20/2001 3:34:36 PM        287232     D:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        298496     D:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/6/2004 7:18:04 PM         28160      D:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        94208      D:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        148480     D:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     D:\WINDOWS\SYSTEM32\wuaucpl.cpl


»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»


Checking files in %ALLUSERSPROFILE%\Startup folder...
9/13/2005 7:16:08 PM     HS 84         D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini


Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/13/2005 2:45:46 PM     HS 62         D:\Documents and Settings\All Users\Application Data\desktop.ini
12/21/2005 4:11:58 PM       2046       D:\Documents and Settings\All Users\Application Data\hpzinstall.log


Checking files in %USERPROFILE%\Startup folder...
9/13/2005 7:16:08 PM     HS 84         D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\desktop.ini


Checking files in %USERPROFILE%\Application Data folder...
9/13/2005 2:45:46 PM     HS 62         D:\Documents and Settings\Benincasa\Application Data\desktop.ini
12/29/2005 5:53:22 PM       1850843    D:\Documents and Settings\Benincasa\Application Data\Install.dat


»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{8C4786B2-1C31-40F3-A998-2C82BDA648CF}   = D:\WINDOWS\system32\imakeng.dll
{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}   = D:\WINDOWS\system32\myxml3.dll
{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}   = D:\WINDOWS\system32\MIC71ESP.DLL
{64EDC752-4460-48E6-8730-B9B18A740C9E}   = D:\WINDOWS\system32\IvagX7.dll
{716662EE-0F72-4DF4-9789-72ADFE54FFEC}   = D:\WINDOWS\system32\dsserial.dll


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = D:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\M2WShlExMenu
{DC6FA7E0-6666-11D5-8CE2-444553540000}   = D:\PROGRA~1\ACOUST~1\M2WShlEx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mygksnnt
{47b160de-c8f1-43ee-837b-3fb77a4093cc}   = D:\WINDOWS\system32\kmgkq.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = D:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll


[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText     = Sun Java Console : D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText   = AIM  : D:\Program Files\AIM\aim.exe


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
&Discuss = shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus   : C:\Program Files\NavShExt.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task  "D:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL   Installed = 1
MAPI    Installed = 1
MSFS    Installed = 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
Flags


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe  D:\WINDOWS\system32\ctfmon.exe
AIM D:\Program Files\AIM\aim.exe -cnetwait.odl


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
STOPzilla Local Service 2
SysmonLog   3
Schedule    2
Browser 2



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup  D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item    HP Digital Imaging Monitor
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup  D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item    HP Digital Imaging Monitor


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup  D:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
item    HP Image Zone Fast Start
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup  D:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
item    HP Image Zone Fast Start


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup  D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l
item    Microsoft Office
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup  D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l
item    Microsoft Office


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^Benincasa^Start Menu^Programs^Startup^Sound Control.lnk
path    D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\Sound Control.lnk
backup  D:\WINDOWS\pss\Sound Control.lnkStartup
location    Startup
command D:\PROGRA~1\SOUNDC~1\SC.EXE
item    Sound Control
path    D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\Sound Control.lnk
backup  D:\WINDOWS\pss\Sound Control.lnkStartup
location    Startup
command D:\PROGRA~1\SOUNDC~1\SC.EXE
item    Sound Control


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winlog
hkey    HKLM
command winlog.exe
inimapping  0



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\adtech2006
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    adtech2006a
hkey    HKLM
command C:\windows\adtech2006a.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    adtech2006a
hkey    HKLM
command C:\windows\adtech2006a.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    aim
hkey    HKCU
command D:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    aim
hkey    HKCU
command D:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ccApp
hkey    HKLM
command "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ccApp
hkey    HKLM
command "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ctfmon
hkey    HKCU
command D:\WINDOWS\system32\ctfmon.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ctfmon
hkey    HKCU
command D:\WINDOWS\system32\ctfmon.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    daemon
hkey    HKLM
command "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    daemon
hkey    HKLM
command "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fimq
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    fimqm
hkey    HKCU
command D:\PROGRA~1\COMMON~1\fimq\fimqm.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    fimqm
hkey    HKCU
command D:\PROGRA~1\COMMON~1\fimq\fimqm.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hpcmpmgr
hkey    HKLM
command "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hpcmpmgr
hkey    HKLM
command "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    HPWuSchd2
hkey    HKLM
command "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    HPWuSchd2
hkey    HKLM
command "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hpztsb11
hkey    HKLM
command D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hpztsb11
hkey    HKLM
command D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPHmon06
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hphmon06
hkey    HKLM
command D:\WINDOWS\system32\hphmon06.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hphmon06
hkey    HKLM
command D:\WINDOWS\system32\hphmon06.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPHUPD06
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hphupd06
hkey    HKLM
command D:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hphupd06
hkey    HKLM
command D:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    dumprep 0 -k
hkey    HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    dumprep 0 -k
hkey    HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lexmark X1100 Series
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    lxbkbmgr
hkey    HKLM
command "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    lxbkbmgr
hkey    HKLM
command "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lspins
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    igps
hkey    HKLM
command "D:\WINDOWS\system32\igps.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    igps
hkey    HKLM
command "D:\WINDOWS\system32\igps.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    msmsgs
hkey    HKCU
command "D:\Program Files\Messenger\msmsgs.exe" /background
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    msmsgs
hkey    HKCU
command "D:\Program Files\Messenger\msmsgs.exe" /background
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    qttask
hkey    HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    qttask
hkey    HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\services32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    mc-110-12-0000140
hkey    HKCU
command D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    mc-110-12-0000140
hkey    HKCU
command D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    jusched
hkey    HKLM
command D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    jusched
hkey    HKLM
command D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    SNDMon
hkey    HKLM
command D:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    SNDMon
hkey    HKLM
command D:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\timessquare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    timessquare
hkey    HKLM
command C:\windows\timessquare.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    timessquare
hkey    HKLM
command C:\windows\timessquare.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows installer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winstall
hkey    HKCU
command C:\winstall.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winstall
hkey    HKCU
command C:\winstall.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsupdater
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsupdater
hkey    HKLM
command D:\Program Files\winsupdater\winsupdater.exe /auto
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsupdater
hkey    HKLM
command D:\Program Files\winsupdater\winsupdater.exe /auto
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsysban
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsysban
hkey    HKLM
command C:\windows\winsysban.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsysban
hkey    HKLM
command C:\windows\winsysban.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsysupd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsysupd
hkey    HKLM
command C:\windows\winsysupd.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsysupd
hkey    HKLM
command C:\windows\winsysupd.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\[01]##############################################################################################################################
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    rogue
hkey    HKLM
command D:\Program Files\Internet Optimizer\update\rogue.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    rogue
hkey    HKLM
command D:\Program Files\Internet Optimizer\update\rogue.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini  0
win.ini 0
bootini 0
services    2
startup 1



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = D:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon    1
undockwithoutlogon  1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoComponents    0
NoAddingComponents  0
NoDeletingComponents    0
NoEditingComponents 0


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun  145
ForceActiveDesktopOn    0


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = D:\WINDOWS\system32\webctl.dll
SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\system32\stobject.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit    = D:\WINDOWS\System32\userinit.exe,
Shell       = Explorer.exe
System      =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings
= D:\WINDOWS\system32\n4l80e3ueh.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/24/2006 4:47:15 PM

Edited by happygeek: fixed formatting

0

Hi,
There are a lot of files to remove!


Please download Trojan Hunter (trial) and install it.


Boot in SAFE mode.


Now, run Trojan Hunter. Go to Tools Menu > Process Viewer. This opens up process viewer window, here click on the + symbol beside the process Winlogon.exe. Now, in this expanded list for process Winlogon.exe, look for the filename D:\WINDOWS\system32\n4l80e3ueh.dll, if you find it, right-click on it and select Unload module.

Similarly, expand the process Explorer.exe by clicking the + sign beside it, and look for the same D:\WINDOWS\system32\n4l80e3ueh.dll file and if its found, right-click on it and click Unload module.

Now, close Trojan Hunter.


Uninstall this Software from Add/Remove Programs in Control Panel:-
Internet Optimizer (if found)


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

O20 - Winlogon Notify: CSCSettings - D:\WINDOWS\system32\n4l80e3ueh.dll

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Delete these folders:-
D:\PROGRAM FILES\COMMON FILES\fimq
D:\Program Files\winsupdater
D:\Program Files\Internet Optimizer


Open Killbox.exe. Check the following box:-

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.

C:\winstall.exe
C:\windows\adtech2006a.exe
C:\windows\timessquare.exe
C:\windows\winsysban.exe
C:\windows\winsysupd.exe
D:\WINDOWS\p1cxK
D:\WINDOWS\system32\igps.exe
D:\WINDOWS\SYSTEM32\ir2ml5f11.dll
D:\WINDOWS\SYSTEM32\IvagX7.dll
D:\WINDOWS\SYSTEM32\myxml3.dll
D:\WINDOWS\SYSTEM32\webctl.dll
D:\WINDOWS\system32\dsserial.dll
D:\WINDOWS\system32\enr6l19s1.dll
D:\WINDOWS\system32\n4l80e3ueh.dll
D:\WINDOWS\system32\imakeng.dll
D:\WINDOWS\system32\MIC71ESP.DLL
D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\lxbkma.GID

Then in Killbox click File > Paste from Clipboard.

At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes".

A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.


Once rebooted to Normal mode, please run WinPFind again and post a new log of it.

0

did all of the following, the requested n4l180e3ueh.dll isn't found, nor was internet optimizer.

i did have to delete common files on both drives,
as i use both drives after my c was reformatted, and have been trying to switch more to c because it has about 40 gigs free compared to the 3 gigs on d left... so there may be files on one or the other. ewido has about 6 l2me files in quarentine, including guard.tmp yyy65 are still popping up, and a
heres the scan.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180


»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»


Checking %SystemDrive% folder...


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...


Checking %System% folder...
aspack               3/18/2005 4:19:58 PM        2337488    D:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2                 8/6/2004 7:15:42 PM         41397      D:\WINDOWS\SYSTEM32\dfrg.msc
PTech                7/12/2005 6:04:22 PM        520456     D:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX!                 1/13/2005 9:41:48 PM        11254      D:\WINDOWS\SYSTEM32\locate.com
PECompact2           1/4/2006 7:46:40 PM         2827616    D:\WINDOWS\SYSTEM32\MRT.exe
aspack               1/4/2006 7:46:40 PM         2827616    D:\WINDOWS\SYSTEM32\MRT.exe
WinShutDown          1/25/2006 6:06:22 PM    R S 236187     D:\WINDOWS\SYSTEM32\n46q0ej5eho.dllad-w-a-r-e.com       1/25/2006 6:06:22 PM    R S 236187     D:\WINDOWS\SYSTEM32\n46q0ej5eho.dll
aspack               8/3/2004 11:56:38 PM        708096     D:\WINDOWS\SYSTEM32\ntdll.dll
UPX!                 12/20/2003 6:44:34 PM       8704       D:\WINDOWS\SYSTEM32\ogg.dll
Umonitor             8/3/2004 11:56:46 PM        657920     D:\WINDOWS\SYSTEM32\rasdlg.dll
UPX!                 1/20/2005 1:47:50 PM        175616     D:\WINDOWS\SYSTEM32\strings.exe
UPX!                 10/30/2005 8:49:02 PM       42496      D:\WINDOWS\SYSTEM32\swreg.exe
UPX!                 12/20/2003 6:45:26 PM       112128     D:\WINDOWS\SYSTEM32\vorbis.dll
winsync              8/6/2004 7:18:14 PM         1309184    D:\WINDOWS\SYSTEM32\wbdbase.deu
WinShutDown          1/26/2006 3:34:08 PM        234093     D:\WINDOWS\SYSTEM32\__delete_on_reboot__rjpcfgex.dllad-w-a-r-e.com       1/26/2006 3:34:08 PM        234093     D:\WINDOWS\SYSTEM32\__delete_on_reboot__rjpcfgex.dll


Checking %System%\Drivers folder and sub-folders...


Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts127.0.0.1  www.qoologic.com127.0.0.1  www.urllogic.com



Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/26/2006 3:33:44 PM      S 2048       D:\WINDOWS\bootstat.dat
1/26/2006 3:47:38 PM     H  24         D:\WINDOWS\p1cxK
12/21/2005 4:06:04 PM   RHS 227        D:\WINDOWS\assembly\Desktop.ini
1/8/2006 8:43:22 PM      H  10820      D:\WINDOWS\Help\nocontnt.GID
12/25/2005 12:28:28 AM   H  10820      D:\WINDOWS\Help\update.GID
1/26/2006 3:38:12 PM     H  0          D:\WINDOWS\inf\oem12.inf
1/26/2006 3:38:12 PM     H  0          D:\WINDOWS\LastGood\INF\oem12.inf
1/26/2006 3:38:12 PM     H  0          D:\WINDOWS\LastGood\INF\oem12.PNF
1/26/2006 3:39:56 PM     H  0          D:\WINDOWS\LastGood\INF\oem13.inf
1/26/2006 3:39:56 PM     H  0          D:\WINDOWS\LastGood\INF\oem13.PNF
1/25/2006 6:06:22 PM    R S 236187     D:\WINDOWS\system32\n46q0ej5eho.dll
1/26/2006 3:16:20 PM    R S 234093     D:\WINDOWS\system32\wx2help.dll
11/30/2005 11:17:10 PM    S 21633      D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM      S 10925      D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 6:09:36 PM       S 11223      D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/26/2006 3:40:12 PM     H  1024       D:\WINDOWS\system32\config\default.LOG
1/26/2006 3:33:56 PM     H  1024       D:\WINDOWS\system32\config\SAM.LOG
1/26/2006 3:36:04 PM     H  1024       D:\WINDOWS\system32\config\SECURITY.LOG
1/26/2006 3:47:10 PM     H  1024       D:\WINDOWS\system32\config\software.LOG
1/26/2006 3:41:28 PM     H  1024       D:\WINDOWS\system32\config\system.LOG
1/16/2006 11:35:44 AM    H  1024       D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
1/21/2006 4:20:26 PM     H  6          D:\WINDOWS\Tasks\SA.DAT
1/24/2006 4:36:26 PM     HS 113        D:\WINDOWS\Temp\History\History.IE5\desktop.ini
1/24/2006 4:36:26 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
1/24/2006 4:44:44 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2VYDIX8H\desktop.ini
1/24/2006 4:48:42 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4PCLEN41\desktop.ini
1/24/2006 4:54:24 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6C4MQ38U\desktop.ini
1/24/2006 5:21:42 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\B2BANVIS\desktop.ini
1/24/2006 4:40:28 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C7KDBWED\desktop.ini
1/24/2006 4:52:46 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\E9WFA5AL\desktop.ini
1/24/2006 4:44:50 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G1470R8J\desktop.ini
1/24/2006 4:54:20 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\JLD0CZ67\desktop.ini
1/24/2006 4:44:44 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RQ1J653Y\desktop.ini
1/24/2006 4:44:46 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SPUNCD2F\desktop.ini
1/24/2006 4:44:44 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\UPKF4FGP\desktop.ini
1/24/2006 4:40:28 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WSWGVFBR\desktop.ini
1/24/2006 4:40:32 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6ZO9YF\desktop.ini
1/24/2006 4:44:36 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y3EMIGNN\desktop.ini
1/24/2006 4:48:56 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YFUP0VAV\desktop.ini
1/24/2006 4:48:56 PM     HS 67         D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YVYV2DQB\desktop.ini


Checking for CPL files...
Microsoft Corporation          8/3/2004 11:56:58 PM        68608      D:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        549888     D:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        110592     D:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        135168     D:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        80384      D:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        155136     D:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        358400     D:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        129536     D:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        380416     D:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        68608      D:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         11/10/2005 1:03:50 PM       49265      D:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/6/2004 7:17:02 PM         187904     D:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        618496     D:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/6/2004 7:17:26 PM         35840      D:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        25600      D:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        257024     D:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/6/2004 7:17:32 PM         36864      D:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        32768      D:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        114688     D:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           6/20/2001 3:34:36 PM        287232     D:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        298496     D:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/6/2004 7:18:04 PM         28160      D:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        94208      D:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        148480     D:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     D:\WINDOWS\SYSTEM32\wuaucpl.cpl


»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»


Checking files in %ALLUSERSPROFILE%\Startup folder...
9/13/2005 7:16:08 PM     HS 84         D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini


Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/13/2005 2:45:46 PM     HS 62         D:\Documents and Settings\All Users\Application Data\desktop.ini
12/21/2005 4:11:58 PM       2046       D:\Documents and Settings\All Users\Application Data\hpzinstall.log


Checking files in %USERPROFILE%\Startup folder...
9/13/2005 7:16:08 PM     HS 84         D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\desktop.ini


Checking files in %USERPROFILE%\Application Data folder...
9/13/2005 2:45:46 PM     HS 62         D:\Documents and Settings\Benincasa\Application Data\desktop.ini
12/29/2005 5:53:22 PM       1850843    D:\Documents and Settings\Benincasa\Application Data\Install.dat


»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{8C4786B2-1C31-40F3-A998-2C82BDA648CF}   = D:\WINDOWS\system32\imakeng.dll
{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}   = D:\WINDOWS\system32\myxml3.dll
{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}   = D:\WINDOWS\system32\MIC71ESP.DLL
{64EDC752-4460-48E6-8730-B9B18A740C9E}   = D:\WINDOWS\system32\IvagX7.dll
{716662EE-0F72-4DF4-9789-72ADFE54FFEC}   = D:\WINDOWS\system32\dsserial.dll
{25942B62-516E-4A7E-B195-A361C2139755}   = D:\WINDOWS\system32\wx2help.dll


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = D:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\M2WShlExMenu
{DC6FA7E0-6666-11D5-8CE2-444553540000}   = D:\PROGRA~1\ACOUST~1\M2WShlEx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mygksnnt
{47b160de-c8f1-43ee-837b-3fb77a4093cc}   = D:\WINDOWS\system32\kmgkq.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}   = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}   = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = D:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}   = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll


[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText     = Sun Java Console : D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText   = AIM  : D:\Program Files\AIM\aim.exe


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
&Discuss = shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus   : C:\Program Files\NavShExt.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task  "D:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard "D:\Program Files\TrojanHunter 4.2\THGuard.exe"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL   Installed = 1
MAPI    Installed = 1
MSFS    Installed = 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
Flags


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe  D:\WINDOWS\system32\ctfmon.exe
AIM D:\Program Files\AIM\aim.exe -cnetwait.odl


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
STOPzilla Local Service 2
SysmonLog   3
Schedule    2
Browser 2



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup  D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item    HP Digital Imaging Monitor
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup  D:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item    HP Digital Imaging Monitor


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup  D:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
item    HP Image Zone Fast Start
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup  D:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
item    HP Image Zone Fast Start


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup  D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l
item    Microsoft Office
path    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup  D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location    Common Startup
command D:\PROGRA~1\MICROS~3\Office10\OSA.EXE -b -l
item    Microsoft Office


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\D:^Documents and Settings^Benincasa^Start Menu^Programs^Startup^Sound Control.lnk
path    D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\Sound Control.lnk
backup  D:\WINDOWS\pss\Sound Control.lnkStartup
location    Startup
command D:\PROGRA~1\SOUNDC~1\SC.EXE
item    Sound Control
path    D:\Documents and Settings\Benincasa\Start Menu\Programs\Startup\Sound Control.lnk
backup  D:\WINDOWS\pss\Sound Control.lnkStartup
location    Startup
command D:\PROGRA~1\SOUNDC~1\SC.EXE
item    Sound Control


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winlog
hkey    HKLM
command winlog.exe
inimapping  0



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\adtech2006
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    adtech2006a
hkey    HKLM
command C:\windows\adtech2006a.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    adtech2006a
hkey    HKLM
command C:\windows\adtech2006a.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    aim
hkey    HKCU
command D:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    aim
hkey    HKCU
command D:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ccApp
hkey    HKLM
command "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ccApp
hkey    HKLM
command "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ctfmon
hkey    HKCU
command D:\WINDOWS\system32\ctfmon.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ctfmon
hkey    HKCU
command D:\WINDOWS\system32\ctfmon.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    daemon
hkey    HKLM
command "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    daemon
hkey    HKLM
command "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fimq
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    fimqm
hkey    HKCU
command D:\PROGRA~1\COMMON~1\fimq\fimqm.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    fimqm
hkey    HKCU
command D:\PROGRA~1\COMMON~1\fimq\fimqm.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hpcmpmgr
hkey    HKLM
command "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hpcmpmgr
hkey    HKLM
command "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    HPWuSchd2
hkey    HKLM
command "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    HPWuSchd2
hkey    HKLM
command "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hpztsb11
hkey    HKLM
command D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hpztsb11
hkey    HKLM
command D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPHmon06
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hphmon06
hkey    HKLM
command D:\WINDOWS\system32\hphmon06.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hphmon06
hkey    HKLM
command D:\WINDOWS\system32\hphmon06.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPHUPD06
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hphupd06
hkey    HKLM
command D:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    hphupd06
hkey    HKLM
command D:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    dumprep 0 -k
hkey    HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    dumprep 0 -k
hkey    HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lexmark X1100 Series
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    lxbkbmgr
hkey    HKLM
command "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    lxbkbmgr
hkey    HKLM
command "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lspins
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    igps
hkey    HKLM
command "D:\WINDOWS\system32\igps.exe"
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    igps
hkey    HKLM
command "D:\WINDOWS\system32\igps.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    msmsgs
hkey    HKCU
command "D:\Program Files\Messenger\msmsgs.exe" /background
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    msmsgs
hkey    HKCU
command "D:\Program Files\Messenger\msmsgs.exe" /background
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    qttask
hkey    HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    qttask
hkey    HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\services32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    mc-110-12-0000140
hkey    HKCU
command D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    mc-110-12-0000140
hkey    HKCU
command D:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    jusched
hkey    HKLM
command D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    jusched
hkey    HKLM
command D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    SNDMon
hkey    HKLM
command D:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    SNDMon
hkey    HKLM
command D:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\timessquare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    timessquare
hkey    HKLM
command C:\windows\timessquare.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    timessquare
hkey    HKLM
command C:\windows\timessquare.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows installer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winstall
hkey    HKCU
command C:\winstall.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winstall
hkey    HKCU
command C:\winstall.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsupdater
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsupdater
hkey    HKLM
command D:\Program Files\winsupdater\winsupdater.exe /auto
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsupdater
hkey    HKLM
command D:\Program Files\winsupdater\winsupdater.exe /auto
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsysban
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsysban
hkey    HKLM
command C:\windows\winsysban.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsysban
hkey    HKLM
command C:\windows\winsysban.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsysupd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsysupd
hkey    HKLM
command C:\windows\winsysupd.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    winsysupd
hkey    HKLM
command C:\windows\winsysupd.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\[01]##############################################################################################################################
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    rogue
hkey    HKLM
command D:\Program Files\Internet Optimizer\update\rogue.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    rogue
hkey    HKLM
command D:\Program Files\Internet Optimizer\update\rogue.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini  0
win.ini 0
bootini 0
services    2
startup 1



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = D:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon    1
undockwithoutlogon  1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoComponents    0
NoAddingComponents  0
NoDeletingComponents    0
NoEditingComponents 0


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun  145
ForceActiveDesktopOn    0


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = D:\WINDOWS\system32\webctl.dll
SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\system32\stobject.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit    = D:\WINDOWS\System32\userinit.exe,
Shell       = Explorer.exe
System      =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation
= D:\WINDOWS\system32\wx2help.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility
= D:\WINDOWS\system32\enr6l19s1.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/26/2006 3:48:42 PM

Edited by happygeek: fixed formatting

0

here's the scan with ewido.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:26:05 PM, 1/26/2006
+ Report-Checksum: A484391

+ Scan result:

HKLM\SOFTWARE\YourSiteBar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historystring -> Spyware.ISTBar : Error during cleaning
HKU\S-1-5-21-220523388-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-220523388-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoAddingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-220523388-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoDeletingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-220523388-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoEditingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-220523388-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ForceActiveDesktopOn -> Trojan.Small : Cleaned with backup
[1484] D:\WINDOWS\system32\wx2help.dll -> Spyware.Look2Me : Error during cleaning
[1936] D:\WINDOWS\system32\rjpcfgex.dll -> Spyware.Look2Me : Error during cleaning
D:\!KillBox\dsserial.dll -> Spyware.Look2Me : Cleaned with backup
D:\!KillBox\ir2ml5f11.dll -> Spyware.Look2Me : Cleaned with backup
D:\!KillBox\IvagX7.dll -> Spyware.Look2Me : Cleaned with backup
D:\!KillBox\myxml3.dll -> Spyware.Look2Me : Cleaned with backup
D:\!KillBox\p68qlgl516q.dll -> Spyware.Look2Me : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Benincasa\Cookies\benincasa@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@partygaming.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@reduxads.valuead[1].txt -> Spyware.Cookie.Valuead : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Benincasa\Local Settings\Temp\Cookies\benincasa@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
D:\WINDOWS\system32\n46q0ej5eho.dll -> Spyware.Look2Me : Cleaned with backup
D:\WINDOWS\system32\__delete_on_reboot__rjpcfgex.dll -> Spyware.Look2Me : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@entrepreneur.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@partygaming.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\WINDOWS\Temp\Cookies\benincasa@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
D:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WX6ZO9YF\mm[2].js -> Spyware.Chitika : Cleaned with backup


::Report End

0

Hi,
Please download WebRoot SpySweeper from HERE (It is a 2-week trial version.):

  • Click on Free Spy Scan.
  • On the next page, click on Start Scan Now
  • Save the Setup file to your Desktop>click OK.
  • Double-click on the file that you saved. (If you receive alerts from your firewall, allow all activities for Spy Sweeper)
  • You will be prompted to check for updated definitions, please do so.
  • Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".
  • Check "Local Disc C" and under "What to Sweep", check every box.
  • Click on "Sweep" and allow it to fully scan your system.
  • When the sweep has finished, click "Remove" to remove any items found.
  • Exit SpySweeper and reboot your computer.

NOTE: After SpySweeper has finished and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.

0

After the SpySweeper scan, please run L2MFix and choose Option #1 to get the log file and post it here.

0

im sorry, i ran the webroot scan, and it goes through everything, then at the end, it just keeps going and going scanning nothing, but the traces found keeps going up, i left it on all night and it was still scanning : /

0

Hi,
Open a new file in NotePad and copy the contents of the below "Quote" box:-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{8C4786B2-1C31-40F3-A998-2C82BDA648CF}=-
{73C81572-87F7-48CA-A5A8-ADA82AF73D7C}=-
{59B492DA-8C3A-4A9E-8FAA-6FF908ADDACD}=-
{64EDC752-4460-48E6-8730-B9B18A740C9E}=-
{716662EE-0F72-4DF4-9789-72ADFE54FFEC}=-
{25942B62-516E-4A7E-B195-A361C2139755}=-

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mygksnnt]

Go to File Menu (in NotePad) > Save AS and save the file with the name Fix.REG and exit from NotePad.


Double-click on this file and click "Yes" to merge it to Registry.


Now, in the TrojanHunter's Process Viewer, expand the Winlogon.exe and Explorer.exe processes (by clicking the "+" sign, as mentioned in my previous post), and then look for these DLLs, respectively:-

D:\WINDOWS\system32\wx2help.dll
D:\WINDOWS\system32\kmgkq.dll
D:\WINDOWS\system32\rjpcfgex.dll
D:\WINDOWS\system32\n46q0ej5eho.dll

If they are found, right-click on them and click "Unload Module". Afte this, close TrojanHunter.


Open KillBox.exe. Check the following box:-

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.

D:\WINDOWS\system32\wx2help.dll
D:\WINDOWS\system32\kmgkq.dll
D:\WINDOWS\system32\rjpcfgex.dll
D:\WINDOWS\system32\n46q0ej5eho.dll
D:\WINDOWS\SYSTEM32\__delete_on_reboot__rjpcfgex.dll

Then in Killbox click File > Paste from Clipboard.

At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.


After the reboot, please post a new WinPFind log and HijackThis log.


Also, please try running SpySweeper in SAFE mode.

0

Logfile of HijackThis v1.99.1
Scan saved at 4:14:41 PM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Benincasa\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] "D:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: App Management - D:\WINDOWS\system32\q4860elsehq60.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - D:\WINDOWS\system32\enr6l19s1.dll (file missing)
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: OYJCYAD - Unknown owner - D:\DOCUME~1\BENINC~1\LOCALS~1\Temp\OYJCYAD.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

0

ps: popups are not appearing , spysweeper is no longer having to block a-d-w-a-r-e and variant sites.

0

Hi,
There are some stray Registry entries to be removed now. Download CCleaner and install it. Do not run it now!

Download SpywareBlaster and install it.


Reboot in Safe Mode.


Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named OYJCYAD and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".

Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

O20 - Winlogon Notify: App Management - D:\WINDOWS\system32\q4860elsehq60.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - D:\WINDOWS\system32\enr6l19s1.dll (file missing)
O23 - Service: OYJCYAD - Unknown owner - D:\DOCUME~1\BENINC~1\LOCALS~1\Temp\OYJCYAD.exe (file missing)

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.


Run SpywareBlaster and click "Enable All Protection" and exit from it.


Reboot back to Normal Mode, run HijackThis again, click Do a System scan and save log, and post the fresh log.

0

Logfile of HijackThis v1.99.1
Scan saved at 3:30:01 PM, on 2/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\TrojanHunter 4.2\THGuard.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM+\AIM+.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\navapsvc.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Benincasa\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] "D:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126727932050
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137427556375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Ps: only one of the requested files to be deleted couldn't be found, the 23 one, however, there was a simlar unknown owner one, and i deleted it. : P

0

Hi,
Log looks clean :) Are you getting any popups? If there's no problem, then i will mark this thread as "Solved" :)

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.