1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HELP please HIJACK this log

Discussion in 'Virus & Other Malware Removal' started by weaponsx, Feb 10, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. weaponsx

    weaponsx Thread Starter

    Joined:
    Feb 12, 2004
    Messages:
    100
    i went away for 2 weeks on a trip and left my house to be looked into by out friends 17 yr old. stupid me i forgot to put a password on the comp. i come back and theres TONS of things going on with my computer. Please someone help me out here.


    Logfile of HijackThis v1.99.0
    Scan saved at 12:35:52 PM, on 2/10/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\netwy32.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\system32\d3tn.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\WINDOWS\System32\wgrqgu.exe
    C:\WINDOWS\System32\printz.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\NetSpy Protector\quarantie\2-3-2005-10-13-24-AM\a134981b-3cbd-4714-a03f-9cbc81111e63\AdDestroyer.exe
    C:\Program Files\Logitech\Video\LowLight.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\System32\hkcstr.exe
    C:\WINDOWS\System32\hotxdev(3).exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Weaponsx\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.savehits.com//
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pnoeg.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pnoeg.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.savehits.com//
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pnoeg.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pnoeg.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pnoeg.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.savehits.com//
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pnoeg.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.savehits.com//
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pnoeg.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.savehits.com//
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.savehits.com///%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.savehits.com/%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {4C71452A-6C8B-7351-0338-0370964A66D2} - C:\WINDOWS\iewg32.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [msvp32.exe] C:\WINDOWS\system32\msvp32.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [netwy32.exe] C:\WINDOWS\system32\netwy32.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC= CP.AMS /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [vFnV3pg] hotxdev(3).exe
    O4 - HKLM\..\Run: [AutoLoadervs4p1ddXIPXW] "C:\WINDOWS\System32\printz.exe" /HideDir /HideUninstall /PC="CP.AMS" /ShowLegalNote="nonbranded"
    O4 - HKLM\..\Run: [mdbevqtr] C:\WINDOWS\System32\mdbevqtr.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [eo49RfM3T] hkcstr.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\NetSpy Protector\quarantie\2-3-2005-10-13-24-AM\a134981b-3cbd-4714-a03f-9cbc81111e63\AdDestroyer.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\d3tn.exe
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    First you MUST move HJT to a permanent folder like C:\HJT

    SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
    AdAware SE http://www.majorgeeks.com/download506.html
    SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

    DL them (they are free), install them, check each for their
    definition updates
    and then run AdAware and Spybot, fixing anything
    they say.

    In SpywareBlaster - Always enable all protection after updates
    SpyBot - After an update run immunize

    Then after doing the above, follow this link and then await a pro

    http://forums.techguy.org/t328043.html
     
  3. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    First download lspfix.exe from http://www.spyware911.net/downloads/LSPFix.exe. Launch the application, and
    click the "I know what I'm doing" checkbox. and move all instances of aklsp.dll dolsp.dlll to the remove
    pane(left hand) and click finish.

