1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: possible virus? please help

Discussion in 'Virus & Other Malware Removal' started by bella6100, Feb 6, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. bella6100

    bella6100 Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    117
    My comp. has been running fine until a couple days ago..started getting many IE popups even while using Netscape, things are downloading onto my comp. without me doing anything: TopText iLookup, AdDestroyer, Virtual Bouncer are just a few.... comp. sometimes shuts down on it's own, also getting popups on netscape that i never got before...i ran Ad-aware as well as Spybot numerous times, and thought that would take care of it but it seems only to be getting worse...here is my hijackthis log: Please help!! :confused:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:30:27 PM, on 2/6/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yikptn.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\PROGRA~1\EZULA\mmod.exe
    C:\PROGRA~1\WEBOFF~1\wo.exe
    C:\Program Files\SED\SED.exe
    D:\SpywareBlast\SpywareBlaster\spywareblaster.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
    D:\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://aimhome.netscape.com/aimhome.adp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [System Restore] svcnet.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\ygvork.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "D:\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [System Restore] svcnet.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PHOTOS~1\PHOTOS~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: Calenz Startup.lnk = D:\Calenz\Calenz\Calenz.exe
    O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: yikptn.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...loper.viewpoint.com/download/autoinstall.html
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,012
    Hi and welcome to TSG,

    Click here: http://www.atribune.org/downloads/l2mfix.exe to download L2mfix.

    Save the file to your desktop and double click l2mfix.exe. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
  4. bella6100

    bella6100 Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    117
    I downloaded hijackthis v. 1.99 but it kept giving me an error msg and closing, so the best I could do is the following:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:37:59 PM, on 2/6/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\WINDOWS\System32\ygvork.exe
    C:\Program Files\SED\SED.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://aimhome.netscape.com/aimhome.adp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [System Restore] svcnet.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "D:\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [System Restore] svcnet.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PHOTOS~1\PHOTOS~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezStub.exe
    O4 - Startup: Calenz Startup.lnk = D:\Calenz\Calenz\Calenz.exe
    O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...loper.viewpoint.com/download/autoinstall.html
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
     
  5. bella6100

    bella6100 Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    117
    L2MFIX find log 1.02a
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\ktrol7931.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{5C26B7BF-B81F-4A4D-9F6F-0CE313D150AD}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{48F45200-91E6-11CE-8A4F-0080C81A28D4}"="TMD Shell Extension"
    "{771A9DA0-731A-11CE-993C-00AA004ADB6C}"="VBPropSheet"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}"="IZArc DragDrop Menu"
    "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"="IZArc Shell Context Menu"
    "{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
    "{D1D78AD7-DDC6-4312-8F71-9D352CB76A7B}"="MuVo C100 Media Explorer"
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
    "{BD812953-4CB0-4B79-8522-C0E8B26EB8A2}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{BD812953-4CB0-4B79-8522-C0E8B26EB8A2}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{BD812953-4CB0-4B79-8522-C0E8B26EB8A2}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{BD812953-4CB0-4B79-8522-C0E8B26EB8A2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{BD812953-4CB0-4B79-8522-C0E8B26EB8A2}\InprocServer32]
    @="C:\\WINDOWS\\system32\\amsmsext.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    user32.dll Tue Dec 28 2004 7:31:44p A.... 574,464 561.00 K
    zniuba.dll Sun Feb 6 2005 6:42:34p A.... 24,576 24.00 K
    msvbvm60.dll Sun Dec 5 2004 9:48:14p A.... 1,385,744 1.32 M
    shdocvw.dll Thu Nov 11 2004 11:20:56p A.... 1,332,224 1.27 M
    l6j80g~1.dll Sun Feb 6 2005 10:52:12a ..... 230,775 225.36 K
    prospe~1.dll Sun Jan 30 2005 2:23:54p A.... 22,016 21.50 K
    ktrol7~1.dll Sun Feb 6 2005 10:54:28p ..S.R 230,594 225.19 K
    k2080c~1.dll Sun Feb 6 2005 11:05:10a ..S.R 231,577 226.15 K
    akupd.dll Sun Feb 6 2005 12:20:22p A.... 155,648 152.00 K
    unicows.dll Mon Nov 8 2004 7:12:06p A.... 245,408 239.66 K
    g0lmla~1.dll Sun Feb 6 2005 12:12:52p ..S.R 228,765 223.40 K
    akcore.dll Sat Feb 5 2005 6:39:42p A.... 188,416 184.00 K
    amsmsext.dll Sun Feb 6 2005 11:22:06p A.... 230,594 225.19 K
    akrules.dll Sat Feb 5 2005 6:39:42p A.... 110,592 108.00 K
    aklsp.dll Sat Feb 5 2005 6:39:44p A.... 196,608 192.00 K
    jtlq07~1.dll Sat Feb 5 2005 9:57:40p ..S.R 230,444 225.04 K
    h2n00c~1.dll Sun Feb 6 2005 10:09:02a ..... 229,959 224.57 K
    sporder.dll Sun Feb 6 2005 12:20:28p A.... 8,464 8.27 K
    gqlzop.dll Sun Feb 6 2005 3:15:24p A.... 5,632 5.50 K
    dosync.dll Sun Feb 6 2005 7:25:40p A.... 114,688 112.00 K
    docore.dll Sun Feb 6 2005 12:56:02p A.... 151,552 148.00 K
    dolsp.dll Sun Feb 6 2005 12:56:02p A.... 139,264 136.00 K
    q2ps0c~1.dll Sun Feb 6 2005 11:22:06p ..S.R 231,366 225.94 K

