
Solved: l2m help needed please

Discussion in 'Virus & Other Malware Removal' started by imhungry, Jan 13, 2006.

  1. imhungry

    imhungry Thread Starter

    Joined:
    Jan 13, 2006
    Messages:
    63
    Well, I browsed around the forums before posting and found out I have the L2M adware problem. I downloaded and ran the l2mfix.bat and followed the first instructions to get the
    report. Here's what I got (a HijackThis log is also included after the l2mfix report):

    L2MFIX find log 010406
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\mvj2l91o1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddabb]
    "Asynchronous"=dword:00000001
    "DllName"="C:\\WINDOWS\\System32\\ddabb.dll"
    "Impersonate"=dword:00000000
    "Startup"="SysLogon"
    "Logoff"="SysLogoff"

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{0176E938-FA30-AE8B-599A-B0846D890C61}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{C0BF66AC-0B9E-4609-94EB-E51F752035C3}"=""
    "{795951C1-0D85-4D3C-9C9F-E7C920D4F842}"=""
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{C0BF66AC-0B9E-4609-94EB-E51F752035C3}]
    @=""
    "IDEx"="ADDR"

    [HKEY_CLASSES_ROOT\CLSID\{C0BF66AC-0B9E-4609-94EB-E51F752035C3}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C0BF66AC-0B9E-4609-94EB-E51F752035C3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C0BF66AC-0B9E-4609-94EB-E51F752035C3}\InprocServer32]
    @="C:\\WINDOWS\\system32\\qgdwipes.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{795951C1-0D85-4D3C-9C9F-E7C920D4F842}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{795951C1-0D85-4D3C-9C9F-E7C920D4F842}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{795951C1-0D85-4D3C-9C9F-E7C920D4F842}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{795951C1-0D85-4D3C-9C9F-E7C920D4F842}\InprocServer32]
    @="C:\\WINDOWS\\system32\\tbkwks.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    ddabb.dll Fri Jan 13 2006 1:04:50p ..SH. 565,300 552.05 K
    divx.dll Wed Dec 7 2005 9:05:52a A.... 573,952 560.50 K
    divx_x~1.dll Wed Dec 7 2005 9:05:50a A.... 679,936 664.00 K
    divx_x~2.dll Wed Dec 7 2005 9:05:50a A.... 679,936 664.00 K
    divx_x~3.dll Wed Dec 7 2005 9:05:50a A.... 663,552 648.00 K
    dpl100.dll Thu Oct 27 2005 11:37:46a A.... 86,016 84.00 K
    dpu10.dll Thu Oct 27 2005 11:37:44a A.... 294,912 288.00 K
    dpu11.dll Thu Oct 27 2005 11:37:44a A.... 294,912 288.00 K
    dpugui10.dll Thu Oct 27 2005 11:37:48a A.... 53,248 52.00 K
    dpugui11.dll Thu Oct 27 2005 11:37:46a A.... 593,920 580.00 K
    dpus11.dll Thu Oct 27 2005 11:37:44a A.... 339,968 332.00 K
    dpv11.dll Thu Oct 27 2005 11:37:44a A.... 57,344 56.00 K
    dtu100.dll Thu Oct 27 2005 11:37:44a A.... 200,704 196.00 K
    gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K
    gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K
    gppul3~1.dll Fri Jan 13 2006 8:30:36p ..S.R 235,830 230.30 K
    gwfspi~1.dll Fri Nov 4 2005 4:27:18p A.... 23,304 22.76 K
    hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K
    legitc~1.dll Fri Nov 4 2005 4:27:24p A.... 534,280 521.76 K
    rtlcpapi.dll Wed Dec 7 2005 1:54:00p A.... 135,168 132.00 K
    s32evnt1.dll Tue Jan 3 2006 3:31:44p A.... 91,904 89.75 K
    vsdata.dll Tue Nov 15 2005 12:50:30a A.... 83,720 81.76 K
    vsinit.dll Tue Nov 15 2005 12:50:42a A.... 141,064 137.76 K
    vsmonapi.dll Tue Nov 15 2005 12:50:52a A.... 104,208 101.77 K
    vspubapi.dll Tue Nov 15 2005 12:50:56a A.... 227,088 221.77 K
    vsregexp.dll Tue Nov 15 2005 12:51:00a A.... 71,440 69.77 K
    vsutil.dll Tue Nov 15 2005 12:51:12a A.... 382,728 373.76 K
    vsxml.dll Tue Nov 15 2005 12:51:20a A.... 100,104 97.76 K
    vtsqo.dll Thu Jan 12 2006 4:17:54p ..SH. 36,877 36.01 K
    wrlogo~1.dll Wed Nov 9 2005 11:45:56a A.... 492,544 481.00 K
    wrlzma.dll Wed Nov 9 2005 11:45:52a A.... 17,920 17.50 K
    zgdqhkml.dll Fri Dec 23 2005 5:11:34a A.... 139,264 136.00 K
    zlcomm.dll Tue Nov 15 2005 12:51:40a A.... 79,624 77.76 K
    zlcommdb.dll Tue Nov 15 2005 12:51:44a A.... 71,440 69.77 K

    34 items found: 34 files (3 H/S), 0 directories.
    Total of file sizes: 8,392,311 bytes 8.00 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 7C1A-4622

    Directory of C:\WINDOWS\System32

    13/01/2006 08:42 PM 93,591 bbadd.ini
    13/01/2006 08:30 PM 235,830 gppul3791.dll
    13/01/2006 08:29 PM <DIR> dllcache
    13/01/2006 01:05 PM 90,173 bbadd.bak1
    13/01/2006 01:04 PM 565,300 ddabb.dll
    12/01/2006 04:42 PM 32 {681484FE-2C01-4205-80F4-F70EEEE34F01}.dat
    12/01/2006 04:18 PM <DIR> Microsoft
    12/01/2006 04:17 PM 36,877 vtsqo.dll
    23/12/2005 05:12 AM 405,504 ??ool32.exe
    7 File(s) 1,427,307 bytes
    2 Dir(s) 73,885,827,072 bytes free
    __________________________________________________________________________
    HJT report:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:54:00 PM, on 13/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddabb.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\RunServices: [firewallxp service] winxpfwl.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137123803165
    O17 - HKLM\System\CCS\Services\Tcpip\..\{009CAC62-1CAF-410F-9282-9CAFB891D8AF}: NameServer = 207.236.176.26 206.47.244.89
    O17 - HKLM\System\CS1\Services\Tcpip\..\{009CAC62-1CAF-410F-9282-9CAFB891D8AF}: NameServer = 207.236.176.26 206.47.244.89
    O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\mvj2l91o1.dll (file missing)
    O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINDOWS\rund1132.exe (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Thank you very much for your replies and help.
    Edit: also I scanned with ewido security, Microsoft AntiSpyware, Spybot S&D 1.4 and AVG
    (I scanned with Spy Sweeper but registration was required for removal).
    ewido security found many infections and I chose to remove them all, but every time I
    restarted, another L2M file would be found when I scanned.
    Please help me.
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

    If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    You do have several other problems including Vundo/Conhook as well, but let's attempt to kill VX2 first.
     
  4. imhungry

    imhungry Thread Starter

    Thanks for the reply dvk01, but today I brought my computer to Staples and got it scanned.
    It was costly, but now it is completely clean. Thanks a lot for replying though.
     
  5. imhungry

    imhungry Thread Starter

    Although I got it scanned, I wanted to be completely sure that my computer truly is clean.
    So here's a HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:22:47 PM, on 15/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddabb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINDOWS\rund1132.exe (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Hopefully Staples did a proper scan. Thanks for the replies.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Well, they haven't done a very good job.
    It is still infected.

    it will take a few stages to fix

    first

    Run VundoFix and click Scan for Vundo
    Click Remove Vundo, and choose Yes when prompted to remove files
    Your Desktop will disappear for a moment
    Click OK when prompted to shutdown your computer
    Turn your computer back on. Post the contents of C:\vundofix.txt as well as a new HijackThis log

    before you post back

    when I see this entry
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    it normally means that some start ups have been disabled using MSconfig

    open msconfig and enable EVERYTHING on the start up tab and on the general tab select normal start up, reboot & post a new full hijackthis log so we can check

    there will be some more to fix

    I would advise printing out all these posts so you can complain to "staples" and get your money back as they haven't cleaned it properly
     
  7. imhungry

    imhungry Thread Starter

    Joined:
    Jan 13, 2006
    Messages:
    63
    I ran VundoFix last night (downloaded from Symantec) and it said that there was no
    infection on my computer, so should I run a scan in safe mode?

    Also, the start ups were disabled after I brought my computer back from Staples (aka Business Depot) and I told them to scan and remove virus/spyware, so they must've followed
    my instructions very specifically...

    I'll enable the start ups and post a new HJT log after I come home from classes. Thanks dvk.
    PS: I ran a scan with Spy Sweeper and it found these infections: L2M, Virtumonde, command
    and purityscanner. They're all ad-ware by the way, and how do I remove them with Spy
    Sweeper? It says to buy/activate it, but no removal choice...
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    You must have the scan only trial of spysweeper

    uninstall it & reboot

    use the vundofix I gave you to use above & then post a new HJT log so we can see
     
  9. imhungry

    imhungry Thread Starter

    Joined:
    Jan 13, 2006
    Messages:
    63
    Alright, I used the VundoFix you posted and it found infected files. After the reboot, I did the
    scan again and this time it found 2 files (ddabb.dll and bbadd.ini) which I'm guessing are
    "the ones that won't delete." Also I re-enabled all the Windows processes in msconfig and ran
    HJT. Here's the log:
    Logfile of HijackThis v1.99.1
    Scan saved at 4:38:32 PM, on 16/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddabb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [firewallxp service] winxpfwl.exe
    O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINDOWS\rund1132.exe (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Also in msconfig, I noticed a process called w3.exe; I recall that I saw it as a virus of some
    sort so I left it disabled. And after enabling everything, I noticed that my computer speed
    became a bit slower (the mouse "stuttering" and games "flinching"). Will the speed be fixed
    after this removal process? Thank you very much for your continuing help dvk.
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Let's fix what we can see.
    First, re-run the VundoFix and post the log it makes.
    Next, if you only have the scan-only version of Spy Sweeper, uninstall it from Add/Remove Programs in Control Panel


    next

    We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. It can be enabled when you're clean.

    Open Microsoft AntiSpyware by double-clicking its icon in the system tray, click on real time protection and on the left a screen will appear, select each of the agents in turn and press deactivate
    then
    Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    go to start/run and type services.msc press OK
    when the screen opens scroll down to windows dll service right click and select properties and then on that page press stop service and then set the start up type to disabled, press ok a few times to get back to windows

    be very careful to get the right one as there are several similar named ones there

    repeat for

    Service Hosts

    now open HJT press config/misc tools and select delete an NT service

    paste this into the box & press OK

    dll service

    repeat for
    ServiceHost

    then

    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddabb.dll

    O4 - HKLM\..\Run: [firewallxp service] winxpfwl.exe
    O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe

    O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe

    O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll

    O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINDOWS\rund1132.exe (file missing)
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)



    now Start killbox, go to options on the top bar and make sure remove directories is enabled and remove duplicates is UNCHECKED paste the first file listed below into the full pathname and file to delete box

    The file name will appear in the window, select delete on reboot, press the red X button, say yes to the prompt and NO to reboot now, then repeat for each file in turn

    [Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox ] If Killbox tells you any files are missing don't worry but make a note and let us know in your next reply

    C:\WINDOWS\System32\ddabb.dll
    C:\WINDOWS\shost.exe
    C:\WINDOWS\rund1132.exe
    C:\windows\banmanpro.exe
    C:\windows\enewsletterpro.exe
    C:\WINDOWS\System32\winxpfwl.exe

    Then on killbox top bar press tools/delete temp files, in the pop up box in the NT section select temp & temp internet & cookies only and in the 9x section select c:\windows\temp & c:\temp then on the drop down user account box, select your account, then repeat for every user account on the computer

    then reboot &

    • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!

    Reboot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Double-click WinPFind.exe
    • Click " Configure Scan Options"
    • Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
    • Now Click "Start Scan"
    • It will scan the entire System, so please be patient!
    • Once the Scan is Complete
      • Reboot back to Normal Mode!
      • Go to the WinPFind folder
      • Locate WinPFind.txt
      • Place those results in the next post! It will be too big to post so you will need to attach it to your reply

    and post a new HJT log
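    The triage dvk01 does by eye in the post above can be scripted as a first pass: the same DLL appearing in an O2 BHO line and an O20 Winlogon Notify line (the Vundo/L2M pairing, ddabb.dll here), O23 services whose image file HJT reports as missing (the two orphan services he has stopped, disabled and deleted), and O4 Run entries with no directory at all or dropped straight into the Windows root (winxpfwl.exe, banmanpro.exe, enewsletterpro.exe). The script below is an added example written for this page, not code from the thread or from HijackThis; the sample lines are copied from the log posted earlier, and the heuristics, function names and the lowercased-path comparison are this example's own choices.

```python
"""First-pass triage of HijackThis (HJT) log lines.

Added example for this thread; not part of HijackThis. It scripts the
cross-checks a malware specialist does by eye: a DLL registered both as a
BHO (O2) and as a Winlogon Notify handler (O20), services (O23) whose
image file is missing, and Run entries (O4) in suspicious locations.
"""
import re

# Constructed sample: lines copied from the HJT log posted earlier in the thread.
SAMPLE_LOG = r"""
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddabb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [firewallxp service] winxpfwl.exe
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINDOWS\rund1132.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
"""

MISSING = " (file missing)"
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^Service: (.*) \(([^()]*)\)$")


def _norm(target):
    """Split off HJT's '(file missing)' marker, drop quotes/arguments, lowercase."""
    missing = target.endswith(MISSING)
    if missing:
        target = target[: -len(MISSING)]
    target = target.strip()
    if target.startswith('"'):          # quoted image path, possibly followed by args
        target = target[1:].split('"', 1)[0]
    else:                               # unquoted: drop a trailing " /switch ..."
        target = re.sub(r"\s+/.*$", "", target)
    return target.lower(), missing


def parse_hjt(text):
    """Parse the O2, O4, O20 and O23 lines into dicts; other line types are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO: "):
            _, name, clsid, target = line.split(" - ", 3)
            path, missing = _norm(target)
            entries.append({"kind": "O2", "name": name[len("BHO: "):],
                            "clsid": clsid, "path": path, "missing": missing})
        elif line.startswith("O4 - "):
            m = O4_RE.match(line[len("O4 - "):])
            if m:                       # only HKLM/HKCU Run keys; Global Startup is skipped
                hive, name, cmd = m.groups()
                path, missing = _norm(cmd)
                entries.append({"kind": "O4", "hive": hive, "name": name,
                                "path": path, "missing": missing})
        elif line.startswith("O20 - Winlogon Notify: "):
            _, name, target = line.split(" - ", 2)
            path, missing = _norm(target)
            entries.append({"kind": "O20", "name": name[len("Winlogon Notify: "):],
                            "path": path, "missing": missing})
        elif line.startswith("O23 - Service: "):
            _, svc, owner, target = line.split(" - ", 3)
            m = O23_RE.match(svc)
            if m:
                display, short = m.groups()
                path, missing = _norm(target)
                entries.append({"kind": "O23", "display": display, "short": short,
                                "owner": owner, "path": path, "missing": missing})
    return entries


def triage(entries):
    """Return the review candidates a specialist would pull from the log."""
    by_kind = {}
    for e in entries:
        by_kind.setdefault(e["kind"], []).append(e)
    bho_paths = {e["path"] for e in by_kind.get("O2", [])}
    # Same DLL as a BHO and as a Winlogon Notify handler: the pairing fixed in the thread.
    paired = sorted(e["path"] for e in by_kind.get("O20", []) if e["path"] in bho_paths)
    # Services whose image is gone: the orphan O23 entries to stop, disable and delete.
    orphan_services = sorted(e["short"] for e in by_kind.get("O23", []) if e["missing"])
    # Run entries with no directory, or sitting directly in the Windows root.
    # Candidates only: SOUNDMAN.EXE lands here and is legitimate, so a human vets each.
    bare = sorted(e["path"] for e in by_kind.get("O4", []) if "\\" not in e["path"])
    windir_root = sorted(e["path"] for e in by_kind.get("O4", [])
                         if re.match(r"^c:\\windows\\[^\\]+$", e["path"]))
    return {"paired_bho_notify": paired, "orphan_services": orphan_services,
            "bare_run": bare, "windir_root_run": windir_root}


if __name__ == "__main__":
    for key, hits in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}: {hits}")
```

    The output is a candidate list, not a verdict: SOUNDMAN.EXE shows up under bare_run alongside winxpfwl.exe, and the moderator leaves it alone because it is Realtek's audio tray applet, so every flagged entry still gets checked by someone who knows what belongs on the machine. The BHO/Winlogon Notify pairing and the "(file missing)" services are the high-confidence findings; the O4 location heuristics only narrow down what to look at first.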
     
  11. imhungry

    imhungry Thread Starter

    Joined:
    Jan 13, 2006
    Messages:
    63
    Alright, here's the new HJT log after the scan:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:52:23 PM, on 16/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\ddabb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --------------------------------------------------------------------------------------
    and here's the WinPFind log:
    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...
    qoologic 13/01/2006 3:02:02 PM 11886785 C:\AVG7QT.DAT
    urllogic 13/01/2006 3:02:02 PM 11886785 C:\AVG7QT.DAT

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    PEC2 18/08/2001 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PEC2 07/12/2005 9:05:52 AM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
    PECompact2 07/12/2005 9:05:52 AM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
    UPX! 13/01/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
    PECompact2 04/01/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 04/01/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 03/08/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 03/08/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    UPX! 20/01/2005 1:47:50 PM 175616 C:\WINDOWS\SYSTEM32\strings.exe
    winsync 18/08/2001 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

    Checking %System%\Drivers folder and sub-folders...
    UPX! 13/01/2006 3:00:38 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    FSG! 13/01/2006 3:00:38 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PEC2 13/01/2006 3:00:38 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    aspack 13/01/2006 3:00:38 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PTech 03/08/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

    qoologic 13/01/2006 8:34:28 PM 1581 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak
    urllogic 13/01/2006 8:34:28 PM 1581 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak

    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    16/01/2006 7:22:38 PM S 2048 C:\WINDOWS\bootstat.dat
    12/01/2006 6:27:36 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
    12/01/2006 4:42:02 PM HS 32 C:\WINDOWS\{A6D91FDF-37C4-4715-B2A5-6E8F5CDAE1B8}.dat
    12/01/2006 6:27:42 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
    12/01/2006 6:28:14 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
    12/01/2006 7:44:04 PM H 0 C:\WINDOWS\inf\oem2.inf
    12/01/2006 6:27:42 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
    12/01/2006 6:27:56 PM RHS 242478 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
    12/01/2006 6:27:56 PM RHS 19959 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
    12/01/2006 6:27:56 PM RHS 727 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
    13/01/2006 6:12:40 PM RHS 286777 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
    12/01/2006 5:43:46 PM H 8 C:\WINDOWS\PCHEALTH\UploadLB\Queue\upload_library.db
    12/01/2006 6:28:38 PM H 233472 C:\WINDOWS\repair\ntuser.dat
    16/01/2006 5:37:56 PM HS 383794 C:\WINDOWS\system32\bbadd.bak2
    16/01/2006 7:30:54 PM HS 385350 C:\WINDOWS\system32\bbadd.ini
    12/01/2006 6:27:36 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
    12/01/2006 6:27:42 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
    12/01/2006 6:27:36 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
    12/01/2006 6:27:36 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
    12/01/2006 6:27:36 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
    16/01/2006 4:37:36 PM H 35870 C:\WINDOWS\system32\vsconfig.xml
    12/01/2006 4:17:54 PM HS 36877 C:\WINDOWS\system32\vtsqo.dll
    12/01/2006 6:27:42 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
    12/01/2006 6:27:36 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
    12/01/2006 5:53:50 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
    12/01/2006 4:42:02 PM HS 32 C:\WINDOWS\system32\{681484FE-2C01-4205-80F4-F70EEEE34F01}.dat
    23/12/2005 5:12:18 AM RHS 405504 C:\WINDOWS\system32\??ool32.exe
    30/11/2005 8:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
    01/12/2005 4:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
    02/01/2006 3:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
    23/12/2005 1:13:00 AM S 459991 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CAT
    16/01/2006 7:22:44 PM H 12288 C:\WINDOWS\system32\config\default.LOG
    16/01/2006 7:22:56 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    16/01/2006 7:22:40 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
    16/01/2006 7:23:50 PM H 1024 C:\WINDOWS\system32\config\software.LOG
    16/01/2006 7:23:08 PM H 1024 C:\WINDOWS\system32\config\system.LOG
    12/01/2006 10:10:42 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
    12/01/2006 10:10:42 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
    13/01/2006 2:39:10 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    12/01/2006 10:11:56 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
    13/01/2006 7:28:20 PM S 19877 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
    13/01/2006 7:28:20 PM S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
    13/01/2006 6:23:14 PM S 7652 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
    13/01/2006 7:28:20 PM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
    13/01/2006 7:28:20 PM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
    13/01/2006 6:23:14 PM S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
    12/01/2006 10:11:56 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
    12/01/2006 6:27:58 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
    12/01/2006 6:27:58 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
    12/01/2006 6:27:58 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
    12/01/2006 6:27:58 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
    12/01/2006 6:27:58 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\552ZS9FL\desktop.ini
    12/01/2006 6:27:58 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6YOXDHI3\desktop.ini
    12/01/2006 6:27:58 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K74QNZLC\desktop.ini
    12/01/2006 6:27:58 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O71DO2PI\desktop.ini
    12/01/2006 6:27:44 PM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
    12/01/2006 10:11:56 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
    12/01/2006 6:28:36 PM HS 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
    12/01/2006 6:28:36 PM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
    12/01/2006 6:28:36 PM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
    12/01/2006 6:28:36 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
    12/01/2006 6:28:36 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
    12/01/2006 6:32:44 PM HS 226304 C:\WINDOWS\system32\DirectX\Dinput\Thumbs.db
    12/01/2006 5:44:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\47d4119d-2524-4f6a-8aab-e6eb68ed665d
    12/01/2006 5:44:02 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
    12/01/2006 4:18:28 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\cb277b03-0be8-4ac6-8a45-205c52f44683
    12/01/2006 4:18:28 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    16/01/2006 7:21:44 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 03/08/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Realtek Semiconductor Corp. 16/12/2005 2:19:00 PM 18776064 C:\WINDOWS\SYSTEM32\alsndmgr.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Intel Corporation 21/06/2005 4:46:18 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Microsoft Corporation 18/08/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 18/08/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 18/08/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 03/08/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 18/08/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 18/08/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 18/08/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Realtek Semiconductor Corp. 20/09/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\ALSNDMGR.CPL

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    12/01/2006 6:28:36 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    12/01/2006 6:49:34 PM 1672 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    12/01/2006 10:11:56 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

    Checking files in %USERPROFILE%\Startup folder...
    12/01/2006 6:28:36 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    12/01/2006 10:11:56 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    {C0BF66AC-0B9E-4609-94EB-E51F752035C3} = C:\WINDOWS\system32\qgdwipes.dll
    {795951C1-0D85-4D3C-9C9F-E7C920D4F842} = C:\WINDOWS\system32\tbkwks.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
     
  12. imhungry

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9}
    ATLDistrib Object = C:\WINDOWS\System32\ddabb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    SoundMan SOUNDMAN.EXE
    Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    Motive SmartBridge C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    IMJPMIG8.1 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    IgfxTray C:\WINDOWS\System32\igfxtray.exe
    HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
    ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    AlcxMonitor ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
    MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Services
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item w3
    hkey HKLM
    command C:\w3.exe
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 2
    services 0
    startup 2


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddabb
    = C:\WINDOWS\System32\ddabb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    <<<<<<<<<< Checking for AddOn Monitors.def information >>>>>>>>>>
    Parameter line : regkey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors;;
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors found!

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\BJ Language Monitor
    Driver cnbjmon.dll


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port
    Driver localspl.dll


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PJL Language Monitor
    Driver pjlmon.dll
    EOJTimeout 60000


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port
    Driver tcpmon.dll


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports
    StatusUpdateInterval 10
    StatusUpdateEnabled 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor
    Driver usbmon.dll



    <<<<<<<<<< Checking for AddOn OpenCommand.def information >>>>>>>>>>
    >>>>>>>>>> Exporting Shell Open\Command entries
    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command found!
    "%1" %*

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command found!
    "%1" %*

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command found!
    "%1" %*

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command found!
    "%1" %*

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command found!
    regedit.exe "%1"

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command found!
    "%1" /S

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command found!

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command found!
    "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command found!
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command found!
    "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command found!
    "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"

    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command;;
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command found!


    <<<<<<<<<< Checking for AddOn Policies.def information >>>>>>>>>>

    <<<<<<<<<< Checking for AddOn Qoologic.def information >>>>>>>>>>
    >>>>>>>>>> Search by size and name
    >>>>>>>>>> Files found by this method are not necessarily bad
    >>>>>>>>>> Example PNGFILT.DLL is a windows file
    Parameter line : file=%sysdir%;*.exe;150;61952;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 61952 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;150;7680;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 7680 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;150;91648;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 91648 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;150;81920;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 81920 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;150;7168;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 7168 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;150;65536;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 65536 bytes was not found!
    Parameter line : file=%sysdir%;redit.cpl;;;;;
    File C:\WINDOWS\SYSTEM32\redit.cpl was not found!
    Parameter line : file=%sysdir%;conres.cpl;;;;;
    File C:\WINDOWS\SYSTEM32\conres.cpl was not found!
    Parameter line : file=%sysdir%;datadx.dll;;;;;
    File C:\WINDOWS\SYSTEM32\datadx.dll was not found!
    Parameter line : file=%sysdir%;*.dll;150;10240;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 10240 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;46080;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 46080 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;34816;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 34816 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;16384;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 16384 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;29184;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 29184 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;26624;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 26624 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;9728;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 9728 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;10843;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 10843 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;18432;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 18432 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;23040;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 23040 bytes was not found!
    Parameter line : file=%sysdir%;*.dll;150;17920;;;
    File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 17920 bytes was not found!
    Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
    File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
    >>>>>>>>>> Misc Checks
    Parameter line : file=%sysdir%;*.dat;150;81920;;;
    File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 81920 bytes was not found!
    Parameter line : file=%sysdir%;*.dat;150;61952;;;
     
  13. imhungry

    File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 61952 bytes was not found!
    Parameter line : file=%sysdir%;*.dat;150;65536;;;
    File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 65536 bytes was not found!
    Parameter line : file=%sysdir%;*.dat;150;7680;;;
    File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 7680 bytes was not found!
    Parameter line : file=%sysdir%;*.dat;150;91648;;;
    File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 91648 bytes was not found!
    Parameter line : file=%sysdir%;*.dat;150;7168;;;
    File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 7168 bytes was not found!
    Parameter line : file=%windir%;*.dll;150;10843;;;
    File C:\WINDOWS\*.dll for today - 150 days with a size of 10843 bytes was not found!
    Parameter line : file=%windir%;*.dll;150;3950;;;
    File C:\WINDOWS\*.dll for today - 150 days with a size of 3950 bytes was not found!
    Parameter line : file=%windir%;*.dll;150;3943;;;
    File C:\WINDOWS\*.dll for today - 150 days with a size of 3943 bytes was not found!

    <<<<<<<<<< Checking for AddOn RDriv.def information >>>>>>>>>>
    Registry Entries
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center;;
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center found!
    UpdatesDisableNotify 0
    AntiVirusDisableNotify 1
    FirewallDisableNotify 0
    AntiVirusOverride 0
    FirewallOverride 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus
    DisableMonitoring 1
    DisableMonitoring 1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall
    DisableMonitoring 1
    DisableMonitoring 1

    Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Updates;;
    HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Updates not found!
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center AntiVirus;;
    HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center AntiVirus not found!
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Firewall;;
    HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Firewall not found!
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\OLE;;
    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE found!
    EnableDCOM N

    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat

    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat\ActivationSecurityCheckExemptionList
    {A50398B8-9075-4FBF-A7A1-456BF21937AD} 1
    {AD65A69D-3831-40D7-9629-9B0B50A93843} 1
    {0040D221-54A1-11D1-9DE0-006097042D69} 1
    {2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} 1

    Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv;;
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv not found!
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic;;
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic not found!
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC;;
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC not found!
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV;;
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV not found!
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate;;
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate found!
    DoNotAllowXPSP2 0

    Parameter line : RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall;;
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall found!

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall 0


    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall 0


    Parameter line : RegKey=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters;;
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters found!
    autodisconnect 15
    enableforcedlogoff 1
    enablesecuritysignature 0
    requiresecuritysignature 0
    Lmannounce 0
    Size 1
    Guid ga‰œžL·|1Eb_
    
    AutoShareWks 0
    AutoShareServer 0
    CachedOpenLimit 0
    AdjustedNullSessionPipes 1
    Parameter line : RegKey=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters;;
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters found!
    enableplaintextpassword 0
    enablesecuritysignature 1
    requiresecuritysignature 0
    AutoShareWks 0
    AutoShareServer 0

    Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions;;
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions found!

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    {00022613-0000-0000-C000-000000000046} Multimedia File Property Sheet
    {176d6597-26d3-11d1-b350-080036a75b03} ICM Scanner Management
    {1F2E5C40-9550-11CE-99D2-00AA006E086C} NTFS Security Page
    {3EA48300-8CF6-101B-84FB-666CCB9BCD32} OLE Docfile Property Page
    {40dd6e20-7c17-11ce-a804-00aa003ca9f6} Shell extensions for sharing
    {41E300E0-78B6-11ce-849B-444553540000} PlusPack CPL Extension
    {42071712-76d4-11d1-8b24-00a0c9068ff3} Display Adapter CPL Extension
    {42071713-76d4-11d1-8b24-00a0c9068ff3} Display Monitor CPL Extension
    {42071714-76d4-11d1-8b24-00a0c9068ff3} Display Panning CPL Extension
    {4E40F770-369C-11d0-8922-00A024AB2DBB} DS Security Page
    {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} Compatibility Page
    {56117100-C0CD-101B-81E2-00AA004AE837} Shell Scrap DataHandler
    {59099400-57FF-11CE-BD94-0020AF85B590} Disk Copy Extension
    {59be4990-f85c-11ce-aff7-00aa003ca9f6} Shell extensions for Microsoft Windows Network objects
    {5DB2625A-54DF-11D0-B6C4-0800091AA605} ICM Monitor Management
    {675F097E-4C4D-11D0-B6C1-0800091AA605} ICM Printer Management
    {764BF0E1-F219-11ce-972D-00AA00A14F56} Shell extensions for file compression
    {77597368-7b15-11d0-a0c2-080036af3f03} Web Printer Shell Extension
    {7988B573-EC89-11cf-9C00-00AA00A14F56} Disk Quota UI
    {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Encryption Context Menu
    {85BBD920-42A0-1069-A2E4-08002B30309D} Briefcase
    {88895560-9AA2-1069-930E-00AA0030EBC8} HyperTerminal Icon Ext
    {BD84B380-8CA2-1069-AB1D-08000948F534} Fonts
    {DBCE2480-C732-101B-BE72-BA78E9AD5B27} ICC Profile
    {F37C5810-4D3F-11d0-B4BF-00AA00BBB723} Printers Security Page
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} Shell extensions for sharing
    {f92e8c40-3d33-11d2-b1aa-080036a75b03} Display TroubleShoot CPL Extension
    {7444C717-39BF-11D1-8CD9-00C04FC29D45} Crypto PKO Extension
    {7444C719-39BF-11D1-8CD9-00C04FC29D45} Crypto Sign Extension
    {7007ACC7-3202-11D1-AAD2-00805FC1270E} Network Connections
    {992CFFA0-F557-101A-88EC-00DD010CCC48} Network Connections
    {E211B736-43FD-11D1-9EFB-0000F8757FCD} Scanners & Cameras
    {FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} Scanners & Cameras
    {905667aa-acd6-11d2-8080-00805f6596d2} Scanners & Cameras
    {3F953603-1008-4f6e-A73A-04AAC7A992F1} Scanners & Cameras
    {83bbcbf3-b28a-4919-a5aa-73027445d672} Scanners & Cameras
    {F0152790-D56E-4445-850E-4F3117DB740C} Remote Sessions CPL Extension
    {5F327514-6C5E-4d60-8F16-D07FA08A78ED} Auto Update Property Sheet Extension
    {60254CA5-953B-11CF-8C96-00AA00B8708C} Shell extensions for Windows Script Host
    {2206CDB2-19C1-11D1-89E0-00C04FD7A829} Microsoft Data Link
    {DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} Tasks Folder Icon Handler
    {797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} Tasks Folder Shell Extension
    {D6277990-4C6A-11CF-8D87-00AA0060F5BF} Scheduled Tasks
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} Taskbar and Start Menu
    {2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} Search
    {2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} Help and Support
    {2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} Help and Support
    {2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} Run...
    {2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} Internet
    {2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} E-mail
    {D20EA4E1-3957-11d2-A40B-0C5020524152} Fonts
    {D20EA4E1-3957-11d2-A40B-0C5020524153} Administrative Tools
    {875CB1A1-0F29-45de-A1AE-CFB4950D0B78} Audio Media Properties Handler
    {40C3D757-D6E4-4b49-BB41-0E5BBEA28817} Video Media Properties Handler
    {E4B29F9D-D390-480b-92FD-7DDB47101D71} Wav Properties Handler
    {87D62D94-71B3-4b9a-9489-5FE6850DC73E} Avi Properties Handler
    {A6FD9E45-6E44-43f9-8644-08598F5A74D9} Midi Properties Handler
    {c5a40261-cd64-4ccf-84cb-c394da41d590} Video Thumbnail Extractor
    {5E6AB780-7743-11CF-A12B-00AA004AE837} Microsoft Internet Toolbar
    {22BF0C20-6DA7-11D0-B373-00A0C9034938} Download Status
    {91EA3F8B-C99B-11d0-9815-00C04FD91972} Augmented Shell Folder
    {6413BA2C-B461-11d1-A18A-080036B11A03} Augmented Shell Folder 2
    {F61FFEC1-754F-11d0-80CA-00AA005B4383} BandProxy
    {7BA4C742-9E81-11CF-99D3-00AA004AE837} Microsoft BrowserBand
    {30D02401-6A81-11d0-8274-00C04FD5AE38} Search Band
    {32683183-48a0-441b-a342-7c2a440a9478} Media Band
    {169A0691-8DF9-11d1-A1C4-00C04FD75D13} In-pane search
    {07798131-AF23-11d1-9111-00A0C98BA67D} Web Search
    {AF4F6510-F982-11d0-8595-00AA004CD6D8} Registry Tree Options Utility
    {01E04581-4EEE-11d0-BFE9-00AA005B4383} &Address
    {A08C11D2-A228-11d0-825B-00AA005B4383} Address EditBox
    {00BB2763-6A77-11D0-A535-00C04FD7D062} Microsoft AutoComplete
    {7376D660-C583-11d0-A3A5-00C04FD706EC} TridentImageExtractor
    {6756A641-DE71-11d0-831B-00AA005B4383} MRU AutoComplete List
    {6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} Custom MRU AutoCompleted List
    {7e653215-fa25-46bd-a339-34a2790f3cb7} Accessible
    {acf35015-526e-4230-9596-becbe19f0ac9} Track Popup Bar
    {E0E11A09-5CB8-4B6C-8332-E00720A168F2} Address Bar Parser
    {00BB2764-6A77-11D0-A535-00C04FD7D062} Microsoft History AutoComplete List
    {03C036F1-A186-11D0-824A-00AA005B4383} Microsoft Shell Folder AutoComplete List
    {00BB2765-6A77-11D0-A535-00C04FD7D062} Microsoft Multiple AutoComplete List Container
    {ECD4FC4E-521C-11D0-B792-00A0C90312E1} Shell Band Site Menu
    {3CCF8A41-5C85-11d0-9796-00AA00B90ADF} Shell DeskBarApp
    {ECD4FC4C-521C-11D0-B792-00A0C90312E1} Shell DeskBar
    {ECD4FC4D-521C-11D0-B792-00A0C90312E1} Shell Rebar BandSite
    {DD313E04-FEFF-11d1-8ECD-0000F87A470C} User Assist
    {EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} Global Folder Settings
    {EFA24E61-B078-11d0-89E4-00C04FC9E26E} Favorites Band
    {0A89A860-D7B1-11CE-8350-444553540000} Shell Automation Inproc Service
    {E7E4BC40-E76A-11CE-A9BB-00AA004AE837} Shell DocObject Viewer
    {A5E46E3A-8849-11D1-9D8C-00C04FC99D61} Microsoft Browser Architecture
    {FBF23B40-E3F0-101B-8488-00AA003E56F8} InternetShortcut
    {3C374A40-BAE4-11CF-BF7D-00AA006946EE} Microsoft Url History Service
    {FF393560-C2A7-11CF-BFF4-444553540000} History
    {7BD29E00-76C1-11CF-9DD0-00A0C9034933} Temporary Internet Files
    {7BD29E01-76C1-11CF-9DD0-00A0C9034933} Temporary Internet Files
    {CFBFAE00-17A6-11D0-99CB-00C04FD64497} Microsoft Url Search Hook
    {A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} IE4 Suite Splash Screen
    {67EA19A0-CCEF-11d0-8024-00C04FD75D13} CDF Extension Copy Hook
    {131A6951-7F78-11D0-A979-00C04FD705A2} ISFBand OC
    {9461b922-3c5a-11d2-bf8b-00c04fb93661} Search Assistant OC
    {3DC7A020-0ACD-11CF-A9BB-00AA004AE837} The Internet
    {871C5380-42A0-1069-A2EA-08002B30309D} Internet Name Space
    {EFA24E64-B078-11d0-89E4-00C04FC9E26E} Explorer Band
    {9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} Sendmail service
    {9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} Sendmail service
    {88C6C381-2E85-11D0-94DE-444553540000} ActiveX Cache Folder
    {E6FB5E20-DE35-11CF-9C87-00AA005127ED} WebCheck
    {ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} Subscription Mgr
    {F5175861-2688-11d0-9C5E-00AA00A45957} Subscription Folder
    {08165EA0-E946-11CF-9C87-00AA005127ED} WebCheckWebCrawler
    {E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} WebCheckChannelAgent
    {E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} TrayAgent
    {7D559C10-9FE9-11d0-93F7-00AA0059CE02} Code Download Agent
    {E6CC6978-6B6E-11D0-BECA-00C04FD940BE} ConnectionAgent
    {D8BD2030-6FC9-11D0-864F-00AA006809D9} PostAgent
    {7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} WebCheck SyncMgr Handler
    {352EC2B7-8B9A-11D1-B8AE-006008059382} Shell Application Manager
    {0B124F8F-91F0-11D1-B8B5-006008059382} Installed Apps Enumerator
    {CFCCC7A0-A282-11D1-9082-006008059382} Darwin App Publisher
    {e84fda7c-1d6a-45f6-b725-cb260c236066} Shell Image Verbs
    {66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} Shell Image Data Factory
    {3F30C968-480A-4C6C-862D-EFC0897BB84B} GDI+ file thumbnail extractor
    {9DBD2C50-62AD-11d0-B806-00C04FD706EC} Summary Info Thumbnail handler (DOCFILES)
    {EAB841A0-9550-11cf-8C16-00805F1408F3} HTML Thumbnail Extractor
    {eb9b1153-3b57-4e68-959a-a3266bc3d7fe} Shell Image Property Handler
    {CC6EEFFB-43F6-46c5-9619-51D571967F7D} Web Publishing Wizard
    {add36aa8-751a-4579-a266-d66f5202ccbb} Print Ordering via the Web
    {6b33163c-76a5-4b6c-bf21-45de9cd503a1} Shell Publishing Wizard Object
    {58f1f272-9240-4f51-b6d4-fd63d1618591} Get a Passport Wizard
    {7A9D77BD-5403-11d2-8785-2E0420524153} User Accounts
    {E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} Compressed (zipped) Folder
    {BD472F60-27FA-11cf-B8B4-444553540000} Compressed (zipped) Folder Right Drag Handler
    {888DCA60-FC0A-11CF-8F0F-00C04FD7D062} Compressed (zipped) Folder SendTo Target
    {f39a0dc0-9cc8-11d0-a599-00c04fd64433} Channel File
    {f3aa0dc0-9cc8-11d0-a599-00c04fd64434} Channel Shortcut
    {f3ba0dc0-9cc8-11d0-a599-00c04fd64435} Channel Handler Object
    {f3da0dc0-9cc8-11d0-a599-00c04fd64437} Channel Menu
    {f3ea0dc0-9cc8-11d0-a599-00c04fd64438} Channel Properties
    {63da6ec0-2e98-11cf-8d82-444553540000} FTP Folders Webview
    {883373C3-BF89-11D1-BE35-080036B11A03} Microsoft DocProp Shell Ext
    {A9CF0EAE-901A-4739-A481-E35B73E47F6D} Microsoft DocProp Inplace Edit Box Control
    {8EE97210-FD1F-4B19-91DA-67914005F020} Microsoft DocProp Inplace ML Edit Box Control
    {0EEA25CC-4362-4A12-850B-86EE61B0D3EB} Microsoft DocProp Inplace Droplist Combo Control
    {6A205B57-2567-4A2C-B881-F787FAB579A3} Microsoft DocProp Inplace Calendar Control
    {28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} Microsoft DocProp Inplace Time Control
    {8A23E65E-31C2-11d0-891C-00A024AB2DBB} Directory Query UI
    {9E51E0D0-6E0F-11d2-9601-00C04FA31A86} Shell properties for a DS object
    {163FDC20-2ABC-11d0-88F0-00A024AB2DBB} Directory Object Find
    {F020E586-5264-11d1-A532-0000F8757D7E} Directory Start/Search Find
    {0D45D530-764B-11d0-A1CA-00AA00C16E65} Directory Property UI
    {62AE1F9A-126A-11D0-A14B-0800361B1103} Directory Context Menu Verbs
    {ECF03A33-103D-11d2-854D-006008059367} MyDocs Copy Hook
    {ECF03A32-103D-11d2-854D-006008059367} MyDocs Drop Target
    {4a7ded0a-ad25-11d0-98a8-0800361b1103} MyDocs Properties
    {750fdf0e-2a26-11d1-a3ea-080036587f03} Offline Files Menu
    {10CFC467-4392-11d2-8DB4-00C04FA31A66} Offline Files Folder Options
    {AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} Offline Files Folder
    {143A62C8-C33B-11D1-84FE-00C04FA34A14} Microsoft Agent Character Property Sheet Handler
    {ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} DfsShell
    {60fd46de-f830-4894-a628-6fa81bc0190d} %DESC_PublishDropTarget%
    {7A80E4A8-8005-11D2-BCF8-00C04F72C717} MMC Icon Handler
    {0CD7A5C0-9F37-11CE-AE65-08002B2E1262} .CAB file viewer
    {32714800-2E5F-11d0-8B85-00AA0044F941} For &People...
    {8DD448E6-C188-4aed-AF92-44956194EB1F} Windows Media Player Play as Playlist Context Menu Handler
    {CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} Windows Media Player Burn Audio CD Context Menu Handler
    {F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} Windows Media Player Add to Playlist Context Menu Handler
    {C0BF66AC-0B9E-4609-94EB-E51F752035C3}
    {795951C1-0D85-4D3C-9C9F-E7C920D4F842}
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} WinRAR shell extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} AVG7 Shell Extension
    {9F97547E-460A-42C5-AE0C-81C61FFAEBC3} AVG7 Find Extension
    {2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} Set Program Access and Defaults
    {596AB062-B4D2-4215-9F74-E9109B0A8153} Previous Versions Property Page
    {9DB7A13C-F208-4981-8353-73CC61AE2783} Previous Versions
    {692F0339-CBAA-47e6-B5B5-3B84DB604E87} Extensions Manager Folder
    {21569614-B795-46b1-85F4-E737A8DC09AD} Shell Search Band


    Files
    Parameter line : File=%sysdir%;rdriv.sys;;;;;
    File C:\WINDOWS\SYSTEM32\rdriv.sys was not found!
    Parameter line : File=%sysdir%;ItunesMusic.exe;;;;;
    File C:\WINDOWS\SYSTEM32\ItunesMusic.exe was not found!
    Parameter line : File=%sysdir%;wkssvc.exe;;;;;
    File C:\WINDOWS\SYSTEM32\wkssvc.exe was not found!
    Parameter line : File=%windir%;ItunesMusic.exe;;;;;
    File C:\WINDOWS\ItunesMusic.exe was not found!
    Parameter line : File=%windir%;wkssvc.exe;;;;;
    File C:\WINDOWS\wkssvc.exe was not found!

    <<<<<<<<<< Checking for AddOn SharedTaskScheduler.def information >>>>>>>>>>
    >>>>>>>>>> Exporting Policies from HKLM
    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler;;
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler found!
    {438755C2-A8BA-11D1-B96B-00A0C90312E1} Browseui preloader
    {8C7461EF-2B13-11d2-BE35-3078302C2030} Component Categories cache daemon


    <<<<<<<<<< Checking for AddOn WareOut.def information >>>>>>>>>>
    >>>>>>>>>> PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Parameter line : file=%sysdir%;*.exe;300;55304;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 55304 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;;43528;;;
    File C:\WINDOWS\SYSTEM32\*.exe with a size of 43528 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;300;4096;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 4096 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;;43528;;;
    File C:\WINDOWS\SYSTEM32\*.exe with a size of 43528 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;300;28680;;;
    File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 28680 bytes was not found!
    Parameter line : file=%sysdir%;*.exe;;11264;;;
    03/08/2004 11:56:48 PM 11264 C:\WINDOWS\SYSTEM32\atmadm.exe found!
    18/08/2001 4:00:00 AM 11264 C:\WINDOWS\SYSTEM32\attrib.exe found!
    03/08/2004 11:56:48 PM 11264 C:\WINDOWS\SYSTEM32\autolfn.exe found!
    18/08/2001 4:00:00 AM 11264 C:\WINDOWS\SYSTEM32\chkntfs.exe found!
    18/08/2001 4:00:00 AM 11264 C:\WINDOWS\SYSTEM32\rasdial.exe found!
    Parameter line : file=%sysdir%;*.ren;300;43528;;;
    File C:\WINDOWS\SYSTEM32\*.ren for today - 300 days with a size of 43528 bytes was not found!
    Parameter line : file=%sysdir%;ntfsnlpa.exe;;;;;
    File C:\WINDOWS\SYSTEM32\ntfsnlpa.exe was not found!
    Parameter line : file=%sysdir%;cisvvc.exe;;;;;
    File C:\WINDOWS\SYSTEM32\cisvvc.exe was not found!
    Parameter line : file=%sysdir%;drv2cltr.dll;;;;;
    File C:\WINDOWS\SYSTEM32\drv2cltr.dll was not found!
    Parameter line : file=%sysdir%;hybsys32.dll;;;;;
    File C:\WINDOWS\SYSTEM32\hybsys32.dll was not found!
    Parameter line : file=%sysdir%;loadctr.exe;;;;;
    File C:\WINDOWS\SYSTEM32\loadctr.exe was not found!
    Parameter line : file=%sysdir%;rdsndin.exe;;;;;
    File C:\WINDOWS\SYSTEM32\rdsndin.exe was not found!
    Parameter line : file=%sysdir%;pxpcya64.exe;;;;;
    File C:\WINDOWS\SYSTEM32\pxpcya64.exe was not found!
    Parameter line : file=%windir%;*.exe;300;55304;;;
    File C:\WINDOWS\*.exe for today - 300 days with a size of 55304 bytes was not found!
    Parameter line : file=%windir%;*.exe;300;43528;;;
    File C:\WINDOWS\*.exe for today - 300 days with a size of 43528 bytes was not found!
    Parameter line : file=%windir%;*.exe;300;4096;;;
    File C:\WINDOWS\*.exe for today - 300 days with a size of 4096 bytes was not found!
    Parameter line : file=%windir%;rdt.ini;;;;;
    File C:\WINDOWS\rdt.ini was not found!
    Parameter line : file=%windir%;baloon.wav;;;;;
    File C:\WINDOWS\baloon.wav was not found!
    Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
    File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
    >>>>>>>>>>Registry keys to look for
    Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;system;;
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon found!
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\system found!
    System
    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins;;
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins not found!
    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut;;
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut not found!
    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\WareOut;;
    HKEY_LOCAL_MACHINE\SOFTWARE\WareOut not found!
    Parameter line : regkey=HKEY_CURRENT_USER\Software\WareOut;;
    HKEY_CURRENT_USER\Software\WareOut not found!
    Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoBandCustomize;;
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer found!
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoBandCustomize not found!
    Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion;Disabled;;
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion found!
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\\Disabled not found!
    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar;;
    HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar not found!
    Parameter line : regkey=HKEY_CURRENT_USER\Software\SearchToolbar;;
    HKEY_CURRENT_USER\Software\SearchToolbar not found!
    Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls;;
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls not found!
    Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser;{08BEC6AA-49FC-4379-3587-4B21E286C19E};;
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser found!
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} not found!

    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 16/01/2006 7:31:21 PM

    and the vundofix found these infected files:
    ddabb.dll, bbadd.ini and bbadd.bak2
    thanks again for the continuous help dvk.
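The WinPFind section above mixes misses ("was not found!") with hits ("found!"), and the WareOut.def block itself warns that hits include legitimate files: every 11264-byte hit listed is a stock Windows binary carrying one of two shared file dates. The Python below is an added example, not part of the thread and not WinPFind's own code. It parses a log in this shape, pulls out the file hits and the registry-value hits (with the data line that follows each), and applies a triage heuristic that is an assumption of this example, not something the page states: a hit whose timestamp is shared with no other hit, or that falls within 30 days of the scan date, is flagged for a closer look. The sample log is constructed from the lines above plus one invented entry, example-outlier.exe, which is not on the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the shape of the WinPFind 1.4.1 log posted above,
# trimmed to one WareOut.def file check and two registry checks. The
# example-outlier.exe line is invented for this example and is not on the page.
SAMPLE_LOG = r"""
<<<<<<<<<< Checking for AddOn WareOut.def information >>>>>>>>>>
Parameter line : file=%sysdir%;*.exe;300;55304;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;11264;;;
03/08/2004 11:56:48 PM 11264 C:\WINDOWS\SYSTEM32\atmadm.exe found!
18/08/2001 4:00:00 AM 11264 C:\WINDOWS\SYSTEM32\attrib.exe found!
03/08/2004 11:56:48 PM 11264 C:\WINDOWS\SYSTEM32\autolfn.exe found!
18/08/2001 4:00:00 AM 11264 C:\WINDOWS\SYSTEM32\chkntfs.exe found!
18/08/2001 4:00:00 AM 11264 C:\WINDOWS\SYSTEM32\rasdial.exe found!
09/01/2006 9:12:30 PM 11264 C:\WINDOWS\SYSTEM32\example-outlier.exe found!
>>>>>>>>>>Registry keys to look for
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;system;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\system found!
System
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins not found!
Scan completed on 16/01/2006 7:31:21 PM
"""

DATE_FMT = "%d/%m/%Y %I:%M:%S %p"   # day-first, as in the log's own "16/01/2006"
PARAM = re.compile(r"^Parameter line : (\w+)=(.*)$")
FILE_HIT = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\d+) (.+?) found!$")
REG_VALUE_HIT = re.compile(r"^(.+?)\\\\(.+?) found!$")   # "key\\value found!"; data is on the next line
SCAN_DONE = re.compile(r"^Scan completed on (.+)$")


@dataclass
class FileHit:
    when: datetime
    size: int
    path: str
    check: str      # the "Parameter line" that produced the hit


@dataclass
class RegHit:
    key: str
    value: str
    data: str
    check: str


def parse_winpfind(text: str):
    """Return (file hits, registry-value hits, scan time) from a WinPFind log."""
    files, regs, scan_time, current = [], [], None, ""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if m := PARAM.match(line):
            current = m.group(2)
        elif m := FILE_HIT.match(line):
            files.append(FileHit(datetime.strptime(m.group(1), DATE_FMT),
                                 int(m.group(2)), m.group(3), current))
        elif m := REG_VALUE_HIT.match(line):
            data = lines[i + 1] if i + 1 < len(lines) else ""
            regs.append(RegHit(m.group(1), m.group(2), data, current))
        elif m := SCAN_DONE.match(line):
            scan_time = datetime.strptime(m.group(1), DATE_FMT)
    return files, regs, scan_time


def triage(files, scan_time, recent_days=30):
    """Heuristic (an assumption of this example, not from the page): hits that
    share a timestamp were most likely laid down together by the OS install or a
    service pack; a timestamp seen only once, or one within recent_days of the
    scan, deserves a look. A timestamp later than the scan is flagged too."""
    stamps = Counter(f.when for f in files)
    flagged = []
    for f in files:
        reasons = []
        if stamps[f.when] == 1:
            reasons.append("timestamp shared with no other hit")
        if scan_time is not None and scan_time - f.when <= timedelta(days=recent_days):
            reasons.append(f"modified within {recent_days} days of the scan")
        if reasons:
            flagged.append((f.path, reasons))
    return flagged


if __name__ == "__main__":
    files, regs, scan_time = parse_winpfind(SAMPLE_LOG)
    print(f"{len(files)} file hits, {len(regs)} registry-value hits, scan at {scan_time}")
    for r in regs:
        print(f"REG  {r.key}\\{r.value} = {r.data!r}")
    for path, reasons in triage(files, scan_time):
        print(f"LOOK {path}: {'; '.join(reasons)}")
```

Run against the sample, the five stock binaries fall into two timestamp clusters and are not flagged, while the invented outlier is flagged on both counts. The heuristic only narrows the list; a flagged file still needs a hash or signature check before anything is deleted.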
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    We still have a few problems

    either Microsoft AntiSpyware or Spyware Doctor is blocking the registry changes we need to do

    We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. It can be enabled when you're clean.

    Open Microsoft AntiSpyware by double-clicking its icon in the system tray, click on Real-time Protection and on the left a screen will appear; select each of the agents in turn and press Deactivate,
    then
    Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware

    and for Spyware Doctor

    1. From within Spyware Doctor, click the "OnGuard" button on the left side.
    2. Uncheck "Activate OnGuard".

    Now

    Start Killbox, go to Options on the top bar and make sure Remove Directories is enabled and Remove Duplicates is UNCHECKED, then paste the first file listed below into the Full Pathname and File to Delete box

    The file name will appear in the window; select Delete on Reboot, press the red X button, say Yes to the prompt and NO to reboot now, then repeat for each file in turn

    [Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox ] If Killbox tells you any files are missing don't worry but make a note and let us know in your next reply

    C:\WINDOWS\system32\bbadd.bak2
    C:\WINDOWS\system32\bbadd.ini
    C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\??ool32.exe
    C:\w3.exe

    Then on the Killbox top bar press Tools/Delete Temp Files; in the pop-up box, in the NT section select temp & temp internet & cookies only, and in the 9x section select c:\windows\temp & c:\temp; then in the drop-down user account box select your account, and repeat for every user account on the computer

    then reboot &

    please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
    Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select etc., and when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with)

    Files to submit:

    C:\WINDOWS\system32\qgdwipes.dll
    C:\WINDOWS\system32\tbkwks.dll

    there are a few suspicious entries that I am doing some research on that will need fixing afterwards

    we do need everything enabled in MSconfig to be able to fix them though
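The Killbox step above relies on "delete on reboot" because a file that is in use cannot be removed while Windows is running. The standard Windows mechanism for this is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request as pairs in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations (an empty target in a pair means delete) and is carried out by Session Manager early in the next boot; whether Killbox uses exactly this call is not stated in the thread and is an assumption here. The Python below is an added example, not Killbox's code and not from the thread. It builds and reads the queue format so the pending list can be checked before rebooting, and on Windows, run as an administrator, queues the deletions through the documented API and reads the value back. The paths are the ones dvk01 listed; the entry containing "?" characters is left out because it is not a literal path.

```python
import ctypes
import sys

# Where Windows persists delayed rename/delete requests (assumed standard location).
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# Files named in the Killbox step above (the "??ool32.exe" entry is omitted:
# it is not a literal path this API accepts).
FILES_TO_DELETE = [
    r"C:\WINDOWS\system32\bbadd.bak2",
    r"C:\WINDOWS\system32\bbadd.ini",
    r"C:\WINDOWS\system32\vtsqo.dll",
    r"C:\w3.exe",
]


def to_nt_path(path: str) -> str:
    """Entries are stored in NT object-manager form (\\??\\C:\\...) because Session
    Manager processes the list before Win32 drive letters are usable."""
    return path if path.startswith("\\??\\") else "\\??\\" + path


def queue_deletes(existing: list, paths: list) -> list:
    """Return the REG_MULTI_SZ content after appending delete requests.

    The value is a flat list of (source, target) pairs: an empty target means
    "delete source at boot", a non-empty one means "rename source to target".
    Requests whose source is already queued are not duplicated."""
    entries = list(existing)
    sources = {entries[i] for i in range(0, len(entries) - 1, 2)}
    for p in paths:
        nt = to_nt_path(p)
        if nt not in sources:
            entries.extend([nt, ""])
            sources.add(nt)
    return entries


def pending_deletes(entries: list) -> list:
    """Paths queued for deletion (rename pairs are ignored)."""
    return [entries[i] for i in range(0, len(entries) - 1, 2) if entries[i + 1] == ""]


def queue_on_windows(paths: list) -> list:
    """Queue the deletions via the documented API, then read the registry value
    back so the caller can confirm what Session Manager will do at next boot.
    Needs Windows and an administrator token (the value lives under HKLM)."""
    if sys.platform != "win32":
        raise RuntimeError("MoveFileEx/PendingFileRenameOperations only exist on Windows")
    import winreg
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    for p in paths:
        # lpNewFileName = NULL together with DELAY_UNTIL_REBOOT: delete p at next boot.
        if not kernel32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError(ctypes.get_last_error())
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
    return pending_deletes(value)


if __name__ == "__main__":
    # Offline: show the exact MULTI_SZ content the API writes for these files.
    for entry in queue_deletes([], FILES_TO_DELETE):
        print(repr(entry))
    if sys.platform == "win32":
        print("queued for deletion at next boot:", queue_on_windows(FILES_TO_DELETE))
```

Reading PendingFileRenameOperations back before rebooting is the check worth doing after any delete-on-reboot tool: if a path is missing from the list the request was blocked (real-time protection is one reason the thread gives for blocked registry writes), and if the reboot is skipped the entries simply sit there until the next one.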
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    You also seem to have some sections of Norton Antivirus running as well as AVG

    That isn't a good idea as they will clash

    Decide which antivirus you want to keep and uninstall the other one

    If you want to remove Norton, as I suspect you think you already have done, then let us know and we can advise how to
     

Short URL to this thread: https://techguy.org/433928
