
Solved: A Mess.....3 viruses

Discussion in 'Virus & Other Malware Removal' started by Roe727, Feb 5, 2005.

Thread Status:
Not open for further replies.
  1. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    I'm working on a computer for a friend and what a mess. Error messages and Virus Warnings from Norton. To start I ran Ad-Aware twice, because the first time it wouldn't remove everything. I ran Spybot and it removed everything except C:\Program Files\eZula.
    An Error message that keeps coming up reads as follows:
    0x77f58ddf referenced @ 0x32017800. The memory could not be "written".
    The Virus warnings read as follows:
    C:\Program Files\Wild Tangent\Apps\CDA.DLL
    C:\Program Files\Homepage\winpage.dll
    C:\Program Files\NaviSearch\t1104710002.dll
    I thought maybe I should stop and send you a HijackThis log and see if there is a better way to do this. Any and all help is much appreciated. Thanks....Roe

    Logfile of HijackThis v1.98.2
    Scan saved at 1:38:14 PM, on 2/5/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\WINDOWS\System32\nvdzzqrw.exe
    C:\WINDOWS\System32\EXPLORERZ.EXE
    C:\windows\180ax.exe
    C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\documents and settings\susan zweig\local settings\temp\I4b.exe
    C:\documents and settings\susan zweig\local settings\temp\Tn.exe
    C:\WINDOWS\System32\winupdtl.exe
    C:\DOCUME~1\SUSANZ~1\LOCALS~1\Temp\ICD4.tmp\svcmm32.exe
    C:\WINDOWS\mmups.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\WINDOWS\jtnezabz.exe
    C:\Program Files\CSBB\CSv10P070.exe
    C:\WINDOWS\ARUpdate.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\documents and settings\susan zweig\local settings\temp\tlixFF.exe
    C:\documents and settings\susan zweig\local settings\temp\DSgfKTf.exe
    C:\Program Files\Gkusccw\Yaallcd.exe
    C:\WINDOWS\System32\kuiury.exe
    C:\Program Files\Bpt\bpt.exe
    C:\WINDOWS\System32\wys.exe
    C:\windows\system32\ueKxG.exe
    C:\windows\system32\4qXNTJ.exe
    C:\WINDOWS\newpop62.exe
    C:\WINDOWS\System32\ochv9i.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    C:\WINDOWS\System32\nvueers.exe
    C:\WINDOWS\System32\??ool32.exe
    C:\Documents and Settings\Susan Zweig\Application Data\eetu.exe
    C:\WINDOWS\System32\prutnct.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\WINDOWS\System32\prutnct.exe
    C:\WINDOWS\SYSTEM32\ueKxG.exe
    C:\PROGRA~1\COMMON~1\tsa\ts2.exe
    C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
    C:\WINDOWS\System32\Wyl0J.exe
    C:\WINDOWS\System32\MroU.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navw32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Susan Zweig\Local Settings\Temp\gS2v.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [aahhkmhebqj] C:\WINDOWS\System32\nvdzzqrw.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\QjxWV.exe
    O4 - HKLM\..\Run: [Windows Explorer] EXPLORERZ.EXE
    O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [I4b] C:\documents and settings\susan zweig\local settings\temp\I4b.exe
    O4 - HKLM\..\Run: [Tn] C:\documents and settings\susan zweig\local settings\temp\Tn.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\SUSANZ~1\LOCALS~1\Temp\ICD4.tmp\svcmm32.exe" /startup
    O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvvbe32.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [C:\WINDOWS\jtnezabz.exe] C:\WINDOWS\jtnezabz.exe
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
    O4 - HKLM\..\Run: [pmlduc] C:\WINDOWS\System32\pmlduc.exe
    O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [SStb.exe] SStb.exe
    O4 - HKLM\..\Run: [tlixFF] C:\documents and settings\susan zweig\local settings\temp\tlixFF.exe
    O4 - HKLM\..\Run: [DSgfKTf] C:\documents and settings\susan zweig\local settings\temp\DSgfKTf.exe
    O4 - HKLM\..\Run: [Okmwczw] C:\Program Files\Gkusccw\Yaallcd.exe
    O4 - HKLM\..\Run: [mhyjcx] C:\WINDOWS\mhyjcx.exe
    O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
    O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\SUSANZ~1\LOCALS~1\Temp\27.exe\27.exe"
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
    O4 - HKLM\..\Run: [Spool] "C:\WINDOWS\System32\wys.exe" /startup
    O4 - HKLM\..\Run: [ueKxG.exe] c:\windows\system32\ueKxG.exe
    O4 - HKLM\..\Run: [4qXNTJ] C:\windows\system32\4qXNTJ.exe
    O4 - HKLM\..\Run: [popuppers] C:\WINDOWS\newpop62.exe
    O4 - HKLM\..\Run: [oF9U3ng] ochv9i.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [Zoq8RhMnV] nvueers.exe
    O4 - HKCU\..\Run: [Lbsefvo] C:\WINDOWS\System32\??ool32.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Susan Zweig\Application Data\eetu.exe
    O4 - HKCU\..\Run: [prutnct] C:\WINDOWS\System32\prutnct.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [Windows Explorer] EXPLORERZ.EXE
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\5.bin\MWSOEMON.EXE
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\5.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm244XXUS
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.20/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bargain-buddy.net/cashback/cab/installer_ICMEDIAX.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...56fa9d809633:a4835914695e3eeec245bc6f8b5fbb1c
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {2FD74BEC-AA17-49C0-A74E-3B20BE946496} - http://www.cursorzone.com/toolbar/files/czone_bundle_p2.cab
    O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50043/QDow_AS2.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
    O21 - SSODL: WinTools - {ABEC834E-AD86-6496-9524-85347844E8DF} - C:\PROGRA~1\COMMON~1\ODBC.dll
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Welcome to TSG :)

    You have a lot of infection (including a VX2)

    I will PM a Moderator to assist you
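
A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the original thread: it parses the itemised lines and marks a few patterns for review. The review rules, the function names and the sample log (constructed, modelled on lines in this thread) are assumptions made for illustration, not HijackThis's own logic.

```python
import re

# Constructed sample in HijackThis 1.98 item format, modelled on the log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\user\Local Settings\Temp\gS2v.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Windows Explorer] EXPLORERZ.EXE
O4 - HKLM\..\Run: [I4b] C:\documents and settings\user\local settings\temp\I4b.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\USER~1\LOCALS~1\Temp\ICD4.tmp\svcmm32.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
"""

# "O4 - <body>": a section code (R0, F2, O4, O10, ...) followed by the item text.
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Registry autostart body: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(Run\w*): \[([^\]]*)\] ?(.*)$")
# Matches both the long and the 8.3 short form of a Temp directory path.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_items(log_text):
    """Return (section, body) per itemised line; headers and the process list are skipped."""
    items = []
    for raw in log_text.splitlines():
        match = ITEM_RE.match(raw.strip())
        if match:
            items.append((match.group(1), match.group(2)))
    return items


def review_reason(section, body):
    """Return why an item deserves a closer look, or None. Illustrative rules only."""
    if section == "O1":
        return "hosts file entry"
    if section == "O2" and TEMP_RE.search(body):
        return "browser helper object in a Temp directory"
    if section == "O4":
        run = RUN_RE.match(body)
        command = run.group(3) if run else body
        if TEMP_RE.search(command):
            return "autostart from a Temp directory"
        # Only registry Run values are checked for a missing path.
        if run and "\\" not in command:
            return "autostart without a full path"
    if section == "O10":
        return "Winsock LSP file HijackThis does not recognise"
    return None


def triage(log_text):
    """Return (section, reason, body) for each distinct item that matches a rule."""
    findings, seen = [], set()
    for section, body in parse_items(log_text):
        key = (section, body.lower())
        if key in seen:  # repeated lines carry no extra information
            continue
        seen.add(key)
        reason = review_reason(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:<4}{reason:<48}{body}")
```

A match is a prompt to look the entry up, not a verdict, and entries that match no rule are not cleared by it.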
     
  3. jd_957

    jd_957 Banned

    Joined:
    Dec 30, 2004
    Messages:
    1,099
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click here to download L2mfix.

    Save the file to your desktop and double click l2mfix.exe. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
  5. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    Ok.....I don't know if this is going to be any good. I got an error message before it ran saying that it couldn't run it??? The new hijack this wouldn't run so can we start with the original that I sent you that is above?? What a mess.

    L2MFIX find log 1.02a
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\kt8ul7l91.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="America Online"
    "{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
    "{1697F9A2-6F53-4E48-ACA0-57070EA3DD73}"=""
    "{018B55AE-D773-48E5-AFDE-87B18ECFDA75}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{1697F9A2-6F53-4E48-ACA0-57070EA3DD73}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1697F9A2-6F53-4E48-ACA0-57070EA3DD73}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1697F9A2-6F53-4E48-ACA0-57070EA3DD73}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1697F9A2-6F53-4E48-ACA0-57070EA3DD73}\InprocServer32]
    @="C:\\WINDOWS\\system32\\MXDEX.DLL"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{018B55AE-D773-48E5-AFDE-87B18ECFDA75}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{018B55AE-D773-48E5-AFDE-87B18ECFDA75}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{018B55AE-D773-48E5-AFDE-87B18ECFDA75}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{018B55AE-D773-48E5-AFDE-87B18ECFDA75}\InprocServer32]
    @="C:\\WINDOWS\\system32\\LRCMP11n.DLL"
    "ThreadingModel"="Apartment"
     
  6. Roe727

    Roe727 Thread Starter

    Files Found are not all bad files:
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 1833-DDD3

    Directory of C:\WINDOWS\System32

    283 File(s) 62,879,254 bytes
    2 Dir(s) 18,193,874,944 bytes free
     
  7. Flrman1

    Flrman1

    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
     
  8. Roe727

    Roe727 Thread Starter

    It will not run it.....it just sits there and eventually starts putting UMonitor over and over...And I can get it to run a hijackthis but it comes up with an error at the end and I can't save it. Can you please tell me some things to do with the first hijackthis file to get started on this....???? Please help
     
  9. Roe727

    Roe727 Thread Starter

    k..I found an old version of hijackthis on the computer and ran it...here it is...better than nothing:
    Logfile of HijackThis v1.98.2
    Scan saved at 4:51:41 PM, on 2/5/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\WINDOWS\System32\nvdzzqrw.exe
    C:\WINDOWS\System32\EXPLORERZ.EXE
    C:\windows\180ax.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\documents and settings\susan zweig\local settings\temp\I4b.exe
    C:\documents and settings\susan zweig\local settings\temp\Tn.exe
    C:\WINDOWS\System32\winupdtl.exe
    C:\DOCUME~1\SUSANZ~1\LOCALS~1\Temp\ICD4.tmp\svcmm32.exe
    C:\WINDOWS\mmups.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\WINDOWS\jtnezabz.exe
    C:\Program Files\CSBB\CSv10P070.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\documents and settings\susan zweig\local settings\temp\tlixFF.exe
    C:\Program Files\Gkusccw\Yaallcd.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\WINDOWS\System32\kuiury.exe
    C:\Program Files\Bpt\bpt.exe
    C:\WINDOWS\System32\wys.exe
    C:\windows\system32\ueKxG.exe
    C:\windows\system32\4qXNTJ.exe
    C:\WINDOWS\newpop62.exe
    C:\WINDOWS\System32\ochv9i.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    C:\WINDOWS\System32\nvueers.exe
    C:\WINDOWS\System32\??ool32.exe
    C:\Documents and Settings\Susan Zweig\Application Data\eetu.exe
    C:\WINDOWS\System32\prutnct.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\WINDOWS\SYSTEM32\ueKxG.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\WINDOWS\System32\prutnct.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\COMMON~1\tsa\ts2.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Susan Zweig\Local Settings\Temp\gS2v.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [aahhkmhebqj] C:\WINDOWS\System32\nvdzzqrw.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Cxe0K.exe
    O4 - HKLM\..\Run: [Windows Explorer] EXPLORERZ.EXE
    O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [I4b] C:\documents and settings\susan zweig\local settings\temp\I4b.exe
    O4 - HKLM\..\Run: [Tn] C:\documents and settings\susan zweig\local settings\temp\Tn.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\SUSANZ~1\LOCALS~1\Temp\ICD4.tmp\svcmm32.exe" /startup
    O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvvbe32.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [C:\WINDOWS\jtnezabz.exe] C:\WINDOWS\jtnezabz.exe
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [pmlduc] C:\WINDOWS\System32\pmlduc.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [SStb.exe] SStb.exe
    O4 - HKLM\..\Run: [tlixFF] C:\documents and settings\susan zweig\local settings\temp\tlixFF.exe
    O4 - HKLM\..\Run: [DSgfKTf] C:\documents and settings\susan zweig\local settings\temp\DSgfKTf.exe
    O4 - HKLM\..\Run: [Okmwczw] C:\Program Files\Gkusccw\Yaallcd.exe
    O4 - HKLM\..\Run: [mhyjcx] C:\WINDOWS\mhyjcx.exe
    O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
    O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\SUSANZ~1\LOCALS~1\Temp\27.exe\27.exe"
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
    O4 - HKLM\..\Run: [Spool] "C:\WINDOWS\System32\wys.exe" /startup
    O4 - HKLM\..\Run: [ueKxG.exe] c:\windows\system32\ueKxG.exe
    O4 - HKLM\..\Run: [4qXNTJ] C:\windows\system32\4qXNTJ.exe
    O4 - HKLM\..\Run: [popuppers] C:\WINDOWS\newpop62.exe
    O4 - HKLM\..\Run: [oF9U3ng] ochv9i.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [second] C:\Documents and Settings\Susan Zweig\Desktop\l2mfix\second.bat
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKCU\..\Run: [Zoq8RhMnV] nvueers.exe
    O4 - HKCU\..\Run: [Lbsefvo] C:\WINDOWS\System32\??ool32.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Susan Zweig\Application Data\eetu.exe
    O4 - HKCU\..\Run: [prutnct] C:\WINDOWS\System32\prutnct.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [Windows Explorer] EXPLORERZ.EXE
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\5.bin\MWSOEMON.EXE
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\5.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm244XXUS
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.20/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bargain-buddy.net/cashback/cab/installer_ICMEDIAX.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...56fa9d809633:a4835914695e3eeec245bc6f8b5fbb1c
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {2FD74BEC-AA17-49C0-A74E-3B20BE946496} - http://www.cursorzone.com/toolbar/files/czone_bundle_p2.cab
    O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50043/QDow_AS2.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
    O21 - SSODL: WinTools - {ABEC834E-AD86-6496-9524-85347844E8DF} - C:\PROGRA~1\COMMON~1\ODBC.dll
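
One way to triage the O4 autostart lines of a HijackThis log like the one above, as an added example that is not part of the original thread or of HijackThis. It parses Run-key and Startup-folder entries and flags targets that load from a Temp directory, from a user profile, with no path, or that cannot be resolved. The sample lines are constructed in the log's layout, and the flag names and rules are assumptions of this example.

```python
import re
from dataclasses import dataclass
from ntpath import basename, dirname  # Windows path rules on any host OS
from typing import Optional

# Constructed sample lines in the HijackThis v1.98 layout; no entry is from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleDaemon] RUNDLL32.EXE C:\WINDOWS\System32\example.dll,Startup
O4 - HKLM\..\Run: [ExampleTemp] C:\documents and settings\user\local settings\temp\example1.exe
O4 - HKLM\..\Run: [ExampleShort] "C:\DOCUME~1\USER~1\LOCALS~1\Temp\example2.exe" /startup
O4 - HKLM\..\Run: [ExampleBare] example3.exe
O4 - HKCU\..\Run: [ExampleData] C:\Documents and Settings\user\Application Data\example4.exe
O4 - HKCU\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe" /background
O4 - Global Startup: Example Detect.lnk = ?
O4 - Global Startup: Example Tray.lnk = C:\Program Files\ExampleApp\tray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\example.dll
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
# Unquoted paths may contain spaces, so read up to the first executable extension.
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=[\s,]|$)", re.I)


@dataclass
class Entry:
    source: str            # e.g. "HKLM Run" or "Global Startup"
    name: str              # registry value name or shortcut name
    command: str           # raw command line or shortcut target
    image: Optional[str]   # file that would actually be loaded, if resolvable


def first_image(command):
    """Split a command line into (program, remaining arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return None, ""
        return command[1:end], command[end + 1:].strip()
    m = IMAGE_RE.match(command)
    if not m:
        return None, ""
    return m.group(1), command[m.end():].strip()


def target_image(command):
    """Return the file the entry loads; for rundll32 that is the DLL argument."""
    image, rest = first_image(command)
    if image and basename(image).lower() == "rundll32.exe" and rest:
        dll, _ = first_image(rest)
        return dll or image
    return image


def parse_o4(line):
    """Parse one O4 line (Run key or Startup folder); return None for other lines."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        return Entry(f"{hive} {key}", name, command, target_image(command))
    m = STARTUP_RE.match(line)
    if m:
        folder, name, target = m.groups()
        return Entry(folder, name, target, target_image(target))
    return None


def triage(entry):
    """Return triage flags (assumed rules of this example, not verdicts)."""
    if entry.image is None:
        return ["unresolved-target"]
    path = entry.image.lower()
    flags = []
    if not dirname(path):
        flags.append("no-path")        # resolved through the search path at logon
    if "\\temp\\" in path:
        flags.append("temp-dir")       # also matches the 8.3 form LOCALS~1\Temp
    elif "\\documents and settings\\" in path or "\\docume~1\\" in path:
        flags.append("user-profile")   # user-writable location
    return flags


def scan(log_text):
    """Parse every O4 line in a log and pair each entry with its flags."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [(e, triage(e)) for e in entries if e is not None]


if __name__ == "__main__":
    for entry, flags in scan(SAMPLE_LOG):
        print(f"{','.join(flags) or 'ok':18} {entry.source:15} [{entry.name}] {entry.image}")
```

A flag only marks an entry for a closer look, since legitimate software also starts from bare filenames and profile paths.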
     
  10. Flrman1

    Flrman1

    What wouldn't work? L2mFix or Hijack This?
     
  11. Roe727

    Roe727 Thread Starter

    L2mfix....but neither would the new HijackThis...The post I gave you is from an older version, but I think until I get rid of some of this it is all I have.
     
  12. Flrman1

    Flrman1

    You have a vx2 infection that will keep reinstalling much of the other malware that is in your log so it is pretty much a waste of time to try fixing anything else in the log before we fix VX2. You need to try this again:
    As many files as L2MFix showed in the log you posted, it will probably take it a while to complete so have some patience and let it run until it completes.

    If it still doesn't work, we can try a manual removal method that is very time consuming and a pain in the butt.
     
  13. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    Ok...I will try it again...why do you think it runs umonitor forever????
     
  14. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    I have yet another error that is coming up
    C:\Windows\system32\cmd.exe
    killing explorer and rundll32.exe
    The system cannot find the file specified
    The system cannot find the file specified
    could not find C:\Documents and settings\susan zweig\desktop\l2mfix\shell.reg
    Scanning first pass. Please wait.
    second pass scanning
    umonitor
    umonitor
    umonitor....and it just continues doing that
    second pass completed

    and then it is just sitting...I have to go out for a bit...let me know your thoughts on this....



    But I can start it fine in Safe Mode, so I went in and started the L2mFix and I'm seeing what happens. I am so frustrated, I hope you can help with this. I didn't realize how messed up it was...Nope won't do anything past that in regular mode....NOW what....
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Click here to download Find It NT-2K-XP.zip.

    Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

    Click here to download DLLCompare.exe.

    Save it to your desktop.

    Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the Compare button.

    It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
    In a few minutes it will complete, then you will see in blue "Completed".
    Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

    Also Click Here and download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here too. If it doesn't open the log in notepad then just copy it from the Window where the info is displayed in VX2Finder.

    After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.
     