    23 items found: 23 files (5 H/S), 0 directories.
    Total of file sizes: 6,499,370 bytes 6.20 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 1052-B046

    Directory of C:\WINDOWS\System32

    02/06/2005 11:22 PM 231,366 q2ps0c77ef.dll
    02/06/2005 10:54 PM 230,594 ktrol7931.dll
    02/06/2005 12:12 PM 228,765 g0lmla311d.dll
    02/06/2005 11:05 AM 231,577 k2080cduef080.dll
    02/05/2005 09:57 PM 230,444 jtlq0735e.dll
    09/03/2004 04:08 PM 10,022 KGyGaAvL.sys
    09/03/2004 04:08 PM 56 DD173D8185.sys
    08/25/2004 03:09 PM <DIR> Microsoft
    09/08/2001 10:55 AM <DIR> dllcache
    09/08/2001 10:55 AM 6,144 access.ctl
    09/30/1999 07:21 PM 166,672 mstext35.dll
    09/28/1999 09:42 PM 1,050,896 msjet35.dll
    09/09/1999 10:06 PM 168,720 msltus35.dll
    09/09/1999 10:06 PM 252,688 msexcl35.dll
    08/25/1999 02:57 PM 415,504 msrepl35.dll
    06/10/1999 09:34 AM 24,848 msjter35.dll
    06/10/1999 09:34 AM 123,664 msjint35.dll
    06/07/1999 06:59 PM 250,128 mspdox35.dll
    04/25/1999 05:00 PM 252,176 Msrd2x35.dll
    04/25/1999 05:00 PM 287,504 Msxbse35.dll
    18 File(s) 4,161,768 bytes
    2 Dir(s) 5,706,719,232 bytes free




    thanks to both of you for responding so quickly, i really appreciate it :)
     
  6. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Hello bella6100 and Welcome to TSG! :D

    Download LSPFix from here:
    http://www.cexx.org/LSPFix.exe

    Run it, make sure you click the "I know what I'm doing" button. Select aklsp.dll and dolsp.dll and using the right-pointing arrows and move all instances of aklsp.dll and dolsp.dll it mentions and nothing else to the "Remove" side but leave everything else. Click "Finished".

    Download VX2 Cleaner plugin for Ad-Aware:
    http://majorgeeks.com/downloadget.php?id=4283&file=11&evp=34312f31f5a8511bfb7cf839b1eaff0b

    Install and run Ad-Aware. Click on "Add-ons" and choose "VX2 Cleaner" then "Run Tool". After running the tool, exit out of Ad-Aware.

    Download CWShredder from here:
    http://cwshredder.net/bin/CWSInstall.exe

    Install and run CWShredder. Click on "Check for Update" and download the latest updates. Next, click on "Fix". Exit out of CWShredder.

    Run both Spybot S&D and Ad-Aware and download the latest updates.

    Run both of those programs.

    Restart your computer and post a fresh HijackThis log back on this thread.
     
  7. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Aslo download SpywareBlaster from here:
    http://www.majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef

    Install and run SpywareBlaster. Click on "Updates" and then choose "Check for updates". Next choose "Protection" and at the top you will see different tabs which are Internet Explorer, Restricted sites and Mozilla/Firefox. Choose one of them at a time and at the bottom click "Protect Against Checked Items" (make sure that all of the items are checked). Tick the boxes above the items. Make sure you do this for all of the top tabs. Mozilla/Firefox you only need to do if you have the user profiles on your computer. You may now exit out of SpywareBlaster.
     
  8. bella6100

    bella6100 Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    117
    hey crushbone:)

    i followed all your instructions, here is the new hijackthis log:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:43:56 PM, on 2/7/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yikptn.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    D:\Calenz\Calenz\Calenz.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://aimhome.netscape.com/aimhome.adp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [System Restore] svcnet.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "D:\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [System Restore] svcnet.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PHOTOS~1\PHOTOS~1\data\Xtras\mssysmgr.exe
    O4 - Startup: Calenz Startup.lnk = D:\Calenz\Calenz\Calenz.exe
    O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...loper.viewpoint.com/download/autoinstall.html
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
     
  9. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Open Task Manager (ctrl+alt+delete) and choose the "Processes" tab.
    Find and "End Process" the following processes:
    TBPS.exe
    PIB.exe
    TBPSSvc.exe
    WToolsS.exe
    WToolsA.exe
    WSup.exe
    wsxsvc.exe
    yikptn.exe


    Turn off System Restore by right-clicking on My Computer and choosing "Properties". Click on the "System Restore" tab and put a tick next to "Turn System Restore off". Click "OK".

    Go to My Computer and click on "Tools" then "Folder Options. Click on the "View" tab and make sure that "Show hidden files and folders" is enabled. Click "OK".

    Find and delete the following files and folders hilighted in RED:
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\Program Files\Common Files\WinTools
    C:\WINDOWS\System32\wsxsvc
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yikptn.exe

    Open Internet Explorer and at the top click on "Tools" and choose "Internet Options". Click on the "Advanced" tab and untick "Enable third-party browser extensions". Click on "Apply" then "OK".

    Run HijackThis and fix the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html

    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

    O1 - Hosts: 69.20.16.183 auto.search.msn.com

    O1 - Hosts: 69.20.16.183 search.netscape.com

    O1 - Hosts: 69.20.16.183 ieautosearch

    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    O4 - HKLM\..\Run: [System Restore] svcnet.exe

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

    O4 - HKCU\..\Run: [ares] "D:\Ares\Ares.exe" -h

    O4 - HKCU\..\Run: [System Restore] svcnet.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst20040510.cab

    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab

    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


    Download Ad-Aware SE from here:
    http://www.download.com/3001-8022_4-10319876.html

    Install and run Ad-Aware SE. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

    Download Spybot S&D from here:
    http://users.skynet.be/fa936042/spybotsd13.exe

    Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

    Restart your computer and post a fresh HijackThis log back on this thread.
     
  10. bella6100

    bella6100 Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    117
    I did everything except the comp. wouldn't allow me to end or delete:

    TBPS.exe
    PIB.exe
    TBPSSvc.exe
    WToolsS.exe
    WToolsA.exe
    WSup.exe



    Logfile of HijackThis v1.98.2
    Scan saved at 3:36:42 PM, on 2/8/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\TBPS.exe
    C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\PIB.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\TBPSSvc.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\AIM\aim.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yikptn.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seekerbar.com/ie.aspx?tb_id=50154
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://aimhome.netscape.com/aimhome.adp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\toolbar.dll
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\toolbar.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\toolbar.dll
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\TBPS.exe
    O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PHOTOS~1\PHOTOS~1\data\Xtras\mssysmgr.exe
    O4 - Startup: Calenz Startup.lnk = D:\Calenz\Calenz\Calenz.exe
    O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...loper.viewpoint.com/download/autoinstall.html
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\DOCUME~1\Pri\LOCALS~1\Temp\TEMP~1.FRA\toolbar.dll
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,012
    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
     
  12. bella6100

    bella6100 Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    117
    C:\
    C:\
    System Rebooted!

    Running From:
    C:\

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 1228 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Error, Cannot find a process with an image name of rundll32.exe

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\mqimg32.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\l6j80g1ue6.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\MDIDENT.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\wjsapi32.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\sessetup.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\duwsockx.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\k2080cduef080.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ih41_qc.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\g0lmla311d.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\jtlq0735e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\h2n00c5mef.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fp8q03l5e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\amctres.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\p0n8la5u1d.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ciutil.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\iunathlp.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\kt2ml7f11.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\hrro0593e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\o6ns0g57e6.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\n08o0al3edq.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\h60qlgd5160.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\m0ju0a19ed.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\m4820eloehqc0.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\mbbind.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\WMNINET.DLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ivetpp.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\h2j40c1qef.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\pKqsp.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\o0660ajsedo60.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\oseprn.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\mgsystem.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\l42slef71h2.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\mbwebdvd.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\j4n20e5oeh.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\nxxpnt.dll
    1 file(s) copied.
    deleting: C:\WINDOWS\system32\mqimg32.dll
    Successfully Deleted: C:\WINDOWS\system32\mqimg32.dll
    deleting: C:\WINDOWS\system32\l6j80g1ue6.dll
    Successfully Deleted: C:\WINDOWS\system32\l6j80g1ue6.dll
    deleting: C:\WINDOWS\system32\MDIDENT.DLL
    Successfully Deleted: C:\WINDOWS\system32\MDIDENT.DLL
    deleting: C:\WINDOWS\system32\wjsapi32.dll
    Successfully Deleted: C:\WINDOWS\system32\wjsapi32.dll
    deleting: C:\WINDOWS\system32\sessetup.dll
    Successfully Deleted: C:\WINDOWS\system32\sessetup.dll
    deleting: C:\WINDOWS\system32\duwsockx.dll
    Successfully Deleted: C:\WINDOWS\system32\duwsockx.dll
    deleting: C:\WINDOWS\system32\k2080cduef080.dll
    Successfully Deleted: C:\WINDOWS\system32\k2080cduef080.dll
    deleting: C:\WINDOWS\system32\ih41_qc.dll
    Successfully Deleted: C:\WINDOWS\system32\ih41_qc.dll
    deleting: C:\WINDOWS\system32\g0lmla311d.dll
    Successfully Deleted: C:\WINDOWS\system32\g0lmla311d.dll
    deleting: C:\WINDOWS\system32\jtlq0735e.dll
    Successfully Deleted: C:\WINDOWS\system32\jtlq0735e.dll
    deleting: C:\WINDOWS\system32\h2n00c5mef.dll
    Successfully Deleted: C:\WINDOWS\system32\h2n00c5mef.dll
    deleting: C:\WINDOWS\system32\fp8q03l5e.dll
    Successfully Deleted: C:\WINDOWS\system32\fp8q03l5e.dll
    deleting: C:\WINDOWS\system32\amctres.dll
    Successfully Deleted: C:\WINDOWS\system32\amctres.dll
    deleting: C:\WINDOWS\system32\p0n8la5u1d.dll
    Successfully Deleted: C:\WINDOWS\system32\p0n8la5u1d.dll
    deleting: C:\WINDOWS\system32\ciutil.dll
    Successfully Deleted: C:\WINDOWS\system32\ciutil.dll
    deleting: C:\WINDOWS\system32\iunathlp.dll
    Successfully Deleted: C:\WINDOWS\system32\iunathlp.dll
    deleting: C:\WINDOWS\system32\kt2ml7f11.dll
    Successfully Deleted: C:\WINDOWS\system32\kt2ml7f11.dll
    deleting: C:\WINDOWS\system32\hrro0593e.dll
    Successfully Deleted: C:\WINDOWS\system32\hrro0593e.dll
    deleting: C:\WINDOWS\system32\o6ns0g57e6.dll
    Successfully Deleted: C:\WINDOWS\system32\o6ns0g57e6.dll
    deleting: C:\WINDOWS\system32\n08o0al3edq.dll
    Successfully Deleted: C:\WINDOWS\system32\n08o0al3edq.dll
    deleting: C:\WINDOWS\system32\h60qlgd5160.dll
    Successfully Deleted: C:\WINDOWS\system32\h60qlgd5160.dll
    deleting: C:\WINDOWS\system32\m0ju0a19ed.dll
    Successfully Deleted: C:\WINDOWS\system32\m0ju0a19ed.dll
    deleting: C:\WINDOWS\system32\m4820eloehqc0.dll
    Successfully Deleted: C:\WINDOWS\system32\m4820eloehqc0.dll
    deleting: C:\WINDOWS\system32\mbbind.dll
    Successfully Deleted: C:\WINDOWS\system32\mbbind.dll
    deleting: C:\WINDOWS\system32\WMNINET.DLL
    Successfully Deleted: C:\WINDOWS\system32\WMNINET.DLL
    deleting: C:\WINDOWS\system32\ivetpp.dll
    Successfully Deleted: C:\WINDOWS\system32\ivetpp.dll
    deleting: C:\WINDOWS\system32\h2j40c1qef.dll
    Successfully Deleted: C:\WINDOWS\system32\h2j40c1qef.dll
    deleting: C:\WINDOWS\system32\pKqsp.dll
    Successfully Deleted: C:\WINDOWS\system32\pKqsp.dll
    deleting: C:\WINDOWS\system32\o0660ajsedo60.dll
    Successfully Deleted: C:\WINDOWS\system32\o0660ajsedo60.dll
    deleting: C:\WINDOWS\system32\oseprn.dll
    Successfully Deleted: C:\WINDOWS\system32\oseprn.dll
    deleting: C:\WINDOWS\system32\mgsystem.dll
    Successfully Deleted: C:\WINDOWS\system32\mgsystem.dll
    deleting: C:\WINDOWS\system32\l42slef71h2.dll
    Successfully Deleted: C:\WINDOWS\system32\l42slef71h2.dll
    deleting: C:\WINDOWS\system32\mbwebdvd.dll
    Successfully Deleted: C:\WINDOWS\system32\mbwebdvd.dll
    deleting: C:\WINDOWS\system32\j4n20e5oeh.dll
    Successfully Deleted: C:\WINDOWS\system32\j4n20e5oeh.dll
    deleting: C:\WINDOWS\system32\nxxpnt.dll
    Successfully Deleted: C:\WINDOWS\system32\nxxpnt.dll

    Desktop.ini sucessfully removed


    Zipping up files for submission:
    adding: mqimg32.dll (deflated 5%)
    adding: l6j80g1ue6.dll (deflated 5%)
    adding: MDIDENT.DLL (deflated 5%)
    adding: wjsapi32.dll (deflated 5%)
    adding: sessetup.dll (deflated 5%)
    adding: duwsockx.dll (deflated 5%)
    adding: k2080cduef080.dll (deflated 5%)
    adding: ih41_qc.dll (deflated 5%)
    adding: g0lmla311d.dll (deflated 4%)
    adding: jtlq0735e.dll (deflated 5%)
    adding: h2n00c5mef.dll (deflated 5%)
    adding: fp8q03l5e.dll (deflated 6%)
    adding: amctres.dll (deflated 5%)
    adding: p0n8la5u1d.dll (deflated 5%)
    adding: ciutil.dll (deflated 5%)
    adding: iunathlp.dll (deflated 5%)
    adding: kt2ml7f11.dll (deflated 5%)
    adding: hrro0593e.dll (deflated 5%)
    adding: o6ns0g57e6.dll (deflated 5%)
    adding: n08o0al3edq.dll (deflated 6%)
    adding: h60qlgd5160.dll (deflated 5%)
    adding: m0ju0a19ed.dll (deflated 5%)
    adding: m4820eloehqc0.dll (deflated 5%)
    adding: mbbind.dll (deflated 5%)
    adding: WMNINET.DLL (deflated 5%)
    adding: ivetpp.dll (deflated 5%)
    adding: h2j40c1qef.dll (deflated 5%)
    adding: pKqsp.dll (deflated 5%)
    adding: o0660ajsedo60.dll (deflated 5%)
    adding: oseprn.dll (deflated 5%)
    adding: mgsystem.dll (deflated 5%)
    adding: l42slef71h2.dll (deflated 6%)
    adding: mbwebdvd.dll (deflated 5%)
    adding: j4n20e5oeh.dll (deflated 5%)
    adding: nxxpnt.dll (deflated 5%)
    adding: clear.reg (deflated 22%)
    adding: desktop.ini (stored 0%)
    adding: tmp.txt (deflated 50%)
    adding: lo2.txt (deflated 85%)
    adding: test2.txt (stored 0%)
    adding: test3.txt (stored 0%)
    adding: test5.txt (stored 0%)
    adding: test.txt (deflated 80%)
    adding: xfind.txt (deflated 74%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for really "Everyone"


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: mqimg32.dll
    deleting local copy: l6j80g1ue6.dll
    deleting local copy: MDIDENT.DLL
    deleting local copy: wjsapi32.dll
    deleting local copy: sessetup.dll
    deleting local copy: duwsockx.dll
    deleting local copy: k2080cduef080.dll
    deleting local copy: ih41_qc.dll
    deleting local copy: g0lmla311d.dll
    deleting local copy: jtlq0735e.dll
    deleting local copy: h2n00c5mef.dll
    deleting local copy: fp8q03l5e.dll
    deleting local copy: amctres.dll
    deleting local copy: p0n8la5u1d.dll
    deleting local copy: ciutil.dll
    deleting local copy: iunathlp.dll
    deleting local copy: kt2ml7f11.dll
    deleting local copy: hrro0593e.dll
    deleting local copy: o6ns0g57e6.dll
    deleting local copy: n08o0al3edq.dll
    deleting local copy: h60qlgd5160.dll
    deleting local copy: m0ju0a19ed.dll
    deleting local copy: m4820eloehqc0.dll
    deleting local copy: mbbind.dll
    deleting local copy: WMNINET.DLL
    deleting local copy: ivetpp.dll
    deleting local copy: h2j40c1qef.dll
    deleting local copy: pKqsp.dll
    deleting local copy: o0660ajsedo60.dll
    deleting local copy: oseprn.dll
    deleting local copy: mgsystem.dll
    deleting local copy: l42slef71h2.dll
    deleting local copy: mbwebdvd.dll
    deleting local copy: j4n20e5oeh.dll
    deleting local copy: nxxpnt.dll