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
  4. weaponsx

    weaponsx Thread Starter

    Joined:
    Feb 12, 2004
    Messages:
    100
    L2MFIX find log 1.02a
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\fp8203loe.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{67CEFC01-003F-4F88-8A7C-03CB498B6E38}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"
    "{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"
    "{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"
    "{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"
    "{336B02CE-F88A-4aea-8731-79EF94D3723A}"="Free AOL & Unlimited Internet.url"
    "{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
    "{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
    "{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
    "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{2D8AAFAB-726E-4142-96C4-BDFD55476833}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{2D8AAFAB-726E-4142-96C4-BDFD55476833}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2D8AAFAB-726E-4142-96C4-BDFD55476833}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2D8AAFAB-726E-4142-96C4-BDFD55476833}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2D8AAFAB-726E-4142-96C4-BDFD55476833}\InprocServer32]
    @="C:\\WINDOWS\\system32\\kpd101b.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    akcore.dll Wed Feb 2 2005 12:37:22p A.... 188,416 184.00 K
    aklsp.dll Wed Feb 2 2005 12:37:24p A.... 196,608 192.00 K
    akrules.dll Wed Feb 2 2005 12:37:22p A.... 110,592 108.00 K
    akupd.dll Wed Feb 2 2005 12:37:08p A.... 155,648 152.00 K
    bauvm.dll Thu Jan 20 2005 5:53:48a A.SH. 0 0.00 K
    brlzt.dll Sat Jan 8 2005 5:14:42a A.SH. 68,096 66.50 K
    bvukr.dll Sat Jan 1 2005 3:18:44a A.SH. 68,096 66.50 K
    cdlkp.dll Thu Jan 20 2005 1:18:30p A.SH. 68,096 66.50 K
    cqoiqu.dll Wed Feb 2 2005 1:15:04p A.... 5,632 5.50 K
    docore.dll Wed Feb 2 2005 1:37:12p A.... 151,552 148.00 K
    dolsp.dll Wed Feb 2 2005 1:37:12p A.... 139,264 136.00 K
    dosync.dll Thu Feb 10 2005 1:51:54p A.... 114,688 112.00 K
    dsmana~1.dll Wed Jan 19 2005 4:20:04p ..... 25,600 25.00 K
    dxwsx.dll Sat Jan 22 2005 5:27:08a A.SH. 68,096 66.50 K
    e4020e~1.dll Thu Feb 10 2005 12:26:42p ..S.R 229,736 224.35 K
    enbsnp.dll Wed Feb 2 2005 1:15:04p A.... 24,576 24.00 K
    eydyd.dll Mon Jan 31 2005 3:15:30a A.SH. 68,096 66.50 K
    eyquw.dll Sat Jan 22 2005 5:18:06a A.SH. 68,096 66.50 K
    fcvgk.dll Tue Jan 4 2005 7:37:04a A.SH. 68,096 66.50 K
    fdaqo.dll Thu Feb 3 2005 4:40:16a A.SH. 68,096 66.50 K
    fp8203~1.dll Thu Feb 3 2005 9:50:36a ..S.R 230,019 224.63 K
    gpgou.dll Sat Jan 15 2005 12:09:20a A.SH. 68,096 66.50 K
    hmsjy.dll Sat Jan 15 2005 11:40:12p A.SH. 68,096 66.50 K
    hocam.dll Sun Dec 26 2004 4:31:10a A.SH. 68,096 66.50 K
    iega32.dll Thu Jan 20 2005 5:57:56a ..... 99,204 96.88 K
    ievh.dll Wed Jan 12 2005 6:49:02p ..... 99,924 97.58 K
    irr2l5~1.dll Thu Feb 10 2005 12:28:42p ..S.R 230,019 224.63 K
    kpd101b.dll Thu Feb 10 2005 9:05:48p ..... 230,019 224.63 K
    lbysn.dll Wed Jan 5 2005 10:54:00p A.SH. 68,096 66.50 K
    lv4s09~1.dll Thu Feb 10 2005 9:01:34p ..S.R 230,019 224.63 K
    mdciy.dll Sun Jan 30 2005 11:35:30a A.SH. 68,096 66.50 K
    mser.dll Wed Jan 26 2005 12:49:08a ..... 96,118 93.86 K
    nykss.dll Wed Jan 19 2005 8:14:00p A.SH. 68,096 66.50 K
    ogzti.dll Sun Jan 16 2005 10:49:14p A.SH. 68,096 66.50 K
    oysnt.dll Fri Jan 14 2005 1:21:12a A.SH. 68,096 66.50 K
    pnoeg.dll Fri Feb 4 2005 11:50:18a A.SH. 68,096 66.50 K
    qizes.dll Tue Jan 4 2005 11:41:28p A.SH. 68,096 66.50 K
    sporder.dll Wed Feb 2 2005 12:37:22p A.... 8,464 8.27 K
    syyhq.dll Sat Jan 8 2005 1:57:58a A.SH. 68,096 66.50 K
    timhg.dll Sun Jan 23 2005 12:22:10p A.SH. 68,096 66.50 K
    tqdic.dll Sun Jan 30 2005 2:27:52a A.SH. 68,096 66.50 K
    winmd32.dll Thu Dec 23 2004 7:26:10p ..... 96,212 93.96 K
    winzz32.dll Sat Jan 15 2005 1:00:06p ..... 96,212 93.96 K
    xdiny.dll Thu Jan 27 2005 3:42:32a A.SH. 68,096 66.50 K
    yoybu.dll Tue Jan 25 2005 10:12:26p A.SH. 68,096 66.50 K
    ypvtk.dll Wed Jan 5 2005 9:25:44a A.SH. 68,096 66.50 K
    zkjhg.dll Mon Jan 3 2005 3:44:10a A.SH. 68,096 66.50 K

    47 items found: 47 files (30 H/S), 0 directories.
    Total of file sizes: 4,460,922 bytes 4.25 M
    Locate .tmp files:

    C:\WINDOWS\SYSTEM32\
    guard.tmp Thu Feb 10 2005 9:06:48p A.... 230,019 224.63 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 230,019 bytes 224.63 K
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 68E2-FD45

    Directory of C:\WINDOWS\System32

    02/11/2005 03:43 AM <DIR> dllcache
    02/10/2005 09:01 PM 230,019 lv4s09h7e.dll
    02/10/2005 12:28 PM 230,019 irr2l59o1.dll
    02/10/2005 12:26 PM 229,736 e4020edoeh0c0.dll
    02/10/2005 03:33 AM 11,592 aglph.dat
    02/08/2005 05:41 PM 0 bdkhu.dat
    02/08/2005 05:03 AM 11,592 fvtri.txt
    02/07/2005 12:08 PM 3,567 zouic.dat
    02/07/2005 11:44 AM 7,305 xlshu.log
    02/07/2005 03:28 AM 3,567 ujfbo.txt
    02/06/2005 04:33 PM 3,567 xafly.txt
    02/04/2005 04:31 PM 11,592 weaul.log
    02/04/2005 11:50 AM 68,096 pnoeg.dll
    02/04/2005 07:29 AM 0 ltarb.txt
    02/03/2005 09:50 AM 230,019 fp8203loe.dll
    02/03/2005 04:40 AM 68,096 fdaqo.dll
    02/01/2005 05:16 PM 3,567 qcvxd.txt
    02/01/2005 03:36 PM 11,592 nizzf.log
    02/01/2005 12:19 AM 0 ykaca.txt
    01/31/2005 03:15 AM 68,096 eydyd.dll
    01/30/2005 11:35 AM 68,096 mdciy.dll
    01/30/2005 03:20 AM 11,592 waokw.dat
    01/30/2005 02:27 AM 68,096 tqdic.dll
    01/29/2005 01:37 AM 11,592 nmtft.dat
    01/28/2005 07:55 PM 3,567 gyuri.log
    01/28/2005 06:14 PM 11,592 cwztr.log
    01/28/2005 05:58 PM 0 uxzdq.dat
    01/28/2005 12:02 AM 7,305 xwmxk.txt
    01/27/2005 10:22 AM 11,592 zdvfl.log
    01/27/2005 08:50 AM 11,592 wykxl.txt
    01/27/2005 03:42 AM 68,096 xdiny.dll
    01/26/2005 04:57 PM 7,305 kfyyi.txt
    01/26/2005 03:25 PM 7,305 hrvih.txt
    01/26/2005 12:00 PM 11,592 xartd.txt
    01/25/2005 10:12 PM 68,096 yoybu.dll
    01/24/2005 08:22 PM 3,567 gpmbs.dat
    01/24/2005 07:44 AM 7,305 daivm.dat
    01/24/2005 05:29 AM 7,305 ytyja.txt
    01/24/2005 03:19 AM 7,305 edisv.log
    01/23/2005 12:22 PM 68,096 timhg.dll
    01/23/2005 03:50 AM 7,305 omjqf.dat
    01/22/2005 03:00 PM 11,592 fxbvu.log
    01/22/2005 05:27 AM 68,096 dxwsx.dll
    01/22/2005 05:18 AM 68,096 eyquw.dll
    01/22/2005 02:38 AM 10,824 sysvw.exe
    01/22/2005 02:07 AM 29,256 winvb32.exe
    01/22/2005 02:07 AM 10,824 netih.exe
    01/21/2005 09:35 PM 7,305 qyfor.log
    01/21/2005 04:11 PM 0 bwgdt.dat
    01/21/2005 07:56 AM 7,305 icdse.dat
    01/21/2005 07:36 AM 7,305 ksjmo.txt
    01/21/2005 02:42 AM 11,592 xopyz.log
    01/20/2005 01:18 PM 68,096 cdlkp.dll
    01/20/2005 09:18 AM 7,305 gwcnm.dat
    01/20/2005 08:50 AM 7,305 jnxoz.dat
    01/20/2005 05:53 AM 0 bauvm.dll
    01/20/2005 03:56 AM 0 qvbry.log
    01/19/2005 08:13 PM 68,096 nykss.dll
    01/19/2005 08:08 PM 11,592 clhig.log
    01/19/2005 02:10 PM 10,824 apiic32.exe
    01/19/2005 12:37 PM 29,256 javaro.exe
    01/19/2005 07:30 AM 29,256 mfcgn.exe
    01/18/2005 12:28 PM 3,547 icssm.log
    01/18/2005 10:48 AM 11,592 niwun.log
    01/16/2005 10:49 PM 68,096 ogzti.dll
    01/16/2005 04:43 PM 7,305 hfqcl.log
    01/15/2005 11:40 PM 68,096 hmsjy.dll
    01/15/2005 07:05 PM 7,305 cdhko.log
    01/15/2005 01:08 PM 7,305 bsbxp.txt
    01/15/2005 12:10 PM 7,305 ylgxq.dat
    01/15/2005 12:09 AM 68,096 gpgou.dll
    01/14/2005 06:24 AM 10,563 d3wy32.exe
    01/14/2005 03:25 AM 3,567 ackin.log
    01/14/2005 01:21 AM 68,096 oysnt.dll
    01/13/2005 08:15 AM 11,592 yvgka.dat
    01/12/2005 02:50 PM 7,305 bwjux.dat
    01/11/2005 07:59 PM 11,592 amqzm.txt
    01/11/2005 10:22 AM 9,728 d3tn.exe
    01/11/2005 09:18 AM 29,184 netwy32.exe
    01/10/2005 11:51 PM 3,567 asgvj.txt
    01/09/2005 11:56 PM 7,305 nbkcn.log
    01/09/2005 08:06 PM 3,567 fiwys.dat
    01/09/2005 03:47 PM 3,567 hemlr.log
    01/09/2005 02:06 PM 11,592 lcqnb.log
    01/09/2005 11:29 AM 7,305 oycir.log
    01/09/2005 06:38 AM 0 ydovj.txt
    01/08/2005 05:14 AM 68,096 brlzt.dll
    01/08/2005 01:57 AM 68,096 syyhq.dll
    01/07/2005 03:55 PM 7,305 dmvzq.dat
    01/07/2005 04:48 AM 3,547 fbjaq.log
    01/07/2005 03:07 AM 11,592 kzfcz.dat
    01/06/2005 11:18 AM 7,305 nfeos.log
    01/05/2005 10:53 PM 68,096 lbysn.dll
    01/05/2005 08:12 PM 7,305 ppilt.txt
    01/05/2005 12:58 PM 7,305 xorih.dat
    01/05/2005 11:31 AM 9,728 mfcaq32.exe
    01/05/2005 11:08 AM 7,305 ghvnj.dat
    01/05/2005 09:25 AM 68,096 ypvtk.dll
    01/04/2005 11:41 PM 68,096 qizes.dll
    01/04/2005 06:35 PM 9,728 crsm32.exe
    01/04/2005 06:14 PM 29,184 winli32.exe
    01/04/2005 07:37 AM 68,096 fcvgk.dll
    01/03/2005 08:05 PM 3,547 xncgx.txt
    01/03/2005 03:44 AM 68,096 zkjhg.dll
    01/02/2005 12:33 AM 7,305 pfdke.dat
    01/01/2005 03:18 AM 68,096 bvukr.dll
    12/31/2004 08:29 AM 7,305 hofbn.log
    12/31/2004 05:18 AM 3,537 qlzlk.dat
    12/28/2004 09:53 AM 3,547 xzyyq.txt
    12/27/2004 07:17 PM 4,354 sipiz.txt
    12/26/2004 04:31 AM 68,096 hocam.dll
    12/25/2004 03:54 PM 9,728 ntoz32.exe
    12/22/2004 08:26 PM 7,305 kfmkx.dat
    09/12/2004 03:29 PM 11,388 ugnmi.dat
    09/01/2004 09:09 PM 10,730 sysem.exe
    08/26/2004 06:32 AM 11,388 hcrri.txt
    08/17/2004 10:49 PM 11,591 xwivb.txt
    07/29/2004 06:44 PM 11,388 wnqru.txt
    06/18/2004 02:26 AM 2,569 mybyk.dat
    06/17/2004 05:02 PM 2,569 xrzox.dat
    06/11/2004 04:26 AM 11,388 ythyz.dat
    06/04/2004 04:34 PM 2,569 lrfck.dat
    06/02/2004 10:19 AM <DIR> Microsoft
    121 File(s) 3,396,801 bytes
    2 Dir(s) 27,774,537,728 bytes free
     
  5. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    You need to keep posting back to the same thread, not starting a new one please.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
     
  7. weaponsx

    weaponsx Thread Starter

    Joined:
    Feb 12, 2004
    Messages:
    100
    ok this is the recent log.




    L2Mfix 1.02a

    Running From:
    C:\Documents and Settings\Weaponsx\Desktop\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C access for really "Everyone"
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- Everyone
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    C:\Documents and Settings\Weaponsx\Desktop\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\Weaponsx\Desktop\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 1604 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 180 'rundll32.exe'
    Killing PID 1248 'rundll32.exe'

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\e4020edoeh0c0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\irr2l59o1.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\lv4s09h7e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\guard.tmp
    1 file(s) copied.
    deleting: C:\WINDOWS\system32\e4020edoeh0c0.dll
    Successfully Deleted: C:\WINDOWS\system32\e4020edoeh0c0.dll
    deleting: C:\WINDOWS\system32\irr2l59o1.dll
    Successfully Deleted: C:\WINDOWS\system32\irr2l59o1.dll
    deleting: C:\WINDOWS\system32\lv4s09h7e.dll
    Successfully Deleted: C:\WINDOWS\system32\lv4s09h7e.dll
    deleting: C:\WINDOWS\system32\guard.tmp
    Successfully Deleted: C:\WINDOWS\system32\guard.tmp

    Desktop.ini sucessfully removed

    Zipping up files for submission:
    adding: e4020edoeh0c0.dll (140 bytes security) (deflated 5%)
    adding: irr2l59o1.dll (140 bytes security) (deflated 5%)
    adding: lv4s09h7e.dll (140 bytes security) (deflated 5%)
    adding: guard.tmp (140 bytes security) (deflated 5%)
    adding: clear.reg (140 bytes security) (deflated 22%)
    adding: echo.reg (140 bytes security) (deflated 9%)
    adding: desktop.ini (140 bytes security) (deflated 15%)
    adding: direct.txt (140 bytes security) (stored 0%)
    adding: lo2.txt (140 bytes security) (deflated 74%)
    adding: readme.txt (140 bytes security) (deflated 49%)
    adding: report.txt (140 bytes security) (deflated 67%)
    adding: test.txt (140 bytes security) (deflated 53%)
    adding: test2.txt (140 bytes security) (stored 0%)
    adding: test3.txt (140 bytes security) (stored 0%)
    adding: test5.txt (140 bytes security) (stored 0%)
    adding: xfind.txt (140 bytes security) (deflated 46%)
    adding: backregs/2D8AAFAB-726E-4142-96C4-BDFD55476833.reg (140 bytes security) (deflated 70%)
    adding: backregs/shell.reg (140 bytes security) (deflated 74%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for really "Everyone"


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: e4020edoeh0c0.dll
    deleting local copy: irr2l59o1.dll
    deleting local copy: lv4s09h7e.dll
    deleting local copy: guard.tmp

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\e4020edoeh0c0.dll
    C:\WINDOWS\system32\irr2l59o1.dll
    C:\WINDOWS\system32\lv4s09h7e.dll
    C:\WINDOWS\system32\guard.tmp

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{2D8AAFAB-726E-4142-96C4-BDFD55476833}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{2D8AAFAB-726E-4142-96C4-BDFD55476833}]
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{67CEFC01-003F-4F88-8A7C-03CB498B6E38}"=-
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    <IDone>{67CEFC01-003F-4F88-8A7C-03CB498B6E38}</IDone>
    <IDtwo>VT00</IDtwo>
    <VERSION>200</VERSION>
    ****************************************************************************
    
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Now you need to post another Hijack This log as well.
     
  9. weaponsx

    weaponsx Thread Starter

    Joined:
    Feb 12, 2004
    Messages:
    100
    newest HIjack log


    Logfile of HijackThis v1.97.7
    Scan saved at 9:11:30 PM, on 2/12/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\d3tn.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wgrqgu.exe
    C:\Program Files\World of Warcraft\WoW.exe
    C:\WINDOWS\system32\netwy32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Weaponsx\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rmoum.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rmoum.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rmoum.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rmoum.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rmoum.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rmoum.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rmoum.dll/sp.html#12345
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    O2 - BHO: (no name) - {30A9ADD5-7E61-D29C-8F16-BC8A3DD7C359} - C:\WINDOWS\system32\apihc.dll
    O4 - HKLM\..\Run: [msvp32.exe] C:\WINDOWS\system32\msvp32.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [netwy32.exe] C:\WINDOWS\system32\netwy32.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchmiracle.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You posted a log from the old version of Hijack This. Get rid of the old one. There is no need to keep it. Post a log from the new one please.

    After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/329003

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice