Was away on holiday and made the mistake of not setting a password on my computer. When I returned, it was filled with so much spyware, adware and popups appeared non stop. Tried formatting a few times but the problem is still there. This is my HJT log, please help!!
Logfile of HijackThis v1.99.1
Scan saved at 7:53:17 PM, on 2/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ZXZlbHlu\command.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\msoftconfs2.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\firefox.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ssymsne] valuex.exe
O4 - HKLM\..\Run: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames11.exe
O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd11.exe
O4 - HKLM\..\RunServices: [ssymsne] valuex.exe
O4 - HKLM\..\RunServices: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKCU\..\Run: [ssymsne] valuex.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\RunServices: [ssymsne] valuex.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterex...artload124a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c46.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/d...r/int_ver34.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{78821361-90B5-42A9-80D1-DDEE97F88931}: NameServer = 203.50.2.71 139.130.4.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\o4ro0e93eh.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZXZlbHlu\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: firefox auto update - Unknown owner - C:\WINDOWS\firefox.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
1
Please help... my computer is infested!
Started by fukwailui, Feb 24 2006 08:55 AM
15 replies to this topic
#2 OFFLINE
-
- Spyware Moderators
-
- 1,821 posts
Power Member
- Gender:Male
- Location:Manchester. UK
- Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
Posted 25 February 2006 - 04:06 AM
Hi Fukwailui 
If you perform a full format and re-install of Windows using the XP disk then it will remove all the infections. Your pc has multiple problems showing including Worms and Spyware so formatting and installing a fresh copy of Windows maybe a good idea but you will need protection software if you do format to prevent more infections . There doesnt seem to be any Antivirus or Firewall programs installed which would leave the pc open to attack so the first step if you did want to clean up the pc is to install some protection software,
Follow these steps and let us know if you have any problems or questions:
*Install CA EZ Antivirus from Here which is a 1 year free trial for all Microsoft Users. Install and update then close for now.
*Download Blacklight from Here and save it to your desktop: Double-click blbeta.exe, accept statement > click next then scan.
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx will be the date and time of the scan). Copy and paste this log in your next reply. Don't choose the rename option yet because legitimate items can also be present there, such as "wbemtest.exe"
*Please download, install, and update the free version of Ewido Anti-Malware from Here
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido it will open the main ewido screen, click on update in the left menu, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT scan yet.
*Download l2mfix from Here and save it to your desktop. Double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder yet, This Fix must NOT be run in safe mode.
If you receive an error while running option #1 similar to: ''C:\windows\system32\cmd.exe/ C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications" choose close to terminate the application then use option 5 or the web page link in the l2mfix folder to repair the corrupt files, do not run the fix portion if you receive this error without fixing the files.
*Download Ccleaner from Here if you dont already have it installed, When Installing it will display the agreement then after pressing Next it shows the install location, press next again and it will open the Install Options screen, Uncheck the bottom option which is ' Install Ccleaner Yahoo! Toolbar' then press 'Install', when it opens press the 'Run Cleaner' button to remove temp files then exit
Once the above is complete print out or make a copy of these instructions before rebooting to safe mode because you will not be able to connect to the internet during most of this fix.
Reboot into Safe Mode. To do this restart your computer and start pressing the F8 key on your keyboard. Select the safe mode option when the Windows Advanced Options menu appears, and then press ENTER.
In Safe Mode, Run EZ Antivirus and choose a full system scan,
Next run Ewido again. Click on the Scanner button in the left menu, then click on the 'Complete System Scan' button. If ewido finds anything, it will pop up a notification. When you see this first pop up select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". Save this text file to your desktop and post it back in your next reply.
Next open Hijack This and choose to run a System Scan, Place checks next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:// searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:// searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:// www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:// searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:// searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [ssymsne] valuex.exe
O4 - HKLM\..\Run: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames11.exe
O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd11.exe
O4 - HKLM\..\RunServices: [ssymsne] valuex.exe
O4 - HKLM\..\RunServices: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKCU\..\Run: [ssymsne] valuex.exe
O4 - HKCU\..\Run: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\RunServices: [ssymsne] valuex.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http:// promo.dollarrevenue.com/webmasterex...artload124a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http:// static.zangocash.com/cab/Zango/ie/bridge-c46.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http:// advnt01.com/dialer/int_ver34.CAB
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\o4ro0e93eh.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZXZlbHlu\command.exe
O23 - Service: firefox auto update - Unknown owner - C:\WINDOWS\firefox.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
Close all open windows except for Hijack This and then press the fixed checked button.
You will need to set Windows to show Hidden and Operating System Files to find some of the below files and folders:
To enable hidden files Click Start. Goto MyComputer then c:\drive , select the 'Tools' menu from the top bar and click 'Folder Options'. Select the 'View' Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm then OK
Set this back once you have removed the files by opening the same page and pressing the restore defaults button.
Next Delete these files and folders:
C:\Windows\system32\valuex.exe <-- Delete File
C:\Windows\system32\msoftconfs2.exe <-- Delete File
C:\Windows\system32\msappview32.exe <-- Delete File
C:\Windows\system32\o4ro0e93eh.dll <-- Delete File
c:\gimmygames11.exe <-- Delete File
c:\Windows\winsysupd11.exe <-- Delete File
C:\Windows\firefox.exe <-- Delete File
C:\Program Files\Common Files\VCClient <--Delete Folder
C:\Windows\ZXZlbHlu <--Delete Folder
C:\Program Files\Network Monitor <--Delete Folder
Let us know any that cannot be found
Run Ccleaner again and press 'Run Cleaner' then exit.
Next Open a command prompt screen, Goto Start Menu > Run > and type
cmd
Press OK and then type (or copy and paste) these lines into the cmd screen one at a time and press enter after each one.
sc delete cmdService
sc delete "firefox auto update"
sc delete "Network Monitor"
Then type exit and press enter.
Reboot back to Normal mode and post a new Hijack This log, Ewido's Scan Log, Blacklight's Log & the L2mfix Log
All The Best
Andy
If you perform a full format and re-install of Windows using the XP disk then it will remove all the infections. Your pc has multiple problems showing including Worms and Spyware so formatting and installing a fresh copy of Windows maybe a good idea but you will need protection software if you do format to prevent more infections . There doesnt seem to be any Antivirus or Firewall programs installed which would leave the pc open to attack so the first step if you did want to clean up the pc is to install some protection software,
Follow these steps and let us know if you have any problems or questions:
*Install CA EZ Antivirus from Here which is a 1 year free trial for all Microsoft Users. Install and update then close for now.
*Download Blacklight from Here and save it to your desktop: Double-click blbeta.exe, accept statement > click next then scan.
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx will be the date and time of the scan). Copy and paste this log in your next reply. Don't choose the rename option yet because legitimate items can also be present there, such as "wbemtest.exe"
*Please download, install, and update the free version of Ewido Anti-Malware from Here
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido it will open the main ewido screen, click on update in the left menu, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT scan yet.
*Download l2mfix from Here and save it to your desktop. Double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder yet, This Fix must NOT be run in safe mode.
If you receive an error while running option #1 similar to: ''C:\windows\system32\cmd.exe/ C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications" choose close to terminate the application then use option 5 or the web page link in the l2mfix folder to repair the corrupt files, do not run the fix portion if you receive this error without fixing the files.
*Download Ccleaner from Here if you dont already have it installed, When Installing it will display the agreement then after pressing Next it shows the install location, press next again and it will open the Install Options screen, Uncheck the bottom option which is ' Install Ccleaner Yahoo! Toolbar' then press 'Install', when it opens press the 'Run Cleaner' button to remove temp files then exit
Once the above is complete print out or make a copy of these instructions before rebooting to safe mode because you will not be able to connect to the internet during most of this fix.
Reboot into Safe Mode. To do this restart your computer and start pressing the F8 key on your keyboard. Select the safe mode option when the Windows Advanced Options menu appears, and then press ENTER.
In Safe Mode, Run EZ Antivirus and choose a full system scan,
Next run Ewido again. Click on the Scanner button in the left menu, then click on the 'Complete System Scan' button. If ewido finds anything, it will pop up a notification. When you see this first pop up select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". Save this text file to your desktop and post it back in your next reply.
Next open Hijack This and choose to run a System Scan, Place checks next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:// searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:// searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:// www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:// searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:// searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [ssymsne] valuex.exe
O4 - HKLM\..\Run: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames11.exe
O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd11.exe
O4 - HKLM\..\RunServices: [ssymsne] valuex.exe
O4 - HKLM\..\RunServices: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKCU\..\Run: [ssymsne] valuex.exe
O4 - HKCU\..\Run: [Microsoft Configurs12] msoftconfs2.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\RunServices: [ssymsne] valuex.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http:// promo.dollarrevenue.com/webmasterex...artload124a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http:// static.zangocash.com/cab/Zango/ie/bridge-c46.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http:// advnt01.com/dialer/int_ver34.CAB
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\o4ro0e93eh.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\ZXZlbHlu\command.exe
O23 - Service: firefox auto update - Unknown owner - C:\WINDOWS\firefox.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
Close all open windows except for Hijack This and then press the fixed checked button.
You will need to set Windows to show Hidden and Operating System Files to find some of the below files and folders:
To enable hidden files Click Start. Goto MyComputer then c:\drive , select the 'Tools' menu from the top bar and click 'Folder Options'. Select the 'View' Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm then OK
Set this back once you have removed the files by opening the same page and pressing the restore defaults button.
Next Delete these files and folders:
C:\Windows\system32\valuex.exe <-- Delete File
C:\Windows\system32\msoftconfs2.exe <-- Delete File
C:\Windows\system32\msappview32.exe <-- Delete File
C:\Windows\system32\o4ro0e93eh.dll <-- Delete File
c:\gimmygames11.exe <-- Delete File
c:\Windows\winsysupd11.exe <-- Delete File
C:\Windows\firefox.exe <-- Delete File
C:\Program Files\Common Files\VCClient <--Delete Folder
C:\Windows\ZXZlbHlu <--Delete Folder
C:\Program Files\Network Monitor <--Delete Folder
Let us know any that cannot be found
Run Ccleaner again and press 'Run Cleaner' then exit.
Next Open a command prompt screen, Goto Start Menu > Run > and type
cmd
Press OK and then type (or copy and paste) these lines into the cmd screen one at a time and press enter after each one.
sc delete cmdService
sc delete "firefox auto update"
sc delete "Network Monitor"
Then type exit and press enter.
Reboot back to Normal mode and post a new Hijack This log, Ewido's Scan Log, Blacklight's Log & the L2mfix Log
All The Best
Andy
#3 OFFLINE
-
- Members
-
- 15 posts
Member
Posted 27 February 2006 - 12:00 AM
Hi Andy, followed your instructions and these are the results.
1st Blacklight log:
02/26/06 10:27:30 [Info]: BlackLight Engine 1.0.32 initialized
02/26/06 10:27:30 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/26/06 10:27:31 [Note]: 7019 4
02/26/06 10:27:31 [Note]: 7005 0
02/26/06 10:27:35 [Note]: 7006 0
02/26/06 10:27:35 [Note]: 7011 184
02/26/06 10:27:35 [Note]: 7015 692
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1212
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1252
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1736
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: FSRAW library version 1.7.1015
02/26/06 10:27:57 [Note]: 7007 0
1st l2mfix log:
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4607hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{279DE821-F1F2-702F-ABDB-228EFC9A7BAE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=""
"{1250BB45-43F6-4F01-8859-484184CC7617}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed Jan 25 2006 2:10:38p A.... 258,048 252.00 K
ati2dvag.dll Wed Jan 25 2006 2:52:48p A.... 255,488 249.50 K
ati2edxx.dll Wed Jan 25 2006 2:46:50p A.... 41,472 40.50 K
ati2evxx.dll Wed Jan 25 2006 2:46:38p A.... 61,440 60.00 K
ati3duag.dll Wed Jan 25 2006 2:36:50p A.... 2,604,128 2.48 M
atiddc.dll Wed Jan 25 2006 2:44:58p A.... 53,248 52.00 K
atidemgr.dll Wed Jan 25 2006 1:29:40p A.... 282,624 276.00 K
atiiiexx.dll Wed Jan 25 2006 2:28:12p A.... 307,200 300.00 K
atikvmag.dll Wed Jan 25 2006 2:16:50p A.... 151,552 148.00 K
atioglx1.dll Wed Jan 25 2006 2:30:28p A.... 6,684,672 6.38 M
atioglxx.dll Wed Jan 25 2006 2:13:54p A.... 5,115,904 4.88 M
atipdlxx.dll Wed Jan 25 2006 2:47:18p A.... 114,688 112.00 K
atitvo32.dll Wed Jan 25 2006 2:16:08p A.... 17,408 17.00 K
ativvaxx.dll Wed Jan 25 2006 2:30:18p A.... 860,192 840.03 K
d3dx9_28.dll Mon Dec 5 2005 6:09:18p A.... 2,323,664 2.21 M
d3dx9_29.dll Fri Feb 3 2006 8:43:16a A.... 2,332,368 2.22 M
divx.dll Tue Feb 7 2006 6:41:52a A.... 574,976 561.50 K
divxwm~1.dll Sat Jan 21 2006 1:41:30p A.... 12,288 12.00 K
divx_x~1.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~2.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~3.dll Tue Feb 7 2006 6:41:48a A.... 663,552 648.00 K
dpl100.dll Tue Feb 7 2006 6:42:02a A.... 86,016 84.00 K
dpu10.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpu11.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpugui10.dll Sat Jan 21 2006 9:46:10a A.... 53,248 52.00 K
dpugui11.dll Tue Feb 7 2006 6:42:02a A.... 593,920 580.00 K
dpus11.dll Tue Feb 7 2006 6:42:00a A.... 339,968 332.00 K
dpv11.dll Tue Feb 7 2006 6:42:00a A.... 57,344 56.00 K
dtu100.dll Tue Feb 7 2006 6:42:02a A.... 200,704 196.00 K
isafeif.dll Tue Nov 29 2005 11:03:08a A.... 95,784 93.54 K
isafprod.dll Tue Nov 29 2005 11:03:16a A.... 75,304 73.54 K
libdivx.dll Sat Jan 21 2006 9:46:36a A.... 1,044,480 1020.00 K
oemdspif.dll Wed Jan 25 2006 2:47:04p A.... 77,824 76.00 K
pncrt.dll Fri Feb 24 2006 5:10:56a A.... 278,528 272.00 K
pndx5016.dll Fri Feb 24 2006 5:10:58a A.... 6,656 6.50 K
pndx5032.dll Fri Feb 24 2006 5:10:58a A.... 5,632 5.50 K
px.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
pxdrv.dll Mon Dec 5 2005 4:12:26p ..... 405,504 396.00 K
pxmas.dll Mon Dec 5 2005 4:12:26p ..... 172,032 168.00 K
pxwave.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
qt-dx331.dll Sat Jan 21 2006 9:46:12a A.... 3,596,288 3.43 M
rmoc3260.dll Fri Feb 24 2006 5:11:00a A.... 176,167 172.04 K
ssldivx.dll Sat Jan 21 2006 9:46:36a A.... 200,704 196.00 K
unicows.dll Sat Jan 21 2006 9:46:36a A.... 245,408 239.66 K
vetredir.dll Sun Feb 26 2006 10:23:00a A.... 75,304 73.54 K
vxblock.dll Mon Dec 5 2005 4:12:26p ..... 28,672 28.00 K
x3daud~1.dll Fri Feb 3 2006 8:41:26a A.... 14,032 13.70 K
xacten~1.dll Fri Feb 3 2006 8:42:06a A.... 230,096 224.70 K
xinput~1.dll Mon Dec 5 2005 6:07:30p A.... 61,136 59.70 K
49 items found: 49 files, 0 directories.
Total of file sizes: 33,465,295 bytes 31.91 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri Feb 24 2006 7:43:48p A.... 0 0.00 K
guard.tmp Sun Feb 26 2006 10:25:52a ..S.R 233,585 228.11 K
2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 233,585 bytes 228.11 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2870-ED9A
Directory of C:\WINDOWS\System32
02/26/2006 10:25 AM 233,585 guard.tmp
02/24/2006 01:08 PM <DIR> dllcache
02/24/2006 12:18 AM <DIR> Microsoft
04/06/2001 04:43 AM 94,208 msstkprp.dll
03/22/2001 07:34 AM 244,232 Msflxgrd.ocx
3 File(s) 572,025 bytes
2 Dir(s) 20,827,156,480 bytes free
1st Ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:05:53 AM, 2/27/2006
+ Report-Checksum: 527DD686
+ Scan result:
C:\Documents and Settings\Evelyn\Cookies\evelyn@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Evelyn\Cookies\evelyn@e-2dj6wflysnczmlq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\WINDOWS\gimmygames11.exe -> Downloader.Adload.u : Cleaned with backup
C:\WINDOWS\system32\TFTP556 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\valuex.exe -> Backdoor.Rbot : Cleaned with backup
::Report End
When deleting the files and folders, I could only find C:\Windows\ZXZlbHlu. The rest were not there.
In command prompt, I managed to delete "firefox auto update" and "Network Monitor". However, when I tried to delete cmdService, the message that came up was " OpenService FAILED 1060. The specified device does not exist as an installed service."
After rebooting to Normal mode, here are my new logs:
Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 10:21:00 AM, on 2/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\wmisp.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\autodown.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78821361-90B5-42A9-80D1-DDEE97F88931}: NameServer = 203.50.2.71 139.130.4.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\jt4607hse.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvsvc32.exe - Unknown owner - C:\WINDOWS\wmisp.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
Ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:56:31 AM, 2/27/2006
+ Report-Checksum: 8C2E74F7
+ Scan result:
No infected objects found.
::Report End
Blacklight log:
02/27/06 10:57:03 [Info]: BlackLight Engine 1.0.32 initialized
02/27/06 10:57:03 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/27/06 10:57:03 [Note]: 7019 4
02/27/06 10:57:03 [Note]: 7005 0
02/27/06 10:57:06 [Note]: 7006 0
02/27/06 10:57:06 [Note]: 7011 488
02/27/06 10:57:06 [Note]: 7015 696
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1220
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1252
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1748
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:07 [Note]: FSRAW library version 1.7.1015
02/27/06 10:57:36 [Note]: 7007 0
L2mfix log:
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4607hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{279DE821-F1F2-702F-ABDB-228EFC9A7BAE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=""
"{1250BB45-43F6-4F01-8859-484184CC7617}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed Jan 25 2006 2:10:38p A.... 258,048 252.00 K
ati2dvag.dll Wed Jan 25 2006 2:52:48p A.... 255,488 249.50 K
ati2edxx.dll Wed Jan 25 2006 2:46:50p A.... 41,472 40.50 K
ati2evxx.dll Wed Jan 25 2006 2:46:38p A.... 61,440 60.00 K
ati3duag.dll Wed Jan 25 2006 2:36:50p A.... 2,604,128 2.48 M
atiddc.dll Wed Jan 25 2006 2:44:58p A.... 53,248 52.00 K
atidemgr.dll Wed Jan 25 2006 1:29:40p A.... 282,624 276.00 K
atiiiexx.dll Wed Jan 25 2006 2:28:12p A.... 307,200 300.00 K
atikvmag.dll Wed Jan 25 2006 2:16:50p A.... 151,552 148.00 K
atioglx1.dll Wed Jan 25 2006 2:30:28p A.... 6,684,672 6.38 M
atioglxx.dll Wed Jan 25 2006 2:13:54p A.... 5,115,904 4.88 M
atipdlxx.dll Wed Jan 25 2006 2:47:18p A.... 114,688 112.00 K
atitvo32.dll Wed Jan 25 2006 2:16:08p A.... 17,408 17.00 K
ativvaxx.dll Wed Jan 25 2006 2:30:18p A.... 860,192 840.03 K
d3dx9_28.dll Mon Dec 5 2005 6:09:18p A.... 2,323,664 2.21 M
d3dx9_29.dll Fri Feb 3 2006 8:43:16a A.... 2,332,368 2.22 M
divx.dll Tue Feb 7 2006 6:41:52a A.... 574,976 561.50 K
divxwm~1.dll Sat Jan 21 2006 1:41:30p A.... 12,288 12.00 K
divx_x~1.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~2.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~3.dll Tue Feb 7 2006 6:41:48a A.... 663,552 648.00 K
dpl100.dll Tue Feb 7 2006 6:42:02a A.... 86,016 84.00 K
dpu10.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpu11.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpugui10.dll Sat Jan 21 2006 9:46:10a A.... 53,248 52.00 K
dpugui11.dll Tue Feb 7 2006 6:42:02a A.... 593,920 580.00 K
dpus11.dll Tue Feb 7 2006 6:42:00a A.... 339,968 332.00 K
dpv11.dll Tue Feb 7 2006 6:42:00a A.... 57,344 56.00 K
dtu100.dll Tue Feb 7 2006 6:42:02a A.... 200,704 196.00 K
isafeif.dll Tue Nov 29 2005 11:03:08a A.... 95,784 93.54 K
isafprod.dll Tue Nov 29 2005 11:03:16a A.... 75,304 73.54 K
libdivx.dll Sat Jan 21 2006 9:46:36a A.... 1,044,480 1020.00 K
oemdspif.dll Wed Jan 25 2006 2:47:04p A.... 77,824 76.00 K
pncrt.dll Fri Feb 24 2006 5:10:56a A.... 278,528 272.00 K
pndx5016.dll Fri Feb 24 2006 5:10:58a A.... 6,656 6.50 K
pndx5032.dll Fri Feb 24 2006 5:10:58a A.... 5,632 5.50 K
px.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
pxdrv.dll Mon Dec 5 2005 4:12:26p ..... 405,504 396.00 K
pxmas.dll Mon Dec 5 2005 4:12:26p ..... 172,032 168.00 K
pxwave.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
qt-dx331.dll Sat Jan 21 2006 9:46:12a A.... 3,596,288 3.43 M
rmoc3260.dll Fri Feb 24 2006 5:11:00a A.... 176,167 172.04 K
ssldivx.dll Sat Jan 21 2006 9:46:36a A.... 200,704 196.00 K
unicows.dll Sat Jan 21 2006 9:46:36a A.... 245,408 239.66 K
vetredir.dll Sun Feb 26 2006 10:23:00a A.... 75,304 73.54 K
vxblock.dll Mon Dec 5 2005 4:12:26p ..... 28,672 28.00 K
x3daud~1.dll Fri Feb 3 2006 8:41:26a A.... 14,032 13.70 K
xacten~1.dll Fri Feb 3 2006 8:42:06a A.... 230,096 224.70 K
xinput~1.dll Mon Dec 5 2005 6:07:30p A.... 61,136 59.70 K
49 items found: 49 files, 0 directories.
Total of file sizes: 33,465,295 bytes 31.91 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri Feb 24 2006 7:43:48p A.... 0 0.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 0 bytes 0.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2870-ED9A
Directory of C:\WINDOWS\System32
02/24/2006 01:08 PM <DIR> dllcache
02/24/2006 12:18 AM <DIR> Microsoft
04/06/2001 04:43 AM 94,208 msstkprp.dll
03/22/2001 07:34 AM 244,232 Msflxgrd.ocx
2 File(s) 338,440 bytes
2 Dir(s) 20,302,340,096 bytes free
Looks like my problem has been solved since I don't have any more popups...
1st Blacklight log:
02/26/06 10:27:30 [Info]: BlackLight Engine 1.0.32 initialized
02/26/06 10:27:30 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/26/06 10:27:31 [Note]: 7019 4
02/26/06 10:27:31 [Note]: 7005 0
02/26/06 10:27:35 [Note]: 7006 0
02/26/06 10:27:35 [Note]: 7011 184
02/26/06 10:27:35 [Note]: 7015 692
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1212
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1252
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1736
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: FSRAW library version 1.7.1015
02/26/06 10:27:57 [Note]: 7007 0
1st l2mfix log:
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4607hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{279DE821-F1F2-702F-ABDB-228EFC9A7BAE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=""
"{1250BB45-43F6-4F01-8859-484184CC7617}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed Jan 25 2006 2:10:38p A.... 258,048 252.00 K
ati2dvag.dll Wed Jan 25 2006 2:52:48p A.... 255,488 249.50 K
ati2edxx.dll Wed Jan 25 2006 2:46:50p A.... 41,472 40.50 K
ati2evxx.dll Wed Jan 25 2006 2:46:38p A.... 61,440 60.00 K
ati3duag.dll Wed Jan 25 2006 2:36:50p A.... 2,604,128 2.48 M
atiddc.dll Wed Jan 25 2006 2:44:58p A.... 53,248 52.00 K
atidemgr.dll Wed Jan 25 2006 1:29:40p A.... 282,624 276.00 K
atiiiexx.dll Wed Jan 25 2006 2:28:12p A.... 307,200 300.00 K
atikvmag.dll Wed Jan 25 2006 2:16:50p A.... 151,552 148.00 K
atioglx1.dll Wed Jan 25 2006 2:30:28p A.... 6,684,672 6.38 M
atioglxx.dll Wed Jan 25 2006 2:13:54p A.... 5,115,904 4.88 M
atipdlxx.dll Wed Jan 25 2006 2:47:18p A.... 114,688 112.00 K
atitvo32.dll Wed Jan 25 2006 2:16:08p A.... 17,408 17.00 K
ativvaxx.dll Wed Jan 25 2006 2:30:18p A.... 860,192 840.03 K
d3dx9_28.dll Mon Dec 5 2005 6:09:18p A.... 2,323,664 2.21 M
d3dx9_29.dll Fri Feb 3 2006 8:43:16a A.... 2,332,368 2.22 M
divx.dll Tue Feb 7 2006 6:41:52a A.... 574,976 561.50 K
divxwm~1.dll Sat Jan 21 2006 1:41:30p A.... 12,288 12.00 K
divx_x~1.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~2.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~3.dll Tue Feb 7 2006 6:41:48a A.... 663,552 648.00 K
dpl100.dll Tue Feb 7 2006 6:42:02a A.... 86,016 84.00 K
dpu10.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpu11.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpugui10.dll Sat Jan 21 2006 9:46:10a A.... 53,248 52.00 K
dpugui11.dll Tue Feb 7 2006 6:42:02a A.... 593,920 580.00 K
dpus11.dll Tue Feb 7 2006 6:42:00a A.... 339,968 332.00 K
dpv11.dll Tue Feb 7 2006 6:42:00a A.... 57,344 56.00 K
dtu100.dll Tue Feb 7 2006 6:42:02a A.... 200,704 196.00 K
isafeif.dll Tue Nov 29 2005 11:03:08a A.... 95,784 93.54 K
isafprod.dll Tue Nov 29 2005 11:03:16a A.... 75,304 73.54 K
libdivx.dll Sat Jan 21 2006 9:46:36a A.... 1,044,480 1020.00 K
oemdspif.dll Wed Jan 25 2006 2:47:04p A.... 77,824 76.00 K
pncrt.dll Fri Feb 24 2006 5:10:56a A.... 278,528 272.00 K
pndx5016.dll Fri Feb 24 2006 5:10:58a A.... 6,656 6.50 K
pndx5032.dll Fri Feb 24 2006 5:10:58a A.... 5,632 5.50 K
px.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
pxdrv.dll Mon Dec 5 2005 4:12:26p ..... 405,504 396.00 K
pxmas.dll Mon Dec 5 2005 4:12:26p ..... 172,032 168.00 K
pxwave.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
qt-dx331.dll Sat Jan 21 2006 9:46:12a A.... 3,596,288 3.43 M
rmoc3260.dll Fri Feb 24 2006 5:11:00a A.... 176,167 172.04 K
ssldivx.dll Sat Jan 21 2006 9:46:36a A.... 200,704 196.00 K
unicows.dll Sat Jan 21 2006 9:46:36a A.... 245,408 239.66 K
vetredir.dll Sun Feb 26 2006 10:23:00a A.... 75,304 73.54 K
vxblock.dll Mon Dec 5 2005 4:12:26p ..... 28,672 28.00 K
x3daud~1.dll Fri Feb 3 2006 8:41:26a A.... 14,032 13.70 K
xacten~1.dll Fri Feb 3 2006 8:42:06a A.... 230,096 224.70 K
xinput~1.dll Mon Dec 5 2005 6:07:30p A.... 61,136 59.70 K
49 items found: 49 files, 0 directories.
Total of file sizes: 33,465,295 bytes 31.91 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri Feb 24 2006 7:43:48p A.... 0 0.00 K
guard.tmp Sun Feb 26 2006 10:25:52a ..S.R 233,585 228.11 K
2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 233,585 bytes 228.11 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2870-ED9A
Directory of C:\WINDOWS\System32
02/26/2006 10:25 AM 233,585 guard.tmp
02/24/2006 01:08 PM <DIR> dllcache
02/24/2006 12:18 AM <DIR> Microsoft
04/06/2001 04:43 AM 94,208 msstkprp.dll
03/22/2001 07:34 AM 244,232 Msflxgrd.ocx
3 File(s) 572,025 bytes
2 Dir(s) 20,827,156,480 bytes free
1st Ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:05:53 AM, 2/27/2006
+ Report-Checksum: 527DD686
+ Scan result:
C:\Documents and Settings\Evelyn\Cookies\evelyn@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Evelyn\Cookies\evelyn@e-2dj6wflysnczmlq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\WINDOWS\gimmygames11.exe -> Downloader.Adload.u : Cleaned with backup
C:\WINDOWS\system32\TFTP556 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\valuex.exe -> Backdoor.Rbot : Cleaned with backup
::Report End
When deleting the files and folders, I could only find C:\Windows\ZXZlbHlu. The rest were not there.
In command prompt, I managed to delete "firefox auto update" and "Network Monitor". However, when I tried to delete cmdService, the message that came up was " OpenService FAILED 1060. The specified device does not exist as an installed service."
After rebooting to Normal mode, here are my new logs:
Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 10:21:00 AM, on 2/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\wmisp.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\autodown.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78821361-90B5-42A9-80D1-DDEE97F88931}: NameServer = 203.50.2.71 139.130.4.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\jt4607hse.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvsvc32.exe - Unknown owner - C:\WINDOWS\wmisp.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
Ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:56:31 AM, 2/27/2006
+ Report-Checksum: 8C2E74F7
+ Scan result:
No infected objects found.
::Report End
Blacklight log:
02/27/06 10:57:03 [Info]: BlackLight Engine 1.0.32 initialized
02/27/06 10:57:03 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/27/06 10:57:03 [Note]: 7019 4
02/27/06 10:57:03 [Note]: 7005 0
02/27/06 10:57:06 [Note]: 7006 0
02/27/06 10:57:06 [Note]: 7011 488
02/27/06 10:57:06 [Note]: 7015 696
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1220
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1252
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1748
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:07 [Note]: FSRAW library version 1.7.1015
02/27/06 10:57:36 [Note]: 7007 0
L2mfix log:
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4607hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{279DE821-F1F2-702F-ABDB-228EFC9A7BAE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=""
"{1250BB45-43F6-4F01-8859-484184CC7617}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed Jan 25 2006 2:10:38p A.... 258,048 252.00 K
ati2dvag.dll Wed Jan 25 2006 2:52:48p A.... 255,488 249.50 K
ati2edxx.dll Wed Jan 25 2006 2:46:50p A.... 41,472 40.50 K
ati2evxx.dll Wed Jan 25 2006 2:46:38p A.... 61,440 60.00 K
ati3duag.dll Wed Jan 25 2006 2:36:50p A.... 2,604,128 2.48 M
atiddc.dll Wed Jan 25 2006 2:44:58p A.... 53,248 52.00 K
atidemgr.dll Wed Jan 25 2006 1:29:40p A.... 282,624 276.00 K
atiiiexx.dll Wed Jan 25 2006 2:28:12p A.... 307,200 300.00 K
atikvmag.dll Wed Jan 25 2006 2:16:50p A.... 151,552 148.00 K
atioglx1.dll Wed Jan 25 2006 2:30:28p A.... 6,684,672 6.38 M
atioglxx.dll Wed Jan 25 2006 2:13:54p A.... 5,115,904 4.88 M
atipdlxx.dll Wed Jan 25 2006 2:47:18p A.... 114,688 112.00 K
atitvo32.dll Wed Jan 25 2006 2:16:08p A.... 17,408 17.00 K
ativvaxx.dll Wed Jan 25 2006 2:30:18p A.... 860,192 840.03 K
d3dx9_28.dll Mon Dec 5 2005 6:09:18p A.... 2,323,664 2.21 M
d3dx9_29.dll Fri Feb 3 2006 8:43:16a A.... 2,332,368 2.22 M
divx.dll Tue Feb 7 2006 6:41:52a A.... 574,976 561.50 K
divxwm~1.dll Sat Jan 21 2006 1:41:30p A.... 12,288 12.00 K
divx_x~1.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~2.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~3.dll Tue Feb 7 2006 6:41:48a A.... 663,552 648.00 K
dpl100.dll Tue Feb 7 2006 6:42:02a A.... 86,016 84.00 K
dpu10.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpu11.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpugui10.dll Sat Jan 21 2006 9:46:10a A.... 53,248 52.00 K
dpugui11.dll Tue Feb 7 2006 6:42:02a A.... 593,920 580.00 K
dpus11.dll Tue Feb 7 2006 6:42:00a A.... 339,968 332.00 K
dpv11.dll Tue Feb 7 2006 6:42:00a A.... 57,344 56.00 K
dtu100.dll Tue Feb 7 2006 6:42:02a A.... 200,704 196.00 K
isafeif.dll Tue Nov 29 2005 11:03:08a A.... 95,784 93.54 K
isafprod.dll Tue Nov 29 2005 11:03:16a A.... 75,304 73.54 K
libdivx.dll Sat Jan 21 2006 9:46:36a A.... 1,044,480 1020.00 K
oemdspif.dll Wed Jan 25 2006 2:47:04p A.... 77,824 76.00 K
pncrt.dll Fri Feb 24 2006 5:10:56a A.... 278,528 272.00 K
pndx5016.dll Fri Feb 24 2006 5:10:58a A.... 6,656 6.50 K
pndx5032.dll Fri Feb 24 2006 5:10:58a A.... 5,632 5.50 K
px.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
pxdrv.dll Mon Dec 5 2005 4:12:26p ..... 405,504 396.00 K
pxmas.dll Mon Dec 5 2005 4:12:26p ..... 172,032 168.00 K
pxwave.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
qt-dx331.dll Sat Jan 21 2006 9:46:12a A.... 3,596,288 3.43 M
rmoc3260.dll Fri Feb 24 2006 5:11:00a A.... 176,167 172.04 K
ssldivx.dll Sat Jan 21 2006 9:46:36a A.... 200,704 196.00 K
unicows.dll Sat Jan 21 2006 9:46:36a A.... 245,408 239.66 K
vetredir.dll Sun Feb 26 2006 10:23:00a A.... 75,304 73.54 K
vxblock.dll Mon Dec 5 2005 4:12:26p ..... 28,672 28.00 K
x3daud~1.dll Fri Feb 3 2006 8:41:26a A.... 14,032 13.70 K
xacten~1.dll Fri Feb 3 2006 8:42:06a A.... 230,096 224.70 K
xinput~1.dll Mon Dec 5 2005 6:07:30p A.... 61,136 59.70 K
49 items found: 49 files, 0 directories.
Total of file sizes: 33,465,295 bytes 31.91 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri Feb 24 2006 7:43:48p A.... 0 0.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 0 bytes 0.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2870-ED9A
Directory of C:\WINDOWS\System32
02/24/2006 01:08 PM <DIR> dllcache
02/24/2006 12:18 AM <DIR> Microsoft
04/06/2001 04:43 AM 94,208 msstkprp.dll
03/22/2001 07:34 AM 244,232 Msflxgrd.ocx
2 File(s) 338,440 bytes
2 Dir(s) 20,302,340,096 bytes free
Looks like my problem has been solved since I don't have any more popups...
#4 OFFLINE
-
- Members
-
- 15 posts
Member
Posted 27 February 2006 - 12:00 AM
Hi Andy, followed your instructions and these are the results.
1st Blacklight log:
02/26/06 10:27:30 [Info]: BlackLight Engine 1.0.32 initialized
02/26/06 10:27:30 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/26/06 10:27:31 [Note]: 7019 4
02/26/06 10:27:31 [Note]: 7005 0
02/26/06 10:27:35 [Note]: 7006 0
02/26/06 10:27:35 [Note]: 7011 184
02/26/06 10:27:35 [Note]: 7015 692
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1212
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1252
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1736
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: FSRAW library version 1.7.1015
02/26/06 10:27:57 [Note]: 7007 0
1st l2mfix log:
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4607hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{279DE821-F1F2-702F-ABDB-228EFC9A7BAE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=""
"{1250BB45-43F6-4F01-8859-484184CC7617}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed Jan 25 2006 2:10:38p A.... 258,048 252.00 K
ati2dvag.dll Wed Jan 25 2006 2:52:48p A.... 255,488 249.50 K
ati2edxx.dll Wed Jan 25 2006 2:46:50p A.... 41,472 40.50 K
ati2evxx.dll Wed Jan 25 2006 2:46:38p A.... 61,440 60.00 K
ati3duag.dll Wed Jan 25 2006 2:36:50p A.... 2,604,128 2.48 M
atiddc.dll Wed Jan 25 2006 2:44:58p A.... 53,248 52.00 K
atidemgr.dll Wed Jan 25 2006 1:29:40p A.... 282,624 276.00 K
atiiiexx.dll Wed Jan 25 2006 2:28:12p A.... 307,200 300.00 K
atikvmag.dll Wed Jan 25 2006 2:16:50p A.... 151,552 148.00 K
atioglx1.dll Wed Jan 25 2006 2:30:28p A.... 6,684,672 6.38 M
atioglxx.dll Wed Jan 25 2006 2:13:54p A.... 5,115,904 4.88 M
atipdlxx.dll Wed Jan 25 2006 2:47:18p A.... 114,688 112.00 K
atitvo32.dll Wed Jan 25 2006 2:16:08p A.... 17,408 17.00 K
ativvaxx.dll Wed Jan 25 2006 2:30:18p A.... 860,192 840.03 K
d3dx9_28.dll Mon Dec 5 2005 6:09:18p A.... 2,323,664 2.21 M
d3dx9_29.dll Fri Feb 3 2006 8:43:16a A.... 2,332,368 2.22 M
divx.dll Tue Feb 7 2006 6:41:52a A.... 574,976 561.50 K
divxwm~1.dll Sat Jan 21 2006 1:41:30p A.... 12,288 12.00 K
divx_x~1.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~2.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~3.dll Tue Feb 7 2006 6:41:48a A.... 663,552 648.00 K
dpl100.dll Tue Feb 7 2006 6:42:02a A.... 86,016 84.00 K
dpu10.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpu11.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpugui10.dll Sat Jan 21 2006 9:46:10a A.... 53,248 52.00 K
dpugui11.dll Tue Feb 7 2006 6:42:02a A.... 593,920 580.00 K
dpus11.dll Tue Feb 7 2006 6:42:00a A.... 339,968 332.00 K
dpv11.dll Tue Feb 7 2006 6:42:00a A.... 57,344 56.00 K
dtu100.dll Tue Feb 7 2006 6:42:02a A.... 200,704 196.00 K
isafeif.dll Tue Nov 29 2005 11:03:08a A.... 95,784 93.54 K
isafprod.dll Tue Nov 29 2005 11:03:16a A.... 75,304 73.54 K
libdivx.dll Sat Jan 21 2006 9:46:36a A.... 1,044,480 1020.00 K
oemdspif.dll Wed Jan 25 2006 2:47:04p A.... 77,824 76.00 K
pncrt.dll Fri Feb 24 2006 5:10:56a A.... 278,528 272.00 K
pndx5016.dll Fri Feb 24 2006 5:10:58a A.... 6,656 6.50 K
pndx5032.dll Fri Feb 24 2006 5:10:58a A.... 5,632 5.50 K
px.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
pxdrv.dll Mon Dec 5 2005 4:12:26p ..... 405,504 396.00 K
pxmas.dll Mon Dec 5 2005 4:12:26p ..... 172,032 168.00 K
pxwave.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
qt-dx331.dll Sat Jan 21 2006 9:46:12a A.... 3,596,288 3.43 M
rmoc3260.dll Fri Feb 24 2006 5:11:00a A.... 176,167 172.04 K
ssldivx.dll Sat Jan 21 2006 9:46:36a A.... 200,704 196.00 K
unicows.dll Sat Jan 21 2006 9:46:36a A.... 245,408 239.66 K
vetredir.dll Sun Feb 26 2006 10:23:00a A.... 75,304 73.54 K
vxblock.dll Mon Dec 5 2005 4:12:26p ..... 28,672 28.00 K
x3daud~1.dll Fri Feb 3 2006 8:41:26a A.... 14,032 13.70 K
xacten~1.dll Fri Feb 3 2006 8:42:06a A.... 230,096 224.70 K
xinput~1.dll Mon Dec 5 2005 6:07:30p A.... 61,136 59.70 K
49 items found: 49 files, 0 directories.
Total of file sizes: 33,465,295 bytes 31.91 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri Feb 24 2006 7:43:48p A.... 0 0.00 K
guard.tmp Sun Feb 26 2006 10:25:52a ..S.R 233,585 228.11 K
2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 233,585 bytes 228.11 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2870-ED9A
Directory of C:\WINDOWS\System32
02/26/2006 10:25 AM 233,585 guard.tmp
02/24/2006 01:08 PM <DIR> dllcache
02/24/2006 12:18 AM <DIR> Microsoft
04/06/2001 04:43 AM 94,208 msstkprp.dll
03/22/2001 07:34 AM 244,232 Msflxgrd.ocx
3 File(s) 572,025 bytes
2 Dir(s) 20,827,156,480 bytes free
1st Ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:05:53 AM, 2/27/2006
+ Report-Checksum: 527DD686
+ Scan result:
C:\Documents and Settings\Evelyn\Cookies\evelyn@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Evelyn\Cookies\evelyn@e-2dj6wflysnczmlq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\WINDOWS\gimmygames11.exe -> Downloader.Adload.u : Cleaned with backup
C:\WINDOWS\system32\TFTP556 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\valuex.exe -> Backdoor.Rbot : Cleaned with backup
::Report End
When deleting the files and folders, I could only find C:\Windows\ZXZlbHlu. The rest were not there.
In command prompt, I managed to delete "firefox auto update" and "Network Monitor". However, when I tried to delete cmdService, the message that came up was " OpenService FAILED 1060. The specified device does not exist as an installed service."
After rebooting to Normal mode, here are my new logs:
Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 10:21:00 AM, on 2/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\wmisp.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\autodown.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78821361-90B5-42A9-80D1-DDEE97F88931}: NameServer = 203.50.2.71 139.130.4.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\jt4607hse.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvsvc32.exe - Unknown owner - C:\WINDOWS\wmisp.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
Ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:56:31 AM, 2/27/2006
+ Report-Checksum: 8C2E74F7
+ Scan result:
No infected objects found.
::Report End
Blacklight log:
02/27/06 10:57:03 [Info]: BlackLight Engine 1.0.32 initialized
02/27/06 10:57:03 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/27/06 10:57:03 [Note]: 7019 4
02/27/06 10:57:03 [Note]: 7005 0
02/27/06 10:57:06 [Note]: 7006 0
02/27/06 10:57:06 [Note]: 7011 488
02/27/06 10:57:06 [Note]: 7015 696
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1220
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1252
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1748
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:07 [Note]: FSRAW library version 1.7.1015
02/27/06 10:57:36 [Note]: 7007 0
L2mfix log:
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4607hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{279DE821-F1F2-702F-ABDB-228EFC9A7BAE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=""
"{1250BB45-43F6-4F01-8859-484184CC7617}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed Jan 25 2006 2:10:38p A.... 258,048 252.00 K
ati2dvag.dll Wed Jan 25 2006 2:52:48p A.... 255,488 249.50 K
ati2edxx.dll Wed Jan 25 2006 2:46:50p A.... 41,472 40.50 K
ati2evxx.dll Wed Jan 25 2006 2:46:38p A.... 61,440 60.00 K
ati3duag.dll Wed Jan 25 2006 2:36:50p A.... 2,604,128 2.48 M
atiddc.dll Wed Jan 25 2006 2:44:58p A.... 53,248 52.00 K
atidemgr.dll Wed Jan 25 2006 1:29:40p A.... 282,624 276.00 K
atiiiexx.dll Wed Jan 25 2006 2:28:12p A.... 307,200 300.00 K
atikvmag.dll Wed Jan 25 2006 2:16:50p A.... 151,552 148.00 K
atioglx1.dll Wed Jan 25 2006 2:30:28p A.... 6,684,672 6.38 M
atioglxx.dll Wed Jan 25 2006 2:13:54p A.... 5,115,904 4.88 M
atipdlxx.dll Wed Jan 25 2006 2:47:18p A.... 114,688 112.00 K
atitvo32.dll Wed Jan 25 2006 2:16:08p A.... 17,408 17.00 K
ativvaxx.dll Wed Jan 25 2006 2:30:18p A.... 860,192 840.03 K
d3dx9_28.dll Mon Dec 5 2005 6:09:18p A.... 2,323,664 2.21 M
d3dx9_29.dll Fri Feb 3 2006 8:43:16a A.... 2,332,368 2.22 M
divx.dll Tue Feb 7 2006 6:41:52a A.... 574,976 561.50 K
divxwm~1.dll Sat Jan 21 2006 1:41:30p A.... 12,288 12.00 K
divx_x~1.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~2.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~3.dll Tue Feb 7 2006 6:41:48a A.... 663,552 648.00 K
dpl100.dll Tue Feb 7 2006 6:42:02a A.... 86,016 84.00 K
dpu10.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpu11.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpugui10.dll Sat Jan 21 2006 9:46:10a A.... 53,248 52.00 K
dpugui11.dll Tue Feb 7 2006 6:42:02a A.... 593,920 580.00 K
dpus11.dll Tue Feb 7 2006 6:42:00a A.... 339,968 332.00 K
dpv11.dll Tue Feb 7 2006 6:42:00a A.... 57,344 56.00 K
dtu100.dll Tue Feb 7 2006 6:42:02a A.... 200,704 196.00 K
isafeif.dll Tue Nov 29 2005 11:03:08a A.... 95,784 93.54 K
isafprod.dll Tue Nov 29 2005 11:03:16a A.... 75,304
1st Blacklight log:
02/26/06 10:27:30 [Info]: BlackLight Engine 1.0.32 initialized
02/26/06 10:27:30 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/26/06 10:27:31 [Note]: 7019 4
02/26/06 10:27:31 [Note]: 7005 0
02/26/06 10:27:35 [Note]: 7006 0
02/26/06 10:27:35 [Note]: 7011 184
02/26/06 10:27:35 [Note]: 7015 692
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1212
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1252
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: 7015 1736
02/26/06 10:27:35 [Note]: 7015 5
02/26/06 10:27:35 [Note]: FSRAW library version 1.7.1015
02/26/06 10:27:57 [Note]: 7007 0
1st l2mfix log:
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4607hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{279DE821-F1F2-702F-ABDB-228EFC9A7BAE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=""
"{1250BB45-43F6-4F01-8859-484184CC7617}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed Jan 25 2006 2:10:38p A.... 258,048 252.00 K
ati2dvag.dll Wed Jan 25 2006 2:52:48p A.... 255,488 249.50 K
ati2edxx.dll Wed Jan 25 2006 2:46:50p A.... 41,472 40.50 K
ati2evxx.dll Wed Jan 25 2006 2:46:38p A.... 61,440 60.00 K
ati3duag.dll Wed Jan 25 2006 2:36:50p A.... 2,604,128 2.48 M
atiddc.dll Wed Jan 25 2006 2:44:58p A.... 53,248 52.00 K
atidemgr.dll Wed Jan 25 2006 1:29:40p A.... 282,624 276.00 K
atiiiexx.dll Wed Jan 25 2006 2:28:12p A.... 307,200 300.00 K
atikvmag.dll Wed Jan 25 2006 2:16:50p A.... 151,552 148.00 K
atioglx1.dll Wed Jan 25 2006 2:30:28p A.... 6,684,672 6.38 M
atioglxx.dll Wed Jan 25 2006 2:13:54p A.... 5,115,904 4.88 M
atipdlxx.dll Wed Jan 25 2006 2:47:18p A.... 114,688 112.00 K
atitvo32.dll Wed Jan 25 2006 2:16:08p A.... 17,408 17.00 K
ativvaxx.dll Wed Jan 25 2006 2:30:18p A.... 860,192 840.03 K
d3dx9_28.dll Mon Dec 5 2005 6:09:18p A.... 2,323,664 2.21 M
d3dx9_29.dll Fri Feb 3 2006 8:43:16a A.... 2,332,368 2.22 M
divx.dll Tue Feb 7 2006 6:41:52a A.... 574,976 561.50 K
divxwm~1.dll Sat Jan 21 2006 1:41:30p A.... 12,288 12.00 K
divx_x~1.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~2.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~3.dll Tue Feb 7 2006 6:41:48a A.... 663,552 648.00 K
dpl100.dll Tue Feb 7 2006 6:42:02a A.... 86,016 84.00 K
dpu10.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpu11.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpugui10.dll Sat Jan 21 2006 9:46:10a A.... 53,248 52.00 K
dpugui11.dll Tue Feb 7 2006 6:42:02a A.... 593,920 580.00 K
dpus11.dll Tue Feb 7 2006 6:42:00a A.... 339,968 332.00 K
dpv11.dll Tue Feb 7 2006 6:42:00a A.... 57,344 56.00 K
dtu100.dll Tue Feb 7 2006 6:42:02a A.... 200,704 196.00 K
isafeif.dll Tue Nov 29 2005 11:03:08a A.... 95,784 93.54 K
isafprod.dll Tue Nov 29 2005 11:03:16a A.... 75,304 73.54 K
libdivx.dll Sat Jan 21 2006 9:46:36a A.... 1,044,480 1020.00 K
oemdspif.dll Wed Jan 25 2006 2:47:04p A.... 77,824 76.00 K
pncrt.dll Fri Feb 24 2006 5:10:56a A.... 278,528 272.00 K
pndx5016.dll Fri Feb 24 2006 5:10:58a A.... 6,656 6.50 K
pndx5032.dll Fri Feb 24 2006 5:10:58a A.... 5,632 5.50 K
px.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
pxdrv.dll Mon Dec 5 2005 4:12:26p ..... 405,504 396.00 K
pxmas.dll Mon Dec 5 2005 4:12:26p ..... 172,032 168.00 K
pxwave.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
qt-dx331.dll Sat Jan 21 2006 9:46:12a A.... 3,596,288 3.43 M
rmoc3260.dll Fri Feb 24 2006 5:11:00a A.... 176,167 172.04 K
ssldivx.dll Sat Jan 21 2006 9:46:36a A.... 200,704 196.00 K
unicows.dll Sat Jan 21 2006 9:46:36a A.... 245,408 239.66 K
vetredir.dll Sun Feb 26 2006 10:23:00a A.... 75,304 73.54 K
vxblock.dll Mon Dec 5 2005 4:12:26p ..... 28,672 28.00 K
x3daud~1.dll Fri Feb 3 2006 8:41:26a A.... 14,032 13.70 K
xacten~1.dll Fri Feb 3 2006 8:42:06a A.... 230,096 224.70 K
xinput~1.dll Mon Dec 5 2005 6:07:30p A.... 61,136 59.70 K
49 items found: 49 files, 0 directories.
Total of file sizes: 33,465,295 bytes 31.91 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Fri Feb 24 2006 7:43:48p A.... 0 0.00 K
guard.tmp Sun Feb 26 2006 10:25:52a ..S.R 233,585 228.11 K
2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 233,585 bytes 228.11 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2870-ED9A
Directory of C:\WINDOWS\System32
02/26/2006 10:25 AM 233,585 guard.tmp
02/24/2006 01:08 PM <DIR> dllcache
02/24/2006 12:18 AM <DIR> Microsoft
04/06/2001 04:43 AM 94,208 msstkprp.dll
03/22/2001 07:34 AM 244,232 Msflxgrd.ocx
3 File(s) 572,025 bytes
2 Dir(s) 20,827,156,480 bytes free
1st Ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:05:53 AM, 2/27/2006
+ Report-Checksum: 527DD686
+ Scan result:
C:\Documents and Settings\Evelyn\Cookies\evelyn@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Evelyn\Cookies\evelyn@e-2dj6wflysnczmlq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\WINDOWS\gimmygames11.exe -> Downloader.Adload.u : Cleaned with backup
C:\WINDOWS\system32\TFTP556 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\valuex.exe -> Backdoor.Rbot : Cleaned with backup
::Report End
When deleting the files and folders, I could only find C:\Windows\ZXZlbHlu. The rest were not there.
In command prompt, I managed to delete "firefox auto update" and "Network Monitor". However, when I tried to delete cmdService, the message that came up was " OpenService FAILED 1060. The specified device does not exist as an installed service."
After rebooting to Normal mode, here are my new logs:
Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 10:21:00 AM, on 2/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\wmisp.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\autodown.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78821361-90B5-42A9-80D1-DDEE97F88931}: NameServer = 203.50.2.71 139.130.4.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\jt4607hse.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvsvc32.exe - Unknown owner - C:\WINDOWS\wmisp.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
Ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:56:31 AM, 2/27/2006
+ Report-Checksum: 8C2E74F7
+ Scan result:
No infected objects found.
::Report End
Blacklight log:
02/27/06 10:57:03 [Info]: BlackLight Engine 1.0.32 initialized
02/27/06 10:57:03 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/27/06 10:57:03 [Note]: 7019 4
02/27/06 10:57:03 [Note]: 7005 0
02/27/06 10:57:06 [Note]: 7006 0
02/27/06 10:57:06 [Note]: 7011 488
02/27/06 10:57:06 [Note]: 7015 696
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1220
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1252
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:06 [Note]: 7015 1748
02/27/06 10:57:06 [Note]: 7015 5
02/27/06 10:57:07 [Note]: FSRAW library version 1.7.1015
02/27/06 10:57:36 [Note]: 7007 0
L2mfix log:
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4607hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{279DE821-F1F2-702F-ABDB-228EFC9A7BAE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=""
"{1250BB45-43F6-4F01-8859-484184CC7617}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed Jan 25 2006 2:10:38p A.... 258,048 252.00 K
ati2dvag.dll Wed Jan 25 2006 2:52:48p A.... 255,488 249.50 K
ati2edxx.dll Wed Jan 25 2006 2:46:50p A.... 41,472 40.50 K
ati2evxx.dll Wed Jan 25 2006 2:46:38p A.... 61,440 60.00 K
ati3duag.dll Wed Jan 25 2006 2:36:50p A.... 2,604,128 2.48 M
atiddc.dll Wed Jan 25 2006 2:44:58p A.... 53,248 52.00 K
atidemgr.dll Wed Jan 25 2006 1:29:40p A.... 282,624 276.00 K
atiiiexx.dll Wed Jan 25 2006 2:28:12p A.... 307,200 300.00 K
atikvmag.dll Wed Jan 25 2006 2:16:50p A.... 151,552 148.00 K
atioglx1.dll Wed Jan 25 2006 2:30:28p A.... 6,684,672 6.38 M
atioglxx.dll Wed Jan 25 2006 2:13:54p A.... 5,115,904 4.88 M
atipdlxx.dll Wed Jan 25 2006 2:47:18p A.... 114,688 112.00 K
atitvo32.dll Wed Jan 25 2006 2:16:08p A.... 17,408 17.00 K
ativvaxx.dll Wed Jan 25 2006 2:30:18p A.... 860,192 840.03 K
d3dx9_28.dll Mon Dec 5 2005 6:09:18p A.... 2,323,664 2.21 M
d3dx9_29.dll Fri Feb 3 2006 8:43:16a A.... 2,332,368 2.22 M
divx.dll Tue Feb 7 2006 6:41:52a A.... 574,976 561.50 K
divxwm~1.dll Sat Jan 21 2006 1:41:30p A.... 12,288 12.00 K
divx_x~1.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~2.dll Tue Feb 7 2006 6:41:50a A.... 679,936 664.00 K
divx_x~3.dll Tue Feb 7 2006 6:41:48a A.... 663,552 648.00 K
dpl100.dll Tue Feb 7 2006 6:42:02a A.... 86,016 84.00 K
dpu10.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpu11.dll Tue Feb 7 2006 6:42:00a A.... 294,912 288.00 K
dpugui10.dll Sat Jan 21 2006 9:46:10a A.... 53,248 52.00 K
dpugui11.dll Tue Feb 7 2006 6:42:02a A.... 593,920 580.00 K
dpus11.dll Tue Feb 7 2006 6:42:00a A.... 339,968 332.00 K
dpv11.dll Tue Feb 7 2006 6:42:00a A.... 57,344 56.00 K
dtu100.dll Tue Feb 7 2006 6:42:02a A.... 200,704 196.00 K
isafeif.dll Tue Nov 29 2005 11:03:08a A.... 95,784 93.54 K
isafprod.dll Tue Nov 29 2005 11:03:16a A.... 75,304
#5 OFFLINE
-
- Spyware Moderators
-
- 1,821 posts
Power Member
- Gender:Male
- Location:Manchester. UK
- Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
Posted 07 March 2006 - 05:01 AM
Hi fukwailui
I'm not sure if you are still visiting the Forum but Ive just noticed you had replied to this topic, I'm sorry for the delay in responding but there seems to be a problem with notifications. I have it set to notify me of any replies and I didnt receive anything when you replied. From the Main Spyware Hell menu it only showed one reply to this topic which is the one I sent to you so I not sure what went wrong but there is still work to do on your log.
If you notice this message can you reply and we can finish the cleanup
Thanks Andy
EDIT: Now Ive replied to this the Main Menu shows there is 4 posts ??
I'm not sure if you are still visiting the Forum but Ive just noticed you had replied to this topic, I'm sorry for the delay in responding but there seems to be a problem with notifications. I have it set to notify me of any replies and I didnt receive anything when you replied. From the Main Spyware Hell menu it only showed one reply to this topic which is the one I sent to you so I not sure what went wrong but there is still work to do on your log.
If you notice this message can you reply and we can finish the cleanup
Thanks Andy
EDIT: Now Ive replied to this the Main Menu shows there is 4 posts ??
#6 OFFLINE
-
- Members
-
- 15 posts
Member
Posted 11 March 2006 - 08:14 AM
Hi Andy, thanks for your reply. We can finish the clean up now
#7 OFFLINE
-
- Spyware Moderators
-
- 1,821 posts
Power Member
- Gender:Male
- Location:Manchester. UK
- Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
Posted 11 March 2006 - 08:22 AM
Hi Again
Nice to hear back from you , I could see a Worm active in the last log and still some work to do with the Look2me infection so I'm glad you read the message.
Can you download l2mfix again to your desktop if you do not still have it installed (the download link is in my first reply to you)
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.
Thanks
Chat to you later
Andy
Nice to hear back from you , I could see a Worm active in the last log and still some work to do with the Look2me infection so I'm glad you read the message.
Can you download l2mfix again to your desktop if you do not still have it installed (the download link is in my first reply to you)
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.
Thanks
Chat to you later
Andy
#8 OFFLINE
-
- Banned
-
- 2,198 posts
Annoyance
- Location:Internet
- Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.
Posted 11 March 2006 - 06:07 PM
Oh, I did that mistake too. Didnt put password on my computer when I went on vacation, and maybe I did not lock my room, dont remember.
When I came home, the computer wasnt full of spyware, but people been using it, and my room looked like crap with cups, plates, crap everywhere.
I was seriously, seriously pissed.
If you format your computer, everything will be gone and that include the nasty spyware.
When I came home, the computer wasnt full of spyware, but people been using it, and my room looked like crap with cups, plates, crap everywhere.
I was seriously, seriously pissed.
If you format your computer, everything will be gone and that include the nasty spyware.
#9 OFFLINE
-
- Members
-
- 15 posts
Member
Posted 12 March 2006 - 02:11 AM
Eldmannen, on Mar 12 2006, 05:07 AM, said:
Oh, I did that mistake too. Didnt put password on my computer when I went on vacation, and maybe I did not lock my room, dont remember.
When I came home, the computer wasnt full of spyware, but people been using it, and my room looked like crap with cups, plates, crap everywhere.
I was seriously, seriously pissed.
If you format your computer, everything will be gone and that include the nasty spyware.
When I came home, the computer wasnt full of spyware, but people been using it, and my room looked like crap with cups, plates, crap everywhere.
I was seriously, seriously pissed.
If you format your computer, everything will be gone and that include the nasty spyware.
Annoying isn't it? I did format my computer twice but not entirely because I had a lot of important stuff in it that I couldn't delete. Luckily the guys here are so helpful!
Hi Andy,
Did as you instructed and here is the l2mfix log:
L2mfix 010406
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (140 bytes security) (deflated 63%)
As well as the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:07:54 PM, on 3/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wmipvcs.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [System Support Driver] wmipvcs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [System Support Driver] wmipvcs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [System Support Driver] wmipvcs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.
5.0_06\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/
activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft
Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\jt4607hse.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust
EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvsvc32.exe - Unknown owner - C:\WINDOWS\wmisp.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust
Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
#10 OFFLINE
-
- Spyware Moderators
-
- 1,821 posts
Power Member
- Gender:Male
- Location:Manchester. UK
- Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
Posted 12 March 2006 - 03:14 AM
Hi Again
EDIT: Ive been trying to add a new reply to the topic for about 30 minutes but when its sent, its takes ages then goes to a standard error screen showing 'Cannot find server - Page cannot be displayed' So Im going to try add the post into this reply
Lets try get rid of your Virus infection first then we can try l2mfix again as its having some problems (The log you post isnt what should happen so we need to run it again to reset permissions and remove leftover Look2me files)
Download the attached batch file (Fix.zip) and save it to your desktop, Right click and choose extract all then open the extracted folder and double click fix.bat. It will only take a couple of seconds to run, first it will try stop the virus files then remove the service and delete both files.
Next Run Hijack This and choose Do a system scan only then place a check next to these entries:
O4 - HKLM\..\Run: [System Support Driver] wmipvcs.exe
O4 - HKLM\..\RunServices: [System Support Driver] wmipvcs.exe
O4 - HKCU\..\Run: [System Support Driver] wmipvcs.exe
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\jt4607hse.dll (file missing)
O23 - Service: nvsvc32.exe - Unknown owner - C:\WINDOWS\wmisp.exe
Close ALL open browser and other windows making sure only Hijack This is running then press the Fix Checked button.
After fixing the entries you can run the fix.bat again as Hijack This will also attempt to stop them running, if the process tool Ive added in the batch file fails, the removal may work better after fixing them with Hijack This.
Make sure you are logged into the Administrator account on your system before proceeding with the below steps.
Then Goto Start Menu > Run > Type
services.msc
Press Ok, When the services list opens, Find Secondary Logon in the list. This service should be running. Please double click Secondary Logon to open the Properties screen (Or right click and choose Properties), Next To Start Up Type make sure it's set to Automatic, Next To Service Status make sure its shows Started , If it shows Stopped then press the Start Button, If you make any changes press Apply then OK
Lets start the l2mfix steps again , Please delete the l2mfix folder you have on your system and then download it again. Here's the instructions again and download links.
Download L2mfix from one of these two locations:
l2mfix Link 1
l2mfix Link 2
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. At this stage close the log as it's already clear you have the infection. (you are just running this to make sure you don't receive the below errors before running option #2 again)
If you receive an error, similar to the following, while running option #1: 'C:\windows\system32\cmd.exe or C:\windows\system32\autoexec.nt "the system file is not suitable for running ms-dos and microsoft windows applications". choose close to terminate the application then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do NOT run the fix portion without fixing this first if you do receive either of the above errors.
Make sure all other programs are closed because this will re-boot your machine.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter,.....wait and follow the prompts; be patient and PLEASE do not press any keys until you see the press any key to reboot your computer. After a reboot, your desktop and icons may appear then disappear (this is normal), a command window will open & L2mfix will continue to scan your computer and when it's finished, NOTEPAD will open with a log, please post the contents of that log back.
Finally run Panda Activescan from Here.
Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.
Copy the contents of the l2mfix log and paste it back into this topic, along with a new hijackthis log and Panda's log.
All The Best
Andy
EDIT: Ive been trying to add a new reply to the topic for about 30 minutes but when its sent, its takes ages then goes to a standard error screen showing 'Cannot find server - Page cannot be displayed' So Im going to try add the post into this reply
Lets try get rid of your Virus infection first then we can try l2mfix again as its having some problems (The log you post isnt what should happen so we need to run it again to reset permissions and remove leftover Look2me files)
Download the attached batch file (Fix.zip) and save it to your desktop, Right click and choose extract all then open the extracted folder and double click fix.bat. It will only take a couple of seconds to run, first it will try stop the virus files then remove the service and delete both files.
Next Run Hijack This and choose Do a system scan only then place a check next to these entries:
O4 - HKLM\..\Run: [System Support Driver] wmipvcs.exe
O4 - HKLM\..\RunServices: [System Support Driver] wmipvcs.exe
O4 - HKCU\..\Run: [System Support Driver] wmipvcs.exe
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\jt4607hse.dll (file missing)
O23 - Service: nvsvc32.exe - Unknown owner - C:\WINDOWS\wmisp.exe
Close ALL open browser and other windows making sure only Hijack This is running then press the Fix Checked button.
After fixing the entries you can run the fix.bat again as Hijack This will also attempt to stop them running, if the process tool Ive added in the batch file fails, the removal may work better after fixing them with Hijack This.
Make sure you are logged into the Administrator account on your system before proceeding with the below steps.
Then Goto Start Menu > Run > Type
services.msc
Press Ok, When the services list opens, Find Secondary Logon in the list. This service should be running. Please double click Secondary Logon to open the Properties screen (Or right click and choose Properties), Next To Start Up Type make sure it's set to Automatic, Next To Service Status make sure its shows Started , If it shows Stopped then press the Start Button, If you make any changes press Apply then OK
Lets start the l2mfix steps again , Please delete the l2mfix folder you have on your system and then download it again. Here's the instructions again and download links.
Download L2mfix from one of these two locations:
l2mfix Link 1
l2mfix Link 2
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. At this stage close the log as it's already clear you have the infection. (you are just running this to make sure you don't receive the below errors before running option #2 again)
If you receive an error, similar to the following, while running option #1: 'C:\windows\system32\cmd.exe or C:\windows\system32\autoexec.nt "the system file is not suitable for running ms-dos and microsoft windows applications". choose close to terminate the application then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do NOT run the fix portion without fixing this first if you do receive either of the above errors.
Make sure all other programs are closed because this will re-boot your machine.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter,.....wait and follow the prompts; be patient and PLEASE do not press any keys until you see the press any key to reboot your computer. After a reboot, your desktop and icons may appear then disappear (this is normal), a command window will open & L2mfix will continue to scan your computer and when it's finished, NOTEPAD will open with a log, please post the contents of that log back.
Finally run Panda Activescan from Here.
Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.
Copy the contents of the l2mfix log and paste it back into this topic, along with a new hijackthis log and Panda's log.
All The Best
Andy
#11 OFFLINE
-
- Members
-
- 15 posts
Member
Posted 12 March 2006 - 01:55 PM
Here is the l2mfix log:
L2mfix 010406
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 412 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 856 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 252 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=-
"{1250BB45-43F6-4F01-8859-484184CC7617}"=-
[-HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
[-HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
adding: backregs/1250BB45-43F6-4F01-8859-484184CC7617.reg (212 bytes security) (deflated 70%)
adding: backregs/5DB85F1E-E56D-48E8-8BCA-ECBD86836523.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (140 bytes security) (deflated 87%)
I can't run Panda Activescan as everytime I click Local Disks, it says "Error on Page". What should I do?
L2mfix 010406
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 412 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 856 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 252 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}\InprocServer32]
@="C:\\WINDOWS\\system32\\kedmac.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}\InprocServer32]
@="C:\\WINDOWS\\system32\\WxhRm.dll"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}"=-
"{1250BB45-43F6-4F01-8859-484184CC7617}"=-
[-HKEY_CLASSES_ROOT\CLSID\{5DB85F1E-E56D-48E8-8BCA-ECBD86836523}]
[-HKEY_CLASSES_ROOT\CLSID\{1250BB45-43F6-4F01-8859-484184CC7617}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
adding: backregs/1250BB45-43F6-4F01-8859-484184CC7617.reg (212 bytes security) (deflated 70%)
adding: backregs/5DB85F1E-E56D-48E8-8BCA-ECBD86836523.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (140 bytes security) (deflated 87%)
I can't run Panda Activescan as everytime I click Local Disks, it says "Error on Page". What should I do?
#12 OFFLINE
-
- Spyware Moderators
-
- 1,821 posts
Power Member
- Gender:Male
- Location:Manchester. UK
- Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
Posted 12 March 2006 - 11:18 PM
Hi fukwailui
l2mfix is still having some issues, the original l2mfix log you post shows 'guard.tmp' which is a protecting file for look2me and I'm sure there would be other files relating to that infection on the system. The Fix part did reset the Winlogon notify key but then fails at the end when it got to the file section. This could mean the files have already been removed but it looks more likely that one of the Virus infections you have has made some system changes.
Let's try a different Look2me remover just to be sure the files are not still on your system:
Copy the Look2me Destroyer instructions to Notepad as you will have to close all windows before running the remover.
Please download Look2Me-Destroyer.exe from Here to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt. which you will find by opening the c:\drive.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. (Let me know if you need any help with that)
MSWINSCK.OCX
Then reset all of your I.E settings
Open a I.E browser window then goto Tools on the top bar then Internet Options
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http:// acs.pandasoftware.com/activescan/as5free/asinst.cab
Close all open Browser windows then press the fixed checked button, This way when you revisit Pandascan it will install the ActiveX again which may solve the error message, If not then continue with the Kaspersky steps below.
If you still cannot run Pandascan, try a different online scanner , This scanner will take along time to run but it is very precise and If your system still has malware files this scanner will find them. It doesnt remove the files but does create a log which can be post back, with that info I can then make another batch script to remove whatever is detected.
I'd also like you to upgrade your system to Service Pack 2 after we confirm there is no malware left on your system, Do not do that yet as it could cause problems if there is any malware present, so we can discuss that abit later after we are certain the system is clean. Upgrading to SP2 will help to prevent more infections as it will close alot of security holes through which attackers can gain access to your pc.
Run Kaspersky WebScanner
Thanks
Andy
l2mfix is still having some issues, the original l2mfix log you post shows 'guard.tmp' which is a protecting file for look2me and I'm sure there would be other files relating to that infection on the system. The Fix part did reset the Winlogon notify key but then fails at the end when it got to the file section. This could mean the files have already been removed but it looks more likely that one of the Virus infections you have has made some system changes.
Let's try a different Look2me remover just to be sure the files are not still on your system:
Copy the Look2me Destroyer instructions to Notepad as you will have to close all windows before running the remover.
Please download Look2Me-Destroyer.exe from Here to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt. which you will find by opening the c:\drive.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. (Let me know if you need any help with that)
MSWINSCK.OCX
Then reset all of your I.E settings
Open a I.E browser window then goto Tools on the top bar then Internet Options
- Goto The Advanced Tab and Press Restore Defaults
- Goto The Security Tab and Press Custom Level then press Reset and Yes on the pop up confirmation box, then press OK to close the Security Settings screen.
- Goto The General Tab and press Delete Cookies and OK to confirm then press Delete Files, Place a check next to Delete All Offline Content then press OK
- Finally Press the Apply button then Press OK to Close The Internet Options screen.
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http:// acs.pandasoftware.com/activescan/as5free/asinst.cab
Close all open Browser windows then press the fixed checked button, This way when you revisit Pandascan it will install the ActiveX again which may solve the error message, If not then continue with the Kaspersky steps below.
If you still cannot run Pandascan, try a different online scanner , This scanner will take along time to run but it is very precise and If your system still has malware files this scanner will find them. It doesnt remove the files but does create a log which can be post back, with that info I can then make another batch script to remove whatever is detected.
I'd also like you to upgrade your system to Service Pack 2 after we confirm there is no malware left on your system, Do not do that yet as it could cause problems if there is any malware present, so we can discuss that abit later after we are certain the system is clean. Upgrading to SP2 will help to prevent more infections as it will close alot of security holes through which attackers can gain access to your pc.
Run Kaspersky WebScanner
- Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be promted to install an ActiveX component from Kaspersky, Click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files,
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Thanks
Andy
#13 OFFLINE
-
- Members
-
- 15 posts
Member
Posted 13 March 2006 - 02:43 AM
Here is the Look2Me destroyer log:
Look2Me-Destroyer V1.0.7
Scanning for infected files.....
Scan started at 3/13/2006 11:50:04 AM
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
I couldn't run the PandaScan so here is the Kapersky log:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 13, 2006 1:41:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/03/2006
Kaspersky Anti-Virus database records: 182053
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 72041
Number of viruses found: 9
Number of infected objects: 85
Number of suspicious objects: 0
Duration of the scan process: 00:54:54
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\K1MZ0DUJ\wmipvcs[1].jpg Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0004287.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0004287.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0004287.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005296.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005296.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005307.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005307.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005307.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005315.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006286.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006286.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006286.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006288.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006299.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006300.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006301.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006319.exe Infected: Trojan-Downloader.Win32.PurityScan.bv skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006321.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006323.exe Infected: Backdoor.Win32.SdBot.and skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006326.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006332.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006332.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006332.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007367.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007367.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007367.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007376.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007376.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007376.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007381.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007381.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007381.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007393.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007397.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007417.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007420.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007433.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008420.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008420.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008420.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008421.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008429.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008429.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008429.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008430.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008430.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008430.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008432.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008432.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008432.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009442.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009442.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009442.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009443.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009445.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009445.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009445.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP51\A0009527.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP54\A0010752.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP54\A0010781.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP55\A0012966.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP55\A0012973.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP55\A0013972.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP55\A0013979.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP59\A0016094.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP63\A0016175.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP63\A0016183.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP64\A0016202.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP64\A0016202.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP64\A0016202.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP67\A0017362.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP67\A0017407.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP67\A0017570.exe Infected: Backdoor.Win32.SdBot.and skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1A74LI7\dot[1].exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1A74LI7\dot[1].exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1A74LI7\dot[1].exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G96NWLMR\rp5[1].exe Infected: Backdoor.Win32.SdBot.and skipped
C:\WINDOWS\system32\wmisp.exe Infected: Backdoor.Win32.SdBot.aad skipped
Scan process completed.
And the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 1:41:56 PM, on 3/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78821361-90B5-42A9-80D1-DDEE97F88931}: NameServer = 203.50.2.71 139.130.4.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
Look2Me-Destroyer V1.0.7
Scanning for infected files.....
Scan started at 3/13/2006 11:50:04 AM
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
I couldn't run the PandaScan so here is the Kapersky log:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 13, 2006 1:41:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/03/2006
Kaspersky Anti-Virus database records: 182053
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 72041
Number of viruses found: 9
Number of infected objects: 85
Number of suspicious objects: 0
Duration of the scan process: 00:54:54
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\K1MZ0DUJ\wmipvcs[1].jpg Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0004287.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0004287.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0004287.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005296.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005296.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005307.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005307.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005307.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0005315.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006286.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006286.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006286.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006288.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006299.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006300.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006301.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006302.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006319.exe Infected: Trojan-Downloader.Win32.PurityScan.bv skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006321.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006323.exe Infected: Backdoor.Win32.SdBot.and skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006326.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006332.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006332.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0006332.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007367.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007367.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007367.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007376.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007376.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007376.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007381.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007381.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007381.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007393.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007397.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007417.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007420.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0007433.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008420.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008420.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008420.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008421.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008429.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008429.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008429.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008430.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008430.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008430.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008432.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008432.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0008432.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009442.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009442.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009442.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009443.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009445.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009445.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP50\A0009445.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP51\A0009527.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP54\A0010752.exe Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP54\A0010781.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP55\A0012966.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP55\A0012973.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP55\A0013972.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP55\A0013979.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP59\A0016094.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP63\A0016175.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP63\A0016183.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP64\A0016202.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP64\A0016202.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP64\A0016202.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP67\A0017362.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP67\A0017407.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{174C716D-7503-40B0-9476-AA1846F3D3A4}\RP67\A0017570.exe Infected: Backdoor.Win32.SdBot.and skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1A74LI7\dot[1].exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1A74LI7\dot[1].exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1A74LI7\dot[1].exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G96NWLMR\rp5[1].exe Infected: Backdoor.Win32.SdBot.and skipped
C:\WINDOWS\system32\wmisp.exe Infected: Backdoor.Win32.SdBot.aad skipped
Scan process completed.
And the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 1:41:56 PM, on 3/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78821361-90B5-42A9-80D1-DDEE97F88931}: NameServer = 203.50.2.71 139.130.4.4
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
#14 OFFLINE
-
- Spyware Moderators
-
- 1,821 posts
Power Member
- Gender:Male
- Location:Manchester. UK
- Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
Posted 13 March 2006 - 03:39 AM
Hi Again
Your logs looking really good so I think we are nearly there Its shows the batch file you run was successful as In your previous log it showed the SDBot virus file was in the Windows folder but it's also got a copy in system32 so we can remove that now, can you delete the Fix.bat that you downloaded earlier and download the attached file again (FinalFix.zip). Extract the file and double click fix.bat. This will remove the Virus file and also clean up your temp folders.
Also download Ccleaner and press the Run Cleaner button to remove any remaining temp files.
Most of the detected items are in your restore area so they are not a threat unless you use the System Restore, We can remove them all now (Run the attached batch file first).
Click Start Menu > Run > type (or copy and paste)
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'
Next goto Start Menu > Run > type
cleanmgr
click OK, when Disk Cleanup opens goto the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created.
Reboot the system and then upgrade to Service Pack 2 by going to this site http://windowsupdate.microsoft.com. Download all the critical updates for Windows, including the latest version of Internet Explorer. This may require you to Reboot and revisit Windows Updates again to get the remaining updates. Please follow the prompts on the Windows Updates site and keep re-visiting untill there is no more updates available.
Please let me know if you have any problems upgrading or after installing Service Pack 2 and let me know how things are running.
All The Best
Your logs looking really good so I think we are nearly there
Its shows the batch file you run was successful as In your previous log it showed the SDBot virus file was in the Windows folder but it's also got a copy in system32 so we can remove that now, can you delete the Fix.bat that you downloaded earlier and download the attached file again (FinalFix.zip). Extract the file and double click fix.bat. This will remove the Virus file and also clean up your temp folders. Also download Ccleaner and press the Run Cleaner button to remove any remaining temp files.
Most of the detected items are in your restore area so they are not a threat unless you use the System Restore, We can remove them all now (Run the attached batch file first).
Click Start Menu > Run > type (or copy and paste)
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'
Next goto Start Menu > Run > type
cleanmgr
click OK, when Disk Cleanup opens goto the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created.
Reboot the system and then upgrade to Service Pack 2 by going to this site http://windowsupdate.microsoft.com. Download all the critical updates for Windows, including the latest version of Internet Explorer. This may require you to Reboot and revisit Windows Updates again to get the remaining updates. Please follow the prompts on the Windows Updates site and keep re-visiting untill there is no more updates available.
Please let me know if you have any problems upgrading or after installing Service Pack 2 and let me know how things are running.
All The Best
#15 OFFLINE
-
- Members
-
- 15 posts
Member
Posted 13 March 2006 - 05:02 AM
Thanks so much for all your help Andy. I'm just in the middle of downloading the updates now and everything seems to be going fine. I'm so glad my computer is clean once again! Thanks!!
#16 OFFLINE
-
- Spyware Moderators
-
- 1,821 posts
Power Member
- Gender:Male
- Location:Manchester. UK
- Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
Posted 13 March 2006 - 05:06 AM
No Problem M8
Glad I could help, Keep us informed if you have any issues after upgrading. With the virus having Backdoor features (which means it allows the attacker access to your system) also change passwords for email, messenger programs and any confidential sites you use, It may not be needed but it is best to be safe as some of your information may of been sent out.
Chat to you later
Andy
Glad I could help, Keep us informed if you have any issues after upgrading. With the virus having Backdoor features (which means it allows the attacker access to your system) also change passwords for email, messenger programs and any confidential sites you use, It may not be needed but it is best to be safe as some of your information may of been sent out.
Chat to you later
Andy