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\mqimg32.dll
    C:\WINDOWS\system32\l6j80g1ue6.dll
    C:\WINDOWS\system32\MDIDENT.DLL
    C:\WINDOWS\system32\wjsapi32.dll
    C:\WINDOWS\system32\sessetup.dll
    C:\WINDOWS\system32\duwsockx.dll
    C:\WINDOWS\system32\k2080cduef080.dll
    C:\WINDOWS\system32\ih41_qc.dll
    C:\WINDOWS\system32\g0lmla311d.dll
    C:\WINDOWS\system32\jtlq0735e.dll
    C:\WINDOWS\system32\h2n00c5mef.dll
    C:\WINDOWS\system32\fp8q03l5e.dll
    C:\WINDOWS\system32\amctres.dll
    C:\WINDOWS\system32\p0n8la5u1d.dll
    C:\WINDOWS\system32\ciutil.dll
    C:\WINDOWS\system32\iunathlp.dll
    C:\WINDOWS\system32\kt2ml7f11.dll
    C:\WINDOWS\system32\hrro0593e.dll
    C:\WINDOWS\system32\o6ns0g57e6.dll
    C:\WINDOWS\system32\n08o0al3edq.dll
    C:\WINDOWS\system32\h60qlgd5160.dll
    C:\WINDOWS\system32\m0ju0a19ed.dll
    C:\WINDOWS\system32\m4820eloehqc0.dll
    C:\WINDOWS\system32\mbbind.dll
    C:\WINDOWS\system32\WMNINET.DLL
    C:\WINDOWS\system32\ivetpp.dll
    C:\WINDOWS\system32\h2j40c1qef.dll
    C:\WINDOWS\system32\pKqsp.dll
    C:\WINDOWS\system32\o0660ajsedo60.dll
    C:\WINDOWS\system32\oseprn.dll
    C:\WINDOWS\system32\mgsystem.dll
    C:\WINDOWS\system32\l42slef71h2.dll
    C:\WINDOWS\system32\mbwebdvd.dll
    C:\WINDOWS\system32\j4n20e5oeh.dll
    C:\WINDOWS\system32\nxxpnt.dll

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{BD812953-4CB0-4B79-8522-C0E8B26EB8A2}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{BD812953-4CB0-4B79-8522-C0E8B26EB8A2}]
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{}"=-
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    ****************************************************************************
    


    HIJACKTHIS LOG




    Logfile of HijackThis v1.98.2
    Scan saved at 10:54:45 PM, on 2/9/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ygvork.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\Program Files\SED\SED.exe
    C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50162
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYDOC~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\SPYDOC~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Pri\Local Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PHOTOS~1\PHOTOS~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "D:\SpyDoctor\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\SPYDOC~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...loper.viewpoint.com/download/autoinstall.html
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,012
    Please download and run the following program(s):

    CWSHREDDER

    http://www.intermute.com/spysubtract/cwshredder_download.html

    Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

    Then restart your computer.

    Then, download the LSP Fix:

    http://cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of dolsp.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Now start your computer in Safe Mode and delete:

    The C:\windows\system32\dolsp.dll file


    Go to Control Panel - Add/Remove programs and remove these if there:

    Viewpoint
    Toolbar
    SED
    WinTools or WinTools for Internet Explorer V2 or WinTools Easy Installer
    VBouncer (VirtualBouncer)


    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50162

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"

    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

    The following is a valid application but it shouldn't be running from the Temp files. If you want to keep it you should move it because we will be deleting the temp files later on in the clean-up:
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Pri\Local
    Settings\Temp\ARC22A\FreeRAM XP Pro 1.40.exe" -win

    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...utoinstall.html

    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll



    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\PROGRA~1\Toolbar - folder
    C\PROGRA~1\COMMON~1\WinTools - folder
    C:\Program Files\Viewpoint - folder
    C:\WINDOWS\system32\n20050308.exe - file
    C:\Program Files\SED - folder
    C:\PROGRA~1\VBOUNCER - folder
    C:\WINDOWS\System32\wsxsvc - folder
    C:\WINDOWS\System32\vmss - folder
    C:\Program Files\AdDestroyer - folder


    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Reboot and post another log please.
     
  14. bella6100

    bella6100 Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    117
    Logfile of HijackThis v1.98.2
    Scan saved at 11:34:14 AM, on 2/11/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ygvork.exe
    D:\AIM\aim.exe
    D:\SpyDoctor\Spyware Doctor\swdoctor.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Documents and Settings\Pri\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Pri\Application Data\Mozilla\Profiles\default\hb0dd665.slt\prefs.js)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYDOC~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\SPYDOC~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PHOTOS~1\PHOTOS~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "D:\SpyDoctor\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\SPYDOC~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,012
    Click here: http://www.downloads.subratam.org/KillBox.exe to download Pocket KillBox.

    Unzip the files to the folder of your choice.

    Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each the following line then click on the button that has the red circle with the X in the middle after you enter the file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click Yes.

    C:\WINDOWS\System32\ygvork.exe


    Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

    Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

    Also, please post a new Hijack This log.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/327582

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice